paper-age 1.5.0

Easy and secure paper backups of secrets
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

name: Release

permissions:
  id-token: write
  contents: write
  attestations: write

on:
  push:
    tags:
      - v[0-9]+.*

jobs:
  create-release:
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.create-gh-release.outputs.computed-prefix }}${{ steps.create-gh-release.outputs.version }}
      version: ${{ steps.create-gh-release.outputs.version }}
    steps:
      - uses: actions/checkout@v6
      - name: Changelog variable
        if: ${{ !(contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'prerelease') || contains(github.ref, 'rc')) }}
        run: |
          echo "changelog=CHANGELOG.md" >> $GITHUB_ENV
      - id: create-gh-release
        uses: taiki-e/create-gh-release-action@v1
        with:
          draft: true
          changelog: ${{ env.changelog }}
          # (required) GitHub token for creating GitHub Releases.
          token: ${{ secrets.GITHUB_TOKEN }}

  upload-assets:
    needs: [create-release]
    strategy:
      matrix:
        include:
          # Linux (ARM and x86-64)
          - target: aarch64-unknown-linux-gnu
            os: ubuntu-latest
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-latest
          # macOS targets (Universal only)
          - target: universal-apple-darwin
            os: macos-latest
          # Windows (x86-64)
          - target: x86_64-pc-windows-msvc
            os: windows-latest
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v6
      - name: Configure cache
        uses: Swatinem/rust-cache@v2
      - name: Include documentation files variable (macOS)
        if: ${{ matrix.target == 'universal-apple-darwin' }}
        run: |
          echo "include_docs=target/aarch64-apple-darwin/release/man,target/aarch64-apple-darwin/release/completion" >> $GITHUB_ENV
      - name: Install the Apple certificate, provisioning profile, and API key (macOS)
        if: ${{ matrix.target == 'universal-apple-darwin' }}
        id: keychain
        env:
          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
          BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
          AUTH_KEY_BASE64: ${{ secrets.AUTH_KEY_BASE64 }}
        run: |
          # create variables
          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
          PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
          AUTH_KEY_PATH=$RUNNER_TEMP/AuthKey.p8

          # import certificate and provisioning profile from secrets
          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
          echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH

          # create temporary keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

          # import certificate to keychain
          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security list-keychain -d user -s $KEYCHAIN_PATH

          # apply provisioning profile
          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
          cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles

          # create auth key file for notarization
          echo -n "$AUTH_KEY_BASE64" | base64 --decode -o $AUTH_KEY_PATH

          # setup outputs
          echo "auth_key_path=$AUTH_KEY_PATH" >> $GITHUB_OUTPUT
          echo "keychain_path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT
          echo "pp_path=$PP_PATH" >> $GITHUB_OUTPUT
          echo "certificate_path=$CERTIFICATE_PATH" >> $GITHUB_OUTPUT
      - name: Include documentation files variable (windows)
        if: ${{ matrix.target == 'x86_64-pc-windows-msvc' }}
        run: |
          echo "include_docs=target/${{ matrix.target }}/release/man,target/${{ matrix.target }}/release/completion" >> $env:GITHUB_ENV
      - name: Include documentation files variable (linux)
        if: ${{ contains(matrix.target, 'linux') }}
        run: |
          echo "include_docs=target/${{ matrix.target }}/release/man,target/${{ matrix.target }}/release/completion" >> $GITHUB_ENV
      - id: upload-rust-binary-action
        uses: taiki-e/upload-rust-binary-action@v1.27.0
        with:
          # (required) Comma-separated list of binary names (non-extension portion of filename) to build and upload.
          # Note that glob pattern is not supported yet.
          bin: paper-age
          # (optional) Comma-separated list of algorithms to be used for checksum (sha256, sha512, sha1, or md5)
          checksum: sha256
          # (optional) Target triple, default is host triple.
          target: ${{ matrix.target }}
          # (optional) Comma-separated list of additional files to be included to archive.
          include: README.md,LICENSE.txt,src/assets/fonts/IBMPlexMono-LICENSE.txt,${{ env.include_docs }}
          # (required) GitHub token for uploading assets to GitHub Releases.
          token: ${{ secrets.GITHUB_TOKEN }}
          # Sign build products using codesign on macOS
          codesign: '7FP48PW9TN'
          codesign-prefix: 'fi.matiaskorhonen.'
          codesign-options: 'runtime'
      - name: Zip the binary for notarization (macOS)
        if: ${{ matrix.target == 'universal-apple-darwin' }}
        run: zip -r $RUNNER_TEMP/paper-age-signed.zip target/${{ matrix.target }}/release/paper-age
      - name: Upload the binary for notarization (macOS)
        if: ${{ matrix.target == 'universal-apple-darwin' }}
        env:
          KEY_ID: ${{ secrets.KEY_ID }}
          ISSUER: ${{ secrets.ISSUER }}
        run: |
          xcrun notarytool submit $RUNNER_TEMP/paper-age-signed.zip \
            --key "${{ steps.keychain.outputs.auth_key_path }}" \
            --key-id "$KEY_ID" \
            --issuer "$ISSUER" \
            --wait
      - uses: actions/attest-build-provenance@v3
        with:
          subject-path: "${{ steps.upload-rust-binary-action.outputs.archive }}.*"

  publish-release:
    needs: [create-release, upload-assets]
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v6
      - name: mark release as non-draft
        run: |
          gh release edit ${{ needs.create-release.outputs.tag }} --draft=false

  update-homebrew:
    needs: [create-release, upload-assets, publish-release]
    if: ${{ !(contains(needs.create-release.outputs.tag, 'alpha') || contains(needs.create-release.outputs.tag, 'beta') || contains(needs.create-release.outputs.tag, 'prerelease') || contains(needs.create-release.outputs.tag, 'rc')) }}
    runs-on: ubuntu-latest
    steps:
      - name: Update Homebrew Formula
        uses: actions/github-script@v8
        with:
          github-token: ${{ secrets.PAT }}
          script: |
            github.rest.repos.createDispatchEvent({
              owner: "matiaskorhonen",
              repo: "homebrew-paper-age",
              event_type: "Update Homebrew Formula",
              client_payload: {
                version: ${{ toJSON(needs.create-release.outputs.version) }}
              }
            })