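---
# Test workflow: fetch a prebuilt macOS build, sign it, notarize it and
# upload the result as a short-lived artifact for inspection.
name: Test macOS Signing

on:  # yamllint disable-line rule:truthy
  push:
    branches: [ozgur/build]
  workflow_dispatch:  # Manual trigger is also available

jobs:
  test-signing:
    runs-on: macos  # runner label as configured for this forge
    steps:
      - name: Checkout repository
        # NOTE(review): actions are referenced by tag; pinning them to a full
        # commit SHA makes the signing pipeline's inputs immutable.
        uses: actions/checkout@v3
        with:
          lfs: true
          fetch-depth: 0

      - name: Download and Extract Artifact
        id: extract-artifact
        shell: bash
        run: |
          set -euo pipefail

          mkdir -p Builds/Mac

          # Fixed artifact URL for the build under test. The download is not
          # integrity-checked: whatever is served here is what gets signed, so
          # for anything beyond a test run verify a checksum of build.zip first.
          echo "Downloading build artifact..."
          ARTIFACT_URL="https://luckyrobots.com/LuckyRobots/LuckyWorld/actions/runs/84/artifacts/LuckyRobots-macOS"
          echo "Using artifact URL: $ARTIFACT_URL"

          # --fail: an HTTP error page must not be saved and unzipped as build.zip
          curl --fail --silent --show-error --location "$ARTIFACT_URL" -o build.zip

          # First unzip - Outer artifact zip file
          echo "Extracting outer zip file..."
          unzip -o build.zip -d temp_extract/
          echo "Contents of temp_extract:"
          ls -la temp_extract/

          # Second unzip - Inner macOS app package.
          # -print -quit yields the first match without piping into head, which
          # under pipefail can fail spuriously when head closes the pipe early.
          echo "Extracting inner zip file..."
          INNER_ZIP=$(find temp_extract -name "*.zip" -print -quit)
          if [[ -z "$INNER_ZIP" ]]; then
            echo "Could not find inner zip in artifact"
            exit 1
          fi
          echo "Found inner zip: $INNER_ZIP"
          unzip -o "$INNER_ZIP" -d Builds/Mac/

          # Recursive search for the .app directory
          echo "Searching for .app bundle..."
          APP_PATH=$(find Builds -type d -name "*.app" -print -quit 2>/dev/null)
          if [[ -z "$APP_PATH" ]]; then
            echo "Could not find app bundle in extracted files"
            echo "Contents of Builds directory:"
            find Builds -type d | sort
            echo "All directories in workspace:"
            find . -maxdepth 4 -type d | grep -v 'node_modules\|\.git' | sort
            exit 1
          fi

          # The bundle name comes from the downloaded artifact. A newline in it
          # would let it inject extra key=value pairs into GITHUB_OUTPUT.
          if [[ "$APP_PATH" == *$'\n'* ]]; then
            echo "Refusing app bundle path containing a newline"
            exit 1
          fi
          echo "Found app bundle: $APP_PATH"
          echo "app_path=$APP_PATH" >> "$GITHUB_OUTPUT"

      - name: Validate App Path
        id: validate-app
        # Passed through env rather than interpolated into the script body, so a
        # hostile bundle name (quotes, $(...)) cannot alter the shell script.
        env:
          APP_PATH: ${{ steps.extract-artifact.outputs.app_path }}
        shell: bash
        run: |
          set -euo pipefail
          echo "Validating path: $APP_PATH"
          if [[ ! -d "$APP_PATH" ]]; then
            echo "Error: Application path does not exist: $APP_PATH"
            exit 1
          fi
          echo "Will sign and notarize: $APP_PATH"
          echo "Contents of app bundle:"
          ls -la "$APP_PATH"
          echo "app_path=$APP_PATH" >> "$GITHUB_OUTPUT"

      - name: Setup for Signing
        id: setup-signing
        env:
          # Despite the name, this secret holds the Base64-encoded .p8 key content.
          API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
        shell: bash
        run: |
          set -euo pipefail
          # Keep the private key out of the checkout and unreadable to other
          # users. RUNNER_TEMP is cleared by the runner between jobs; the
          # workspace on a persistent runner is not.
          KEY_FILE="${RUNNER_TEMP:-$(pwd)}/api_key.p8"
          (umask 077 && printf '%s\n' "$API_KEY_PATH" | base64 --decode > "$KEY_FILE")
          if [[ ! -s "$KEY_FILE" ]]; then
            echo "Error: decoded notary API key is empty; check the NOTARY_API_KEY_PATH secret"
            exit 1
          fi
          echo "api_key_file=$KEY_FILE" >> "$GITHUB_OUTPUT"

      - name: Sign macOS App
        id: sign-app
        uses: lando/code-sign-action@v3
        with:
          file: ${{ steps.validate-app.outputs.app_path }}
          certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
          certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
          apple-team-id: "${{ secrets.APPLE_TEAM_ID }}"
          # Hardened runtime and a secure timestamp are required for notarization.
          options: "--force --options runtime --deep --timestamp --entitlements ./LuckyRobots.entitlements"

      - name: Notarize macOS App
        env:
          APP_PATH: ${{ steps.validate-app.outputs.app_path }}
          API_KEY_FILE: ${{ steps.setup-signing.outputs.api_key_file }}
          NOTARY_API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
          NOTARY_API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
        shell: bash
        run: |
          set -euo pipefail
          # notarytool takes a zip; --keepParent preserves the .app directory name
          NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
          ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"

          echo "Submitting for notarization with API key..."
          xcrun notarytool submit "$NOTARIZE_APP_PATH" \
            --key "$API_KEY_FILE" \
            --key-id "$NOTARY_API_KEY_ID" \
            --issuer "$NOTARY_API_KEY_ISSUER_ID" \
            --wait

          # Staple the ticket so Gatekeeper can verify offline, then confirm
          # that both the stapled ticket and the signature are valid.
          xcrun stapler staple "$APP_PATH"
          xcrun stapler validate "$APP_PATH"
          codesign --verify --deep --strict --verbose=2 "$APP_PATH"

          rm -f "$NOTARIZE_APP_PATH"

      - name: Remove notary API key
        # Runs even when signing or notarization fails, so the private key
        # never outlives the job on the runner.
        if: always()
        env:
          API_KEY_FILE: ${{ steps.setup-signing.outputs.api_key_file }}
        shell: bash
        run: |
          if [[ -n "$API_KEY_FILE" ]]; then
            rm -f "$API_KEY_FILE"
          fi

      - name: Package macOS App
        env:
          APP_PATH: ${{ steps.validate-app.outputs.app_path }}
        shell: bash
        run: |
          set -euo pipefail
          APP_NAME=$(basename "$APP_PATH")
          DIR_PATH=$(dirname "$APP_PATH")

          mkdir -p TestSignedApps
          # Resolve the output path before cd'ing: a relative "../../" only
          # works when the bundle sits exactly two directories deep.
          OUT_ZIP="$(pwd)/TestSignedApps/Test-$APP_NAME.zip"

          echo "Creating test package..."
          # -y keeps symlinks (framework Versions/Current) instead of copying
          # their targets, so the signed bundle round-trips intact.
          (cd "$DIR_PATH" && zip -r -y "$OUT_ZIP" "$APP_NAME")
          echo "Created test package: TestSignedApps/Test-$APP_NAME.zip"
          echo "Test packaged apps:"
          ls -la TestSignedApps/

      - name: Upload Test Signed App
        uses: actions/upload-artifact@v3
        if: success()
        with:
          name: TestSigned-macOS-App
          path: TestSignedApps/Test-*.zip
          retention-days: 7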