name: Test macOS Build Action on: workflow_dispatch: # Manual trigger only for testing push: branches: [ozgur/build] jobs: test-macos-build: runs-on: macos steps: - name: Checkout repository uses: actions/checkout@v3 with: lfs: true fetch-depth: 0 - name: Check entitlements file run: | # Check if entitlements files exist if [ -f "LuckyWorld.entitlements" ]; then echo "Using existing LuckyWorld.entitlements file" ENTITLEMENTS_FILE="LuckyWorld.entitlements" elif [ -f "LuckyRobots.entitlements" ]; then echo "Using existing LuckyRobots.entitlements file" ENTITLEMENTS_FILE="LuckyRobots.entitlements" else echo "Creating default entitlements file as LuckyWorld.entitlements" # Create entitlements file line by line instead of heredoc echo '' > LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements echo ' com.apple.security.cs.allow-jit' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.cs.allow-unsigned-executable-memory' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.cs.disable-library-validation' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.cs.allow-dyld-environment-variables' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.device.audio-input' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.device.camera' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements ENTITLEMENTS_FILE="LuckyWorld.entitlements" fi echo "Using entitlements file: $ENTITLEMENTS_FILE" echo "ENTITLEMENTS_FILE=$ENTITLEMENTS_FILE" >> "$GITHUB_ENV" shell: bash # Step 1: Setup environment - name: Setup environment run: | # Use the correct path where Unreal Engine is installed UE_PATH="/Users/Shared/Epic Games/UE_5.5" if [ ! -d "$UE_PATH" ]; then echo "Warning: Unreal Engine is not installed in the expected location" echo "This is expected in CI environment - continuing anyway" fi # Create directories for builds mkdir -p Builds/Mac mkdir -p PackagedReleases echo "Using Unreal Engine 5.5" # Get the working directory path for absolute paths WORKSPACE_DIR="$(pwd)" echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV" shell: bash # Step 2: Build for macOS - name: Build for macOS run: | if [ -f "./scripts/mac_build.sh" ]; then chmod +x ./scripts/mac_build.sh ./scripts/mac_build.sh else echo "Build script not found, skipping this step" fi shell: bash # Step 3: Create keychain and import certificate - name: Create keychain and import certificate env: CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }} CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} run: | # Debug: Print working directory echo "Current working directory: $(pwd)" echo "Contents of Builds directory:" find Builds -type d | sort # Check what saved builds we have echo "Contents of Saved/StagedBuilds directory (if exists):" find ./Saved -type d -name "*.app" 2>/dev/null || echo "No .app bundles found in Saved/" # Create temporary directory for keychain and certificates TEMP_DIR=$(mktemp -d) KEYCHAIN_PATH="$TEMP_DIR/build.keychain" KEYCHAIN_PASSWORD="temporary$(date +%s)" echo "Creating keychain at: $KEYCHAIN_PATH" # Create and configure keychain security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" # Add to keychain list and make it default security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g) security default-keychain -s "$KEYCHAIN_PATH" # Decode certificate to temporary directory CERT_PATH="$TEMP_DIR/certificate.p12" echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH" # Import certificate with correct flags for automated use security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 # Set partition list - important for automated signing without UI prompts security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" # Get the certificate's Common Name and SHA-1 fingerprint for signing echo "Listing available codesigning identities:" security find-identity -v -p codesigning "$KEYCHAIN_PATH" # Get the certificate ID (SHA-1 fingerprint) - this is more reliable than using the name CERT_ID=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -o '[0-9A-F]\{40\}' | head -1) if [ -z "$CERT_ID" ]; then echo "⚠️ No valid signing certificate found in keychain" exit 1 fi echo "Using certificate ID: $CERT_ID" echo "CERT_ID=$CERT_ID" >> "$GITHUB_ENV" echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV" echo "Certificate imported successfully" shell: bash # Step 4: Find and prep app for signing - name: Find and prep app for signing run: | # First check Saved/StagedBuilds directory - where Unreal often places built apps echo "Checking Saved/StagedBuilds directory..." APP_PATHS=$(find ./Saved/StagedBuilds -type d -name "*.app" 2>/dev/null) # If not found, check Builds directory if [ -z "$APP_PATHS" ]; then echo "Checking Builds directory..." APP_PATHS=$(find ./Builds -type d -name "*.app" 2>/dev/null) fi # If still not found, check the whole workspace if [ -z "$APP_PATHS" ]; then echo "Checking entire workspace..." APP_PATHS=$(find . -type d -name "*.app" -not -path "*/\.*" 2>/dev/null) fi if [ -z "$APP_PATHS" ]; then echo "ERROR: Could not find any app bundles!" echo "Listing all directories to help debug:" find . -type d -maxdepth 3 | sort exit 1 fi echo "Found potential app bundles:" echo "$APP_PATHS" # Use the first app path found APP_PATH=$(echo "$APP_PATHS" | head -1) # Get app name for later use APP_NAME=$(basename "$APP_PATH") echo "Using app bundle: $APP_PATH" echo "App name: $APP_NAME" echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV" echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV" shell: bash # Step 5: Sign application with codesign - improved based on forums - name: Sign application env: APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} run: | echo "Signing app bundle: $APP_PATH" echo "Using entitlements file: $ENTITLEMENTS_FILE" echo "Using certificate ID: $CERT_ID" # Make sure keychain is accessible security unlock-keychain -p "$(security find-generic-password -a ${USER} -s login -w)" login.keychain security unlock-keychain -p "temporary" "$KEYCHAIN_PATH" || true # Sign all dylib files echo "🔍 Signing all .dylib files..." find "$APP_PATH" -type f -name "*.dylib" | while read DYLIB; do echo "Signing dylib: $DYLIB" codesign --force --options runtime --timestamp --sign "$CERT_ID" "$DYLIB" done # Sign all .so files echo "🔍 Signing all .so files..." find "$APP_PATH" -type f -name "*.so" | while read SO; do echo "Signing .so: $SO" codesign --force --options runtime --timestamp --sign "$CERT_ID" "$SO" done # Sign all executables in frameworks echo "🔍 Signing framework executables..." find "$APP_PATH" -path "*.framework/*" -type f -perm +111 | while read FMWK_BIN; do echo "Signing framework binary: $FMWK_BIN" codesign --force --options runtime --timestamp --sign "$CERT_ID" "$FMWK_BIN" done # Sign all other executables echo "🔍 Signing other executables..." find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | while read EXEC; do echo "Signing executable: $EXEC" codesign --force --options runtime --timestamp --sign "$CERT_ID" "$EXEC" done # Sign all frameworks echo "🔍 Signing frameworks..." find "$APP_PATH" -name "*.framework" -type d | while read FRAMEWORK; do echo "Signing framework: $FRAMEWORK" codesign --force --options runtime --timestamp --sign "$CERT_ID" "$FRAMEWORK" done # Finally sign the app bundle itself with entitlements echo "🔍 Signing the main app bundle with entitlements..." codesign --force --options runtime --deep --timestamp --verbose --sign "$CERT_ID" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH" # Verify signature echo "Verifying signature..." codesign --verify --verbose "$APP_PATH" # Use spctl to check if app is acceptable by Gatekeeper echo "Checking if app will pass Gatekeeper validation..." spctl -vvv --assess --type exec "$APP_PATH" if [ $? -eq 0 ]; then echo "✅ Code signing and Gatekeeper validation was successful" else echo "⚠️ Gatekeeper validation had warnings, but continuing with notarization" fi shell: bash # Step 6: Notarize application - name: Notarize application env: API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }} API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }} API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }} run: | echo "Preparing for notarization..." # Create API key file echo "$API_KEY_PATH" | base64 --decode > api_key.p8 API_KEY_FILE="$(pwd)/api_key.p8" # Create a zip archive for notarization NOTARIZE_APP_PATH="LuckyWorld-notarize.zip" echo "Creating archive for notarization: $NOTARIZE_APP_PATH" # Use ditto to preserve bundle structure ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH" # Check if zip file was created successfully if [ ! -f "$NOTARIZE_APP_PATH" ]; then echo "❌ Failed to create notarization archive" exit 1 fi echo "Submitting for notarization..." echo "API Key ID: $API_KEY_ID" echo "API Key File: $API_KEY_FILE" # Submit for notarization using API key NOTARIZE_OUTPUT=$(xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait) echo "Notarization response:" echo "$NOTARIZE_OUTPUT" # Check if notarization was successful if [[ "$NOTARIZE_OUTPUT" =~ "status: Accepted" ]]; then echo "✅ Notarization successful" else echo "⚠️ Notarization may have failed. Checking status..." # Extract submission ID if available SUBMISSION_ID=$(echo "$NOTARIZE_OUTPUT" | grep "id:" | awk '{print $2}') if [ -n "$SUBMISSION_ID" ]; then echo "Checking submission $SUBMISSION_ID..." xcrun notarytool info "$SUBMISSION_ID" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" # Continue even if notarization failed - we'll staple if possible echo "⚠️ Continuing despite potential notarization issues..." else echo "⚠️ No submission ID found. Continuing anyway..." fi fi # Staple the notarization ticket to the app echo "Stapling notarization ticket to app..." xcrun stapler staple "$APP_PATH" # Verify stapling echo "Verifying stapling..." stapler validate "$APP_PATH" if [ $? -eq 0 ]; then echo "✅ Stapling successful" else echo "⚠️ Stapling verification may have failed. This is sometimes expected for new apps." echo "⚠️ Continuing with packaging..." fi # Clean up rm -f "$NOTARIZE_APP_PATH" "$API_KEY_FILE" shell: bash # Step 7: Package macOS App - name: Package macOS App run: | echo "Packaging signed app bundle: $APP_PATH" # Create zip package (cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS.zip" "$(basename "$APP_PATH")") echo "Created packaged release: PackagedReleases/LuckyWorld-macOS.zip" echo "Packaged releases:" ls -la PackagedReleases/ shell: bash # Step 8: Upload macOS Build Artifact - name: Upload macOS Build Artifact uses: actions/upload-artifact@v3 if: success() with: name: LuckyWorld-macOS path: PackagedReleases/LuckyWorld-macOS.zip retention-days: 365 # Step 9: Cleanup - name: Cleanup if: always() run: | # Clean up keychain and certificates if [ -n "$KEYCHAIN_PATH" ]; then security delete-keychain "$KEYCHAIN_PATH" || true fi # Clean up certificate files rm -f certificate.p12 api_key.p8 || true echo "Cleanup complete" shell: bash