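---
# Manually triggered workflow that signs, notarizes and packages a macOS app
# bundle. The bundle is either a path already present in the checkout or a
# build artifact of a previous run downloaded from the Gitea Actions API.
#
# Security notes for maintainers:
#   * workflow_dispatch inputs reach the shell through `env:` rather than
#     `${{ }}` interpolation inside `run:`, so a crafted input cannot inject
#     shell syntax into the script.
#   * The app path must resolve inside $GITHUB_WORKSPACE. This job runs on a
#     self-hosted runner, and the signing identity / notary key must not be
#     usable on arbitrary bundles found elsewhere on that machine.
#   * The notary API key is decoded into the job temp dir with 0600
#     permissions and deleted by a step that runs even when signing or
#     notarization fails, so it does not outlive the job in a reused workspace.
#   * Downloads use `curl --fail` so an HTTP error is not silently unzipped.
#   * Third-party actions are pinned by mutable major tag; pin them to a
#     reviewed commit SHA (supply-chain hardening) once that revision is known.
name: Test macOS Signing

on:
  workflow_dispatch:
    inputs:
      use_previous_build:
        description: 'Use a previous successful build artifact instead of local app path'
        required: true
        type: boolean
        default: false
      app_path:
        description: 'Path to the app bundle to sign (if not using artifact)'
        required: false
        default: 'Builds/Mac/LuckyRobots.app'
      artifact_run_id:
        description: 'Run ID of the workflow that produced the artifact to use (if using artifact)'
        required: false
        default: ''

jobs:
  test-signing:
    runs-on: macos
    steps:
      - name: Checkout repository
        # TODO(security): pin to a full commit SHA instead of a mutable tag.
        uses: actions/checkout@v3
        with:
          lfs: true
          fetch-depth: 0

      - name: Download Previous Build
        if: ${{ github.event.inputs.use_previous_build == 'true' }}
        env:
          # Exposed via the environment so the value is data, never shell code.
          ARTIFACT_RUN_ID: ${{ github.event.inputs.artifact_run_id }}
        shell: bash
        run: |
          set -euo pipefail
          mkdir -p Builds/Mac

          echo "Downloading previous build artifact..."
          if [[ -n "$ARTIFACT_RUN_ID" ]]; then
            # The run ID is spliced into a URL below; accept digits only.
            if [[ ! "$ARTIFACT_RUN_ID" =~ ^[0-9]+$ ]]; then
              echo "artifact_run_id must be numeric, got: $ARTIFACT_RUN_ID" >&2
              exit 1
            fi
            RUN_ID="$ARTIFACT_RUN_ID"
          else
            echo "No specific run ID provided, finding latest successful build..."
            # NOTE(review): this query is unauthenticated and assumes the API
            # returns the newest run first; add auth and adjust for your Gitea
            # setup if either assumption does not hold. `|| true` keeps the
            # friendly error below reachable under `set -e` / pipefail.
            RUN_ID=$(curl -fsSL \
              "https://luckyrobots.com/api/v1/repos/luckyrobots/luckyworld/actions/runs?status=success&event=push" \
              | grep -o '"id":[0-9]*' | head -1 | cut -d':' -f2 || true)
            if [[ -z "$RUN_ID" ]]; then
              echo "Could not find a successful run ID. Please specify one manually." >&2
              exit 1
            fi
          fi
          echo "Using run ID: $RUN_ID"

          # --fail aborts on an HTTP error instead of saving an error page as
          # build.zip. Adjust the URL/auth for your actual Gitea API.
          curl -fsSL \
            "https://luckyrobots.com/luckyrobots/luckyworld/actions/runs/$RUN_ID/artifacts/LuckyRobots-macOS" \
            -o build.zip
          unzip -o build.zip -d Builds/Mac/

          APP_PATH=$(find Builds/Mac -type d -name "*.app" | head -1)
          if [[ -z "$APP_PATH" ]]; then
            echo "Could not find app bundle in downloaded artifact" >&2
            exit 1
          fi
          echo "Downloaded app bundle: $APP_PATH"
          echo "app_path=$APP_PATH" >> "$GITHUB_ENV"

      - name: Validate App Path
        id: validate-app
        env:
          USE_PREVIOUS_BUILD: ${{ github.event.inputs.use_previous_build }}
          APP_PATH_INPUT: ${{ github.event.inputs.app_path }}
        shell: bash
        run: |
          set -euo pipefail
          if [[ "$USE_PREVIOUS_BUILD" == "true" ]]; then
            # `app_path` was written to GITHUB_ENV by the download step.
            APP_PATH="${app_path:-}"
          else
            APP_PATH="$APP_PATH_INPUT"
          fi

          if [[ -z "$APP_PATH" || ! -d "$APP_PATH" ]]; then
            echo "Error: Application path does not exist: $APP_PATH" >&2
            echo "You can download a previous successful build artifact or specify a different path" >&2
            # List directories to help the user; -maxdepth precedes -type so
            # both BSD and GNU find accept the ordering.
            echo "Available directories in workspace:"
            find . -maxdepth 3 -type d | grep -Ev 'node_modules|\.git' || true
            exit 1
          fi

          # Refuse anything outside the checkout: the signing identity and the
          # notary key must only ever be applied to bundles this job controls.
          RESOLVED=$(cd "$APP_PATH" && pwd -P)
          WORKSPACE=$(cd "$GITHUB_WORKSPACE" && pwd -P)
          case "$RESOLVED" in
            "$WORKSPACE"/*) ;;
            *)
              echo "Error: app path resolves outside the workspace: $RESOLVED" >&2
              exit 1
              ;;
          esac

          echo "Will sign and notarize: $APP_PATH"
          echo "app_path=$APP_PATH" >> "$GITHUB_OUTPUT"

      - name: Setup for Signing
        id: setup-signing
        env:
          # Despite the name, this secret holds the Base64-encoded .p8 contents,
          # not a filesystem path.
          API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
        shell: bash
        run: |
          set -euo pipefail
          if [[ -z "$API_KEY_PATH" ]]; then
            echo "NOTARY_API_KEY_PATH secret is not set" >&2
            exit 1
          fi
          # Decode into the per-job temp dir (falling back to mktemp), never the
          # workspace, which persists between jobs on a self-hosted runner.
          # umask 077 makes the key readable only by the runner user.
          umask 077
          KEY_DIR="${RUNNER_TEMP:-$(mktemp -d)}"
          API_KEY_FILE="$KEY_DIR/api_key.p8"
          printf '%s' "$API_KEY_PATH" | base64 --decode > "$API_KEY_FILE"
          echo "api_key_file=$API_KEY_FILE" >> "$GITHUB_OUTPUT"

      - name: Sign macOS App
        # TODO(security): this action receives the signing certificate and its
        # password; pin it to a reviewed commit SHA rather than a mutable tag.
        uses: lando/code-sign-action@v3
        id: sign-app
        with:
          file: ${{ steps.validate-app.outputs.app_path }}
          certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
          certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
          certificate-id: ${{ secrets.APPLE_TEAM_ID }}
          options: --force --options runtime --deep --timestamp --entitlements ./LuckyRobots.entitlements

      - name: Notarize macOS App
        env:
          APP_PATH: ${{ steps.validate-app.outputs.app_path }}
          API_KEY_FILE: ${{ steps.setup-signing.outputs.api_key_file }}
          NOTARY_API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
          NOTARY_API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
        shell: bash
        run: |
          set -euo pipefail
          # ditto preserves symlinks/metadata inside the bundle, which matters
          # for keeping the signature valid; a plain `zip -r` does not.
          NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
          ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"

          echo "Submitting for notarization with API key..."
          xcrun notarytool submit "$NOTARIZE_APP_PATH" \
            --key "$API_KEY_FILE" \
            --key-id "$NOTARY_API_KEY_ID" \
            --issuer "$NOTARY_API_KEY_ISSUER_ID" \
            --wait

          # Stapling requires an issued ticket, so a rejected submission is
          # expected to fail the job here rather than produce an unstapled app.
          xcrun stapler staple "$APP_PATH"
          rm -f "$NOTARIZE_APP_PATH"

      - name: Remove notary API key
        # Runs on failure too: the decoded key must never survive the job.
        if: always()
        env:
          API_KEY_FILE: ${{ steps.setup-signing.outputs.api_key_file }}
        shell: bash
        run: |
          if [[ -n "${API_KEY_FILE:-}" ]]; then
            rm -f "$API_KEY_FILE"
          fi

      - name: Package macOS App
        env:
          APP_PATH: ${{ steps.validate-app.outputs.app_path }}
        shell: bash
        run: |
          set -euo pipefail
          APP_NAME=$(basename "$APP_PATH")
          # Absolute output path: a relative `../../` only works when the bundle
          # sits exactly two directories below the workspace.
          OUT_DIR="$GITHUB_WORKSPACE/TestSignedApps"
          mkdir -p "$OUT_DIR"

          echo "Creating test package..."
          # Same archiver as the notarization step so symlinks inside the
          # signed bundle are kept intact in the shipped zip.
          ditto -c -k --keepParent "$APP_PATH" "$OUT_DIR/Test-$APP_NAME.zip"
          echo "Created test package: TestSignedApps/Test-$APP_NAME.zip"
          echo "Test packaged apps:"
          ls -la "$OUT_DIR"

      - name: Upload Test Signed App
        # TODO(security): pin to a full commit SHA instead of a mutable tag.
        uses: actions/upload-artifact@v3
        if: success()
        with:
          name: TestSigned-macOS-App
          path: TestSignedApps/Test-*.zip
          retention-days: 7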