Add now required teamId option to notarization script

per1234 · per1234 · commit 9e0854aa17d9 · 2023-06-14T23:54:19.000-07:00
The options for the `notarize` call in the script are different depending on the setting of the `tool` option. Now that
the `tool` has been changed from the default `legacy` to `notarytool`, there is an additional `teamId` option, which is
the Apple Developer Program team ID associated with the macOS signing certificate.

Following the convention established in the Arduino IDE, I used an encrypted repository secret to configure the team ID
value. This is not absolutely necessary because, unlike some of the other credentials used by the build system, the team
ID is not actually a secret and can be seen in plaintext by anyone who examines the notarized application.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -49,6 +49,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           AC_USERNAME: ${{ secrets.AC_USERNAME }}
           AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+          AC_TEAM_ID: ${{ secrets.AC_TEAM_ID }}
           # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           # IS_NIGHTLY: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') }}
diff --git a/build_resources/notarize.js b/build_resources/notarize.js
@@ -40,5 +40,6 @@ exports.default = async function notarizing(context) {
 				appPath: `${appOutDir}/${appName}.app`,
 				appleId: process.env.AC_USERNAME,
 				appleIdPassword: process.env.AC_PASSWORD,
+				teamId: process.env.AC_TEAM_ID,
 		});
 };
