From 252238106336c59302c58adc6903f8f7d2440f08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=A7=8B=E5=A5=88=E6=9C=88?= <43605695+akinazuki@users.noreply.github.com>
Date: Tue, 2 Jun 2026 14:54:21 +0900
Subject: [PATCH] feat(swift): optional codesigning and private SPM dependency auth

Two opt-in capabilities for the shared Swift build, both off by default so existing consumers are unaffected:
- entitlements: when set, ad-hoc codesign the built binary with the given entitlements plist right after swift build (mirrors local build-swift.sh). Threaded through swift-pkg-pr.yml and swift-release.yml into swift-build.
- private-deps: when true, mint a short-lived owner-scoped token from the org App (APP_ID/APP_PRIVATE_KEY) and configure git so SwiftPM can clone private/internal org dependencies without listing repo names.
---
 .github/blocks/swift-build/action.yml | 26 ++++++++++++++++++++++++--
 .github/workflows/swift-pkg-pr.yml | 22 ++++++++++++++++++++++
 .github/workflows/swift-release.yml | 20 ++++++++++++++++++++
 3 files changed, 66 insertions(+), 2 deletions(-)

diff --git a/.github/blocks/swift-build/action.yml b/.github/blocks/swift-build/action.yml
index 6b6523f..3f47b3d 100644
--- a/.github/blocks/swift-build/action.yml
+++ b/.github/blocks/swift-build/action.yml
@@ -17,6 +17,14 @@ inputs:
 description: "Space-separated list of SPM resource bundle names to include (e.g. 'Foo_Foo.bundle')"
 required: false
 default: ""
+ entitlements:
+ description: "Path to an entitlements plist (relative to repo root). When set, the built binary is ad-hoc codesigned with these entitlements. Needed for daemons that require private entitlements (e.g. to connect to imagent)."
+ required: false
+ default: ""
+ github-token:
+ description: "Token with read access to private/internal SPM dependencies. When set, git is configured to use it for github.com clones (so SwiftPM can fetch private deps)."
+ required: false
+ default: ""
 outputs:
 binary-path: 
@@ -49,13 +57,27 @@ runs:
 - name: Create artifacts directory
 run: mkdir -p artifacts
 shell: bash
+ - name: Configure git auth for private/internal SPM dependencies
+ if: inputs.github-token != ''
+ shell: bash
+ env:
+ GH_TOKEN: ${{ inputs.github-token }}
+ run: |
+ git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
 - name: Build Swift Binary
 shell: bash
 id: build
 run: |
 swift build -c release
- cp ".build/release/${{ inputs.binary-name }}" artifacts
- echo "binary-path=.build/release/${{ inputs.binary-name }}" >> $GITHUB_OUTPUT
+ BIN=".build/release/${{ inputs.binary-name }}"
+ if [ -n "${{ inputs.entitlements }}" ]; then
+ echo "::group::Codesign $BIN (entitlements: ${{ inputs.entitlements }})"
+ codesign -s - --entitlements "${{ inputs.entitlements }}" -f "$BIN"
+ codesign -dvvv "$BIN" || true
+ echo "::endgroup::"
+ fi
+ cp "$BIN" artifacts
+ echo "binary-path=$BIN" >> $GITHUB_OUTPUT
 # ── Collect resource bundles ──
 BUNDLES_PATH=""
diff --git a/.github/workflows/swift-pkg-pr.yml b/.github/workflows/swift-pkg-pr.yml
index aef6a33..1e73d7e 100644
--- a/.github/workflows/swift-pkg-pr.yml
+++ b/.github/workflows/swift-pkg-pr.yml
@@ -24,6 +24,16 @@ on:
 required: false
 default: ""
 description: "Space-separated list of SPM resource bundle names to include in the .pkg"
+ entitlements:
+ type: string
+ required: false
+ default: ""
+ description: "Path to an entitlements plist for ad-hoc codesigning the built binary."
+ private-deps:
+ type: boolean
+ required: false
+ default: false
+ description: "Mint an app token (APP_ID/APP_PRIVATE_KEY) so SwiftPM can clone private/internal org dependencies."
 secrets:
 SECRET_ENV_VARS:
 required: false 
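Review bot: The entitlements path is spliced into the shell script of the Build Swift Binary step three times (`if [ -n "${{ inputs.entitlements }}" ]`, the `::group::` echo and the `codesign --entitlements` argument), so a value containing a quote, `$(` or `;` is executed as shell rather than used as a path; the new Configure git auth step in the same hunk already shows the safer shape of passing the input through `env:`. Move it to `ENTITLEMENTS: ${{ inputs.entitlements }}` and reference `"$ENTITLEMENTS"` in the script, as below (the pre-existing `${{ inputs.binary-name }}` interpolation has the same shape and could be moved at the same time). Separately, the `git config --global … insteadOf` rewrite leaves the token in clear text in the runner's global git config for the rest of the job with no cleanup, and a composite action cannot register a post step; document that in place, e.g. `# NOTE: token stays in ~/.gitconfig for the remainder of the job (composite actions have no post-step); keep this action last in self-hosted jobs`, or unset the rewrite at the end of the build step. The Build Swift Binary script continues past the end of this hunk.
```yaml
      - name: Build Swift Binary
        shell: bash
        id: build
        env:
          ENTITLEMENTS: ${{ inputs.entitlements }}
        run: |
          # … unchanged: swift build, BIN= …
          if [ -n "$ENTITLEMENTS" ]; then
            echo "::group::Codesign $BIN (entitlements: $ENTITLEMENTS)"
            codesign -s - --entitlements "$ENTITLEMENTS" -f "$BIN"
            # … unchanged: codesign -dvvv, endgroup, fi, cp, binary-path output, resource bundles …
```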
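Review bot: The `private-deps` description promises a token minted from `APP_ID`/`APP_PRIVATE_KEY`, yet the `secrets:` block this hunk ends in still declares only `SECRET_ENV_VARS`; a `workflow_call` workflow only sees secrets that are declared here or that the caller forwards with `secrets: inherit`, so unless the two are declared further down (outside this hunk) the mint step runs with empty credentials whenever `private-deps` is true. Either add `APP_ID:` and `APP_PRIVATE_KEY:` entries with `required: false` under `secrets:`, or make the contract explicit in the input text, e.g. `description: "Mint an app token so SwiftPM can clone private/internal org dependencies. Requires the APP_ID and APP_PRIVATE_KEY secrets (declare them here or call with secrets: inherit)."`. The same gap exists in the matching inputs hunk of .github/workflows/swift-release.yml.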
@@ -54,12 +64,24 @@ jobs:
 | **Commit** | ${{ github.sha }} |
 | **Run** | [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) |
+ # ── Mint app token for private SPM dependencies (optional) ───────────
+ - name: Mint app token for private SPM deps
+ id: app-token
+ if: inputs.private-deps
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+
 # ── Build ────────────────────────────────────────────────────────────
 - name: Swift Build
 id: build
 uses: photon-hq/buildspace/.github/blocks/swift-build@main
 with:
 binary-name: ${{ inputs.package-name }}
+ entitlements: ${{ inputs.entitlements }}
+ github-token: ${{ steps.app-token.outputs.token }}
 compile-env: |-
 VERSION=PR-${{ github.event.pull_request.number }}
 DEPLOYMENT_ENVIRONMENT=development
diff --git a/.github/workflows/swift-release.yml b/.github/workflows/swift-release.yml
index 735d91f..867dce4 100644
--- a/.github/workflows/swift-release.yml
+++ b/.github/workflows/swift-release.yml
@@ -23,6 +23,16 @@ on:
 required: false
 default: ""
 description: "Space-separated list of SPM resource bundle names to include in the .pkg"
+ entitlements:
+ type: string
+ required: false
+ default: ""
+ description: "Path to an entitlements plist for ad-hoc codesigning the built binary."
+ private-deps:
+ type: boolean
+ required: false
+ default: false
+ description: "Mint an app token (APP_ID/APP_PRIVATE_KEY) so SwiftPM can clone private/internal org dependencies."
 labels-to-check:
 type: string
 required: false 
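Review bot: The token minted here is scoped with `owner:` only and no `repositories:` restriction, so it can read every repository the App is installed on, and it is then handed to a PR build in which `swift build` executes whatever Package.swift manifests and build plugins the PR brings in — any of that code can read the rewritten git URL and use the token for the rest of the job. The commit message accepts the no-repo-list trade-off deliberately, but the workflow should say so where the next maintainer looks: add above the step `# Token is readable by everything swift build runs; keep the App's installation limited to the dependency repos` and confirm the trigger (outside this hunk) is `pull_request` rather than `pull_request_target`, so fork PRs never receive the App secrets. A one-line comment on the `github-token:` line would also help, e.g. `# empty string when the app-token step is skipped; the action only configures git auth when non-empty`, since that skipped-step behaviour is what the action's `if: inputs.github-token != ''` guard depends on.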
@@ -115,12 +125,22 @@ jobs:
 needs: prepare-release
 runs-on: macos-26
 steps:
+ - name: Mint app token for private SPM deps
+ id: app-token
+ if: inputs.private-deps
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
 - name: Swift Build
 id: build
 uses: photon-hq/buildspace/.github/blocks/swift-build@main
 with:
 binary-name: ${{ inputs.package-name }}
 use-cache: "false"
+ entitlements: ${{ inputs.entitlements }}
+ github-token: ${{ steps.app-token.outputs.token }}
 compile-env: |-
 VERSION=${{ needs.prepare-release.outputs.version }}
 DEPLOYMENT_ENVIRONMENT=production
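Review bot: The mint step is added here without the `# ── Mint app token for private SPM dependencies (optional) ───────────` banner (and, it appears, without the separating blank line) that the identical step received in swift-pkg-pr.yml, so the two workflows now read differently for the same logic; add the same comment line above `- name: Mint app token for private SPM deps` to keep the release job scannable in the same way. The two copies are also a drift hazard — a change to the App inputs or the token scope has to land in both files — so a short cross-reference such as `# keep in sync with the same step in swift-pkg-pr.yml` on each copy is the cheap mitigation until the step is factored into the shared swift-build block. The `build` job's remaining steps continue past the end of this hunk.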