Update CircleCI config to sign MacOS binaries (gruntwork-io#2661)

* Add config of circleci to sign macos binaries

* Add go orb

* Persist workspace between jobs

* Fix spacing in persist_to_workspace

.circleci/config.yml

@@ -1,6 +1,13 @@
 orbs:
   # The Windows orb gives us everything we need to start using the Windows executor.
   win: circleci/[email protected]
+  go: circleci/[email protected]
+
+# The "sign binary" rubs in a MacOS environment, so it's necessary to download GW's binaries
+env: &env
+  environment:
+    GRUNTWORK_INSTALLER_VERSION: v0.0.39
+    MODULE_CI_VERSION: v0.52.6
 
 defaults: &defaults
   docker:
@@ -116,13 +123,44 @@ jobs:
     steps:
       - checkout
       - run: build-go-binaries --app-name terragrunt --dest-path bin --ld-flags "-X github.com/gruntwork-io/go-commons/version.Version=$CIRCLE_TAG -extldflags '-static'"
+      - persist_to_workspace:
+          root: .
+          paths: bin
   deploy:
-    resource_class: large
-    <<: *defaults
+    <<: *env
+    macos:
+      xcode: 14.2.0
+    resource_class: macos.x86.medium.gen2
     steps:
       - checkout
-      - run: build-go-binaries --app-name terragrunt --dest-path bin --ld-flags "-X github.com/gruntwork-io/go-commons/version.Version=$CIRCLE_TAG -extldflags '-static'"
-      - run: cd bin && sha256sum * > SHA256SUMS
+      - attach_workspace:
+          at: .
+      - go/install:
+          version: "1.20.5"
+      - run:
+          name: Install sign-binary-helpers
+          command: |
+            curl -Ls https://raw.githubusercontent.com/gruntwork-io/gruntwork-installer/master/bootstrap-gruntwork-installer.sh | bash /dev/stdin --version "${GRUNTWORK_INSTALLER_VERSION}"
+            gruntwork-install --module-name "gruntwork-module-circleci-helpers" --repo "https://github.com/gruntwork-io/terraform-aws-ci" --tag "${MODULE_CI_VERSION}"
+            gruntwork-install --module-name "sign-binary-helpers" --repo "https://github.com/gruntwork-io/terraform-aws-ci" --tag "${MODULE_CI_VERSION}"
+      - run:
+          name: Compile and sign the binaries
+          command: |
+            sign-binary --install-macos-sign-dependencies --os mac .gon_amd64.hcl
+            sign-binary --os mac .gon_arm64.hcl
+            echo "Done signing the binary"
+
+            # Replace the files in bin. These are the same file names generated from .gon_amd64.hcl and .gon_arm64.hcl
+            unzip terragrunt_darwin_amd64.zip
+            mv terragrunt_darwin_amd64 bin/
+
+            unzip terragrunt_darwin_arm64.zip
+            mv terragrunt_darwin_arm64 bin/
+      - run:
+          name: Run SHA256SUM
+          command: |
+            brew install coreutils
+            cd bin && sha256sum * > SHA256SUMS
       - run: upload-github-release-assets bin/*
 workflows:
   version: 2
@@ -177,3 +215,4 @@ workflows:
             - GITHUB__PAT__gruntwork-ci
             - GCP__automated-tests
             - GITHUB__PAT__gruntwork-ci
+            - APPLE__OSX__code-signing

.gon_amd64.hcl

@@ -0,0 +1,19 @@
+# See https://github.com/gruntwork-io/terraform-aws-ci/blob/main/modules/sign-binary-helpers/
+# for further instructions on how to sign the binary + submitting for notarization.
+
+source = ["./bin/terragrunt_darwin_amd64"]
+
+bundle_id = "io.gruntwork.app.terragrunt"
+
+apple_id {
+  username = "[email protected]"
+  password = "@env:MACOS_AC_PASSWORD"
+}
+
+sign {
+  application_identity = "Developer ID Application: Gruntwork, Inc."
+}
+
+zip {
+  output_path = "terragrunt_darwin_amd64.zip"
+}

.gon_arm64.hcl

@@ -0,0 +1,19 @@
+# See https://github.com/gruntwork-io/terraform-aws-ci/blob/main/modules/sign-binary-helpers/
+# for further instructions on how to sign the binary + submitting for notarization.
+
+source = ["./bin/terragrunt_darwin_arm64"]
+
+bundle_id = "io.gruntwork.app.terragrunt"
+
+apple_id {
+  username = "[email protected]"
+  password = "@env:MACOS_AC_PASSWORD"
+}
+
+sign {
+  application_identity = "Developer ID Application: Gruntwork, Inc."
+}
+
+zip {
+  output_path = "terragrunt_darwin_arm64.zip"
+}