Update CircleCI config to sign MacOS binaries (#137)

marinalimeira · web-flow · commit 3018857b23e9 · 2023-08-11T16:37:37.000+02:00
* Sign MacOS builds

* Move build-and-deploy to separate steps

* Don't run build when its not a release

* Use v2.1 of circleci

* Fix build args
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,16 +1,18 @@
-defaults: &defaults
-  docker:
-    - image: 087285199408.dkr.ecr.us-east-1.amazonaws.com/circle-ci-test-image-base:go1.18-tf1.4-tg39.1-pck1.8-ci50.7
-  environment: 
+env: &env
+  environment:
     TERRATEST_LOG_PARSER_VERSION: NONE
     TERRAFORM_VERSION: NONE
     TERRAGRUNT_VERSION: NONE
     PACKER_VERSION: NONE
-    GRUNTWORK_INSTALLER_VERSION: v0.0.35
-    MODULE_CI_VERSION: v0.33.1
+    GRUNTWORK_INSTALLER_VERSION: v0.0.39
+    MODULE_CI_VERSION: v0.52.6
     GOLANG_VERSION: 1.18
     GO111MODULE: auto
     CGO_ENABLED: 1
+defaults: &defaults
+  docker:
+    - image: 087285199408.dkr.ecr.us-east-1.amazonaws.com/circle-ci-test-image-base:go1.18-tf1.4-tg39.1-pck1.8-ci50.7
+  <<: *env
 install_gruntwork_utils: &install_gruntwork_utils
   name: Install gruntwork utils
   command: |
@@ -20,8 +22,10 @@ install_gruntwork_utils: &install_gruntwork_utils
     --terraform-version ${TERRAFORM_VERSION} \
     --terragrunt-version ${TERRAGRUNT_VERSION} \
     --packer-version ${PACKER_VERSION} \
-    --go-version ${GOLANG_VERSION} 
-version: 2
+    --go-version ${GOLANG_VERSION}
+orbs:
+  go: circleci/go@1.7.3
+version: 2.1
 jobs:
   pre-commit:
     <<: *defaults
@@ -48,15 +52,51 @@ jobs:
           command: run-go-tests --timeout 5m
           no_output_timeout: 45m
           when: always
-  build-and-deploy:
+  build:
+    resource_class: large
     <<: *defaults
     steps:
       - checkout
-      - run: 
-          <<: *install_gruntwork_utils
-      - run: build-go-binaries --app-name git-xargs --src-path ./ --dest-path bin --ld-flags "-X main.VERSION=$CIRCLE_TAG"
-      - run: cd bin && sha256sum * > SHA256SUMS
-      - run: upload-github-release-assets bin/* 
+      - run: build-go-binaries --app-name git-xargs --dest-path bin --ld-flags "-X main.VERSION=$CIRCLE_TAG"
+      - persist_to_workspace:
+          root: .
+          paths: bin
+  deploy:
+    <<: *env
+    macos:
+      xcode: 14.2.0
+    resource_class: macos.x86.medium.gen2
+    steps:
+      - checkout
+      - attach_workspace:
+          at: .
+      - go/install:
+          version: "1.20.5"
+      - run:
+          name: Install sign-binary-helpers
+          command: |
+            curl -Ls https://raw.githubusercontent.com/gruntwork-io/gruntwork-installer/master/bootstrap-gruntwork-installer.sh | bash /dev/stdin --version "${GRUNTWORK_INSTALLER_VERSION}"
+            gruntwork-install --module-name "gruntwork-module-circleci-helpers" --repo "https://github.com/gruntwork-io/terraform-aws-ci" --tag "${MODULE_CI_VERSION}"
+            gruntwork-install --module-name "sign-binary-helpers" --repo "https://github.com/gruntwork-io/terraform-aws-ci" --tag "${MODULE_CI_VERSION}"
+      - run:
+          name: Compile and sign the binaries
+          command: |
+            sign-binary --install-macos-sign-dependencies --os mac .gon_amd64.hcl
+            sign-binary --os mac .gon_arm64.hcl
+            echo "Done signing the binary"
+
+            # Replace the files in bin. These are the same file names generated from .gon_amd64.hcl and .gon_arm64.hcl
+            unzip git-xargs_darwin_amd64.zip
+            mv git-xargs_darwin_amd64 bin/
+
+            unzip git-xargs_darwin_arm64.zip
+            mv git-xargs_darwin_arm64 bin/
+      - run:
+          name: Run SHA256SUM
+          command: |
+            brew install coreutils
+            cd bin && sha256sum * > SHA256SUMS
+      - run: upload-github-release-assets bin/*
 workflows:
   version: 2
   build-and-test:
@@ -77,14 +117,26 @@ workflows:
           context:
             - AWS__PHXDEVOPS__circle-ci-test
             - GITHUB__PAT__gruntwork-ci
-      - build-and-deploy:
+      - build:
           requires:
             - test
           filters:
             tags:
               only: /^v.*/
-            branches: 
+            branches:
+              ignore: /.*/
+          context:
+            - AWS__PHXDEVOPS__circle-ci-test
+            - GITHUB__PAT__gruntwork-ci
+      - deploy:
+          requires:
+            - build
+          filters:
+            tags:
+              only: /^v.*/
+            branches:
               ignore: /.*/
           context:
             - AWS__PHXDEVOPS__circle-ci-test
             - GITHUB__PAT__gruntwork-ci
+            - APPLE__OSX__code-signing
diff --git a/.gon_amd64.hcl b/.gon_amd64.hcl
@@ -0,0 +1,19 @@
+# See https://github.com/gruntwork-io/terraform-aws-ci/blob/main/modules/sign-binary-helpers/
+# for further instructions on how to sign the binary + submitting for notarization.
+
+source = ["./bin/git-xargs_darwin_amd64"]
+
+bundle_id = "io.gruntwork.app.terragrunt"
+
+apple_id {
+  username = "machine.apple@gruntwork.io"
+  password = "@env:MACOS_AC_PASSWORD"
+}
+
+sign {
+  application_identity = "Developer ID Application: Gruntwork, Inc."
+}
+
+zip {
+  output_path = "git-xargs_darwin_amd64.zip"
+}
diff --git a/.gon_arm64.hcl b/.gon_arm64.hcl
@@ -0,0 +1,19 @@
+# See https://github.com/gruntwork-io/terraform-aws-ci/blob/main/modules/sign-binary-helpers/
+# for further instructions on how to sign the binary + submitting for notarization.
+
+source = ["./bin/git-xargs_darwin_arm64"]
+
+bundle_id = "io.gruntwork.app.terragrunt"
+
+apple_id {
+  username = "machine.apple@gruntwork.io"
+  password = "@env:MACOS_AC_PASSWORD"
+}
+
+sign {
+  application_identity = "Developer ID Application: Gruntwork, Inc."
+}
+
+zip {
+  output_path = "git-xargs_darwin_arm64.zip"
+}
