From 7d3ce24f3519b656dc6bcd3f121c18cfe46c4d8d Mon Sep 17 00:00:00 2001
From: Tim Rogers <me@timrogers.co.uk>
Date: Tue, 1 Oct 2024 22:14:20 +0100
Subject: [PATCH 1/6] Create, sign and notarize a universal macOS binary,
 combining the arm64 and amd64 binaries

---
 .github/workflows/build_and_release.yml | 58 ++++++++++++++++++++++++-
 1 file changed, 57 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build_and_release.yml b/.github/workflows/build_and_release.yml
index be41543..4215609 100644
--- a/.github/workflows/build_and_release.yml
+++ b/.github/workflows/build_and_release.yml
@@ -102,6 +102,56 @@ jobs:
           notarize: true
           app_store_connect_api_key_json_file: app_store_connect_api_key.json
         if: matrix.job.os == 'macos-latest'
+  create_and_sign_macos_universal_binary:
+    name: Create and sign macOS universal binary (macOS only)
+    runs-on: macos-latest
+    needs: build
+    steps:
+      - name: Download macOS amd64 binary
+        uses: actions/download-artifact@v4
+        with:
+          name: litra_${{ steps.sanitise_ref.outputs.value }}_darwin-amd64
+      - name: Download macOS arm64 binary
+        uses: actions/download-artifact@v4
+        with:
+          name: litra_${{ steps.sanitise_ref.outputs.value }}_darwin-arm64
+      - name: Create universal macOS binary
+        run: lipo -create -output litra_${{ steps.sanitise_ref.outputs.value }}_darwin-universal \
+          litra_${{ steps.sanitise_ref.outputs.value }}_darwin-amd64 \
+          litra_${{ steps.sanitise_ref.outputs.value }}_darwin-arm64
+      - name: Write Apple signing key to a file (macOS only)
+        env:
+          APPLE_SIGNING_KEY_P12: ${{ secrets.APPLE_SIGNING_KEY_P12 }}
+        run: echo "$APPLE_SIGNING_KEY_P12" | base64 -d -o key.p12
+        if: matrix.job.os == 'macos-latest'
+      - name: Write App Store Connect API key to a file (macOS only)
+        env:
+          APP_STORE_CONNECT_API_KEY: ${{ secrets.APP_STORE_CONNECT_API_KEY }}
+        run: echo "$APP_STORE_CONNECT_API_KEY" > app_store_connect_api_key.json
+        if: matrix.job.os == 'macos-latest'
+      - name: Sign macOS binary (macOS only)
+        uses: indygreg/apple-code-sign-action@v1
+        with:
+          input_path: litra_${{ steps.sanitise_ref.outputs.value }}_darwin-universal
+          p12_file: key.p12
+          p12_password: ${{ secrets.APPLE_SIGNING_KEY_PASSWORD }}
+          sign: true
+          sign_args: "--code-signature-flags=runtime"
+      - name: Upload binary as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: litra_${{ steps.sanitise_ref.outputs.value }}_darwin-universal
+          name: litra_${{ steps.sanitise_ref.outputs.value }}_darwin-universal
+      - name: Archive macOS binary for notarisation (macOS only)
+        run: zip litra_${{ steps.sanitise_ref.outputs.value }}_darwin-universal.zip litra_${{ steps.sanitise_ref.outputs.value }}_darwin-universal
+      - name: Notarise signed macOS binary (macOS only)
+        uses: indygreg/apple-code-sign-action@v1
+        with:
+          input_path: litra_${{ steps.sanitise_ref.outputs.value }}_darwin-universal.zip
+          sign: false
+          notarize: true
+          app_store_connect_api_key_json_file: app_store_connect_api_key.json
+          
   cargo_publish_dry_run:
     name: Publish with Cargo in dry-run mode
     runs-on: ubuntu-latest
@@ -133,7 +183,9 @@ jobs:
   create_github_release:
     name: Create release with binary assets
     runs-on: ubuntu-latest
-    needs: build
+    needs: 
+      - build
+      - create_and_sign_macos_universal_binary
     if: startsWith(github.event.ref, 'refs/tags/v')
     steps:
       - name: Sanitise Git ref for use in filenames
@@ -148,6 +200,9 @@ jobs:
       - uses: actions/download-artifact@v4
         with:
           name: litra_${{ steps.sanitise_ref.outputs.value }}_darwin-arm64
+      - uses: actions/download-artifact@v4
+        with:
+          name: litra_${{ steps.sanitise_ref.outputs.value }}_darwin-universal
       - uses: actions/download-artifact@v4
         with:
           name: litra_${{ steps.sanitise_ref.outputs.value }}_windows-amd64.exe
@@ -159,6 +214,7 @@ jobs:
             litra_${{ steps.sanitise_ref.outputs.value }}_darwin-amd64
             litra_${{ steps.sanitise_ref.outputs.value }}_darwin-arm64
             litra_${{ steps.sanitise_ref.outputs.value }}_linux-amd64
+            litra_${{ steps.sanitise_ref.outputs.value }}_darwin-universal
   publish_on_homebrew:
     name: Publish release on Homebrew
     runs-on: ubuntu-latest

From 33ffb74a1673615ad113c3034acfceda40505998 Mon Sep 17 00:00:00 2001
From: Tim Rogers <me@timrogers.co.uk>
Date: Tue, 1 Oct 2024 22:14:47 +0100
Subject: [PATCH 2/6] Use the darwin-universal binary for Homebrew

---
 .github/workflows/build_and_release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build_and_release.yml b/.github/workflows/build_and_release.yml
index 4215609..d34c581 100644
--- a/.github/workflows/build_and_release.yml
+++ b/.github/workflows/build_and_release.yml
@@ -227,7 +227,7 @@ jobs:
       - uses: mislav/bump-homebrew-formula-action@v3
         with:
           formula-name: litra
-          download-url: https://github.com/timrogers/litra-rs/releases/download/${{ steps.get_version.outputs.VERSION }}/litra_${{ steps.get_version.outputs.VERSION }}_darwin-amd64
+          download-url: https://github.com/timrogers/litra-rs/releases/download/${{ steps.get_version.outputs.VERSION }}/litra_${{ steps.get_version.outputs.VERSION }}_darwin-universal
           homebrew-tap: timrogers/homebrew-tap
           push-to: timrogers/homebrew-tap
           create-pullrequest: true

From d22e3de1af75f15cf1e17537499df6a5f63f43ba Mon Sep 17 00:00:00 2001
From: Tim Rogers <me@timrogers.co.uk>
Date: Tue, 1 Oct 2024 22:18:01 +0100
Subject: [PATCH 3/6] Add sanitize ref step

---
 .github/workflows/build_and_release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/build_and_release.yml b/.github/workflows/build_and_release.yml
index d34c581..0a400c2 100644
--- a/.github/workflows/build_and_release.yml
+++ b/.github/workflows/build_and_release.yml
@@ -107,6 +107,9 @@ jobs:
     runs-on: macos-latest
     needs: build
     steps:
+      - name: Sanitise Git ref for use in filenames
+        id: sanitise_ref
+        run: echo "::set-output name=value::$(echo "${{ github.ref_name }}" | tr '/' '_')"
       - name: Download macOS amd64 binary
         uses: actions/download-artifact@v4
         with:

From 11009048dc608679b8295cfc602bf9bb44391603 Mon Sep 17 00:00:00 2001
From: Tim Rogers <me@timrogers.co.uk>
Date: Tue, 1 Oct 2024 22:18:10 +0100
Subject: [PATCH 4/6] Inline lipo call

---
 .github/workflows/build_and_release.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/build_and_release.yml b/.github/workflows/build_and_release.yml
index 0a400c2..8fb0886 100644
--- a/.github/workflows/build_and_release.yml
+++ b/.github/workflows/build_and_release.yml
@@ -119,9 +119,7 @@ jobs:
         with:
           name: litra_${{ steps.sanitise_ref.outputs.value }}_darwin-arm64
       - name: Create universal macOS binary
-        run: lipo -create -output litra_${{ steps.sanitise_ref.outputs.value }}_darwin-universal \
-          litra_${{ steps.sanitise_ref.outputs.value }}_darwin-amd64 \
-          litra_${{ steps.sanitise_ref.outputs.value }}_darwin-arm64
+        run: lipo -create -output litra_${{ steps.sanitise_ref.outputs.value }}_darwin-universal litra_${{ steps.sanitise_ref.outputs.value }}_darwin-amd64 litra_${{ steps.sanitise_ref.outputs.value }}_darwin-arm64
       - name: Write Apple signing key to a file (macOS only)
         env:
           APPLE_SIGNING_KEY_P12: ${{ secrets.APPLE_SIGNING_KEY_P12 }}

From a19cf947191778481fce9046d6c3bbbb3312a714 Mon Sep 17 00:00:00 2001
From: Tim Rogers <me@timrogers.co.uk>
Date: Tue, 1 Oct 2024 22:20:22 +0100
Subject: [PATCH 5/6] Remove unnecessary condition

---
 .github/workflows/build_and_release.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/build_and_release.yml b/.github/workflows/build_and_release.yml
index 8fb0886..77cda09 100644
--- a/.github/workflows/build_and_release.yml
+++ b/.github/workflows/build_and_release.yml
@@ -124,12 +124,10 @@ jobs:
         env:
           APPLE_SIGNING_KEY_P12: ${{ secrets.APPLE_SIGNING_KEY_P12 }}
         run: echo "$APPLE_SIGNING_KEY_P12" | base64 -d -o key.p12
-        if: matrix.job.os == 'macos-latest'
       - name: Write App Store Connect API key to a file (macOS only)
         env:
           APP_STORE_CONNECT_API_KEY: ${{ secrets.APP_STORE_CONNECT_API_KEY }}
         run: echo "$APP_STORE_CONNECT_API_KEY" > app_store_connect_api_key.json
-        if: matrix.job.os == 'macos-latest'
       - name: Sign macOS binary (macOS only)
         uses: indygreg/apple-code-sign-action@v1
         with:

From 2f2ab145a5b3a19407a8b988ac3467d9d898acce Mon Sep 17 00:00:00 2001
From: Tim Rogers <me@timrogers.co.uk>
Date: Tue, 1 Oct 2024 22:20:28 +0100
Subject: [PATCH 6/6] Fix formatting

---
 .github/workflows/build_and_release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build_and_release.yml b/.github/workflows/build_and_release.yml
index 77cda09..4a5149f 100644
--- a/.github/workflows/build_and_release.yml
+++ b/.github/workflows/build_and_release.yml
@@ -150,7 +150,7 @@ jobs:
           sign: false
           notarize: true
           app_store_connect_api_key_json_file: app_store_connect_api_key.json
-          
+
   cargo_publish_dry_run:
     name: Publish with Cargo in dry-run mode
     runs-on: ubuntu-latest
@@ -182,7 +182,7 @@ jobs:
   create_github_release:
     name: Create release with binary assets
     runs-on: ubuntu-latest
-    needs: 
+    needs:
       - build
       - create_and_sign_macos_universal_binary
     if: startsWith(github.event.ref, 'refs/tags/v')