LuckyRobots/LuckyWorld
15
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects 1 Releases 13 Wiki Activity

WIP: feat(workflows): add new build workflows for Windows, Linux, and macOS, and remove obsolete build scripts #17

Draft
m wants to merge 141 commits from ozgur/build into main
pull from: ozgur/build
merge into: LuckyRobots:main
Conversation 0 Commits 141 Files Changed 24 +11 -167
1 changed files with 11 additions and 167 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 8b1443bbad - Show all commits

178
.gitea/workflows/test-local-signing.yml
View File

@ -12,111 +12,6 @@ jobs:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v3 uses: actions/checkout@v3
- name: Setup Certificate
env:
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
echo "🔑 Setting up certificate and keychain..."
# Create working directory
CERT_DIR="$HOME/certificates"
mkdir -p "$CERT_DIR"
cd "$CERT_DIR"
# Decode certificate
echo "📜 Decoding certificate..."
echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12
# Check certificate info
echo "🔍 Certificate info:"
file certificate.p12
# Create keychain with a fixed password
KEYCHAIN_PATH="$CERT_DIR/build.keychain-db"
KEYCHAIN_PASSWORD="keychainpassword"
echo "🔐 Creating keychain: $KEYCHAIN_PATH"
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Configure keychain settings
security set-keychain-settings -t 3600 -l "$KEYCHAIN_PATH"
# Add to keychain list and make it default
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
security default-keychain -s "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Download and import Apple root certificates
echo "📥 Downloading Apple root certificates..."
curl -O https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
curl -O https://www.apple.com/certificateauthority/DeveloperIDG2.cer
echo "🔐 Importing Apple root certificates..."
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der
# Import certificate with all access rights
echo "📥 Importing developer certificate..."
security import certificate.p12 \
-k "$KEYCHAIN_PATH" \
-P "$CERTIFICATE_PASSWORD" \
-T "/usr/bin/codesign" \
-T "/usr/bin/security" \
-T "/usr/bin/xcrun" \
-f pkcs12
# Update keychain partition list
security set-key-partition-list \
-S apple-tool:,apple:,codesign: \
-s \
-k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Allow codesign to access the keychain
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Verify certificate access
echo "🔍 Verifying certificate access..."
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
# Save environment variables
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
echo "WORKSPACE_DIR=$(pwd)" >> "$GITHUB_ENV"
# Check certificate status and get identity
echo "✅ Checking codesigning identities..."
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
# Extract the identity hash for signing
IDENTITY_HASH=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk '{print $2}')
if [ -n "$IDENTITY_HASH" ]; then
echo "Found identity hash: $IDENTITY_HASH"
echo "IDENTITY_HASH=$IDENTITY_HASH" >> "$GITHUB_ENV"
else
echo "No valid identity hash found"
echo "🔍 Debugging certificate access..."
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH"
exit 1
fi
shell: bash
- name: Verify Certificate
run: |
echo "🔍 Verifying certificate in keychain..."
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
echo "📋 Certificate details:"
security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH" | \
openssl x509 -text | \
grep -E "Subject:|Issuer:|Not Before:|Not After:|Serial Number:"
shell: bash
- name: Create Test Entitlements - name: Create Test Entitlements
run: | run: |
echo "📝 Creating entitlements file..." echo "📝 Creating entitlements file..."
@ -184,73 +79,22 @@ jobs:
echo "APP_PATH=$TEST_APP_DIR" >> "$GITHUB_ENV" echo "APP_PATH=$TEST_APP_DIR" >> "$GITHUB_ENV"
shell: bash shell: bash
- name: Test Signing - name: Sign and Notarize App
run: | uses: lando/code-sign-action@v3
echo "🔏 Testing code signing..." with:
file: ${{ env.APP_PATH }}
# Prepare keychain certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
# Use identity hash directly for signing apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }}
echo "📝 Signing app bundle with identity hash: $IDENTITY_HASH" apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }}
/usr/bin/codesign --force --deep --verbose \ apple-product-id: com.luckyworld.testapp
--keychain "$KEYCHAIN_PATH" \ options: --options runtime --entitlements LuckyWorld.entitlements
--sign "$IDENTITY_HASH" \
--entitlements "LuckyWorld.entitlements" \
"$APP_PATH"
echo "✅ Signing complete"
echo "🔍 Verifying signature..."
codesign -vv -d "$APP_PATH"
echo "📋 Checking entitlements..."
codesign -d --entitlements :- "$APP_PATH"
echo "🔒 Testing Gatekeeper assessment..."
spctl --assess --type exec "$APP_PATH"
shell: bash
- name: Test Notarization
env:
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
run: |
if [ -n "$API_KEY_PATH" ] && [ -n "$API_KEY_ID" ] && [ -n "$API_KEY_ISSUER_ID" ]; then
echo "🔐 Testing notarization..."
# Create API key file
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
# Zip test app
ditto -c -k --keepParent "$APP_PATH" "TestApp.zip"
# Test notarization
xcrun notarytool submit "TestApp.zip" \
--key "api_key.p8" \
--key-id "$API_KEY_ID" \
--issuer "$API_KEY_ISSUER_ID" \
--wait
# Cleanup
rm -f api_key.p8 TestApp.zip
else
echo "⚠️ Notarization secrets not found, skipping notarization test"
fi
shell: bash
- name: Cleanup - name: Cleanup
if: always() if: always()
run: | run: |
echo "🧹 Cleaning up..." echo "🧹 Cleaning up..."
# Clean up keychain
security delete-keychain "$KEYCHAIN_PATH" || true
# Clean up test files
rm -rf "$HOME/certificates" || true
rm -rf TestApp.app || true rm -rf TestApp.app || true
echo "✅ Cleanup complete" echo "✅ Cleanup complete"
shell: bash shell: bash