debug release workflow

peterjah · peterjah · commit fa3f1d1d7066 · 2025-07-25T18:57:50.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -20,20 +20,20 @@ jobs:
       matrix:
         include:
           # The first combination is Ubuntu running on an AMD64 processor, building for Windows.
-          - os: ubuntu-24.04
-            arch: amd64
-            target: windows
-            ext: .exe
+          # - os: ubuntu-24.04
+          #   arch: amd64
+          #   target: windows
+          #   ext: .exe
 
-          # The second combination is Ubuntu running on an AMD64 processor, building for Linux.
-          - os: ubuntu-24.04
-            arch: amd64
-            target: linux
+          # # The second combination is Ubuntu running on an AMD64 processor, building for Linux.
+          # - os: ubuntu-24.04
+          #   arch: amd64
+          #   target: linux
 
           # The third combination is macOS running on an AMD64 processor, building for Darwin (macOS).
-          - os: macos-13
-            arch: amd64
-            target: darwin
+          # - os: macos-13
+          #   arch: amd64
+          #   target: darwin
 
           # The fourth combination is macOS running on an ARM64 processor, building for Darwin (macOS).
           - os: macos-13
@@ -66,20 +66,46 @@ jobs:
         if: ${{ matrix.target != 'windows' }}
         run: |
           ls -la build/
-          chmod +x build/node-manager-plugin*
+          chmod +x build/node-manager-plugin
+          md5 build/node-manager-plugin
 
-      - name: Sign Macos binary
-        uses: massalabs/massa/.github/actions/sign-macos@ccc3f02e34544f722634a6fb7732cc4bb515e90b
-        if: ${{ runner.os == 'macOS' }}
+      # - name: Sign Macos binary
+      #   uses: massalabs/massa/.github/actions/sign-macos@ccc3f02e34544f722634a6fb7732cc4bb515e90b
+      #   if: ${{ runner.os == 'macOS' }}
+      #   with:
+      #     paths: "build/node-manager-plugin"
+      #     certificate-p12-base64: ${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }}
+      #     certificate-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
+      #     signing-identity: ${{ vars.APPLE_DEVELOPER_ID_APPLICATION }}
+
+      - name: Import Apple signing certificate
+        uses: Apple-Actions/import-codesign-certs@v3
         with:
-          paths: "build/node-manager-plugin"
-          certificate-p12-base64: ${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }}
-          certificate-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
-          signing-identity: ${{ vars.APPLE_DEVELOPER_ID_APPLICATION }}
+          p12-file-base64: ${{ inputs.certificate-p12-base64 }}
+          p12-password: ${{ inputs.certificate-password }}
+
+      - name: Re-sign with entitlements (if custom action doesn't support entitlements)
+        if: ${{ runner.os == 'macOS' }}
+        run: |
+          echo "Re-signing with entitlements to ensure proper hardened runtime..."
+          codesign --force --options runtime --entitlements entitlements.plist --sign "${{ vars.APPLE_DEVELOPER_ID_APPLICATION }}" build/node-manager-plugin
+          echo "Verifying re-signed binary..."
+          codesign --verify --verbose build/node-manager-plugin
+
+      - name: Verify code signing
+        if: ${{ runner.os == 'macOS' }}
+        run: |
+          echo "Verifying code signature..."
+          codesign --verify --verbose build/node-manager-plugin
+          codesign --display --verbose=4 build/node-manager-plugin
+          spctl --assess --type execute --verbose build/node-manager-plugin || echo "SPCTL assessment failed - this is expected before notarization"
 
       - name: Rename Plugin artifact
-        run: 
+        run: |
+          md5 build/node-manager-plugin
           mv build/node-manager-plugin${{ matrix.ext }} ${{ env.TARGET_NAME }}${{ matrix.ext }}
+          ls -la
+          md5 ${{ env.TARGET_NAME }}${{ matrix.ext }}
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
@@ -88,35 +114,35 @@ jobs:
           path: |
             ${{ env.TARGET_NAME }}${{ matrix.ext }}
      
-  sign-windows-binary:
-    name: Sign Windows binary
-    needs: build
-    runs-on: windows-latest
-    permissions:
-      contents: write
-      id-token: write
-    env:
-      TARGET_NAME: node-manager-plugin_windows-amd64
-    steps:
-      - name: Download Windows artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: ${{ env.TARGET_NAME }}
-          path: .
+  # sign-windows-binary:
+  #   name: Sign Windows binary
+  #   needs: build
+  #   runs-on: windows-latest
+  #   permissions:
+  #     contents: write
+  #     id-token: write
+  #   env:
+  #     TARGET_NAME: node-manager-plugin_windows-amd64
+  #   steps:
+  #     - name: Download Windows artifacts
+  #       uses: actions/download-artifact@v4
+  #       with:
+  #         name: ${{ env.TARGET_NAME }}
+  #         path: .
 
-      - name: Sign Windows binary
-        uses: massalabs/station/.github/actions/sign-file-digicert@413d4c0bbd042d5e797fbb66bcd2c96be5c3e71a
-        with:
-          files: ${{ env.TARGET_NAME }}.exe
-          SM_API_KEY: ${{ secrets.SM_API_KEY }}
-          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
-          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
-          SM_CERT_FINGERPRINT: ${{ secrets.SM_CERT_FINGERPRINT }}
-          SM_HOST: ${{ secrets.SM_HOST }}
-
-      - name: Upload signed Windows zip (overwrite original)
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ env.TARGET_NAME }}
-          path: ./${{ env.TARGET_NAME }}.exe
-          overwrite: true
+  #     - name: Sign Windows binary
+  #       uses: massalabs/station/.github/actions/sign-file-digicert@413d4c0bbd042d5e797fbb66bcd2c96be5c3e71a
+  #       with:
+  #         files: ${{ env.TARGET_NAME }}.exe
+  #         SM_API_KEY: ${{ secrets.SM_API_KEY }}
+  #         SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
+  #         SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
+  #         SM_CERT_FINGERPRINT: ${{ secrets.SM_CERT_FINGERPRINT }}
+  #         SM_HOST: ${{ secrets.SM_HOST }}
+
+  #     - name: Upload signed Windows zip (overwrite original)
+  #       uses: actions/upload-artifact@v4
+  #       with:
+  #         name: ${{ env.TARGET_NAME }}
+  #         path: ./${{ env.TARGET_NAME }}.exe
+  #         overwrite: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -23,22 +23,22 @@ on:
         default: true
 
 jobs:
-  check-manifest:
-    name: Check the Manifest
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v3
-      - name: Check the manifest version
-        if: ${{ inputs.tag_name != '' }}
-        run: |
-          sudo apt-get install -y jq
-          version=$(jq -r '.version' manifest.json)
-          tag_name=${{ inputs.tag_name }}
-          tag_name_without_v=${tag_name#v}
-          if [[ $version != $tag_name_without_v ]]; then
-            echo "The manifest version is not equal to the tag version"
-            exit 1
-          fi
+  # check-manifest:
+  #   name: Check the Manifest
+  #   runs-on: ubuntu-24.04
+  #   steps:
+  #     - uses: actions/checkout@v3
+  #     - name: Check the manifest version
+  #       if: ${{ inputs.tag_name != '' }}
+  #       run: |
+  #         sudo apt-get install -y jq
+  #         version=$(jq -r '.version' manifest.json)
+  #         tag_name=${{ inputs.tag_name }}
+  #         tag_name_without_v=${tag_name#v}
+  #         if [[ $version != $tag_name_without_v ]]; then
+  #           echo "The manifest version is not equal to the tag version"
+  #           exit 1
+  #         fi
   
   build-plugin:
     name: Build node manager plugin
@@ -54,16 +54,16 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-24.04
-            target: windows
-            ext: .exe
-            arch: amd64
-          - os: ubuntu-24.04
-            target: linux
-            arch: amd64
-          - os: macos-13
-            target: darwin
-            arch: amd64
+          # - os: ubuntu-24.04
+          #   target: windows
+          #   ext: .exe
+          #   arch: amd64
+          # - os: ubuntu-24.04
+          #   target: linux
+          #   arch: amd64
+          # - os: macos-13
+          #   target: darwin
+          #   arch: amd64
           - os: macos-13
             target: darwin
             arch: arm64
@@ -99,13 +99,15 @@ jobs:
 
       - name: make bin executable
         run: |
+          ls -la
           ls -la ${{ env.TARGET_NAME }}
           chmod +x ${{ env.TARGET_NAME }}/*
+          md5 ${{ env.TARGET_NAME }}/${{ env.TARGET_NAME }}
 
       - name : zip package
         shell: bash
         run: |
-          zip -j ${{ env.TARGET_NAME }}.zip web/public/favicon.svg manifest.json ${{ env.TARGET_NAME }}/*
+          zip -j ${{ env.TARGET_NAME }}.zip web/public/favicon.svg manifest.json ${{ env.TARGET_NAME }}/${{ env.TARGET_NAME }}
           cd build && zip -r ../${{ env.TARGET_NAME }}.zip node-massa
 
       - name: Notarize zip for MacOS ${{ matrix.arch }}
@@ -127,7 +129,7 @@ jobs:
           
   create-release:
     name: Create release
-    needs: [check-manifest, zip-package]
+    needs: [ zip-package]
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
@@ -139,16 +141,16 @@ jobs:
           pattern: 'release-zip-node-manager-plugin_*'
           merge-multiple: true
     
-      - name: Create release and upload binaries
-        uses: softprops/action-gh-release@v1
-        with:
-          target_commitish: ${{ github.sha }}
-          tag_name: ${{ inputs.tag_name }}
-          draft: ${{ inputs.draft }}
-          prerelease: ${{ inputs.prerelease }}
-          generate_release_notes: ${{ inputs.generate_release_notes }}
-          files: |
-            *.zip
+      # - name: Create release and upload binaries
+      #   uses: softprops/action-gh-release@v1
+      #   with:
+      #     target_commitish: ${{ github.sha }}
+      #     tag_name: ${{ inputs.tag_name }}
+      #     draft: ${{ inputs.draft }}
+      #     prerelease: ${{ inputs.prerelease }}
+      #     generate_release_notes: ${{ inputs.generate_release_notes }}
+      #     files: |
+      #       *.zip
   
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
diff --git a/entitlements.plist b/entitlements.plist
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- Allow JIT compilation (needed for some Go runtime features) -->
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    
+    <!-- Allow unsigned executable memory (common for Go binaries) -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    
+    <!-- Allow DYLD environment variables -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    
+    <!-- Disable library validation -->
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    
+    <!-- Allow debugger attachment (can be removed for production) -->
+    <key>com.apple.security.get-task-allow</key>
+    <false/>
+</dict>
+</plist> 
