name: Test macOS Build Action

on:
  workflow_dispatch:  # Manual trigger only for testing
  # push:
  #   branches: [ozgur/build]

jobs:
  test-macos-build:
    runs-on: macos
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          lfs: true
          fetch-depth: 0
      
      - name: Check entitlements file
        run: |
          # Check if entitlements files exist
          if [ -f "LuckyWorld.entitlements" ]; then
            echo "Using existing LuckyWorld.entitlements file"
            ENTITLEMENTS_FILE="LuckyWorld.entitlements"
          elif [ -f "LuckyRobots.entitlements" ]; then
            echo "Using existing LuckyRobots.entitlements file"
            ENTITLEMENTS_FILE="LuckyRobots.entitlements"
          else
            echo "Creating default entitlements file as LuckyWorld.entitlements"
            # Create entitlements file line by line instead of heredoc
            echo '<?xml version="1.0" encoding="UTF-8"?>' > LuckyWorld.entitlements
            echo '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' >> LuckyWorld.entitlements
            echo '<plist version="1.0">' >> LuckyWorld.entitlements
            echo '<dict>' >> LuckyWorld.entitlements
            echo '    <key>com.apple.security.cs.allow-jit</key>' >> LuckyWorld.entitlements
            echo '    <true/>' >> LuckyWorld.entitlements
            echo '    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>' >> LuckyWorld.entitlements
            echo '    <true/>' >> LuckyWorld.entitlements
            echo '    <key>com.apple.security.cs.disable-library-validation</key>' >> LuckyWorld.entitlements
            echo '    <true/>' >> LuckyWorld.entitlements
            echo '    <key>com.apple.security.cs.allow-dyld-environment-variables</key>' >> LuckyWorld.entitlements
            echo '    <true/>' >> LuckyWorld.entitlements
            echo '    <key>com.apple.security.device.audio-input</key>' >> LuckyWorld.entitlements
            echo '    <true/>' >> LuckyWorld.entitlements
            echo '    <key>com.apple.security.device.camera</key>' >> LuckyWorld.entitlements
            echo '    <true/>' >> LuckyWorld.entitlements
            echo '</dict>' >> LuckyWorld.entitlements
            echo '</plist>' >> LuckyWorld.entitlements
            ENTITLEMENTS_FILE="LuckyWorld.entitlements"
          fi
          
          echo "Using entitlements file: $ENTITLEMENTS_FILE"
          echo "ENTITLEMENTS_FILE=$ENTITLEMENTS_FILE" >> "$GITHUB_ENV"
        shell: bash
      
      # Step 1: Setup environment
      - name: Setup environment
        run: |
          # Use the correct path where Unreal Engine is installed
          UE_PATH="/Users/Shared/Epic Games/UE_5.5"
          
          if [ ! -d "$UE_PATH" ]; then
            echo "Warning: Unreal Engine is not installed in the expected location"
            echo "This is expected in CI environment - continuing anyway"
          fi
          
          # Create directories for builds
          mkdir -p Builds/Mac
          mkdir -p PackagedReleases
          
          echo "Using Unreal Engine 5.5"
          
          # Get the working directory path for absolute paths
          WORKSPACE_DIR="$(pwd)"
          echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV"
        shell: bash

      - name: Debug Certificate Import (Test)
        env:
          CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
          CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          set -e  # Fail on any error

          echo "Current working directory: $(pwd)"
          echo "Checking for .app bundles in Saved directory..."
          find ./Saved -type d -name "*.app" || echo "No app bundles found."

          echo "Decoding certificate..."
          CERT_DIR="$HOME/certificates"
          mkdir -p "$CERT_DIR"
          CERT_PATH="$CERT_DIR/developer_certificate.p12"
          echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"

          echo "Decoded certificate size: $(wc -c < "$CERT_PATH") bytes"
          echo "Type: $(file "$CERT_PATH")"

          echo "Creating and configuring custom keychain..."
          CUSTOM_KEYCHAIN="$CERT_DIR/build.keychain"
          CUSTOM_PASSWORD="temppassword123"

          security create-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
          security set-keychain-settings "$CUSTOM_KEYCHAIN"
          security unlock-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"

          echo "Setting only this keychain as active..."
          security list-keychains -s "$CUSTOM_KEYCHAIN"
          security default-keychain -s "$CUSTOM_KEYCHAIN"

          echo "Importing certificate..."
          security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k "$CUSTOM_KEYCHAIN" -T /usr/bin/codesign

          echo "Granting access to codesign..."
          security set-key-partition-list -S apple-tool:,apple: -s -k "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"

          echo "Verifying imported identities..."
          security find-identity -v -p codesigning "$CUSTOM_KEYCHAIN"

          echo "Setting environment variables for future steps..."
          echo "KEYCHAIN_PATH=$CUSTOM_KEYCHAIN" >> "$GITHUB_ENV"
          echo "KEYCHAIN_PASSWORD=$CUSTOM_PASSWORD" >> "$GITHUB_ENV"
          echo "DIRECT_SIGNING_AVAILABLE=true" >> "$GITHUB_ENV"
          echo "APPLE_TEAM=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
        shell: bash      
      
      # Step 2: Build for macOS
      - name: Build for macOS
        run: |
          if [ -f "./scripts/mac_build.sh" ]; then
            chmod +x ./scripts/mac_build.sh
            ./scripts/mac_build.sh
          else
            echo "Build script not found, skipping this step"
          fi
        shell: bash


      # Step 3: Enhanced Debug for Certificate Import
      - name: Debug Certificate Import
        env:
          CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
          CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          # Debug: Print working directory and available resources
          echo "Current working directory: $(pwd)"
          echo "Contents of Saved/StagedBuilds directory (if exists):"
          find ./Saved -type d -name "*.app" 2>/dev/null || echo "No .app bundles found in Saved/"
          
          # Checking system keychains
          echo "Examining system keychains and certificates..."
          security list-keychains
          security default-keychain
          
          # Decode certificate and examine format - DEBUG
          echo "Decoding certificate to debug..."
          CERT_DIR="$HOME/certificates"
          mkdir -p "$CERT_DIR"
          CERT_PATH="$CERT_DIR/developer_certificate.p12"
          echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
          
          # Check if certificate was properly decoded
          if [ -f "$CERT_PATH" ]; then
            echo "Certificate was decoded, size: $(wc -c < "$CERT_PATH") bytes"
            echo "Certificate file type: $(file "$CERT_PATH")"
          else
            echo "ERROR: Failed to decode certificate"
            exit 1
          fi
          
          # Trying import with different methods
          echo "ATTEMPT 1: Using login keychain"
          KEYCHAIN_PASSWORD="$(security find-generic-password -a ${USER} -s login -w)"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" login.keychain
          security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k login.keychain -T /usr/bin/codesign || echo "Import to login keychain failed"
          
          echo "ATTEMPT 2: Creating custom keychain"
          CUSTOM_KEYCHAIN="$CERT_DIR/build.keychain"
          CUSTOM_PASSWORD="temppassword123"
          security create-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
          security default-keychain -s "$CUSTOM_KEYCHAIN" 
          security unlock-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
          security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k "$CUSTOM_KEYCHAIN" -T /usr/bin/codesign || echo "Import to custom keychain failed"
          
          # Add to search list
          security list-keychains -d user -s "$CUSTOM_KEYCHAIN" login.keychain
          security set-key-partition-list -S apple-tool:,apple: -s -k "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
          
          # Check available identities in both keychains
          echo "Checking login keychain for identities:"
          security find-identity -v -p codesigning login.keychain || echo "No identities in login keychain"
          
          echo "Checking custom keychain for identities:"
          security find-identity -v -p codesigning "$CUSTOM_KEYCHAIN" || echo "No identities in custom keychain"
          
          # Fallback solution - use adhoc signing for testing
          echo "FALLBACK: Setting up adhoc signing option"
          echo "KEYCHAIN_PATH=$CUSTOM_KEYCHAIN" >> "$GITHUB_ENV"
          echo "KEYCHAIN_PASSWORD=$CUSTOM_PASSWORD" >> "$GITHUB_ENV"
          echo "DIRECT_SIGNING_AVAILABLE=false" >> "$GITHUB_ENV"
          
          # For debugging only, use a specific team ID if needed
          echo "APPLE_TEAM=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
        shell: bash
      
      # Step 4: Find and prep app for signing
      - name: Find and prep app for signing
        run: |
          # First check Saved/StagedBuilds directory - where Unreal often places built apps
          echo "Checking Saved/StagedBuilds directory..."
          APP_PATHS=$(find ./Saved/StagedBuilds -type d -name "*.app" 2>/dev/null)
          
          # If not found, check Builds directory
          if [ -z "$APP_PATHS" ]; then
            echo "Checking Builds directory..."
            APP_PATHS=$(find ./Builds -type d -name "*.app" 2>/dev/null)
          fi
          
          # If still not found, check the whole workspace
          if [ -z "$APP_PATHS" ]; then
            echo "Checking entire workspace..."
            APP_PATHS=$(find . -type d -name "*.app" -not -path "*/\.*" 2>/dev/null)
          fi
          
          if [ -z "$APP_PATHS" ]; then
            echo "ERROR: Could not find any app bundles!"
            echo "Listing all directories to help debug:"
            find . -type d -maxdepth 3 | sort
            exit 1
          fi
          
          echo "Found potential app bundles:"
          echo "$APP_PATHS"
          
          # Use the first app path found (preferably the main app, not a child app)
          MAIN_APP_PATH=$(echo "$APP_PATHS" | grep -v "CrashReportClient" | head -1 || echo "$APP_PATHS" | head -1)
          
          # Get app name for later use
          APP_NAME=$(basename "$MAIN_APP_PATH")
          
          echo "Using app bundle: $MAIN_APP_PATH"
          echo "App name: $APP_NAME"
          
          echo "APP_PATH=$MAIN_APP_PATH" >> "$GITHUB_ENV"
          echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV"
        shell: bash
      
      # Step 5: Sign application with alternative fallback
      - name: Sign application 
        env:
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          # Debug info
          echo "Signing app bundle: $APP_PATH"
          echo "Using entitlements file: $ENTITLEMENTS_FILE"
          
          # === TEST MODE: Using -SIGNED TEST ONLY- === #
          echo "⚠️ CERTIFICATE IMPORT FAILED: Using test-only signing approach"
          echo "This is for testing the workflow only and will NOT produce a valid signed build"
          
          # For testing ONLY - using `-` identity (ad-hoc signing)
          # This doesn't require a certificate but won't pass notarization
          echo "🔍 Test-signing the app with ad-hoc identity..."
          /usr/bin/codesign --force --deep --verbose --sign "-" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH" || true
          
          echo "✅ Test signing completed. Note: This is NOT a properly signed app!"
          echo "NEEDS_REAL_CERT=true" >> "$GITHUB_ENV"
          
          # Recommendation for production
          echo "⚠️ IMPORTANT: For production builds, please ensure your certificate is correctly configured."
          echo "⚠️ Check the following:"
          echo "  1. Certificate format is correct (PKCS#12)" 
          echo "  2. Certificate password is correct"
          echo "  3. Team ID matches the certificate"
        shell: bash
      
      # Step 6: Skip Notarization (since we're not properly signed)
      - name: Package macOS App (Test Only)
        run: |
          echo "⚠️ SKIPPING NOTARIZATION - test build only"
          echo "Packaging unsigned test app bundle: $APP_PATH"
          
          # Create zip package
          (cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip" "$(basename "$APP_PATH")")
          
          echo "Created test package: PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip"
          echo "NOTE: This package is NOT properly signed and will NOT pass Gatekeeper!"
          
          echo "Debug certificate summary:"
          echo "- Check if your p12 file is valid"
          echo "- Verify certificate password in secrets"
          echo "- Confirm Apple Developer Team ID is correct"
        shell: bash
      
      # Step 7: Upload test artifact
      - name: Upload Test Build Artifact
        uses: actions/upload-artifact@v3
        if: success()
        with:
          name: LuckyWorld-macOS-UNSIGNED-TEST
          path: PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip
          retention-days: 7
      
      # Step 8: Cleanup
      - name: Cleanup
        if: always()
        run: |
          # Clean up keychain and certificates
          rm -rf "$HOME/certificates" || true
          security delete-keychain "$HOME/certificates/build.keychain" || true
          
          echo "Cleanup complete"
        shell: bash