Fix/certificate (#6)

* add certificate

* macOS?

* copy pasta

* use from docs

https://docs.github.com/en/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development

* only run om macos

* removed setting certificate from blog post

* add provisioning profile

* uncomment path

* move command up for debugging

* clean up keychain

use actual env value

* remove avrgirl-arduino

* clean bundle to only include required modules

could potentially be even stricter

* dont strict verify

* debug osx sign for pipeline test

* sign in release as well

.github/workflows/make.yml

@@ -21,10 +21,37 @@ jobs:
         os: [macos-latest, ubuntu-latest, windows-latest]
 
     steps:
+      - name: Install the Apple certificate
+        if: runner.os == 'macOS'
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          # import certificate
+          echo -n "$MACOS_CERTIFICATE" | base64 --decode -o $CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$MACOS_CERTIFICATE_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
+      - name: Run security find-identity -v
+        if: runner.os == 'macOS'
+        run: security find-identity -v
+
       - uses: actions/checkout@v4
 
       - name: Cache node modules
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: '**/node_modules'
           key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
@@ -48,8 +75,13 @@ jobs:
           # Required for `distutils` module
           python-version: '3.10'
 
+      # https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
       - name: Make application
         run: yarn make
         env:
-          APPLE_API_KEY: AuthKey_${{ env.APPLE_API_KEY_ID }}.p8
-          APPLE_IDENTITY: env.APPLE_IDENTITY
+          APPLE_IDENTITY: ${{ env.APPLE_IDENTITY }}
+
+      - name: Clean up keychain and provisioning profile
+        if: runner.os == 'macOS'
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db

.github/workflows/release.yml

@@ -14,10 +14,33 @@ jobs:
         os: [macos-latest, ubuntu-latest, windows-latest]
 
     steps:
+      - name: Install the Apple certificate
+        if: runner.os == 'macOS'
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          # import certificate
+          echo -n "$MACOS_CERTIFICATE" | base64 --decode -o $CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$MACOS_CERTIFICATE_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
       - uses: actions/checkout@v4
 
       - name: Cache node modules
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: '**/node_modules'
           key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}

.gitignore

@@ -122,3 +122,4 @@ dist-ssr
 # Secrets
 .env
 *.p8
+*.provisionprofile

apps/electron-app/bundler.js

@@ -51,10 +51,28 @@ const collectProdDeps = node => {
 
 	while (stack.length > 0) {
 		const currentNode = stack.pop();
+		// Ignore types packages
+		if (currentNode.location.startsWith('node_modules/@types')) {
+			// console.debug(`IGNORE ${currentNode.location}`);
+			continue;
+		}
+
+		// Ignore radix-ui packages
+		if (currentNode.location.includes('@radix-ui')) {
+			// console.debug(`IGNORE ${currentNode.location}`);
+			continue;
+		}
+
 		const depEdges = [...currentNode.edgesOut.values()].filter(
 			depEdge => depEdge.type === 'prod',
 		);
 
+		// Show dependencies
+		// console.debug(
+		// 	currentNode.location,
+		// 	depEdges.map(depEdge => depEdge.to.location),
+		// );
+
 		for (const depEdge of depEdges) {
 			const depNode = resolveLink(depEdge.to);
 
@@ -83,8 +101,20 @@ const bundle = async (source, destination) => {
 	for (const dep of prodDeps) {
 		const dest = path.join(destination, dep.location);
 
-		console.log(`Copying ${dep.location} to ${dest}`);
-		await fs.cp(dep.realpath, dest, {
+		let bundlePath = dest;
+		if (dep.location.startsWith('packages')) {
+			switch (dep.location) {
+				case 'packages/components':
+					bundlePath = dest.replace('packages', 'node_modules/@microflow');
+					break;
+				default:
+					continue;
+			}
+		}
+
+		console.log(`${dep.location} --> ${bundlePath}`);
+
+		await fs.cp(dep.realpath, bundlePath, {
 			recursive: true,
 			errorOnExist: false,
 		});

apps/electron-app/forge.config.js

@@ -8,7 +8,34 @@ module.exports = {
 		executableName: 'Microflow studio',
 		icon: 'assets/icon',
 		osxSign: {
+			strictVerify: false,
 			identity: process.env.APPLE_IDENTITY, // https://github.com/electron/forge/issues/3131#issuecomment-2237818679
+			ignore: filePath => {
+				if (filePath.includes('build/node_gyp_bins/python3')) {
+					console.log('>> ignore signing', filePath);
+					return true;
+				}
+				return false;
+			},
+			// optionsForFile: filePath => {
+			// 	if (!filePath.includes('node_gyp_bins/python3')) {
+			// 		return;
+			// 	}
+
+			// 	console.log('>> extra options', filePath);
+
+			// 	return {
+			// 		additionalArguments: ['--deep'],
+			// 	};
+			// },
+			// ignore: filePath => {
+			// 	if (!filePath.includes('node_gyp_bins/python3')) {
+			// 		return false;
+			// 	}
+
+			// 	console.log('>> ignore', filePath);
+			// 	return true;
+			// },
 		},
 		// osxNotarize: {
 		// 	tool: 'notarytool',
@@ -17,7 +44,6 @@ module.exports = {
 		// 	teamId: process.env.APPLE_TEAM_ID,
 		// },
 		prune: false, // Requires for monorepo
-		extraResource: ['./workers', './hex'],
 		protocols: [
 			{
 				name: 'microflow-studio',

apps/electron-app/package.json

@@ -59,7 +59,6 @@
 		"@microflow/utils": "workspaces:*",
 		"@xyflow/react": "^12.0.0",
 		"abcjs": "^6.4.2",
-		"avrgirl-arduino": "https://github.com/xiduzo/avrgirl-arduino.git",
 		"electron-log": "^5.1.5",
 		"firmata": "https://github.com/xiduzo/firmata.js.git",
 		"mqtt": "^5.8.0",

apps/electron-app/src/main/ipc.ts

@@ -23,9 +23,6 @@ import {
 
 let childProcess: UtilityProcess | null = null;
 
-const isDev = process.env.NODE_ENV === 'development';
-const resourcesPath = isDev ? __dirname : process.resourcesPath;
-
 // ipcMain.on("shell:open", () => {
 //   const pageDirectory = __dirname.replace('app.asar', 'app.asar.unpacked')
 //   const pagePath = path.join('file://', pageDirectory, 'index.html')
@@ -47,24 +44,41 @@ ipcMain.on('ipc-check-board', async event => {
 
 	const boardsAndPorts = await getKnownBoardsWithPorts();
 
-	const filePath = join(resourcesPath, 'workers', 'check.js');
+	const filePath = join(__dirname, 'workers', 'check.js');
 
 	let connectedPort: PortInfo | null = null;
 
 	const [lastBoard, ports] = boardsAndPorts.at(-1);
 	const lastPort = ports.at(-1);
 
+	log.debug('Checking boards and ports', {
+		boardsAndPorts: JSON.stringify(boardsAndPorts),
+	});
+
 	// Check board on all ports which match the known product IDs
 	checkBoard: for (const [board, ports] of boardsAndPorts) {
 		for (const port of ports) {
-			log.debug(`checking board ${board} on path ${port.path}`);
+			log.debug(`checking board ${board} on path ${port.path}`, { filePath });
 
 			const result = await new Promise<BoardCheckResult>(resolve => {
 				childProcess = utilityProcess.fork(filePath, [port.path], {
 					serviceName: 'Microflow studio - micro-controller validator',
+					stdio: 'pipe',
+				});
+
+				childProcess.stderr?.on('data', data => {
+					log.error('board check child process error', {
+						data: data.toString(),
+					});
+				});
+
+				log.debug('Child process forked', {
+					filePath,
+					port: port.path,
 				});
 
 				childProcess.on('message', async (message: BoardCheckResult) => {
+					log.debug('board check child process process message', { message });
 					if (message.type !== 'info') {
 						childProcess?.kill(); // Free up the port again
 						resolve(message);
@@ -121,7 +135,7 @@ ipcMain.on('ipc-upload-code', (event, code: string, portPath: string) => {
 	}
 	childProcess?.kill();
 
-	const filePath = join(resourcesPath, 'temp.js');
+	const filePath = join(__dirname, 'temp.js');
 	log.debug('Writing code to file', { filePath });
 	writeFile(filePath, code, error => {
 		if (error) {
@@ -135,6 +149,13 @@ ipcMain.on('ipc-upload-code', (event, code: string, portPath: string) => {
 
 		childProcess = utilityProcess.fork(filePath, [portPath], {
 			serviceName: 'Microflow studio - micro-controller runner',
+			stdio: 'pipe',
+		});
+
+		childProcess.stderr?.on('data', data => {
+			log.error('board check child process error', {
+				data: data.toString(),
+			});
 		});
 
 		childProcess.on(
@@ -160,7 +181,7 @@ async function flashBoard(board: BoardName, port: PortInfo): Promise<void> {
 	log.debug(`Try flashing firmata to ${board} on ${port.path}`);
 
 	const firmataPath = resolve(
-		resourcesPath,
+		__dirname,
 		'hex',
 		board,
 		'StandardFirmata.cpp.hex',

apps/electron-app/workers/check.js

@@ -1,12 +1,13 @@
 const { Board } = require('@microflow/components');
-const log = require('electron-log/node');
 
 const port = process.argv.at(-1);
 
 if (!port) {
-	log.warn(
-		'No port provided, johnny five usualy can handle this. This might cause unforseen behavior.',
-	);
+	process.parentPort.postMessage({
+		type: 'info',
+		message:
+			'No port provided, johnny five usualy can handle this. This might cause unforseen behavior.',
+	});
 }
 
 let board;
@@ -18,11 +19,10 @@ try {
 		port,
 	});
 
-	log.debug('Board is being checked', { port: board.port });
-
 	process.parentPort.postMessage({
 		type: 'info',
 		message: 'checking micro-controller',
+		port: board.port,
 	});
 
 	board.on('info', event => {
@@ -85,7 +85,6 @@ try {
 		process.parentPort.postMessage({ type: 'close' });
 	});
 } catch (error) {
-	log.error('something went wrong', { error });
 	process.parentPort.postMessage({
 		type: 'error',
 		message: error.message,