WIP: feat(workflows): add new build workflows for Windows, Linux, and macOS, and remove obsolete build scripts #17
@ -21,9 +21,6 @@ jobs:
|
|||||||
if [ -f "LuckyWorld.entitlements" ]; then
|
if [ -f "LuckyWorld.entitlements" ]; then
|
||||||
echo "Using existing LuckyWorld.entitlements file"
|
echo "Using existing LuckyWorld.entitlements file"
|
||||||
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
|
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
|
||||||
elif [ -f "LuckyRobots.entitlements" ]; then
|
|
||||||
echo "Using existing LuckyRobots.entitlements file"
|
|
||||||
ENTITLEMENTS_FILE="LuckyRobots.entitlements"
|
|
||||||
else
|
else
|
||||||
echo "Creating default entitlements file as LuckyWorld.entitlements"
|
echo "Creating default entitlements file as LuckyWorld.entitlements"
|
||||||
# Create entitlements file line by line instead of heredoc
|
# Create entitlements file line by line instead of heredoc
|
||||||
@ -81,47 +78,23 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
||||||
# Step 3: Setup for Signing
|
# Step 3: Setup API Key
|
||||||
- name: Setup for Signing
|
- name: Setup API Key
|
||||||
id: setup-signing
|
id: setup-api-key
|
||||||
env:
|
env:
|
||||||
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
|
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
|
||||||
APPLE_CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
|
|
||||||
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
|
||||||
run: |
|
run: |
|
||||||
# Create output directory
|
# Decode the API key from Base64 secret and save it to a file
|
||||||
mkdir -p PackagedReleases
|
|
||||||
|
|
||||||
# Decode the API key from Base64 secret
|
|
||||||
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
|
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
|
||||||
|
echo "API_KEY_FILE=$(pwd)/api_key.p8" >> "$GITHUB_ENV"
|
||||||
|
|
||||||
# Decode the certificate
|
echo "API key setup complete"
|
||||||
echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > certificate.p12
|
shell: bash
|
||||||
|
|
||||||
# Create keychain
|
|
||||||
KEYCHAIN_PATH="signing.keychain-db"
|
|
||||||
KEYCHAIN_PASSWORD="temporary"
|
|
||||||
|
|
||||||
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
|
||||||
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
|
|
||||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
|
||||||
|
|
||||||
# Download Apple root certificates
|
|
||||||
curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
|
|
||||||
curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
|
|
||||||
|
|
||||||
# Import certificates
|
|
||||||
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
|
|
||||||
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
|
|
||||||
security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
|
|
||||||
|
|
||||||
# Set keychain for signing
|
|
||||||
security list-keychain -d user -s "$KEYCHAIN_PATH"
|
|
||||||
security default-keychain -s "$KEYCHAIN_PATH"
|
|
||||||
|
|
||||||
# Set partition list
|
|
||||||
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
|
||||||
|
|
||||||
|
# Step 4: Find App Bundle
|
||||||
|
- name: Find App Bundle
|
||||||
|
id: find-app-bundle
|
||||||
|
run: |
|
||||||
# Find app bundle
|
# Find app bundle
|
||||||
APP_PATH=$(find Builds -type d -name "*.app" | head -1)
|
APP_PATH=$(find Builds -type d -name "*.app" | head -1)
|
||||||
|
|
||||||
@ -135,60 +108,30 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Found app path: $APP_PATH"
|
echo "Found app path: $APP_PATH"
|
||||||
# Use standard environment variable that works in all workflows
|
|
||||||
echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV"
|
echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV"
|
||||||
|
|
||||||
# Also save the keychain and api key info
|
|
||||||
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
|
|
||||||
echo "API_KEY_FILE=$(pwd)/api_key.p8" >> "$GITHUB_ENV"
|
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
||||||
# Step 4: Sign macOS App
|
# Step 5: Sign macOS App using lando/code-sign-action
|
||||||
- name: Sign macOS App
|
- name: Sign macOS App
|
||||||
env:
|
id: sign-app
|
||||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
uses: lando/code-sign-action@v3
|
||||||
run: |
|
with:
|
||||||
echo "Signing app bundle: $APP_PATH"
|
file: ${{ env.APP_PATH }}
|
||||||
|
certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
|
||||||
# First, handle libraries
|
certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
||||||
find "$APP_PATH" -name "*.dylib" -o -name "*.framework" | while read LIB; do
|
apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
|
||||||
echo "Signing library: $LIB"
|
options: --options runtime --deep --timestamp --entitlements ./${{ env.ENTITLEMENTS_FILE }}
|
||||||
codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
|
# API Key Notarization (daha güvenli ve modern)
|
||||||
done
|
apple-api-key: ${{ env.API_KEY_FILE }}
|
||||||
|
apple-api-key-id: ${{ secrets.NOTARY_API_KEY_ID }}
|
||||||
# Sign the app bundle
|
apple-api-issuer: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
|
||||||
echo "Signing with entitlements file: $ENTITLEMENTS_FILE"
|
apple-product-id: dev.luckyrobots.luckyworld
|
||||||
codesign --force --options runtime --deep --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements "./$ENTITLEMENTS_FILE" "$APP_PATH"
|
|
||||||
|
|
||||||
# Verify signature
|
|
||||||
codesign --verify --verbose "$APP_PATH"
|
|
||||||
shell: bash
|
|
||||||
|
|
||||||
# Step 5: Notarize macOS App
|
|
||||||
- name: Notarize macOS App
|
|
||||||
env:
|
|
||||||
API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
|
|
||||||
API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
|
|
||||||
run: |
|
|
||||||
# Create a temporary file for notarization
|
|
||||||
NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
|
|
||||||
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
|
|
||||||
|
|
||||||
# Submit for notarization using API key
|
|
||||||
echo "Submitting for notarization with API key..."
|
|
||||||
xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait
|
|
||||||
|
|
||||||
# Staple the ticket to the application
|
|
||||||
xcrun stapler staple "$APP_PATH"
|
|
||||||
|
|
||||||
# Clean up temporary notarization file
|
|
||||||
rm -f "$NOTARIZE_APP_PATH"
|
|
||||||
shell: bash
|
|
||||||
|
|
||||||
# Step 6: Package macOS App
|
# Step 6: Package macOS App
|
||||||
- name: Package macOS App
|
- name: Package macOS App
|
||||||
run: |
|
run: |
|
||||||
# Package the signed and notarized app
|
# Package the signed and notarized app
|
||||||
|
APP_PATH="${{ steps.sign-app.outputs.file }}"
|
||||||
APP_NAME=$(basename "$APP_PATH")
|
APP_NAME=$(basename "$APP_PATH")
|
||||||
DIR_PATH=$(dirname "$APP_PATH")
|
DIR_PATH=$(dirname "$APP_PATH")
|
||||||
|
|
||||||
@ -213,11 +156,7 @@ jobs:
|
|||||||
- name: Cleanup
|
- name: Cleanup
|
||||||
if: always()
|
if: always()
|
||||||
run: |
|
run: |
|
||||||
# Clean up keychain and files
|
# Clean up files
|
||||||
if [ -n "$KEYCHAIN_PATH" ]; then
|
|
||||||
security delete-keychain "$KEYCHAIN_PATH" || true
|
|
||||||
fi
|
|
||||||
|
|
||||||
rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer api_key.p8 || true
|
rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer api_key.p8 || true
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
||||||
Loading…
x
Reference in New Issue
Block a user