[feature]: Automated releases via GitHub Actions #725
Comments
Also, it doesn't even seem possible to build the application, and there isn't any contributing documentation? Auditing is essentially impossible, as the bundled
Agreed this would be lovely to have, and would reduce that attack surface/attack angle. Building LuLu is rather involved, largely due to the myriad of constraints imposed by Apple, which include but are not limited to requiring special entitlements, notarization, etc. etc. As such, wherever LuLu is built must have access to various private certificates, profiles, keys, and be signed in with an Apple Developer Account. I am unfamiliar with GitHub Actions, though I do see there is some documentation about how to do (at least some of these) steps: https://federicoterzi.com/blog/automatic-code-signing-and-notarization-for-macos-apps-using-github-actions/ & https://github.com/marketplace/actions/codesign-and-notarize Maybe something to look into once I have a free weekend! PS. The complexities of building LuLu from source are discussed here as well: #568
@objective-see Totally understandable! GitHub Actions has really good APIs for secrets and entitlements, and anything that can be done on a macOS CLI is possible on it. I'd be happy to contribute an actions workflow for releases with explanations on the different environment variables if that would be welcomed! Side note: This is an awesome project, love it tons!
👍 Awesome, will definitely look into this more and set this as a goal! One question, currently LuLu is built via Xcode (which has the necessary profiles installed/can grab all the things from the keychain) ...would it be easier to first get it building via the CLI (still locally), then once that's working "convert" that to a GitHub Action? Or?
@objective-see GitHub Actions are basically just lists of CLI commands that are run based on a certain trigger, so yes! Almost all of the functions that are done in the Xcode GUI can easily be converted over to CLI commands, which can be easily run on a GitHub Action runner!
@objective-see maybe this could be a good starting point :)
I agree with objective-see on the negation |
You could reduce the amount of supply-chain attack vectors in distributing LuLu by building and uploading to GitHub Releases using a sandboxed GitHub Actions runner that builds, signs, and uploads from the source code.
This means that rather than a human building and signing LuLu on a computer that may or may not be compromised, with virtually no way to verify the integrity of the build input (i.e. source code), you could instead have a transparently running GitHub Action that takes the same input (actions/checkout verifies that the source code is exactly as it is in the repository) and is able to produce the same output to GitHub Releases.
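The pipeline the thread describes (checkout, import signing material from repository secrets into a throwaway keychain, build and sign, notarize, upload to Releases), written out as an added example workflow that is not LuLu's own. The secret names, the `LuLu` scheme and the committed `exportOptions.plist` are assumptions, and installing the provisioning profiles the system extension needs is not shown.

```yaml
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: write   # only what the upload step needs
jobs:
  build-sign-notarize:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4   # pins the build input to the tagged commit
      - name: Import signing certificate into a throwaway keychain
        env:
          CERT_B64: ${{ secrets.MACOS_CERT_P12_BASE64 }}   # assumed secret names
          CERT_PW:  ${{ secrets.MACOS_CERT_PASSWORD }}
        run: |
          KC="$RUNNER_TEMP/build.keychain-db"
          KC_PW="$(openssl rand -hex 16)"   # random keychain password, never printed
          echo "$CERT_B64" | base64 --decode > "$RUNNER_TEMP/cert.p12"
          security create-keychain -p "$KC_PW" "$KC"
          security unlock-keychain -p "$KC_PW" "$KC"
          security import "$RUNNER_TEMP/cert.p12" -k "$KC" -P "$CERT_PW" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KC_PW" "$KC"
          security list-keychains -d user -s "$KC" login.keychain-db
          rm -f "$RUNNER_TEMP/cert.p12"   # key material only ever lives in this job
      - name: Build and export a signed archive (scheme name assumed)
        run: |
          xcodebuild -scheme LuLu -configuration Release \
            -archivePath "$RUNNER_TEMP/LuLu.xcarchive" archive
          xcodebuild -exportArchive -archivePath "$RUNNER_TEMP/LuLu.xcarchive" \
            -exportOptionsPlist exportOptions.plist -exportPath dist
      - name: Notarize and staple
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}   # app-specific password
        run: |
          ditto -c -k --keepParent dist/LuLu.app dist/LuLu.zip
          xcrun notarytool submit dist/LuLu.zip --apple-id "$APPLE_ID" \
            --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_PASSWORD" --wait
          xcrun stapler staple dist/LuLu.app
          ditto -c -k --keepParent dist/LuLu.app dist/LuLu.zip   # re-zip the stapled app
      - name: Publish to GitHub Releases
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release create "$GITHUB_REF_NAME" dist/LuLu.zip --verify-tag
```

Because the job starts from an `actions/checkout` of the tag and runs on an ephemeral runner, the release artifact can be traced back to a specific commit rather than to whatever state a developer's machine was in.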