LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects 1 Releases 13 Wiki Activity

fix(workflows): refactor macOS build workflow to streamline signing and notarization process with improved error handling
Some checks failed
Unreal Engine Build / macos-build (push) Failing after 28m42s
Details
Unreal Engine Build / windows-build (push) Has been cancelled
Details
Unreal Engine Build / linux-build (push) Has been cancelled
Details
Unreal Engine Build / create-release (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Ozgur 2025-04-13 14:01:49 +02:00
parent f19ccd8a6f
commit 49032920a1
No known key found for this signature in database
GPG Key ID: 66CDF27505A35546
1 changed files with 55 additions and 116 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

171
.gitea/actions/macos-build/action.yml
View File

@ -48,140 +48,79 @@ runs:
./scripts/mac_build.sh
shell: bash
- name: Sign and Notarize macOS App
- name: Setup for Signing
id: setup-signing
if: ${{ success() }}
env:
APPLE_TEAM_ID: ${{ inputs.apple_team_id }}
APPLE_CERTIFICATE_BASE64: ${{ inputs.apple_certificate_base64 }}
APPLE_CERTIFICATE_PASSWORD: ${{ inputs.apple_certificate_password }}
API_KEY_PATH: ${{ inputs.api_key_path }}
API_KEY_ID: ${{ inputs.api_key_id }}
API_KEY_ISSUER_ID: ${{ inputs.api_key_issuer_id }}
run: |
# Create output directory
mkdir -p PackagedReleases
# Download Apple root certificates
echo "Downloading Apple Developer certificates..."
curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
# Decode the base64 certificate
echo "Setting up certificate..."
echo $APPLE_CERTIFICATE_BASE64 | base64 --decode > certificate.p12
# Create keychain and import certificate
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
KEYCHAIN_PASSWORD=temporary
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Import all certificates to our custom keychain
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
# Set keychain for signing
security list-keychain -d user -s "$KEYCHAIN_PATH"
security default-keychain -s "$KEYCHAIN_PATH"
# Always trust our certificates
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Decode the API key from Base64 secret
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
echo "api_key_file=$(pwd)/api_key.p8" >> $GITHUB_OUTPUT
# Find app bundle
APP_PATH=$(find Builds -type d -name "*.app" | head -1)
if [ -n "$APP_PATH" ]; then
echo "Signing app bundle: $APP_PATH"
# First, handle problematic libraries separately (specifically libmujoco)
find "$APP_PATH" -name "libmujoco*.dylib" | while read DYLIB; do
echo "Pre-signing library: $DYLIB"
codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$DYLIB"
done
# Now sign all other dylibs
find "$APP_PATH" -name "*.dylib" -o -name "*.framework" | while read LIB; do
echo "Signing library: $LIB"
codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
done
# Now sign the application itself
echo "Signing main application bundle..."
/usr/bin/codesign --force --options runtime --deep --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements "./LuckyRobots.entitlements" "$APP_PATH"
# Verify signature
echo "Verifying signature..."
codesign --verify --verbose "$APP_PATH"
# Create a temporary file for notarization
NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
# Decode the API key from Base64 secret
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
API_KEY_FILE="api_key.p8"
# Submit for notarization using API key
echo "Submitting for notarization with API key..."
xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait
# Check notarization result
NOTARIZATION_INFO=$(xcrun notarytool history --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" | grep -E '(success|invalid)' | head -1)
# Clean up the API key file
rm -f "$API_KEY_FILE"
if echo "$NOTARIZATION_INFO" | grep -q "success"; then
echo "Notarization successful"
# Staple the ticket to the application
xcrun stapler staple "$APP_PATH"
# Package the notarized app
echo "Creating final package..."
APP_NAME=$(basename "$APP_PATH")
(cd $(dirname "$APP_PATH") && zip -r "../../PackagedReleases/LuckyRobots-macOS.zip" "$APP_NAME")
echo "Created packaged release: PackagedReleases/LuckyRobots-macOS.zip"
else
echo "Notarization failed: $NOTARIZATION_INFO"
exit 1
fi
else
echo "No app bundle found for signing and notarization"
if [ -z "$APP_PATH" ]; then
# Look for a directory that might be a bundle but not named .app
MAIN_BUILD_DIR=$(find Builds -mindepth 1 -maxdepth 1 -type d | head -1)
if [ -n "$MAIN_BUILD_DIR" ]; then
echo "Found main build directory: $MAIN_BUILD_DIR"
# Sign libraries first
find "$MAIN_BUILD_DIR" -name "*.dylib" -o -name "*.framework" | while read LIB; do
echo "Signing library: $LIB"
codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
done
# Then sign main directory
/usr/bin/codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --deep --entitlements "./LuckyRobots.entitlements" "$MAIN_BUILD_DIR"
# Package it
DIR_NAME=$(basename "$MAIN_BUILD_DIR")
(cd $(dirname "$MAIN_BUILD_DIR") && zip -r "../../PackagedReleases/LuckyRobots-macOS.zip" "$DIR_NAME")
echo "Created packaged release: PackagedReleases/LuckyRobots-macOS.zip"
else
echo "No main directory found, cannot sign or package"
APP_PATH=$(find Builds -mindepth 1 -maxdepth 1 -type d | head -1)
if [ -z "$APP_PATH" ]; then
echo "No build directory found, cannot continue"
exit 1
fi
fi
echo "Found app path: $APP_PATH"
echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT
shell: bash
- name: Sign macOS App
uses: lando/code-sign-action@v3
id: sign-app
with:
file: ${{ steps.setup-signing.outputs.app_path }}
certificate-data: ${{ inputs.apple_certificate_base64 }}
certificate-password: ${{ inputs.apple_certificate_password }}
certificate-id: ${{ inputs.apple_team_id }}
options: --force --options runtime --deep --timestamp --entitlements ./LuckyRobots.entitlements
- name: Notarize macOS App
run: |
# Create a temporary file for notarization
APP_PATH="${{ steps.setup-signing.outputs.app_path }}"
NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
API_KEY_FILE="${{ steps.setup-signing.outputs.api_key_file }}"
# Submit for notarization using API key
echo "Submitting for notarization with API key..."
xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "${{ inputs.api_key_id }}" --issuer "${{ inputs.api_key_issuer_id }}" --wait
# Staple the ticket to the application
xcrun stapler staple "$APP_PATH"
# Clean up the API key file
rm -f "$API_KEY_FILE"
rm -f "$NOTARIZE_APP_PATH"
shell: bash
- name: Package macOS App
run: |
# Package the signed and notarized app
APP_PATH="${{ steps.setup-signing.outputs.app_path }}"
APP_NAME=$(basename "$APP_PATH")
DIR_PATH=$(dirname "$APP_PATH")
echo "Creating final package..."
(cd "$DIR_PATH" && zip -r "../../PackagedReleases/LuckyRobots-macOS.zip" "$APP_NAME")
echo "Created packaged release: PackagedReleases/LuckyRobots-macOS.zip"
echo "Packaged releases:"
ls -la PackagedReleases/
# Clean up
rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer
security delete-keychain "$KEYCHAIN_PATH"
shell: bash
- name: Upload macOS Build Artifact