diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml index 12a13ab2..28027bfd 100644 --- a/.gitea/workflows/build.yml +++ b/.gitea/workflows/build.yml @@ -2,8 +2,8 @@ name: Unreal Engine Build on: workflow_dispatch: - push: - branches: [ozgur/build] + # push: + # branches: [ozgur/build] jobs: windows-build: diff --git a/.gitea/workflows/test-signing.yml b/.gitea/workflows/test-signing.yml new file mode 100644 index 00000000..43cb2f13 --- /dev/null +++ b/.gitea/workflows/test-signing.yml @@ -0,0 +1,166 @@ +name: Test macOS Signing + +on: + workflow_dispatch: + inputs: + use_previous_build: + description: 'Use a previous successful build artifact instead of local app path' + required: true + type: boolean + default: false + app_path: + description: 'Path to the app bundle to sign (if not using artifact)' + required: false + default: 'Builds/Mac/LuckyRobots.app' + artifact_run_id: + description: 'Run ID of the workflow that produced the artifact to use (if using artifact)' + required: false + default: '' + +jobs: + test-signing: + runs-on: macos + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + lfs: true + fetch-depth: 0 + + - name: Download Previous Build + if: ${{ github.event.inputs.use_previous_build == 'true' }} + run: | + # Create directories + mkdir -p Builds/Mac + + # Download artifact (using GitHub API or direct download) + echo "Downloading previous build artifact..." + + # If artifact_run_id is provided, use it + if [[ -n "${{ github.event.inputs.artifact_run_id }}" ]]; then + RUN_ID="${{ github.event.inputs.artifact_run_id }}" + else + # Get latest successful build run ID + echo "No specific run ID provided, finding latest successful build..." + + # You'll need to have proper authentication to access the API + # This is simplified, you might need to adjust based on your setup + RUN_ID=$(curl -s "https://luckyrobots.com/api/v1/repos/luckyrobots/luckyworld/actions/runs?status=success&event=push" | grep -o '"id":[0-9]*' | head -1 | cut -d':' -f2) + + if [[ -z "$RUN_ID" ]]; then + echo "Could not find a successful run ID. Please specify one manually." + exit 1 + fi + fi + + echo "Using run ID: $RUN_ID" + + # Download artifact using your Gitea API + # This is a simplified example - adjust as needed for your actual API + curl -L "https://luckyrobots.com/luckyrobots/luckyworld/actions/runs/$RUN_ID/artifacts/LuckyRobots-macOS" -o build.zip + + # Extract to Builds directory + unzip -o build.zip -d Builds/Mac/ + + # Find extracted app bundle + APP_PATH=$(find Builds/Mac -type d -name "*.app" | head -1) + + if [[ -z "$APP_PATH" ]]; then + echo "Could not find app bundle in downloaded artifact" + exit 1 + fi + + echo "Downloaded app bundle: $APP_PATH" + echo "app_path=$APP_PATH" >> $GITHUB_ENV + shell: bash + + - name: Validate App Path + id: validate-app + run: | + if [[ "${{ github.event.inputs.use_previous_build }}" == "true" ]]; then + APP_PATH="$app_path" + else + APP_PATH="${{ github.event.inputs.app_path }}" + fi + + if [ ! -d "$APP_PATH" ]; then + echo "Error: Application path does not exist: $APP_PATH" + echo "You can download a previous successful build artifact or specify a different path" + + # List available directories to help user + echo "Available directories in workspace:" + find . -type d -maxdepth 3 | grep -v "node_modules\|.git" + + exit 1 + fi + + echo "Will sign and notarize: $APP_PATH" + echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT + shell: bash + + - name: Setup for Signing + id: setup-signing + env: + API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }} + run: | + # Decode the API key from Base64 secret + echo "$API_KEY_PATH" | base64 --decode > api_key.p8 + echo "api_key_file=$(pwd)/api_key.p8" >> $GITHUB_OUTPUT + shell: bash + + - name: Sign macOS App + uses: lando/code-sign-action@v3 + id: sign-app + with: + file: ${{ steps.validate-app.outputs.app_path }} + certificate-data: ${{ secrets.MACOS_CERTIFICATE }} + certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }} + certificate-id: ${{ secrets.APPLE_TEAM_ID }} + options: --force --options runtime --deep --timestamp --entitlements ./LuckyRobots.entitlements + + - name: Notarize macOS App + run: | + # Create a temporary file for notarization + APP_PATH="${{ steps.validate-app.outputs.app_path }}" + NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip" + ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH" + + API_KEY_FILE="${{ steps.setup-signing.outputs.api_key_file }}" + + # Submit for notarization using API key + echo "Submitting for notarization with API key..." + xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "${{ secrets.NOTARY_API_KEY_ID }}" --issuer "${{ secrets.NOTARY_API_KEY_ISSUER_ID }}" --wait + + # Staple the ticket to the application + xcrun stapler staple "$APP_PATH" + + # Clean up the API key file + rm -f "$API_KEY_FILE" + rm -f "$NOTARIZE_APP_PATH" + shell: bash + + - name: Package macOS App + run: | + # Package the signed and notarized app + APP_PATH="${{ steps.validate-app.outputs.app_path }}" + APP_NAME=$(basename "$APP_PATH") + DIR_PATH=$(dirname "$APP_PATH") + + # Create test output directory + mkdir -p TestSignedApps + + echo "Creating test package..." + (cd "$DIR_PATH" && zip -r "../../TestSignedApps/Test-$APP_NAME.zip" "$APP_NAME") + echo "Created test package: TestSignedApps/Test-$APP_NAME.zip" + + echo "Test packaged apps:" + ls -la TestSignedApps/ + shell: bash + + - name: Upload Test Signed App + uses: actions/upload-artifact@v3 + if: success() + with: + name: TestSigned-macOS-App + path: TestSignedApps/Test-*.zip + retention-days: 7 \ No newline at end of file