LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions 1 Packages Projects 1 Releases 13 Wiki Activity

WIP: feat(workflows): add new build workflows for Windows, Linux, and macOS, and remove obsolete build scripts #17

Draft
m wants to merge 117 commits from ozgur/build into main
pull from: ozgur/build
merge into: LuckyRobots:main
Conversation 0 Commits 117 Files Changed 21 +84 -48
1 changed files with 84 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 4400b47873 - Show all commits

130
.gitea/workflows/test-signing.yml
View File

@ -35,9 +35,6 @@ jobs:
echo "Created entitlements file:"
cat LuckyRobots.entitlements
# Move entitlements to home directory to ensure consistent access
cp LuckyRobots.entitlements ~/LuckyRobots.entitlements
shell: bash
- name: Download and Extract Artifact
@ -113,61 +110,87 @@ jobs:
fi
echo "Found app bundle at: $APP_PATH"
# Make a local copy to ensure access
LOCAL_APP="$WORKSPACE_DIR/LuckyWorld.app"
echo "Creating accessible copy at: $LOCAL_APP"
# Remove if exists
rm -rf "$LOCAL_APP"
cp -R "$APP_PATH" "$LOCAL_APP"
echo "app_path=$LOCAL_APP" >> $GITHUB_OUTPUT
shell: bash
- name: Validate App Path
id: validate-app
run: |
APP_PATH="${{ steps.extract-artifact.outputs.app_path }}"
echo "Validating path: $APP_PATH"
if [ ! -d "$APP_PATH" ]; then
echo "Error: Application path does not exist: $APP_PATH"
exit 1
fi
# Ensure the path is absolute
if [[ "$APP_PATH" != /* ]]; then
APP_PATH="$(pwd)/$APP_PATH"
echo "Converted to absolute path: $APP_PATH"
fi
echo "Will sign and notarize: $APP_PATH"
echo "Contents of app bundle:"
ls -la "$APP_PATH"
echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT
shell: bash
- name: Setup for Signing
id: setup-signing
env:
APPLE_CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
# Decode the base64 certificate
echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > certificate.p12
# Create keychain and import certificate
KEYCHAIN_PATH="signing-keychain.keychain-db"
KEYCHAIN_PASSWORD="temporary"
# Create custom keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Download Apple root certificates
echo "Downloading Apple Developer certificates..."
curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
# Import all certificates to our custom keychain
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
# Set keychain for signing
security list-keychain -d user -s "$KEYCHAIN_PATH"
security default-keychain -s "$KEYCHAIN_PATH"
# Always trust our certificates
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Setup API key
echo "${{ secrets.NOTARY_API_KEY_PATH }}" | base64 --decode > api_key.p8
echo "keychain_path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT
echo "keychain_password=$KEYCHAIN_PASSWORD" >> $GITHUB_OUTPUT
echo "api_key_path=$(pwd)/api_key.p8" >> $GITHUB_OUTPUT
shell: bash
- name: Sign macOS App
uses: lando/code-sign-action@v3
id: sign-app
with:
file: ${{ steps.validate-app.outputs.app_path }}
certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
apple-team-id: "${{ secrets.APPLE_TEAM_ID }}"
options: --force --options runtime --deep --timestamp --entitlements ~/LuckyRobots.entitlements
env:
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
APP_PATH="${{ steps.extract-artifact.outputs.app_path }}"
echo "Signing app bundle: $APP_PATH"
# First, handle problematic libraries separately
find "$APP_PATH" -name "*.dylib" | while read DYLIB; do
echo "Signing library: $DYLIB"
codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$DYLIB"
done
# Now sign the application itself
echo "Signing main application bundle..."
/usr/bin/codesign --force --options runtime --deep --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements ./LuckyRobots.entitlements "$APP_PATH"
# Verify signature
echo "Verifying signature..."
codesign --verify --verbose "$APP_PATH"
echo "App signing completed successfully"
echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT
shell: bash
- name: Notarize macOS App
run: |
# Create a temporary file for notarization
APP_PATH="${{ steps.validate-app.outputs.app_path }}"
APP_PATH="${{ steps.sign-app.outputs.app_path }}"
NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
# Set up API key
API_KEY_PATH="$(pwd)/api_key.p8"
echo "${{ secrets.NOTARY_API_KEY_PATH }}" | base64 --decode > "$API_KEY_PATH"
# Get API key path from previous step
API_KEY_PATH="${{ steps.setup-signing.outputs.api_key_path }}"
# Submit for notarization using API key
echo "Submitting for notarization with API key..."
@ -184,7 +207,7 @@ jobs:
- name: Package macOS App
run: |
# Package the signed and notarized app
APP_PATH="${{ steps.validate-app.outputs.app_path }}"
APP_PATH="${{ steps.sign-app.outputs.app_path }}"
APP_NAME=$(basename "$APP_PATH")
WORKSPACE_DIR="$(pwd)"
OUTPUT_DIR="$WORKSPACE_DIR/TestSignedApps"
@ -207,3 +230,16 @@ jobs:
name: TestSigned-macOS-App
path: TestSignedApps/Test-*.zip
retention-days: 7
- name: Cleanup
if: always()
run: |
# Clean up keychain
KEYCHAIN_PATH="${{ steps.setup-signing.outputs.keychain_path }}"
if [ -n "$KEYCHAIN_PATH" ]; then
security delete-keychain "$KEYCHAIN_PATH" || true
fi
# Clean up temp files
rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer || true
shell: bash