From aecc54a987c036fd9688771685fa770fa25a63d2 Mon Sep 17 00:00:00 2001
From: Tim Rogers
Date: Sun, 6 Oct 2024 19:18:26 +0100
Subject: [PATCH] feat: build, sign and notarize a binary for Apple Silicon macOS devices
---
 .github/workflows/ci.yml | 58 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 57 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 18e59e0..dbff83c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -303,6 +303,55 @@ jobs:
 with:
 name: linux-outputs-ghes-311
 path: output
+ package-macos-arm64:
+ name: Package macOS binary for Apple Silicon
+ runs-on: macos-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Setup Node.js
+ uses: actions/setup-node@v4.0.4
+ with:
+ node-version: 20.x
+ cache: 'npm'
+ - name: Install dependencies
+ run: npm ci
+ - name: Generate binaries for macOS, Linux and Windows
+ run: npm run package
+ - name: Rename macOS binary to conform to GitHub CLI extension rules
+ run: mv bin/migrate-project-macos bin/gh-migrate-project-darwin-arm64
+ - name: Write Apple signing key to a file
+ env:
+ APPLE_SIGNING_KEY_P12: ${{ secrets.APPLE_SIGNING_KEY_P12 }}
+ run: echo "$APPLE_SIGNING_KEY_P12" | base64 -d -o key.p12
+ - name: Write App Store Connect API key to a file
+ env:
+ APP_STORE_CONNECT_API_KEY: ${{ secrets.APP_STORE_CONNECT_API_KEY }}
+ run: echo "$APP_STORE_CONNECT_API_KEY" > app_store_connect_api_key.json
+ - name: Sign macOS binary (macOS only)
+ uses: indygreg/apple-code-sign-action@v1
+ with:
+ input_path: bin/gh-migrate-project-darwin-arm64
+ p12_file: key.p12
+ p12_password: ${{ secrets.APPLE_SIGNING_KEY_PASSWORD }}
+ sign: true
+ sign_args: '--code-signature-flags=runtime'
+ - name: Upload binary as artifact
+ uses: actions/upload-artifact@v4
+ with:
+ path: bin/gh-migrate-project-darwin-arm64
+ name: gh-migrate-project-darwin-arm64
+ - name: Archive macOS binary for notarisation (macOS only)
+ run: zip gh-migrate-project-darwin-arm64.zip bin/gh-migrate-project-darwin-arm64
+ - name: Notarise signed macOS binary (macOS only)
+ uses: indygreg/apple-code-sign-action@v1
+ with:
+ input_path: gh-migrate-project-darwin-arm64.zi
+ sign: false
+ notarize: true
+ app_store_connect_api_key_json_file: app_store_connect_api_key.json
 package:
 name: Package binaries
 runs-on: ubuntu-latest
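Review bot: The notarisation step's `input_path: gh-migrate-project-darwin-arm64.zi` does not match the archive the preceding `zip` step writes (`gh-migrate-project-darwin-arm64.zip`), so the step is pointed at a file the job never creates; it should read `input_path: gh-migrate-project-darwin-arm64.zip`. Both signing steps also give the P12 file, its password and the App Store Connect key to `indygreg/apple-code-sign-action@v1`, a third-party action referenced by a movable tag; pinning it to a reviewed full commit SHA (`uses: indygreg/apple-code-sign-action@<FULL_COMMIT_SHA> # v1`) keeps a retagged release from running with those credentials. `key.p12` and `app_store_connect_api_key.json` are written into the checkout directory and never removed; writing them under `"$RUNNER_TEMP"` and deleting them in a final `if: always()` step would keep the key material out of reach of anything that later packages or uploads the workspace.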
@@ -348,6 +397,7 @@ jobs:
 needs:
 [
 'package',
+ 'package-macos-arm64',
 'test_and_lint',
 'end_to_end_tests_linux_ghes_314',
 'end_to_end_tests_linux_ghes_313',
@@ -380,11 +430,16 @@ jobs:
 with:
 name: package-windows
 path: bin
- - name: Download macOS binary
+ - name: Download macOS AMD64 binary
 uses: actions/download-artifact@v4
 with:
 name: package-macos
 path: bin
+ - name: Download macOS ARM64 binary
+ uses: actions/download-artifact@v4
+ with:
+ name: gh-migrate-project-darwin-arm64
+ path: bin
 - name: Download Linux binary
 uses: actions/download-artifact@v4
 with:
@@ -395,6 +450,7 @@ jobs:
 with:
 files: |
 bin/gh-migrate-project-darwin-amd64
+ bin/gh-migrate-project-darwin-arm64
 bin/gh-migrate-project-linux-amd64
 bin/gh-migrate-project-windows-amd64.exe
 generate_release_notes: true
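Review bot: The added `Download macOS ARM64 binary` step in the `@@ -380,11 +430,16 @@` hunk fetches an artifact named `gh-migrate-project-darwin-arm64`, while the neighbouring steps use `package-windows` and `package-macos`; with two macOS artifacts the unqualified `package-macos` no longer says which architecture it holds. Naming the new artifact `package-macos-arm64` (here and in the upload step of the `package-macos-arm64` job) would keep the existing pattern. A comment above the step such as `# signed and notarised in the package-macos-arm64 job` would also record which of the released binaries went through Apple signing; whether the AMD64 binary does is not visible in this diff. The release job's step list starts and ends outside this hunk.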