burrow/.github/actions/notarize/action.yml

name: Notarize
inputs:
  app-store-key:
    description: App Store key in PEM PKCS#8 format
    required: true
  app-store-key-id:
    description: App Store key ID
    required: true
  app-store-key-issuer-id:
    description: App Store key issuer ID
    required: true
  archive-path:
    description: Xcode archive path
    required: true
  export-path:
    description: The path to export the archive to
    required: true
runs:
  using: composite
  steps:
  - id: notarize
    shell: bash
    working-directory: Apple
    run: |
      echo "${{ inputs.app-store-key }}" > AuthKey_${{ inputs.app-store-key-id }}.p8

      echo '{"destination":"export","method":"developer-id"}' \
        | plutil -convert xml1 -o ExportOptions.plist -

      xcodebuild \
        -exportArchive \
        -allowProvisioningUpdates \
        -allowProvisioningDeviceRegistration \
        -skipPackagePluginValidation \
        -skipMacroValidation \
        -archivePath Wallet.xcarchive \
        -exportPath Release \
        -exportOptionsPlist ExportOptions.plist

      rm ExportOptions.plist

      NOTARY_AUTH=""

      ditto -c -k --keepParent Release/Wallet.app Upload.zip
      SUBMISSION_ID=$(xcrun notarytool submit --issuer ${{ inputs.app-store-key-issuer-id }} --key-id ${{ inputs.app-store-key-id }} --key "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" Upload.zip | awk '/ id:/ { print $2; exit }')

      xcrun notarytool wait $SUBMISSION_ID --issuer ${{ inputs.app-store-key-issuer-id }} --key-id ${{ inputs.app-store-key-id }} --key "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8"
      xcrun stapler staple Release/Wallet.app

      aa archive -a lzma -b 8m -d Release -subdir Wallet.app -o Wallet.app.aar

      rm -rf Upload.zip Release AuthKey_${{ inputs.app-store-key-id }}.p8 ExportOptions.plist