Master sign env (#184)

HDFGroup · May 6, 2024 · 3fb118c · 3fb118c
1 parent 3d30f76
commit 3fb118c
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 11 deletions.
diff --git a/.github/workflows/ant.yml b/.github/workflows/ant.yml
@@ -26,15 +26,17 @@ on:
         type: string
         required: true
         default: snapshots
+    secrets:
+        APPLE_CERTS_BASE64:
+            required: true
+        APPLE_CERTS_BASE64_PASSWORD:
+            required: true
+        KEYCHAIN_PASSWD:
+            required: true
 
 permissions:
   contents: read
 
-env:
-  BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTS_BASE64 }}
-  P12_PASSWORD: ${{ secrets.APPLE_CERTS_BASE64_PASSWORD }}
-  KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
-
 jobs:
   build_and_test_win:
   # Windows w/ MSVC + CMake
@@ -358,17 +360,17 @@ jobs:
           CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
           KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
           # import certificate from secrets
-          echo -n "${{ env.BUILD_CERTIFICATE_BASE64 }}" | base64 --decode -o $CERTIFICATE_PATH
+          echo -n "${{ secrets.APPLE_CERTS_BASE64 }}" | base64 --decode -o $CERTIFICATE_PATH
           ls -la $RUNNER_TEMP
           security -v verify-cert -c $CERTIFICATE_PATH
           # create temporary keychain
-          security -v create-keychain -p "$KEYCHAIN_PASSWD" $KEYCHAIN_PATH
+          security -v create-keychain -p "${{ secrets.KEYCHAIN_PASSWD }}" $KEYCHAIN_PATH
           security -v list-keychains
           security -v set-keychain-settings -lut 21600 $KEYCHAIN_PATH
-          security -v unlock-keychain -p "$KEYCHAIN_PASSWD" $KEYCHAIN_PATH
+          security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWD }}" $KEYCHAIN_PATH
           # import certificate to keychain
-          security -v import $CERTIFICATE_PATH -P "${{ env.P12_PASSWORD }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
-          security -v set-key-partition-list -S apple-tool:,apple: -k "${{ env.KEYCHAIN_PASSWD }}" $KEYCHAIN_PATH
+          security -v import $CERTIFICATE_PATH -P "${{ secrets.APPLE_CERTS_BASE64_PASSWORD }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security -v set-key-partition-list -S apple-tool:,apple: -k "${{ secrets.KEYCHAIN_PASSWD }}" $KEYCHAIN_PATH
           security -v list-keychain -d user -s $KEYCHAIN_PATH
 
     - name: Set up JDK 21

diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
@@ -81,7 +81,8 @@ jobs:
       use_hdf: ${{ needs.get-base-names.outputs.hdf4-name }}
       use_hdf5: ${{ needs.get-base-names.outputs.hdf5-name }}
       use_environ: snapshots
-    secrets: inherit
+    secrets: inherit      # pass all secrets
+
 
   call-workflow-release:
     needs: [get-base-names, call-workflow-tarball, call-workflow-ant]