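---
# Manual / branch-push test of the macOS build -> sign -> notarize -> package
# pipeline. Every shell step uses `shell: bash`, so GitHub runs it with
# `-e -o pipefail`: any failing command fails the step.
name: Test macOS Build Action

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it.
on:
  workflow_dispatch:  # Manual trigger only for testing
  push:
    branches: [ozgur/build]

# Least privilege: nothing below writes to the repository. Artifact upload
# uses the artifact API, which needs no extra token scope.
permissions:
  contents: read

jobs:
  test-macos-build:
    # NOTE(review): "macos" is not a GitHub-hosted label (those are
    # macos-13, macos-14, macos-latest, ...); kept as-is on the assumption
    # it names a self-hosted runner label. Confirm against the runner pool.
    runs-on: macos
    steps:
      - name: Checkout repository
        # v4 of checkout/upload-artifact run on a supported Node runtime;
        # the v3 releases are deprecated. Consider pinning both actions to a
        # full commit SHA (e.g. `actions/checkout@<commit-sha>`) for
        # supply-chain stability.
        uses: actions/checkout@v4
        with:
          lfs: true
          fetch-depth: 0

      - name: Check entitlements file
        shell: bash
        run: |
          # Select the entitlements file for codesign, generating a default
          # when the repository ships neither candidate. The exported
          # ENTITLEMENTS_FILE is consumed by the signing step.
          if [ -f "LuckyWorld.entitlements" ]; then
            echo "Using existing LuckyWorld.entitlements file"
            ENTITLEMENTS_FILE="LuckyWorld.entitlements"
          elif [ -f "LuckyRobots.entitlements" ]; then
            echo "Using existing LuckyRobots.entitlements file"
            ENTITLEMENTS_FILE="LuckyRobots.entitlements"
          else
            echo "Creating default entitlements file as LuckyWorld.entitlements"
            # codesign requires a property list; a bare list of keys is not
            # a valid entitlements file. The two hardened-runtime exceptions
            # `disable-library-validation` and
            # `allow-dyld-environment-variables` materially weaken the
            # protection hardened runtime provides -- drop them if the
            # build signs and runs without them.
            cat > LuckyWorld.entitlements << 'EOF'
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
            <key>com.apple.security.cs.allow-jit</key>
            <true/>
            <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
            <true/>
            <key>com.apple.security.cs.disable-library-validation</key>
            <true/>
            <key>com.apple.security.cs.allow-dyld-environment-variables</key>
            <true/>
            <key>com.apple.security.device.audio-input</key>
            <true/>
            <key>com.apple.security.device.camera</key>
            <true/>
          </dict>
          </plist>
          EOF
            ENTITLEMENTS_FILE="LuckyWorld.entitlements"
          fi
          echo "Using entitlements file: $ENTITLEMENTS_FILE"
          echo "ENTITLEMENTS_FILE=$ENTITLEMENTS_FILE" >> "$GITHUB_ENV"

      # Step 1: Setup environment
      - name: Setup environment
        shell: bash
        run: |
          # Use the correct path where Unreal Engine is installed
          UE_PATH="/Users/Shared/Epic Games/UE_5.5"
          if [ ! -d "$UE_PATH" ]; then
            echo "Warning: Unreal Engine is not installed in the expected location"
            echo "This is expected in CI environment - continuing anyway"
          fi
          # Output directories. Builds/Mac is created empty here, which is
          # why the app-bundle lookup below ignores empty directories.
          mkdir -p Builds/Mac
          mkdir -p PackagedReleases
          echo "Using Unreal Engine 5.5"

      # Step 2: Build for macOS
      - name: Build for macOS
        shell: bash
        run: |
          if [ -f "./scripts/mac_build.sh" ]; then
            chmod +x ./scripts/mac_build.sh
            ./scripts/mac_build.sh
          else
            echo "Build script not found, skipping this step"
          fi

      # Step 3: Setup for Signing
      - name: Setup for Signing
        id: setup-signing
        shell: bash
        env:
          API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
          APPLE_CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
        run: |
          # Fail early with a clear message instead of importing empty files.
          if [ -z "$APPLE_CERTIFICATE_BASE64" ] || [ -z "$API_KEY_PATH" ]; then
            echo "MACOS_CERTIFICATE and NOTARY_API_KEY_PATH secrets must be set"
            exit 1
          fi

          mkdir -p PackagedReleases

          # Decoded secrets and the temporary keychain live under RUNNER_TEMP,
          # outside the workspace, so no later step or artifact upload can
          # pick them up by accident.
          SIGNING_DIR="$RUNNER_TEMP/signing"
          mkdir -p "$SIGNING_DIR"
          API_KEY_FILE="$SIGNING_DIR/api_key.p8"
          CERT_FILE="$SIGNING_DIR/certificate.p12"
          KEYCHAIN_PATH="$SIGNING_DIR/signing.keychain-db"

          # Decode the API key (secret holds the Base64 of the .p8 contents)
          echo "$API_KEY_PATH" | base64 --decode > "$API_KEY_FILE"
          # Decode the signing certificate
          echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > "$CERT_FILE"

          # Throwaway keychain with a per-run password; the password only
          # guards this keychain for the lifetime of the job and is never
          # exported to later steps.
          KEYCHAIN_PASSWORD="$(openssl rand -hex 16)"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Apple intermediate certificates. `-f` makes a failed download
          # fail the step instead of saving an error page that `security
          # import` would later reject with a confusing message.
          curl -fsSL -o "$SIGNING_DIR/AppleWWDRCAG3.cer" https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
          curl -fsSL -o "$SIGNING_DIR/DeveloperIDG2.cer" https://www.apple.com/certificateauthority/DeveloperIDG2.cer

          # Import certificates. `-T` limits which tools may use the key
          # without prompting; the original `-A` granted that to every
          # application on the runner.
          security import "$SIGNING_DIR/AppleWWDRCAG3.cer" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der
          security import "$SIGNING_DIR/DeveloperIDG2.cer" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der
          security import "$CERT_FILE" -P "$APPLE_CERTIFICATE_PASSWORD" -t cert -f pkcs12 -k "$KEYCHAIN_PATH" \
            -T /usr/bin/codesign -T /usr/bin/security

          # Prepend the temporary keychain to the user search list rather
          # than replacing it, so a self-hosted runner keeps its existing
          # keychains. codesign resolves identities through the search list,
          # so making it the default keychain is unnecessary.
          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed 's/"//g')

          # Allow codesign/security to use the key non-interactively
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Surface the imported identity in the log (public info only)
          security find-identity -v -p codesigning "$KEYCHAIN_PATH"

          # Find app bundle
          APP_PATH=$(find Builds -type d -name "*.app" | head -1)
          if [ -z "$APP_PATH" ]; then
            # Fall back to a non-empty top-level build directory that might be
            # a bundle not named .app. `! -empty` skips the Builds/Mac
            # directory created empty by the setup step.
            APP_PATH=$(find Builds -mindepth 1 -maxdepth 1 -type d ! -empty | head -1)
            if [ -z "$APP_PATH" ]; then
              echo "No build directory found, cannot continue"
              exit 1
            fi
          fi
          echo "Found app path: $APP_PATH"

          # Hand paths (not the keychain password) to later steps
          echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV"
          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
          echo "API_KEY_FILE=$API_KEY_FILE" >> "$GITHUB_ENV"
          echo "SIGNING_DIR=$SIGNING_DIR" >> "$GITHUB_ENV"

      # Step 4: Sign macOS App
      - name: Sign macOS App
        shell: bash
        env:
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          echo "Signing app bundle: $APP_PATH"
          # NOTE(review): codesign matches this string as a substring of the
          # certificate common name ("Developer ID Application: <Name>
          # (<TEAMID>)"). This only resolves if APPLE_TEAM_ID holds the part
          # after the colon as it appears in the certificate -- confirm.
          SIGN_IDENTITY="Developer ID Application: $APPLE_TEAM_ID"

          # Sign nested code first. NUL-delimited so bundle paths containing
          # spaces are not split; parentheses keep -print0 applying to both
          # -name tests.
          find "$APP_PATH" \( -name "*.dylib" -o -name "*.framework" \) -print0 |
            while IFS= read -r -d '' LIB; do
              echo "Signing library: $LIB"
              codesign --force --options runtime --timestamp --sign "$SIGN_IDENTITY" "$LIB"
            done

          # Sign the app bundle
          echo "Signing with entitlements file: $ENTITLEMENTS_FILE"
          codesign --force --options runtime --deep --timestamp --sign "$SIGN_IDENTITY" \
            --entitlements "./$ENTITLEMENTS_FILE" "$APP_PATH"

          # Strict, recursive verification so a broken nested signature
          # fails here rather than at notarization.
          codesign --verify --deep --strict --verbose=2 "$APP_PATH"

      # Step 5: Notarize macOS App
      - name: Notarize macOS App
        shell: bash
        env:
          API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
          API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
        run: |
          # Zip the bundle for upload; ditto preserves symlinks and metadata
          # that the signature depends on.
          NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
          ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"

          # --wait blocks until Apple returns a verdict and exits non-zero
          # when the submission is rejected.
          echo "Submitting for notarization with API key..."
          xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" \
            --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait

          # Staple the ticket to the application
          xcrun stapler staple "$APP_PATH"

          # Gatekeeper assessment of the stapled bundle, as an end user's
          # machine would perform it.
          spctl --assess --type execute --verbose=2 "$APP_PATH"

          # Clean up temporary notarization file
          rm -f "$NOTARIZE_APP_PATH"

      # Step 6: Package macOS App
      - name: Package macOS App
        shell: bash
        run: |
          # Package the signed and notarized app. An absolute output path
          # avoids the original assumption that the bundle sits exactly two
          # levels below the workspace; ditto keeps symlinks intact so the
          # signature survives the round trip.
          OUT_ZIP="$GITHUB_WORKSPACE/PackagedReleases/LuckyRobots-macOS.zip"
          echo "Creating final package..."
          ditto -c -k --keepParent "$APP_PATH" "$OUT_ZIP"
          echo "Created packaged release: PackagedReleases/LuckyRobots-macOS.zip"
          echo "Packaged releases:"
          ls -la PackagedReleases/

      # Step 7: Upload macOS Build Artifact
      - name: Upload macOS Build Artifact
        uses: actions/upload-artifact@v4
        if: success()
        with:
          name: LuckyRobots-macOS
          path: PackagedReleases/LuckyRobots-macOS.zip
          # NOTE(review): GitHub caps retention at the repository/org setting
          # (90 days by default); a larger value is silently clamped.
          retention-days: 365

      # Step 8: Cleanup
      - name: Cleanup
        if: always()
        shell: bash
        run: |
          # Remove the temporary keychain (this also drops it from the search
          # list) and every decoded secret, even when an earlier step failed.
          if [ -n "${KEYCHAIN_PATH:-}" ] && [ -f "$KEYCHAIN_PATH" ]; then
            security delete-keychain "$KEYCHAIN_PATH" || true
          fi
          if [ -n "${SIGNING_DIR:-}" ]; then
            rm -rf "$SIGNING_DIR" || true
          fi
          # Legacy workspace locations, in case an older step wrote there
          rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer api_key.p8 || true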