try github action ci build

.github/scripts/decrypt-secret.ps1

@@ -0,0 +1,29 @@
+param (
+  [Parameter(Mandatory=$true)]
+  [string] $filename,
+  [string] $output
+)
+
+$homePath = Resolve-Path "~" | Select-Object -ExpandProperty Path
+$rootPath = $env:GITHUB_WORKSPACE
+
+$secretInputPath = $rootPath + "/.github/secrets"
+$input = $secretInputPath + "/" + $filename
+
+$passphrase = $env:DECRYPT_FILE_PASSWORD
+$secretOutputPath = $homePath + "/secrets"
+
+if ([string]::IsNullOrEmpty($output)) {
+  if ($filename.EndsWith(".gpg")) {
+    $output = $secretOutputPath + "/" + $filename.TrimEnd(".gpg")
+  } else {
+    $output = $secretOutputPath + "/" + $filename + ".plaintext"
+  }
+}
+
+if (!(Test-Path -Path $secretOutputPath))  
+{
+  New-Item -ItemType Directory -Path $secretOutputPath 
+}
+
+gpg --quiet --batch --yes --decrypt --passphrase="$passphrase" --output $output $input

.github/scripts/macos/decrypt-secrets.ps1

@@ -0,0 +1,10 @@
+$rootPath = $env:GITHUB_WORKSPACE;
+
+$decryptSecretPath = $($rootPath + "/.github/scripts/decrypt-secret.ps1");
+
+Invoke-Expression "& `"$decryptSecretPath`" -filename bitwarden-deskop-key.p12.gpg"
+Invoke-Expression "& `"$decryptSecretPath`" -filename appstore-app-cert.p12.gpg"
+Invoke-Expression "& `"$decryptSecretPath`" -filename appstore-installer-cert.p12.gpg"
+Invoke-Expression "& `"$decryptSecretPath`" -filename devid-app-cert.p12.gpg"
+Invoke-Expression "& `"$decryptSecretPath`" -filename devid-installer-cert.p12.gpg"
+Invoke-Expression "& `"$decryptSecretPath`" -filename bitwarden_desktop_appstore.provisionprofile.gpg"

.github/scripts/macos/increment-version.ps1

@@ -0,0 +1,2 @@
+$rootPath = $env:GITHUB_WORKSPACE;
+$buildNumber = 100 + [int]$env:GITHUB_RUN_NUMBER;

.github/scripts/macos/setup-keychain.ps1

@@ -0,0 +1,19 @@
+$homePath = Resolve-Path "~" | Select-Object -ExpandProperty Path;
+$secretsPath = $homePath + "/secrets"
+
+$desktopKeyPath = $($secretsPath + "/bitwarden-dekstop-key.p12");
+$devidAppCertPath = $($secretsPath + "/devid-app-cert.p12");
+$devidInstallerCertPath = $($secretsPath + "/devid-installer-cert.p12");
+$appstoreAppCertPath = $($secretsPath + "/appstore-app-cert.p12");
+$appstoreInstallerCertPath = $($secretsPath + "/appstore-installer-cert.p12");
+
+security create-keychain -p $env:KEYCHAIN_PASSWORD build.keychain
+security default-keychain -s build.keychain
+security unlock-keychain -p $env:KEYCHAIN_PASSWORD build.keychain
+security set-keychain-settings -lut 1200 build.keychain
+security import $desktopKeyPath -k build.keychain -P $env:DESKTOP_KEY_PASSWORD -T /usr/bin/codesign -T /usr/bin/security
+security import $devidAppCertPath -k build.keychain -P $env:DIST_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security
+security import $devidInstallerCertPath -k build.keychain -P $env:DIST_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security
+security import $appstoreAppCertPath -k build.keychain -P $env:DIST_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security
+security import $appstoreInstallerCertPath -k build.keychain -P $env:DIST_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $env:KEYCHAIN_PASSWORD build.keychain

.github/scripts/macos/setup-profiles.ps1

@@ -0,0 +1,6 @@
+$homePath = Resolve-Path "~" | Select-Object -ExpandProperty Path;
+$secretsPath = $homePath + "/secrets"
+$rootPath = $env:GITHUB_WORKSPACE
+$pprofile = "bitwarden_desktop_appstore.provisionprofile"
+
+Copy-Item "$secretsPath/$pprofile" -destination "$rootPath/$pprofile"

.github/workflows/build.yml

@@ -99,3 +99,59 @@ jobs:
         with:
           name: desktop-artifacts
           path: artifacts/*
+
+  macos:
+    runs-on: macos-latest
+
+    steps:
+      - name: Print environment
+        run: |
+          Write-Output "GitHub ref: $env:GITHUB_REF"
+          Write-Output "GitHub event: $env:GITHUB_EVENT"
+        shell: pwsh
+        env:
+          GITHUB_REF: ${{ github.ref }}
+          GITHUB_EVENT: ${{ github.event_name }}
+
+      - name: Checkout repo
+        uses: actions/checkout@v2
+
+      - name: Decrypt secrets
+        run: ./.github/scripts/macos/decrypt-secrets.ps1
+        shell: pwsh
+        env:
+          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
+
+      - name: Increment version
+        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        run: ./.github/scripts/macos/increment-version.ps1
+        shell: pwsh
+
+      - name: Set up keychain
+        run: ./.github/scripts/macos/setup-keychain.ps1
+        shell: pwsh
+        env:
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+          DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }}
+          DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
+          APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }}
+
+      - name: Set up provisioning profiles
+        run: ./.github/scripts/macos/setup-profiles.ps1
+        shell: pwsh
+
+      - name: Build Safari extension for .dmg
+        shell: pwsh
+        run: ./scripts/safari-build.ps1
+
+      - name: Build application for .dmg
+        shell: pwsh
+        run: npm run dist:mac
+
+      - name: Build Safari extension for App Store
+        shell: pwsh
+        run: ./scripts/safari-build.ps1 -mas
+
+      - name: Build application for App Store
+        shell: pwsh
+        run: npm run dist:mac:mas