name: Test macOS Build Action on: workflow_dispatch: # Manual trigger only for testing push: branches: [ozgur/build] jobs: test-macos-build: runs-on: macos steps: - name: Checkout repository uses: actions/checkout@v3 with: lfs: true fetch-depth: 0 - name: Check entitlements file run: | # Check if entitlements files exist if [ -f "LuckyWorld.entitlements" ]; then echo "Using existing LuckyWorld.entitlements file" ENTITLEMENTS_FILE="LuckyWorld.entitlements" elif [ -f "LuckyRobots.entitlements" ]; then echo "Using existing LuckyRobots.entitlements file" ENTITLEMENTS_FILE="LuckyRobots.entitlements" else echo "Creating default entitlements file as LuckyWorld.entitlements" # Create entitlements file line by line instead of heredoc echo '' > LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements echo ' com.apple.security.cs.allow-jit' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.cs.allow-unsigned-executable-memory' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.cs.disable-library-validation' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.cs.allow-dyld-environment-variables' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.device.audio-input' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.device.camera' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements ENTITLEMENTS_FILE="LuckyWorld.entitlements" fi echo "Using entitlements file: $ENTITLEMENTS_FILE" echo "ENTITLEMENTS_FILE=$ENTITLEMENTS_FILE" >> "$GITHUB_ENV" shell: bash # Step 1: Setup environment - name: Setup environment run: | # Use the correct path where Unreal Engine is installed UE_PATH="/Users/Shared/Epic Games/UE_5.5" if [ ! -d "$UE_PATH" ]; then echo "Warning: Unreal Engine is not installed in the expected location" echo "This is expected in CI environment - continuing anyway" fi # Create directories for builds mkdir -p Builds/Mac mkdir -p PackagedReleases echo "Using Unreal Engine 5.5" # Get the working directory path for absolute paths WORKSPACE_DIR="$(pwd)" echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV" shell: bash # Step 2: Build for macOS - name: Build for macOS run: | if [ -f "./scripts/mac_build.sh" ]; then chmod +x ./scripts/mac_build.sh ./scripts/mac_build.sh else echo "Build script not found, skipping this step" fi shell: bash # Step 3: Create keychain and import certificate - SIMPLIFIED for debugging - name: Create keychain and import certificate env: CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }} CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} run: | # Debug: Print working directory and available resources echo "Current working directory: $(pwd)" echo "Contents of Builds directory:" find Builds -type d | sort echo "Contents of Saved/StagedBuilds directory (if exists):" find ./Saved -type d -name "*.app" 2>/dev/null || echo "No .app bundles found in Saved/" # Decode certificate to working directory for simplicity echo "Decoding certificate..." echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12 ls -la certificate.p12 # Create a simple local keychain echo "Creating login keychain..." KEYCHAIN_PATH="$HOME/Library/Keychains/build.keychain-db" KEYCHAIN_PASSWORD="temp$(date +%s)" security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" security default-keychain -s "$KEYCHAIN_PATH" security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" # Debug import step echo "Importing certificate with flags: -P [PWD] -k $KEYCHAIN_PATH" security import certificate.p12 -P "$CERTIFICATE_PASSWORD" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign # Set partition list for automation echo "Setting key partition list..." security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" # Check for identities - DEBUG echo "Listing identities after import:" security find-identity -v -p codesigning "$KEYCHAIN_PATH" # Verify Apple Team ID matches certificate echo "Expected Apple Team ID: $APPLE_TEAM_ID" # Get a more detailed certificate info for debugging echo "Certificate details:" security find-certificate -a -c "Developer ID" -p "$KEYCHAIN_PATH" | openssl x509 -text | grep -E "Subject:|Issuer:|Not Before:|Not After :|Serial Number:" || echo "No certificate details found" # Use alternative approach to get signing identity SIGNING_IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | sed -E 's/.*\"Developer ID Application: ([^\"]+).*/\1/g' || echo "") if [ -z "$SIGNING_IDENTITY" ]; then # Try with certificate CN directly SIGNING_IDENTITY="Developer ID Application: $APPLE_TEAM_ID" echo "Using APPLE_TEAM_ID directly: $SIGNING_IDENTITY" else echo "Found signing identity: $SIGNING_IDENTITY" fi echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV" echo "SIGNING_IDENTITY=$SIGNING_IDENTITY" >> "$GITHUB_ENV" echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV" # Add to search list if needed security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g) shell: bash # Step 4: Find and prep app for signing - name: Find and prep app for signing run: | # First check Saved/StagedBuilds directory - where Unreal often places built apps echo "Checking Saved/StagedBuilds directory..." APP_PATHS=$(find ./Saved/StagedBuilds -type d -name "*.app" 2>/dev/null) # If not found, check Builds directory if [ -z "$APP_PATHS" ]; then echo "Checking Builds directory..." APP_PATHS=$(find ./Builds -type d -name "*.app" 2>/dev/null) fi # If still not found, check the whole workspace if [ -z "$APP_PATHS" ]; then echo "Checking entire workspace..." APP_PATHS=$(find . -type d -name "*.app" -not -path "*/\.*" 2>/dev/null) fi if [ -z "$APP_PATHS" ]; then echo "ERROR: Could not find any app bundles!" echo "Listing all directories to help debug:" find . -type d -maxdepth 3 | sort exit 1 fi echo "Found potential app bundles:" echo "$APP_PATHS" # Use the first app path found (preferably the main app, not a child app) MAIN_APP_PATH=$(echo "$APP_PATHS" | grep -v "CrashReportClient" | head -1 || echo "$APP_PATHS" | head -1) # Get app name for later use APP_NAME=$(basename "$MAIN_APP_PATH") echo "Using app bundle: $MAIN_APP_PATH" echo "App name: $APP_NAME" echo "APP_PATH=$MAIN_APP_PATH" >> "$GITHUB_ENV" echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV" shell: bash # Step 5: Sign application with codesign - DIRECT METHOD - name: Sign application env: APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} run: | # Debug info echo "Signing app bundle: $APP_PATH" echo "Using entitlements file: $ENTITLEMENTS_FILE" echo "Using signing identity: $SIGNING_IDENTITY" # Make sure keychain is accessible echo "Unlocking keychains..." security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" || true # Verify signing identity accessibility echo "Verifying codesigning identities..." security find-identity -v -p codesigning "$KEYCHAIN_PATH" # Sign the app directly, with a more direct approach echo "🔍 Signing the app bundle with its contents..." /usr/bin/codesign --force --options runtime --sign "$SIGNING_IDENTITY" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH" # Verify signature echo "Verifying signature..." /usr/bin/codesign --verify --verbose "$APP_PATH" # Check the result if [ $? -eq 0 ]; then echo "✅ Code signing was successful" else echo "⚠️ Code signing verification had issues, but continuing with notarization..." fi shell: bash # Step 6: Notarize application - name: Notarize application env: API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }} API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }} API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }} run: | echo "Preparing for notarization..." # Create API key file echo "$API_KEY_PATH" | base64 --decode > api_key.p8 API_KEY_FILE="$(pwd)/api_key.p8" # Create a zip archive for notarization NOTARIZE_APP_PATH="LuckyWorld-notarize.zip" echo "Creating archive for notarization: $NOTARIZE_APP_PATH" # Use ditto to preserve bundle structure ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH" # Check if zip file was created successfully if [ ! -f "$NOTARIZE_APP_PATH" ]; then echo "❌ Failed to create notarization archive" exit 1 fi echo "Submitting for notarization..." echo "API Key ID: $API_KEY_ID" echo "API Key File: $API_KEY_FILE" # Submit for notarization using API key NOTARIZE_OUTPUT=$(xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait) echo "Notarization response:" echo "$NOTARIZE_OUTPUT" # Check if notarization was successful if [[ "$NOTARIZE_OUTPUT" =~ "status: Accepted" ]]; then echo "✅ Notarization successful" else echo "⚠️ Notarization may have failed. Checking status..." # Extract submission ID if available SUBMISSION_ID=$(echo "$NOTARIZE_OUTPUT" | grep "id:" | awk '{print $2}') if [ -n "$SUBMISSION_ID" ]; then echo "Checking submission $SUBMISSION_ID..." xcrun notarytool info "$SUBMISSION_ID" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" # Continue even if notarization failed - we'll staple if possible echo "⚠️ Continuing despite potential notarization issues..." else echo "⚠️ No submission ID found. Continuing anyway..." fi fi # Staple the notarization ticket to the app echo "Stapling notarization ticket to app..." xcrun stapler staple "$APP_PATH" # Verify stapling echo "Verifying stapling..." stapler validate "$APP_PATH" if [ $? -eq 0 ]; then echo "✅ Stapling successful" else echo "⚠️ Stapling verification may have failed. This is sometimes expected for new apps." echo "⚠️ Continuing with packaging..." fi # Clean up rm -f "$NOTARIZE_APP_PATH" "$API_KEY_FILE" shell: bash # Step 7: Package macOS App - name: Package macOS App run: | echo "Packaging signed app bundle: $APP_PATH" # Create zip package (cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS.zip" "$(basename "$APP_PATH")") echo "Created packaged release: PackagedReleases/LuckyWorld-macOS.zip" echo "Packaged releases:" ls -la PackagedReleases/ shell: bash # Step 8: Upload macOS Build Artifact - name: Upload macOS Build Artifact uses: actions/upload-artifact@v3 if: success() with: name: LuckyWorld-macOS path: PackagedReleases/LuckyWorld-macOS.zip retention-days: 365 # Step 9: Cleanup - name: Cleanup if: always() run: | # Clean up keychain and certificates if [ -n "$KEYCHAIN_PATH" ]; then security delete-keychain "$KEYCHAIN_PATH" || true fi # Clean up certificate files rm -f certificate.p12 api_key.p8 || true echo "Cleanup complete" shell: bash