WIP: feat(workflows): add new build workflows for Windows, Linux, and macOS, and remove obsolete build scripts #17

Draft
m wants to merge 141 commits from ozgur/build into main
2 changed files with 120 additions and 229 deletions
Showing only changes of commit 16274ec126 - Show all commits


@ -2,8 +2,8 @@ name: Test Local Signing
on: on:
workflow_dispatch: # Manual trigger workflow_dispatch: # Manual trigger
# push: push:
# branches: [ozgur/build] branches: [ozgur/build]
jobs: jobs:
test-local-signing: test-local-signing:
@ -62,7 +62,7 @@ jobs:
<key>CFBundleExecutable</key> <key>CFBundleExecutable</key>
<string>TestApp</string> <string>TestApp</string>
<key>CFBundleIdentifier</key> <key>CFBundleIdentifier</key>
<string>com.luckyworld.testapp</string> <string>com.luckyrobots.luckyworld.testapp</string>
<key>CFBundleName</key> <key>CFBundleName</key>
<string>TestApp</string> <string>TestApp</string>
<key>CFBundlePackageType</key> <key>CFBundlePackageType</key>
@ -85,144 +85,164 @@ jobs:
echo "🔍 App bundle contents:" echo "🔍 App bundle contents:"
ls -la "$TEST_APP_DIR" ls -la "$TEST_APP_DIR"
# Store app path as environment variable
echo "APP_PATH=$(pwd)/TestApp.app" >> "$GITHUB_ENV"
shell: bash shell: bash
- name: Self-Sign App for Testing - name: Setup Certificate
env:
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: | run: |
echo "🔏 Self-signing app for testing..." echo "🔐 Setting up certificate..."
# Create a self-signed certificate for testing # Create a temporary directory for certificates
echo "🔑 Creating self-signed certificate..." CERT_DIR="$HOME/certificates"
mkdir -p "$CERT_DIR"
# Generate key and certificate # Decode the certificate to a p12 file
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_DIR/certificate.p12"
-keyout TestKey.key -out TestCert.crt \
-subj "/CN=Test Signing/O=LuckyWorld/C=TR"
# Sign the app with ad-hoc identity # Check certificate format
echo "🔏 Signing app with ad-hoc identity..." echo "📑 Certificate format check:"
codesign --force --sign - --timestamp --options runtime --entitlements LuckyWorld.entitlements TestApp.app file "$CERT_DIR/certificate.p12"
# Verify signing # Create keychain
echo "🔍 Verifying signature..." KEYCHAIN_PATH="$CERT_DIR/app-signing.keychain-db"
codesign -vvv --deep --strict TestApp.app KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"
# Check entitlements # Delete existing keychain if it exists
echo "🔍 Checking entitlements..." security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
codesign -d --entitlements - TestApp.app
# Create new keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -t 3600 -u -l "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Add to search list and make default
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
security default-keychain -s "$KEYCHAIN_PATH"
# Import certificate
echo "🔑 Importing developer certificate..."
security import "$CERT_DIR/certificate.p12" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign
# Set partition list for codesign to access keychain
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Verify certificate
echo "🔍 Verifying certificate..."
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
# Store keychain variables for later steps
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
# Cleanup
rm -f "$CERT_DIR/certificate.p12"
shell: bash shell: bash
- name: Create Sign and Notarize Script (Developer Reference) - name: Sign with Developer ID
run: | run: |
echo "📝 Creating reference script for actual code signing..." echo "🔏 Signing app with Developer ID certificate..."
cat > sign_and_notarize.sh << 'EOF' # Make sure keychain is unlocked
#!/bin/bash security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Sign and notarize macOS application
# This script is a reference for using a real Developer ID certificate
# Configuration (replace with your values) # Get the Developer ID Application identity
APP_PATH="YourApp.app" IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
TEAM_ID="YOUR_TEAM_ID"
BUNDLE_ID="com.yourdomain.yourapp"
ENTITLEMENTS_PATH="YourApp.entitlements"
APPLE_ID="your_apple_id@example.com"
APP_PASSWORD="your_app_specific_password"
# Step 1: Check for Developer ID Application certificate
echo "Checking for Developer ID Application certificate..."
IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
if [ -z "$IDENTITY" ]; then if [ -z "$IDENTITY" ]; then
echo "Error: No Developer ID Application certificate found" echo "❌ Error: No valid Developer ID Application identity found"
echo "Please create a Developer ID Application certificate in your Apple Developer account" echo "Please check if your certificate is valid and properly imported"
echo "and install it in your keychain"
exit 1 exit 1
fi fi
echo "Using identity: $IDENTITY" echo "Using identity: $IDENTITY"
# Step 2: Sign the app # Sign the app bundle
echo "Signing app..." echo "Signing app bundle..."
codesign --force --options runtime --entitlements "$ENTITLEMENTS_PATH" \ codesign --force --deep --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp "$APP_PATH"
--sign "$IDENTITY" --timestamp "$APP_PATH"
# Step 3: Verify signing # Verify signing
echo "Verifying signature..." echo "🔍 Verifying signature..."
codesign -vvv --deep --strict "$APP_PATH" codesign -vvv --deep --strict "$APP_PATH"
# Step 4: Create zip for notarization # Check entitlements
echo "Creating zip for notarization..." echo "🔍 Checking entitlements..."
zip_path="/tmp/app_for_notarization.zip" codesign -d --entitlements - "$APP_PATH"
ditto -c -k --keepParent "$APP_PATH" "$zip_path" shell: bash
- name: Notarize App
if: success()
env:
APPLE_ID: ${{ secrets.APPLE_NOTARY_USER }}
APP_PASSWORD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
run: |
echo "📤 Notarizing app..."
# Make sure we have required secrets
if [ -z "$APPLE_ID" ] || [ -z "$APP_PASSWORD" ] || [ -z "$APPLE_TEAM_ID" ]; then
echo "⚠️ Missing notarization credentials. Skipping notarization."
echo "NOTARIZED=false" >> "$GITHUB_ENV"
exit 0
fi
# Create zip for notarization
ZIP_PATH="TestApp-notarize.zip"
ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
# Step 5: Submit for notarization
echo "Submitting for notarization..." echo "Submitting for notarization..."
xcrun notarytool submit "$zip_path" \ xcrun notarytool submit "$ZIP_PATH" \
--apple-id "$APPLE_ID" \ --apple-id "$APPLE_ID" \
--password "$APP_PASSWORD" \ --password "$APP_PASSWORD" \
--team-id "$TEAM_ID" \ --team-id "$APPLE_TEAM_ID" \
--wait --wait
# Step 6: Staple the notarization ticket # Staple the notarization ticket
echo "Stapling notarization ticket..." echo "Stapling notarization ticket..."
xcrun stapler staple "$APP_PATH" xcrun stapler staple "$APP_PATH"
# Step 7: Verify notarization # Verify notarization
echo "Verifying notarization..." echo "🔍 Verifying notarization..."
spctl --assess --verbose --type exec "$APP_PATH" spctl --assess --verbose --type exec "$APP_PATH"
echo "✅ App successfully signed and notarized!" echo "NOTARIZED=true" >> "$GITHUB_ENV"
EOF
chmod +x sign_and_notarize.sh
echo "✅ Created reference script for actual code signing"
shell: bash shell: bash
- name: Documentation for Certificate Requirements - name: Package Signed App
run: | run: |
echo "📋 Requirements for code signing with Developer ID Application certificate:" echo "📦 Packaging signed app..."
echo ""
echo "1. You must have a paid Apple Developer account"
echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal"
echo "3. The certificate must be exported with its private key in p12 format"
echo "4. The certificate must be properly imported into keychain with proper access controls"
echo "5. For production, you should use the xcrun notarytool to notarize your app"
echo ""
echo "Common issues:"
echo "- The p12 file doesn't contain a private key"
echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)"
echo "- The certificate has expired"
echo "- The certificate was revoked"
echo "- Keychain access restrictions are preventing access to the private key"
echo ""
echo "For testing purposes, you can sign with ad-hoc identity (as demonstrated in this workflow)"
echo "For production, follow the steps in the reference script created in this workflow"
# Print this information in a file for reference if [ "${NOTARIZED:-false}" == "true" ]; then
echo "📋 Requirements for code signing with Developer ID Application certificate:" > signing_requirements.txt ZIP_FILE="TestApp-Signed-Notarized.zip"
echo "" >> signing_requirements.txt echo "Creating distribution package with notarized app..."
echo "1. You must have a paid Apple Developer account" >> signing_requirements.txt else
echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal" >> signing_requirements.txt ZIP_FILE="TestApp-Signed.zip"
echo "3. The certificate must be exported with its private key in p12 format" >> signing_requirements.txt echo "Creating distribution package with signed app..."
echo "4. The certificate must be properly imported into keychain with proper access controls" >> signing_requirements.txt fi
echo "5. For production, you should use the xcrun notarytool to notarize your app" >> signing_requirements.txt
echo "" >> signing_requirements.txt # Create zip package
echo "Common issues:" >> signing_requirements.txt ditto -c -k --keepParent "$APP_PATH" "$ZIP_FILE"
echo "- The p12 file doesn't contain a private key" >> signing_requirements.txt
echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)" >> signing_requirements.txt echo "✅ Created package: $ZIP_FILE"
echo "- The certificate has expired" >> signing_requirements.txt
echo "- The certificate was revoked" >> signing_requirements.txt
echo "- Keychain access restrictions are preventing access to the private key" >> signing_requirements.txt
echo "" >> signing_requirements.txt
echo "For testing purposes, you can sign with ad-hoc identity (as demonstrated in this workflow)" >> signing_requirements.txt
echo "For production, follow the steps in the reference script created in this workflow" >> signing_requirements.txt
shell: bash shell: bash
- name: Upload Artifact
uses: actions/upload-artifact@v3
with:
name: LuckyWorld-Signed-App
path: TestApp-*.zip
retention-days: 7
- name: Cleanup - name: Cleanup
if: always() if: always()
run: | run: |
echo "🧹 Cleaning up..." echo "🧹 Cleaning up..."
rm -rf TestApp.app TestKey.key TestCert.crt || true rm -rf TestApp.app TestApp-*.zip || true
security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
echo "✅ Cleanup complete" echo "✅ Cleanup complete"
shell: bash shell: bash
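Review bot: The decoded signing certificate is only removed at the very end of the Setup Certificate step (`rm -f "$CERT_DIR/certificate.p12"`), so if any earlier command in that step fails — e.g. `security import` rejecting the password — the step aborts and the p12 holding the private key stays on disk, and the Cleanup step (which has `if: always()`) only deletes the keychain, not `$HOME/certificates`; on a self-hosted runner that directory persists across jobs. Add `rm -rf "$HOME/certificates" 2>/dev/null || true` after the `security delete-keychain` line in Cleanup. The keychain password is also appended to `$GITHUB_ENV` unmasked and is therefore visible in logs and to every later step, including the third-party upload action; an `echo "::add-mask::$KEYCHAIN_PASSWORD"` before that line keeps it out of the log. Separately, `actions/upload-artifact@v3` has been deprecated by GitHub, and pinning the action to a full commit SHA rather than a mutable tag would limit what an upstream change could do with the signing keychain this job leaves unlocked until Cleanup.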


@ -2,8 +2,8 @@ name: Test macOS Build Action
on: on:
workflow_dispatch: # Manual trigger only for testing workflow_dispatch: # Manual trigger only for testing
push: # push:
branches: [ozgur/build] # branches: [ozgur/build]
jobs: jobs:
test-macos-build: test-macos-build:
@ -21,9 +21,6 @@ jobs:
if [ -f "LuckyWorld.entitlements" ]; then if [ -f "LuckyWorld.entitlements" ]; then
echo "Using existing LuckyWorld.entitlements file" echo "Using existing LuckyWorld.entitlements file"
ENTITLEMENTS_FILE="LuckyWorld.entitlements" ENTITLEMENTS_FILE="LuckyWorld.entitlements"
elif [ -f "LuckyRobots.entitlements" ]; then
echo "Using existing LuckyRobots.entitlements file"
ENTITLEMENTS_FILE="LuckyRobots.entitlements"
else else
echo "Creating default entitlements file as LuckyWorld.entitlements" echo "Creating default entitlements file as LuckyWorld.entitlements"
# Create entitlements file line by line instead of heredoc # Create entitlements file line by line instead of heredoc
@ -74,55 +71,6 @@ jobs:
echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV" echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV"
shell: bash shell: bash
- name: Debug Certificate Import (Test)
env:
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
set -e # Fail on any error
echo "Current working directory: $(pwd)"
echo "Checking for .app bundles in Saved directory..."
find ./Saved -type d -name "*.app" || echo "No app bundles found."
echo "Decoding certificate..."
CERT_DIR="$HOME/certificates"
mkdir -p "$CERT_DIR"
CERT_PATH="$CERT_DIR/developer_certificate.p12"
echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
echo "Decoded certificate size: $(wc -c < "$CERT_PATH") bytes"
echo "Type: $(file "$CERT_PATH")"
echo "Creating and configuring custom keychain..."
CUSTOM_KEYCHAIN="$CERT_DIR/build.keychain"
CUSTOM_PASSWORD="temppassword123"
security create-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
security set-keychain-settings "$CUSTOM_KEYCHAIN"
security unlock-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
echo "Setting only this keychain as active..."
security list-keychains -s "$CUSTOM_KEYCHAIN"
security default-keychain -s "$CUSTOM_KEYCHAIN"
echo "Importing certificate..."
security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k "$CUSTOM_KEYCHAIN" -T /usr/bin/codesign
echo "Granting access to codesign..."
security set-key-partition-list -S apple-tool:,apple: -s -k "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
echo "Verifying imported identities..."
security find-identity -v -p codesigning "$CUSTOM_KEYCHAIN"
echo "Setting environment variables for future steps..."
echo "KEYCHAIN_PATH=$CUSTOM_KEYCHAIN" >> "$GITHUB_ENV"
echo "KEYCHAIN_PASSWORD=$CUSTOM_PASSWORD" >> "$GITHUB_ENV"
echo "DIRECT_SIGNING_AVAILABLE=true" >> "$GITHUB_ENV"
echo "APPLE_TEAM=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
shell: bash
# Step 2: Build for macOS # Step 2: Build for macOS
- name: Build for macOS - name: Build for macOS
run: | run: |
@ -344,83 +292,6 @@ jobs:
echo "✅ Created reference script for production code signing" echo "✅ Created reference script for production code signing"
shell: bash shell: bash
# Step 7: Documentation for Certificate Requirements
- name: Certificate Requirements Documentation
run: |
echo "📋 Requirements for code signing with Developer ID Application certificate:"
echo ""
echo "1. You must have a paid Apple Developer account"
echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal"
echo "3. The certificate must be exported with its private key in p12 format"
echo "4. The certificate must be properly imported into keychain with proper access controls"
echo "5. For production, you should use the xcrun notarytool to notarize your app"
echo ""
echo "Common issues:"
echo "- The p12 file doesn't contain a private key"
echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)"
echo "- The certificate has expired"
echo "- The certificate was revoked"
echo "- Keychain access restrictions are preventing access to the private key"
echo ""
echo "For testing CI/CD pipeline: Use ad-hoc signing (as demonstrated in this workflow)"
echo "For production: Follow the steps in the reference script sign_and_notarize_production.sh"
# Print this information in a file for reference
cat > code_signing_requirements.md << EOF
# macOS Code Signing Requirements
## Requirements
1. You must have a paid Apple Developer account
2. You need to create a Developer ID Application certificate in Apple Developer Portal
3. The certificate must be exported with its private key in p12 format
4. The certificate must be properly imported into keychain with proper access controls
5. For production, you should use the xcrun notarytool to notarize your app
## Common Issues
- The p12 file doesn't contain a private key
- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)
- The certificate has expired
- The certificate was revoked
- Keychain access restrictions are preventing access to the private key
## Workflow
- For testing CI/CD pipeline: Use ad-hoc signing (as demonstrated in this workflow)
- For production: Follow the steps in the reference script sign_and_notarize_production.sh
EOF
echo "✅ Created code signing requirements documentation"
shell: bash
# Step 8: Package macOS App (For Testing)
- name: Package macOS App (Test Only)
run: |
echo "📦 Packaging ad-hoc signed app bundle for testing..."
# Create zip package with clear test indication
ZIP_FILE="PackagedReleases/LuckyWorld-macOS-TEST-ONLY.zip"
(cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/$ZIP_FILE" "$(basename "$APP_PATH")")
echo "✅ Created test package: $ZIP_FILE"
echo "⚠️ NOTE: This package is signed with ad-hoc identity for TESTING ONLY"
echo "⚠️ It will NOT pass Gatekeeper on macOS and is NOT suitable for distribution"
# Create README file to accompany the zip
cat > "PackagedReleases/README-TEST-BUILD.txt" << EOF
# LuckyWorld macOS Test Build
This build is signed with an ad-hoc signature for TESTING PURPOSES ONLY.
IMPORTANT:
- This app will NOT pass Gatekeeper on macOS
- It is NOT suitable for distribution to users
- Use the production signing script for creating distributable builds
For production builds, follow the instructions in code_signing_requirements.md
EOF
echo "✅ Created README for test build"
shell: bash
# Step 9: Upload test artifact # Step 9: Upload test artifact
- name: Upload Test Build Artifact - name: Upload Test Build Artifact
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3