WIP: feat(workflows): add new build workflows for Windows, Linux, and macOS, and remove obsolete build scripts #17
@ -88,22 +88,76 @@ jobs:
|
|||||||
ls -la "$TEST_APP_DIR"
|
ls -la "$TEST_APP_DIR"
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
||||||
- name: Sign and Notarize App
|
- name: Setup Certificate
|
||||||
uses: lando/code-sign-action@v3
|
run: |
|
||||||
with:
|
echo "🔐 Setting up certificate..."
|
||||||
file: TestApp.app
|
|
||||||
certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
|
# Create keychain
|
||||||
certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
|
||||||
apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
|
KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"
|
||||||
apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }}
|
|
||||||
apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }}
|
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||||
apple-product-id: com.luckyworld.testapp
|
security set-keychain-settings -t 3600 -l "$KEYCHAIN_PATH"
|
||||||
options: --options runtime --entitlements LuckyWorld.entitlements
|
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||||
|
security list-keychains -s "$KEYCHAIN_PATH" $(security list-keychains | xargs)
|
||||||
|
|
||||||
|
# Import certificate
|
||||||
|
echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
|
||||||
|
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign
|
||||||
|
|
||||||
|
# Set keychain as default
|
||||||
|
security default-keychain -s "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
|
# Verify certificate
|
||||||
|
echo "🔍 Verifying certificate..."
|
||||||
|
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
|
# Cleanup
|
||||||
|
rm -f certificate.p12
|
||||||
|
shell: bash
|
||||||
|
|
||||||
|
- name: Sign App Bundle
|
||||||
|
run: |
|
||||||
|
echo "🔏 Signing app bundle..."
|
||||||
|
|
||||||
|
# Sign the app bundle
|
||||||
|
codesign --force --options runtime --entitlements LuckyWorld.entitlements --sign "Developer ID Application" --timestamp TestApp.app
|
||||||
|
|
||||||
|
# Verify signing
|
||||||
|
echo "🔍 Verifying signature..."
|
||||||
|
codesign -vvv --deep --strict TestApp.app
|
||||||
|
|
||||||
|
# Check entitlements
|
||||||
|
echo "🔍 Checking entitlements..."
|
||||||
|
codesign -d --entitlements - TestApp.app
|
||||||
|
shell: bash
|
||||||
|
|
||||||
|
- name: Notarize App
|
||||||
|
run: |
|
||||||
|
echo "📤 Notarizing app..."
|
||||||
|
|
||||||
|
# Create zip for notarization
|
||||||
|
ditto -c -k --keepParent TestApp.app TestApp.zip
|
||||||
|
|
||||||
|
# Submit for notarization
|
||||||
|
xcrun notarytool submit TestApp.zip \
|
||||||
|
--apple-id "${{ secrets.APPLE_NOTARY_USER }}" \
|
||||||
|
--password "${{ secrets.APPLE_NOTARY_PASSWORD }}" \
|
||||||
|
--team-id "${{ secrets.APPLE_TEAM_ID }}" \
|
||||||
|
--wait
|
||||||
|
|
||||||
|
# Staple the notarization ticket
|
||||||
|
xcrun stapler staple TestApp.app
|
||||||
|
|
||||||
|
# Verify notarization
|
||||||
|
spctl --assess --verbose --type exec TestApp.app
|
||||||
|
shell: bash
|
||||||
|
|
||||||
- name: Cleanup
|
- name: Cleanup
|
||||||
if: always()
|
if: always()
|
||||||
run: |
|
run: |
|
||||||
echo "🧹 Cleaning up..."
|
echo "🧹 Cleaning up..."
|
||||||
rm -rf TestApp.app || true
|
rm -rf TestApp.app TestApp.zip || true
|
||||||
|
security delete-keychain "$KEYCHAIN_PATH" || true
|
||||||
echo "✅ Cleanup complete"
|
echo "✅ Cleanup complete"
|
||||||
shell: bash
|
shell: bash
|
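Review bot: The Cleanup step's `security delete-keychain "$KEYCHAIN_PATH"` runs in a different step from Setup Certificate, where `KEYCHAIN_PATH` is assigned as a plain shell variable, so it expands to an empty string there and `|| true` hides the failure. The temporary keychain holding the signing identity is then left on the runner, which matters on any runner that is reused between jobs; exporting the path through `$GITHUB_ENV` fixes that. In Setup Certificate the `${{ secrets.* }}` expressions are substituted into the script text itself, and `certificate.p12` is written to the working directory, where a failed `security import` would skip the trailing `rm -f` if the shell runs with errexit. Passing the secrets through `env:` and decoding into `$RUNNER_TEMP` with a trap covers both, as sketched below. The `--apple-id`/`--password`/`--team-id` arguments in Notarize App use the same interpolation pattern and would benefit from the same `env:` treatment.

```yaml
- name: Setup Certificate
  env:
    MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
    MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
  run: |
    # … unchanged: KEYCHAIN_PATH / KEYCHAIN_PASSWORD, create, settings, unlock, list-keychains …
    # Make the path visible to later steps (Cleanup deletes the keychain)
    echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"

    # Import certificate from a temp file that is removed even if import fails
    CERT_PATH="$RUNNER_TEMP/certificate.p12"
    trap 'rm -f "$CERT_PATH"' EXIT
    printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > "$CERT_PATH"
    security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
    # … unchanged: default-keychain, find-identity …
```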