[workspaces] Configure EAS build (#115)

* [workspaces] Configure EAS builds

* [eas] Add custom EAS build function to configure macOS credentials

* Add preview workflow

* Update configureMacOSCredentials readme

* Add changelog entry

CHANGELOG.md

@@ -15,6 +15,7 @@
 ### 💡 Others
 
 - Upgrade @react-native-clipboard/clipboard to 1.13.1 and remove patch. ([#116](https://github.com/expo/orbit/pull/116) by [@gabrieldonadel](https://github.com/gabrieldonadel))
+- Configure EAS build workflow. ([#115](https://github.com/expo/orbit/pull/115) by [@gabrieldonadel](https://github.com/gabrieldonadel))
 
 ## 1.0.1 — 2023-12-01
 

apps/menu-bar/.eas/build/build-preview.yml

@@ -0,0 +1,45 @@
+build:
+  name: Build Orbit preview
+  steps:
+    - eas/checkout
+    - configure_macos_credentials:
+        inputs:
+          buildCredentials: ${ eas.job.secrets.buildCredentials }
+    - eas/install_node_modules
+    - run:
+        name: Build packages
+        working_directory: ../../
+        command: |
+          yarn build
+    - run:
+        name: Archive CLI
+        working_directory: ../../apps/cli
+        command: |
+          yarn archive
+    - run:
+        name: Codesign CLI
+        working_directory: ../../apps/cli
+        command: |
+          yarn codesign
+    - run:
+        name: Install menu-bar pods
+        working_directory: ./macos
+        command: pod install
+    - run:
+        name: Archive menu-bar
+        working_directory: ../../apps/menu-bar
+        command: |
+          yarn archive
+    - run:
+        name: Export archive menu-bar
+        working_directory: ../../apps/menu-bar
+        command: |
+          yarn export-local-archive
+    - eas/find_and_upload_build_artifacts
+functions:
+  configure_macos_credentials:
+    name: Configure macOS Credentials
+    inputs:
+      - name: buildCredentials
+        type: json
+    path: ./configureMacOSCredentials

apps/menu-bar/.eas/build/build-release.yml

@@ -0,0 +1,50 @@
+build:
+  name: Build and notarize Orbit
+  steps:
+    - eas/checkout
+    - configure_macos_credentials:
+        inputs:
+          buildCredentials: ${ eas.job.secrets.buildCredentials }
+    - eas/install_node_modules
+    - run:
+        name: Build packages
+        working_directory: ../../
+        command: |
+          yarn build
+    - run:
+        name: Archive CLI
+        working_directory: ../../apps/cli
+        command: |
+          yarn archive
+    - run:
+        name: Codesign CLI
+        working_directory: ../../apps/cli
+        command: |
+          yarn codesign
+    - run:
+        name: Install menu-bar pods
+        working_directory: ./macos
+        command: pod install
+    - run:
+        name: Archive menu-bar
+        working_directory: ../../apps/menu-bar
+        command: |
+          yarn archive
+    - run:
+        name: Export archive menu-bar
+        working_directory: ../../apps/menu-bar
+        command: |
+          yarn export-upload-archive
+    - run:
+        name: Notarize menu-bar
+        working_directory: ../../apps/menu-bar
+        command: |
+          yarn notarize
+    - eas/find_and_upload_build_artifacts
+functions:
+  configure_macos_credentials:
+    name: Configure macOS Credentials
+    inputs:
+      - name: buildCredentials
+        type: json
+    path: ./configureMacOSCredentials

apps/menu-bar/.eas/build/configureMacOSCredentials/README.md

@@ -0,0 +1,35 @@
+# Configure macOS credentials
+
+This is a custom EAS build function written in TypeScript that configures the credentials for a macOS build while EAS
+doesn't add official support. It can be used as a step in a [custom build](https://docs.expo.dev/preview/custom-build-config/).
+
+## How to use it
+
+1. Install dependencies: `npm install`.
+2. Implement your function in `src/index.ts`.
+3. Install [`ncc`](https://github.com/vercel/ncc) if not yet installed: `npm install -g @vercel/ncc`.
+4. Compile the function with `ncc` by running `npm run build`. Ensure that the `build` directory is not ignored by `.gitignore` / `.easignore`, it must be included in the [archive uploaded when running `eas build`](https://expo.fyi/eas-build-archive).
+5. Use the function in a custom build YAML config. For example:
+
+   ```yml
+   build:
+     name: Custom build
+     steps:
+       - run:
+           name: Hi!
+           command: echo "Hello! Let's run a custom function!"
+       - configure_macos_credentials:
+           id: my-function-call
+       - run:
+           name: Bye!
+           command: echo "Bye! The custom function has finished its job."
+
+   functions:
+     configure_macos_credentials:
+       name: Configure macOS Credentials
+       path: ./configureMacOSCredentials # The path is resolved relative to this config file.
+   ```
+
+## Learn more
+
+Refer to the [custom builds documentation](https://docs.expo.dev/preview/custom-build-config/).

apps/menu-bar/.eas/build/configureMacOSCredentials/eas.json

@@ -0,0 +1,18 @@
+{
+  "cli": {
+    "version": ">= 5.4.0"
+  },
+  "build": {
+    "development": {
+      "developmentClient": true,
+      "distribution": "internal"
+    },
+    "preview": {
+      "distribution": "internal"
+    },
+    "production": {}
+  },
+  "submit": {
+    "production": {}
+  }
+}

apps/menu-bar/.eas/build/configureMacOSCredentials/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "configure-macos-credentials",
+  "version": "1.0.0",
+  "description": "",
+  "main": "./build/index.js",
+  "type": "commonjs",
+  "scripts": {
+    "build": "ncc build ./src/index.ts -o build/ --minify --no-cache --no-source-map-register",
+    "watch": "ncc build ./src/index.ts -o build/ --minify --no-cache --no-source-map-register --watch"
+  },
+  "keywords": [],
+  "author": "",
+  "devDependencies": {
+    "@types/node": "^18.11.18",
+    "typescript": "^5.1.6",
+    "@expo/steps": "^1.0.34"
+  }
+}

apps/menu-bar/.eas/build/configureMacOSCredentials/src/index.ts

@@ -0,0 +1,111 @@
+import path from 'path';
+import fs from 'fs-extra';
+import { v4 as uuid } from 'uuid';
+import { BuildStepInput, BuildStepInputValueTypeName } from '@expo/steps';
+import spawnAsync from '@expo/spawn-async';
+
+import { BuildStepContext } from '@expo/steps';
+
+interface FunctionInputs {
+  buildCredentials: BuildStepInput<BuildStepInputValueTypeName.JSON, true>;
+}
+
+const KEYCHAIN_NAME = 'orbit-keychain';
+const KEYCHAIN_PASSWORD = 'orbit-keychain-password';
+
+async function configureMacOSCredentials(
+  ctx: BuildStepContext,
+  {
+    inputs,
+  }: {
+    inputs: FunctionInputs;
+  }
+): Promise<void> {
+  try {
+    // Download Apple Developer ID intermediate certificate
+    await spawnAsync('curl', [
+      'https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer',
+      '-o',
+      'DeveloperIDG2CA.cer',
+    ]);
+
+    // Allow `security add-trusted-cert` command to run without password prompt
+    await spawnAsync('sudo', [
+      'security',
+      'authorizationdb',
+      'write',
+      'com.apple.trust-settings.admin',
+      'allow',
+    ]);
+
+    // Add DeveloperIDG2CA certificate to System keychain
+    await spawnAsync('sudo', [
+      'security',
+      'add-trusted-cert',
+      '-d',
+      '-k',
+      '/Library/Keychains/System.keychain',
+      '-r',
+      'trustRoot',
+      'DeveloperIDG2CA.cer',
+    ]);
+
+    // Read distribution certificate from build credentials and write it to a file
+    const rawCredentialsInput = inputs.buildCredentials.value as Record<string, any>;
+    const target = Object.keys(rawCredentialsInput)[0];
+    const certificate = rawCredentialsInput[target].distributionCertificate;
+    const distCertPath = path.join(ctx.workingDirectory, `${uuid()}.p12`);
+    ctx.logger.info(`Writing distribution certificate to ${distCertPath}`);
+    await fs.writeFile(distCertPath, Buffer.from(certificate.dataBase64, 'base64'));
+
+    // Create a new keychain
+    await spawnAsync('security', ['create-keychain', '-p', KEYCHAIN_PASSWORD, KEYCHAIN_NAME]);
+
+    // Add new keychain to search list
+    const keychainsListResult = await spawnAsync('security', ['list-keychains']);
+    await spawnAsync('security', [
+      'list-keychains',
+      '-s',
+      KEYCHAIN_NAME,
+      ...keychainsListResult.output,
+    ]);
+
+    // Import the distribution certificate into the new keychain
+    await spawnAsync('security', [
+      'import',
+      distCertPath,
+      '-P',
+      certificate.password,
+      '-k',
+      KEYCHAIN_NAME,
+      '-T',
+      '/usr/bin/codesign',
+    ]);
+
+    // Set a partition list to avoid interactive prompts
+    await spawnAsync('security', [
+      'set-key-partition-list',
+      '-S',
+      'apple-tool:,apple:',
+      '-s',
+      '-k',
+      KEYCHAIN_PASSWORD,
+      KEYCHAIN_NAME,
+    ]);
+
+    // List all available identities
+    let result = await spawnAsync('security', ['find-identity']);
+    ctx.logger.info(`Identities: ${result.output}`);
+
+    // Unlock the keychain so we don't get prompted for the password
+    await spawnAsync('security', ['unlock-keychain', '-p', KEYCHAIN_PASSWORD, KEYCHAIN_NAME]);
+
+    // Set the keychain timeout to infinity
+    await spawnAsync('security', ['set-keychain-settings', KEYCHAIN_NAME]);
+  } catch (error) {
+    ctx.logger.error(`ERROR: ${error}`);
+    throw error;
+  }
+}
+
+export default configureMacOSCredentials;

apps/menu-bar/.eas/build/configureMacOSCredentials/tsconfig.json

@@ -0,0 +1,26 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "commonjs",
+    "sourceMap": true,
+    "inlineSources": true,
+    "strict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "noEmit": false,
+    "forceConsistentCasingInFileNames": true,
+    "outDir": "build",
+    "resolveJsonModule": true,
+    "allowSyntheticDefaultImports": true,
+    "moduleResolution": "node",
+    "rootDir": "src",
+    "declaration": false,
+    "composite": false
+  },
+  "include": ["src/**/*.ts"],
+  "exclude": ["**/__mocks__/*", "**/__tests__/*"]
+}