WIP: feat(workflows): add new build workflows for Windows, Linux, and macOS, and remove obsolete build scripts #17
@ -35,9 +35,6 @@ jobs:
|
|||||||
|
|
||||||
echo "Created entitlements file:"
|
echo "Created entitlements file:"
|
||||||
cat LuckyRobots.entitlements
|
cat LuckyRobots.entitlements
|
||||||
|
|
||||||
# Move entitlements to home directory to ensure consistent access
|
|
||||||
cp LuckyRobots.entitlements ~/LuckyRobots.entitlements
|
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
||||||
- name: Download and Extract Artifact
|
- name: Download and Extract Artifact
|
||||||
@ -113,61 +110,87 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Found app bundle at: $APP_PATH"
|
echo "Found app bundle at: $APP_PATH"
|
||||||
# Make a local copy to ensure access
|
|
||||||
LOCAL_APP="$WORKSPACE_DIR/LuckyWorld.app"
|
|
||||||
echo "Creating accessible copy at: $LOCAL_APP"
|
|
||||||
|
|
||||||
# Remove if exists
|
|
||||||
rm -rf "$LOCAL_APP"
|
|
||||||
cp -R "$APP_PATH" "$LOCAL_APP"
|
|
||||||
|
|
||||||
echo "app_path=$LOCAL_APP" >> $GITHUB_OUTPUT
|
|
||||||
shell: bash
|
|
||||||
|
|
||||||
- name: Validate App Path
|
|
||||||
id: validate-app
|
|
||||||
run: |
|
|
||||||
APP_PATH="${{ steps.extract-artifact.outputs.app_path }}"
|
|
||||||
|
|
||||||
echo "Validating path: $APP_PATH"
|
|
||||||
|
|
||||||
if [ ! -d "$APP_PATH" ]; then
|
|
||||||
echo "Error: Application path does not exist: $APP_PATH"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Ensure the path is absolute
|
|
||||||
if [[ "$APP_PATH" != /* ]]; then
|
|
||||||
APP_PATH="$(pwd)/$APP_PATH"
|
|
||||||
echo "Converted to absolute path: $APP_PATH"
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Will sign and notarize: $APP_PATH"
|
|
||||||
echo "Contents of app bundle:"
|
|
||||||
ls -la "$APP_PATH"
|
|
||||||
echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT
|
echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
||||||
|
- name: Setup for Signing
|
||||||
|
id: setup-signing
|
||||||
|
env:
|
||||||
|
APPLE_CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
|
||||||
|
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
||||||
|
run: |
|
||||||
|
# Decode the base64 certificate
|
||||||
|
echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > certificate.p12
|
||||||
|
|
||||||
|
# Create keychain and import certificate
|
||||||
|
KEYCHAIN_PATH="signing-keychain.keychain-db"
|
||||||
|
KEYCHAIN_PASSWORD="temporary"
|
||||||
|
|
||||||
|
# Create custom keychain
|
||||||
|
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||||
|
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
|
||||||
|
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
|
# Download Apple root certificates
|
||||||
|
echo "Downloading Apple Developer certificates..."
|
||||||
|
curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
|
||||||
|
curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
|
||||||
|
|
||||||
|
# Import all certificates to our custom keychain
|
||||||
|
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
|
||||||
|
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
|
||||||
|
security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
|
# Set keychain for signing
|
||||||
|
security list-keychain -d user -s "$KEYCHAIN_PATH"
|
||||||
|
security default-keychain -s "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
|
# Always trust our certificates
|
||||||
|
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
|
# Setup API key
|
||||||
|
echo "${{ secrets.NOTARY_API_KEY_PATH }}" | base64 --decode > api_key.p8
|
||||||
|
echo "keychain_path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT
|
||||||
|
echo "keychain_password=$KEYCHAIN_PASSWORD" >> $GITHUB_OUTPUT
|
||||||
|
echo "api_key_path=$(pwd)/api_key.p8" >> $GITHUB_OUTPUT
|
||||||
|
shell: bash
|
||||||
|
|
||||||
- name: Sign macOS App
|
- name: Sign macOS App
|
||||||
uses: lando/code-sign-action@v3
|
|
||||||
id: sign-app
|
id: sign-app
|
||||||
with:
|
env:
|
||||||
file: ${{ steps.validate-app.outputs.app_path }}
|
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||||
certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
|
run: |
|
||||||
certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
APP_PATH="${{ steps.extract-artifact.outputs.app_path }}"
|
||||||
apple-team-id: "${{ secrets.APPLE_TEAM_ID }}"
|
|
||||||
options: --force --options runtime --deep --timestamp --entitlements ~/LuckyRobots.entitlements
|
echo "Signing app bundle: $APP_PATH"
|
||||||
|
|
||||||
|
# First, handle problematic libraries separately
|
||||||
|
find "$APP_PATH" -name "*.dylib" | while read DYLIB; do
|
||||||
|
echo "Signing library: $DYLIB"
|
||||||
|
codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$DYLIB"
|
||||||
|
done
|
||||||
|
|
||||||
|
# Now sign the application itself
|
||||||
|
echo "Signing main application bundle..."
|
||||||
|
/usr/bin/codesign --force --options runtime --deep --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements ./LuckyRobots.entitlements "$APP_PATH"
|
||||||
|
|
||||||
|
# Verify signature
|
||||||
|
echo "Verifying signature..."
|
||||||
|
codesign --verify --verbose "$APP_PATH"
|
||||||
|
|
||||||
|
echo "App signing completed successfully"
|
||||||
|
echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT
|
||||||
|
shell: bash
|
||||||
|
|
||||||
- name: Notarize macOS App
|
- name: Notarize macOS App
|
||||||
run: |
|
run: |
|
||||||
# Create a temporary file for notarization
|
# Create a temporary file for notarization
|
||||||
APP_PATH="${{ steps.validate-app.outputs.app_path }}"
|
APP_PATH="${{ steps.sign-app.outputs.app_path }}"
|
||||||
NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
|
NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
|
||||||
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
|
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
|
||||||
|
|
||||||
# Set up API key
|
# Get API key path from previous step
|
||||||
API_KEY_PATH="$(pwd)/api_key.p8"
|
API_KEY_PATH="${{ steps.setup-signing.outputs.api_key_path }}"
|
||||||
echo "${{ secrets.NOTARY_API_KEY_PATH }}" | base64 --decode > "$API_KEY_PATH"
|
|
||||||
|
|
||||||
# Submit for notarization using API key
|
# Submit for notarization using API key
|
||||||
echo "Submitting for notarization with API key..."
|
echo "Submitting for notarization with API key..."
|
||||||
@ -184,7 +207,7 @@ jobs:
|
|||||||
- name: Package macOS App
|
- name: Package macOS App
|
||||||
run: |
|
run: |
|
||||||
# Package the signed and notarized app
|
# Package the signed and notarized app
|
||||||
APP_PATH="${{ steps.validate-app.outputs.app_path }}"
|
APP_PATH="${{ steps.sign-app.outputs.app_path }}"
|
||||||
APP_NAME=$(basename "$APP_PATH")
|
APP_NAME=$(basename "$APP_PATH")
|
||||||
WORKSPACE_DIR="$(pwd)"
|
WORKSPACE_DIR="$(pwd)"
|
||||||
OUTPUT_DIR="$WORKSPACE_DIR/TestSignedApps"
|
OUTPUT_DIR="$WORKSPACE_DIR/TestSignedApps"
|
||||||
@ -206,4 +229,17 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
name: TestSigned-macOS-App
|
name: TestSigned-macOS-App
|
||||||
path: TestSignedApps/Test-*.zip
|
path: TestSignedApps/Test-*.zip
|
||||||
retention-days: 7
|
retention-days: 7
|
||||||
|
|
||||||
|
- name: Cleanup
|
||||||
|
if: always()
|
||||||
|
run: |
|
||||||
|
# Clean up keychain
|
||||||
|
KEYCHAIN_PATH="${{ steps.setup-signing.outputs.keychain_path }}"
|
||||||
|
if [ -n "$KEYCHAIN_PATH" ]; then
|
||||||
|
security delete-keychain "$KEYCHAIN_PATH" || true
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Clean up temp files
|
||||||
|
rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer || true
|
||||||
|
shell: bash
|
||||||
Loading…
x
Reference in New Issue
Block a user