LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions 1 Packages Projects 1 Releases 13 Wiki Activity

WIP: feat(workflows): add new build workflows for Windows, Linux, and macOS, and remove obsolete build scripts #17

Draft
m wants to merge 115 commits from ozgur/build into main
pull from: ozgur/build
merge into: LuckyRobots:main
Conversation 0 Commits 115 Files Changed 21 +28 -89
1 changed files with 28 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit e6e28290b7 - Show all commits

115
.gitea/workflows/test-macos-build.yml
View File

@ -21,9 +21,6 @@ jobs:
if [ -f "LuckyWorld.entitlements" ]; then
echo "Using existing LuckyWorld.entitlements file"
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
elif [ -f "LuckyRobots.entitlements" ]; then
echo "Using existing LuckyRobots.entitlements file"
ENTITLEMENTS_FILE="LuckyRobots.entitlements"
else
echo "Creating default entitlements file as LuckyWorld.entitlements"
# Create entitlements file line by line instead of heredoc
@ -81,47 +78,23 @@ jobs:
fi
shell: bash
# Step 3: Setup for Signing
- name: Setup for Signing
id: setup-signing
# Step 3: Setup API Key
- name: Setup API Key
id: setup-api-key
env:
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
APPLE_CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
# Create output directory
mkdir -p PackagedReleases
# Decode the API key from Base64 secret
# Decode the API key from Base64 secret and save it to a file
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
echo "API_KEY_FILE=$(pwd)/api_key.p8" >> "$GITHUB_ENV"
# Decode the certificate
echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > certificate.p12
# Create keychain
KEYCHAIN_PATH="signing.keychain-db"
KEYCHAIN_PASSWORD="temporary"
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Download Apple root certificates
curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
# Import certificates
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
# Set keychain for signing
security list-keychain -d user -s "$KEYCHAIN_PATH"
security default-keychain -s "$KEYCHAIN_PATH"
# Set partition list
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
echo "API key setup complete"
shell: bash
# Step 4: Find App Bundle
- name: Find App Bundle
id: find-app-bundle
run: |
# Find app bundle
APP_PATH=$(find Builds -type d -name "*.app" | head -1)
@ -135,60 +108,30 @@ jobs:
fi
echo "Found app path: $APP_PATH"
# Use standard environment variable that works in all workflows
echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV"
# Also save the keychain and api key info
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
echo "API_KEY_FILE=$(pwd)/api_key.p8" >> "$GITHUB_ENV"
shell: bash
# Step 4: Sign macOS App
# Step 5: Sign macOS App using lando/code-sign-action
- name: Sign macOS App
env:
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
echo "Signing app bundle: $APP_PATH"
# First, handle libraries
find "$APP_PATH" -name "*.dylib" -o -name "*.framework" | while read LIB; do
echo "Signing library: $LIB"
codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
done
# Sign the app bundle
echo "Signing with entitlements file: $ENTITLEMENTS_FILE"
codesign --force --options runtime --deep --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements "./$ENTITLEMENTS_FILE" "$APP_PATH"
# Verify signature
codesign --verify --verbose "$APP_PATH"
shell: bash
# Step 5: Notarize macOS App
- name: Notarize macOS App
env:
API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
run: |
# Create a temporary file for notarization
NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
# Submit for notarization using API key
echo "Submitting for notarization with API key..."
xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait
# Staple the ticket to the application
xcrun stapler staple "$APP_PATH"
# Clean up temporary notarization file
rm -f "$NOTARIZE_APP_PATH"
shell: bash
id: sign-app
uses: lando/code-sign-action@v3
with:
file: ${{ env.APP_PATH }}
certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
options: --options runtime --deep --timestamp --entitlements ./${{ env.ENTITLEMENTS_FILE }}
# API Key Notarization (daha güvenli ve modern)
apple-api-key: ${{ env.API_KEY_FILE }}
apple-api-key-id: ${{ secrets.NOTARY_API_KEY_ID }}
apple-api-issuer: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
apple-product-id: dev.luckyrobots.luckyworld
# Step 6: Package macOS App
- name: Package macOS App
run: |
# Package the signed and notarized app
APP_PATH="${{ steps.sign-app.outputs.file }}"
APP_NAME=$(basename "$APP_PATH")
DIR_PATH=$(dirname "$APP_PATH")
@ -213,11 +156,7 @@ jobs:
- name: Cleanup
if: always()
run: |
# Clean up keychain and files
if [ -n "$KEYCHAIN_PATH" ]; then
security delete-keychain "$KEYCHAIN_PATH" || true
fi
# Clean up files
rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer api_key.p8 || true
shell: bash