SL-19242: Reference the actual stored GitHub repo secrets.

Add a Mac signing step to unpack the credentials bundled into
NOTARIZE_CREDS_MACOS so viewer-build-util/sign-pkg-mac need not know about
that peculiarity of our secrets formatting.

1 files changed, 25 insertions, 0 deletions

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index b010115e9c..d7bc4a84af 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -279,11 +279,36 @@ jobs:
     needs: build
     runs-on: macos-latest
     steps:
+      - name: Unpack Mac notarization credentials
+        id: note-creds
+        shell: bash
+        run: |
+          # In NOTARIZE_CREDS_MACOS we expect to find:
+          # USERNAME="..."
+          # PASSWORD="..."
+          # ASC_PROVIDER="..."
+          eval "${{ secrets.NOTARIZE_CREDS_MACOS }}
+          echo "::add-mask::$USERNAME"
+          echo "::add-mask::$PASSWORD"
+          echo "::add-mask::$ASC_PROVIDER"
+          echo "note_user=$USERNAME" >> "$GITHUB_OUTPUT"
+          echo "note_pass=$PASSWORD" >> "$GITHUB_OUTPUT"
+          echo "note_asc=$ASC_PROVIDER" >> "$GITHUB_OUTPUT"
+          # If we didn't manage to retrieve all of these credentials, better
+          # find out sooner than later.
+          [[ -n "$USERNAME" && -n "$PASSWORD && -n "$ASC_PROVIDER" ]]
+
       - name: Sign and package Mac viewer
         uses: secondlife/viewer-build-util/sign-pkg-mac@main
         with:
           channel: ${{ needs.build.outputs.viewer_channel }}
           imagename: ${{ needs.build.outputs.imagename }}
+          cert_base64: ${{ secrets.SIGNING_CERT_MACOS }}
+          cert_name: ${{ secrets.SIGNING_CERT_MACOS_IDENTITY }}
+          cert_pass: ${{ secrets.SIGNING_CERT_MACOS_PASSWORD }}
+          note_user: ${{ steps.note-creds.outputs.note_user }}
+          note_pass: ${{ steps.note-creds.outputs.note_pass }}
+          note_asc: ${{ steps.note-creds.outputs.note_asc }}
 
   post-windows-symbols:
     needs: build