From 994a25f02f29a244ebb7d74fb5bde17d2ea80efe Mon Sep 17 00:00:00 2001 From: Stanislav Zhuk Date: Mon, 8 Jun 2026 15:35:21 +0300 Subject: [PATCH 1/5] chore(*): use bats libraries, bump actions --- .github/workflows/test.yml | 19 ++++++++++++------- README.md | 1 + tests/01_macos_sign.bats | 15 ++++++++++----- tests/02_macos_notarize.bats | 8 ++++---- tests/setup.sh | 11 +++++++++++ 5 files changed, 38 insertions(+), 16 deletions(-) create mode 100644 tests/setup.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index dc0fdd9..98311b6 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,6 +1,8 @@ name: Test on: push: + branches: [ master, main ] + pull_request: schedule: - cron: '0 3 * * *' @@ -12,6 +14,10 @@ on: required: false default: false +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: actions: write @@ -28,15 +34,16 @@ jobs: runs-on: macos-15 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Set up Homebrew id: set-up-homebrew uses: Homebrew/actions/setup-homebrew@main - - uses: actions/setup-go@v5 + - uses: actions/setup-go@v6 with: - go-version: '^1.20' + go-version: '>=1.23' + check-latest: true - name: Load 1Password secrets for signing tools - uses: 1password/load-secrets-action@v2 + uses: 1password/load-secrets-action@v4 with: export-env: true env: @@ -49,8 +56,7 @@ jobs: echo "APP_SPECIFIC_PASSWORD set: $([ -n "${APP_SPECIFIC_PASSWORD}" ] && echo "yes" || echo "no")" echo "SIGNING_TOOLS_SIGNING_PASSWORD set: $([ -n "${SIGNING_TOOLS_SIGNING_PASSWORD}" ] && echo "yes" || echo "no")" - run: | - brew tap bats-core/bats-core - brew install bats-core gnu-getopt jq xq yq + brew install bats-core bats-core/bats-core/bats-assert bats-core/bats-core/bats-file bats-core/bats-core/bats-support gnu-getopt jq xq yq - name: Setup tmate session uses: mxschmitt/action-tmate@v3 with: 
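Review bot: The new `pull_request:` trigger in the first hunk of .github/workflows/test.yml makes the whole job run on pull requests, but later steps in that job load the signing credentials through `1password/load-secrets-action` with `export-env: true`. GitHub does not pass repository secrets to pull requests from forks, so the secret-loading step will presumably fail or leave the variables empty, and the sign and notarize tests will fail for every outside contributor. For same-repository branches, the PR's own scripts and tests run with the signing password in the environment. Consider guarding the secret-dependent steps with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, and add a comment above the trigger saying that fork PRs skip signing.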
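Review bot: The bumped actions in the `@@ -28,15 +34,16 @@` hunk are still referenced by mutable tags (`actions/checkout@v6`, `actions/setup-go@v6`, `1password/load-secrets-action@v4`), and the unchanged `Homebrew/actions/setup-homebrew@main` tracks a branch. This job exports the signing password and Apple credentials into the environment, so a retagged or compromised release of any of these actions would run with those secrets. Pin each one to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: 1password/load-secrets-action@<full-commit-sha>  # v4`. `go-version: '>=1.23'` with `check-latest: true` also lets the toolchain float between runs; if that is intentional for a smoke test, a short comment saying so would help.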
@@ -63,4 +69,3 @@ jobs: echo "Running ${item}" bats "${item}" done - # - uses: gautamkrishnar/keepalive-workflow@v2 diff --git a/README.md b/README.md index 1338500..d49534d 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ +[![tests](https://github.com/ddev/signing_tools/actions/workflows/test.yml/badge.svg?branch=master)](https://github.com/ddev/signing_tools/actions/workflows/test.yml?query=branch%3Amaster) [![last commit](https://img.shields.io/github/last-commit/ddev/signing_tools)](https://github.com/ddev/signing_tools/commits) # signing_tools: macOS Signing and Notarization Tools diff --git a/tests/01_macos_sign.bats b/tests/01_macos_sign.bats index ec1b733..8271d1d 100644 --- a/tests/01_macos_sign.bats +++ b/tests/01_macos_sign.bats @@ -9,15 +9,20 @@ TARGET_BINARY=/tmp/macos_sign_bats_dummy # SIGNING_TOOLS_SIGNING_PASSWORD must be set by test runner -function setup { +setup() { + load setup.sh rm -f ${TARGET_BINARY} go build -o ${TARGET_BINARY} tests/testdata/helloworld.go } @test "Sign a dummy binary" { - ./macos_sign.sh --signing-password="${SIGNING_TOOLS_SIGNING_PASSWORD}" --cert-file=${CERTFILE} --cert-name="${CERTNAME}" --target-binary="${TARGET_BINARY}" - codesign -vv ${TARGET_BINARY} - codesign -vv -d ${TARGET_BINARY} 2>&1 | grep "$CERTNAME" -} + run ./macos_sign.sh --signing-password="${SIGNING_TOOLS_SIGNING_PASSWORD}" --cert-file=${CERTFILE} --cert-name="${CERTNAME}" --target-binary="${TARGET_BINARY}" + assert_success + run codesign -vv ${TARGET_BINARY} + assert_success + run codesign -vv -d "${TARGET_BINARY}" + assert_success + assert_output --partial "${CERTNAME}" +} diff --git a/tests/02_macos_notarize.bats b/tests/02_macos_notarize.bats index 6909779..f781a77 100644 --- a/tests/02_macos_notarize.bats +++ b/tests/02_macos_notarize.bats 
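Review bot: In tests/01_macos_sign.bats the only check that the binary was signed by the expected identity is `assert_output --partial "${CERTNAME}"`, which passes if the name appears anywhere in the `codesign -vv -d` output. If CERTNAME holds the full identity string, anchoring the match to the field codesign prints it in, `assert_output --partial "Authority=${CERTNAME}"`, would make the test fail when a different certificate signs the file. Separately, `run codesign -vv ${TARGET_BINARY}` and `--cert-file=${CERTFILE}` are unquoted while the next line quotes the same variable. The same applies to the unquoted `${APP_SPECIFIC_PASSWORD}`, `${APPLE_ID}` and `${TARGET_BINARY}` on the `run ./macos_notarize.sh` line in tests/02_macos_notarize.bats, where word splitting would silently change the arguments. A comment such as `# codesign -d writes to stderr; bats 'run' merges it into $output` would explain why the old `2>&1 | grep` could be dropped.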
@@ -12,14 +12,14 @@ TARGET_BINARY=/tmp/macos_notarize_dummy # APPLE_ID should come from environment variable TEAM_ID="9HQ298V2BW" -function setup { +setup() { + load setup.sh rm -f ${TARGET_BINARY} go build -o ${TARGET_BINARY} tests/testdata/helloworld.go ./macos_sign.sh --signing-password="${SIGNING_TOOLS_SIGNING_PASSWORD}" --cert-file=${CERTFILE} --cert-name="${CERTNAME}" --target-binary="${TARGET_BINARY}" } @test "Notarize a signed dummy binary" { - ./macos_notarize.sh --app-specific-password=${APP_SPECIFIC_PASSWORD} --apple-id=${APPLE_ID} --team-id=${TEAM_ID} --primary-bundle-id=com.ddev.test-signing-tools --target-binary=${TARGET_BINARY} + run ./macos_notarize.sh --app-specific-password=${APP_SPECIFIC_PASSWORD} --apple-id=${APPLE_ID} --team-id=${TEAM_ID} --primary-bundle-id=com.ddev.test-signing-tools --target-binary=${TARGET_BINARY} + assert_success } - - diff --git a/tests/setup.sh b/tests/setup.sh new file mode 100644 index 0000000..29467c5 --- /dev/null +++ b/tests/setup.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +# brew install bats-core bats-core/bats-core/bats-assert bats-core/bats-core/bats-file bats-core/bats-core/bats-support + +bats_require_minimum_version 1.11.0 +set -eu -o pipefail +TEST_BREW_PREFIX="$(brew --prefix 2>/dev/null || true)" +export BATS_LIB_PATH="${BATS_LIB_PATH:-}:${TEST_BREW_PREFIX}/lib:/usr/lib/bats" +bats_load_library bats-assert +bats_load_library bats-file +bats_load_library bats-support From a77f774b0b7200024ab1c5040bbfa829c0005cb3 Mon Sep 17 00:00:00 2001 From: Stanislav Zhuk Date: Mon, 8 Jun 2026 15:45:49 +0300 Subject: [PATCH 2/5] disable cache warning --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 98311b6..a752233 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
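Review bot: In the new tests/setup.sh, `BATS_LIB_PATH` can end up with an empty first component and a bare `/lib`. When the variable is unset the value starts with `:`, and when `brew --prefix` fails (which `|| true` hides) `${TEST_BREW_PREFIX}/lib` collapses to `/lib`. Libraries found on this path are sourced into the test shell, which in CI has the signing credentials in its environment, so the search path should name only directories you intend. `export BATS_LIB_PATH="${BATS_LIB_PATH:+${BATS_LIB_PATH}:}${TEST_BREW_PREFIX:+${TEST_BREW_PREFIX}/lib:}/usr/lib/bats"` avoids both cases. A one-line comment noting that `set -eu -o pipefail` here changes shell options for every test that loads the file would also help.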
@@ -42,6 +42,7 @@ jobs: with: go-version: '>=1.23' check-latest: true + cache: false - name: Load 1Password secrets for signing tools uses: 1password/load-secrets-action@v4 with: From d1f2718035087930779d889778e98b5b3b8ade77 Mon Sep 17 00:00:00 2001 From: Stanislav Zhuk Date: Mon, 8 Jun 2026 15:49:34 +0300 Subject: [PATCH 3/5] use macos-26 --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a752233..1ca6f7a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -32,7 +32,7 @@ jobs: run: shell: bash - runs-on: macos-15 + runs-on: macos-26 steps: - uses: actions/checkout@v6 - name: Set up Homebrew From ee4a9db5d5fa5074dee5bf8b921864faf6fc29fa Mon Sep 17 00:00:00 2001 From: Stanislav Zhuk Date: Mon, 8 Jun 2026 15:52:49 +0300 Subject: [PATCH 4/5] add HOMEBREW_NO_REQUIRE_TAP_TRUST=1 --- .github/workflows/test.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1ca6f7a..37afa6e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -56,7 +56,10 @@ jobs: echo "APPLE_ID: ${APPLE_ID}" echo "APP_SPECIFIC_PASSWORD set: $([ -n "${APP_SPECIFIC_PASSWORD}" ] && echo "yes" || echo "no")" echo "SIGNING_TOOLS_SIGNING_PASSWORD set: $([ -n "${SIGNING_TOOLS_SIGNING_PASSWORD}" ] && echo "yes" || echo "no")" - - run: | + - name: Install dependencies + env: + HOMEBREW_NO_REQUIRE_TAP_TRUST: 1 + run: | brew install bats-core bats-core/bats-core/bats-assert bats-core/bats-core/bats-file bats-core/bats-core/bats-support gnu-getopt jq xq yq - name: Setup tmate session uses: mxschmitt/action-tmate@v3 From 3a8b47e7c90654f0018fb87c73e37109ba6e4d08 Mon Sep 17 00:00:00 2001 
From: Stanislav Zhuk Date: Mon, 8 Jun 2026 16:25:42 +0300 Subject: [PATCH 5/5] do not add HOMEBREW_NO_REQUIRE_TAP_TRUST, will add it later if needed --- .github/workflows/test.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 37afa6e..937fa99 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -57,8 +57,6 @@ jobs: echo "APP_SPECIFIC_PASSWORD set: $([ -n "${APP_SPECIFIC_PASSWORD}" ] && echo "yes" || echo "no")" echo "SIGNING_TOOLS_SIGNING_PASSWORD set: $([ -n "${SIGNING_TOOLS_SIGNING_PASSWORD}" ] && echo "yes" || echo "no")" - name: Install dependencies - env: - HOMEBREW_NO_REQUIRE_TAP_TRUST: 1 run: | brew install bats-core bats-core/bats-core/bats-assert bats-core/bats-core/bats-file bats-core/bats-core/bats-support gnu-getopt jq xq yq - name: Setup tmate session