From 9f7769ad61dc4a935e1872c9e784f9e609cbaff7 Mon Sep 17 00:00:00 2001
From: HaiberL <156420673+HaiberL@users.noreply.github.com>
Date: Mon, 5 Feb 2024 09:24:19 +0100
Subject: [PATCH 1/3] setup KeyChain
---
 .github/workflows/release.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 403cb3190..0eb24a187 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -16,7 +16,7 @@ permissions:
 jobs:
 goreleaser:
- runs-on: ubuntu-latest
+ runs-on: macOS-latest
 env:
 SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
 steps:
@@ -34,6 +34,24 @@ jobs:
 with:
 gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
 passphrase: ${{ secrets.GPG_PASSPHRASE }}
+ - name: Set up keychain
+ run: |
+ echo -n $SIGNING_CERTIFICATE_BASE64 | base64 -d -o ./ApplicationID.p12
+ KEYCHAIN_PATH=$RUNNER_TEMP/ios_signing_temp.keychain-db
+ security create-keychain -p "${{ secrets.TEMP_KEYCHAIN }}" $KEYCHAIN_PATH
+ security default-keychain -s $KEYCHAIN_PATH
+ security unlock-keychain -p "${{ secrets.TEMP_KEYCHAIN }}" $KEYCHAIN_PATH
+ security import ./ApplicationID.p12 -P "${{ secrets.APPLICATION_ID }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+ security list-keychain -d user -s $KEYCHAIN_PATH
+ echo -n $AUTHKEY_BASE64 | base64 -d -o ./AuthKey.p8
+ xcrun notarytool store-credentials stackit-cli -i $APPLE_ISSUER -d $APPLE_KEY_ID -k AuthKey.p8 --keychain $KEYCHAIN_PATH
+ rm ./ApplicationID.p12
+ rm ./AuthKey.p8
+ env:
+ APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }}
+ APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
+ SIGNING_CERTIFICATE_BASE64: ${{ secrets.APPLICATION_ID_CERT }}
+ AUTHKEY_BASE64: ${{ secrets.APPLE_API_KEY }}
 - name: Install Snapcraft
 uses: samuelmeuli/action-snapcraft@v2
 - name: Run GoReleaser
From d3ffffda5dfd01be18e05fbd86336f3a21e6be41 Mon Sep 17 00:00:00 2001
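Review bot: In the `Set up keychain` step, `${{ secrets.TEMP_KEYCHAIN }}` and `${{ secrets.APPLICATION_ID }}` are expanded into the script text before the shell runs, so a value containing `"`, `$` or a backtick alters the command line, while the other four secrets in the same step already go through `env:`. Pass these two the same way and quote every expansion (`KEYCHAIN_PASSWORD` and `P12_PASSWORD` below are illustrative names). The decoded `ApplicationID.p12` and `AuthKey.p8` are written into the working directory and, with the runner's default fail-fast shell, the two `rm` lines are skipped if any earlier command fails; writing them under `$RUNNER_TEMP` with an exit trap keeps key material out of the repository checkout. `security import -A` lets any process on the runner use the imported key without a prompt; if only codesign needs it, `-T /usr/bin/codesign` is the narrower grant, though that probably also needs a `security set-key-partition-list` call, so test it before switching.

```yaml
- name: Set up keychain
  run: |
    CERT_PATH="$RUNNER_TEMP/ApplicationID.p12"
    AUTHKEY_PATH="$RUNNER_TEMP/AuthKey.p8"
    KEYCHAIN_PATH="$RUNNER_TEMP/ios_signing_temp.keychain-db"
    trap 'rm -f "$CERT_PATH" "$AUTHKEY_PATH"' EXIT
    echo -n "$SIGNING_CERTIFICATE_BASE64" | base64 -d -o "$CERT_PATH"
    security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
    security default-keychain -s "$KEYCHAIN_PATH"
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
    security import "$CERT_PATH" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
    security list-keychain -d user -s "$KEYCHAIN_PATH"
    echo -n "$AUTHKEY_BASE64" | base64 -d -o "$AUTHKEY_PATH"
    xcrun notarytool store-credentials stackit-cli -i "$APPLE_ISSUER" -d "$APPLE_KEY_ID" -k "$AUTHKEY_PATH" --keychain "$KEYCHAIN_PATH"
  env:
    KEYCHAIN_PASSWORD: ${{ secrets.TEMP_KEYCHAIN }}
    P12_PASSWORD: ${{ secrets.APPLICATION_ID }}
    # … unchanged: APPLE_ISSUER, APPLE_KEY_ID, SIGNING_CERTIFICATE_BASE64, AUTHKEY_BASE64 …
```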
From: HaiberL <156420673+HaiberL@users.noreply.github.com>
Date: Mon, 5 Feb 2024 09:26:51 +0100
Subject: [PATCH 2/3] setup Notarization
---
 .goreleaser.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index afe15e395..1a297f7e7 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -20,9 +20,27 @@ builds:
 - id: macos-builds
 env:
 - CGO_ENABLED=0
+ - BUNDLE_ID=cloud.stackit.cli
+ - 'APPLE_APPLICATION_IDENTITY=Developer ID Application: Schwarz IT KG'
 goos:
 - darwin
 binary: "stackit"
+ goarch:
+ - arm64
+ - amd64
+ hooks:
+ post:
+ - |
+ sh -c '
+ codesign -s "{{.Env.APPLE_APPLICATION_IDENTITY}}" -f -v --options=runtime "dist/macos-builds_{{.Target}}/{{.Name}}"
+ codesign -vvv --deep --strict "dist/macos-builds_{{.Target}}/{{.Name}}"
+ ls -l "dist/macos_{{.Target}}"
+ hdiutil create -volname "STACKIT-CLI" -srcfolder "dist/macos-builds_{{.Target}}/{{.Name}}" -ov -format UDZO "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg"
+ codesign -s "{{.Env.APPLE_APPLICATION_IDENTITY}}" -f -v --options=runtime "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg"
+ xcrun notarytool submit --keychain-profile "stackit-cli" --wait --progress dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg
+ xcrun stapler staple "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg"
+ spctl -a -t open --context context:primary-signature -v dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg
+ '
 archives:
 - format: tar.gz
@@ -94,4 +112,4 @@ snapcrafts:
 description: "A command-line interface to manage STACKIT resources.\nThis CLI is in a BETA state. More services and functionality will be supported soon."
 license: Apache-2.0
 # Will only publish to `edge` and `beta` channels
- grade: devel
\ No newline at end of file
+ grade: devel
From cb666ee9ffc95f245b6b3d65fe05a9c4793297eb Mon Sep 17 00:00:00 2001
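Review bot: The `sh -c '…'` post hook in the `macos-builds` entry has no `set -e`, so only the exit status of the final `spctl` line decides whether the hook fails; a failed `codesign -vvv --deep --strict` check or a rejected `notarytool submit` does not stop the commands after it. Add `set -e` as the first line inside the quotes so the first failing signing or notarization step aborts the release. `ls -l "dist/macos_{{.Target}}"` names a different directory from the `dist/macos-builds_{{.Target}}` path on the neighbouring lines and looks like a debugging leftover that would fail once `set -e` is on; drop it or point it at `dist/macos-builds_{{.Target}}`. The `.dmg` path is unquoted on the `notarytool submit` and `spctl` lines while quoted elsewhere, and both `codesign -s` calls could pass `--timestamp` explicitly, since notarization expects a secure timestamp.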
From: =?UTF-8?q?Jo=C3=A3o=20Palet?=
Date: Mon, 5 Feb 2024 15:33:20 +0000
Subject: [PATCH 3/3] Remove custom name template in archives for consistency and skip snap publishing
---
 .goreleaser.yaml | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 1a297f7e7..c5fbf26bc 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -44,14 +44,6 @@ builds:
 archives:
 - format: tar.gz
- # This name template makes the OS and Arch compatible with the results of `uname`
- name_template: >-
- {{ .ProjectName }}_
- {{- title .Os }}_
- {{- if eq .Arch "amd64" }}x86_64
- {{- else if eq .Arch "386" }}i386
- {{- else }}{{ .Arch }}{{ end }}
- {{- if .Arm }}v{{ .Arm }}{{ end }}
 format_overrides:
 - goos: windows
 format: zip
@@ -113,3 +105,5 @@ snapcrafts:
 license: Apache-2.0
 # Will only publish to `edge` and `beta` channels
 grade: devel
+ # Skip publishing until we get approval for used interfaces or classic confinement
+ publish: false
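Review bot: With `publish: false` added under `snapcrafts`, nothing visible in this series uploads to the Snap Store, yet the workflow from patch 1 still sets `SNAPCRAFT_STORE_CREDENTIALS` at job level, where every step and third-party action in the release job can read it. Consider dropping that `env:` entry, or moving it onto the single step that needs it, until publishing is re-enabled, and say so in the new comment, e.g. `# Re-add SNAPCRAFT_STORE_CREDENTIALS in release.yaml when enabling publish`. The existing comment about publishing to the `edge` and `beta` channels, directly above `grade: devel`, now reads as contradicting `publish: false`, so qualify it with something like "once publishing is enabled". The `snapcrafts` block starts outside the hunk.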