Use maintained gon fork to address Apple signing deprecation (#1997)

Summary: Use maintained gon fork to address Apple signing deprecation This is a continuation of #1994. Rather than using the macos tools directly, we can continue using gon by switching to the maintained fork ([github.com/Bearer/gon](https://github.com/Bearer/gon)) Relevant Issues: Closes #1993 Type of change: /kind bugfix Test Plan: cli-release GitHub workflow [succeeds](https://github.com/pixie-io/pixie/actions/runs/10724342153/job/29740236170) when built from this branch Changelog Message: Fix macos signing for px cli releases --------- Signed-off-by: Dom Del Nano <[email protected]>
pixie-io · Sep 5, 2024 · 3a76a27 · 3a76a27
1 parent 0c1fdd2
commit 3a76a27
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 11 deletions.
diff --git a/.github/workflows/cli_release.yaml b/.github/workflows/cli_release.yaml
@@ -88,11 +88,11 @@ jobs:
     - name: Add pwd to git safe dir
       run: git config --global --add safe.directory `pwd`
     - name: Install gon
-      run: brew install mitchellh/gon/gon
+      run: brew install Bearer/tap/gon
     - name: Sign CLI release
       env:
         REF: ${{ github.event.ref }}
-        AC_PASSWD: ${{ secrets.APPLE_ID_PASSWORD }}
+        AC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
         KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
         CERT_BASE64: ${{ secrets.APPLE_SIGN_CERT_B64 }}
         CERT_PASSWORD: ${{ secrets.APPLE_SIGN_CERT_PASSWORD }}
@@ -135,6 +135,9 @@ jobs:
       uses: ./.github/actions/gcloud_creds
       with:
         SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }}
+    - name: Add pwd to git safe dir
+      run: |
+        git config --global --add safe.directory `pwd`
     - name: Upload signed CLI
       env:
         REF: ${{ github.event.ref }}

diff --git a/ci/cli_upload_signed.sh b/ci/cli_upload_signed.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash -ex
 
 # Copyright 2018- The Pixie Authors.
 #
@@ -21,8 +21,6 @@ repo_path=$(bazel info workspace)
 # shellcheck source=ci/artifact_utils.sh
 . "${repo_path}/ci/artifact_utils.sh"
 
-set -ex
-
 printenv
 
 release_tag=${TAG_NAME##*/v}

diff --git a/ci/gon.hcl b/ci/gon.hcl
@@ -2,17 +2,16 @@
 // using Gon.
 
 source = ["./cli_darwin_amd64", "./cli_darwin_arm64", "cli_darwin_universal"]
-bundle_id = "ai.pixielabs.px"
+bundle_id = "ai.getcosmic.px"
 
-// TODO(zasgar): Update this to the [email protected] account. It has access to the certs,
-// but does not have access to application passwords.
 apple_id {
-  username = "[email protected]"
-  password = "@env:AC_PASSWD"
+  username = "[email protected]"
+  # Password is provided via AC_PASSWORD env var
+  provider = "769M9XJDG6"
 }
 
 sign {
-  application_identity = "Developer ID Application: Pixie Labs Inc. (SZCNTABEXY)"
+  application_identity = "Developer ID Application: Cosmic Observe, Inc."
 }
 
 zip {