Ozgur Ersoy
4daf6d1176
Some checks failed
Test macOS Signing / test-signing (push) Failing after 2m15s
177 lines
6.2 KiB
YAML
177 lines
6.2 KiB
YAML
name: Test macOS Signing
|
|
|
|
on:
|
|
push:
|
|
branches: [ozgur/build]
|
|
workflow_dispatch: # Manual trigger is also available
|
|
|
|
jobs:
|
|
test-signing:
|
|
runs-on: macos
|
|
steps:
|
|
- name: Create Entitlements File
|
|
run: |
|
|
# Create entitlements file inline
|
|
cat > LuckyRobots.entitlements << EOF
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
<plist version="1.0">
|
|
<dict>
|
|
<key>com.apple.security.cs.allow-jit</key>
|
|
<true/>
|
|
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
|
|
<true/>
|
|
<key>com.apple.security.cs.disable-library-validation</key>
|
|
<true/>
|
|
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
|
|
<true/>
|
|
<key>com.apple.security.device.audio-input</key>
|
|
<true/>
|
|
<key>com.apple.security.device.camera</key>
|
|
<true/>
|
|
</dict>
|
|
</plist>
|
|
EOF
|
|
|
|
echo "Created entitlements file:"
|
|
cat LuckyRobots.entitlements
|
|
shell: bash
|
|
|
|
- name: Download and Extract Artifact
|
|
id: extract-artifact
|
|
run: |
|
|
# Create directories
|
|
mkdir -p Builds/Mac
|
|
|
|
# Download specific artifact
|
|
echo "Downloading build artifact..."
|
|
|
|
# Use fixed artifact URL
|
|
ARTIFACT_URL="https://luckyrobots.com/LuckyRobots/LuckyWorld/actions/runs/84/artifacts/LuckyRobots-macOS"
|
|
|
|
echo "Using artifact URL: $ARTIFACT_URL"
|
|
|
|
# Download the artifact
|
|
curl -L "$ARTIFACT_URL" -o build.zip
|
|
|
|
# First unzip - Outer artifact zip file
|
|
echo "Extracting outer zip file..."
|
|
unzip -o build.zip -d temp_extract/
|
|
|
|
# List the contents of temp_extract
|
|
echo "Contents of temp_extract:"
|
|
ls -la temp_extract/
|
|
|
|
# Second unzip - Inner macOS app package
|
|
echo "Extracting inner zip file..."
|
|
INNER_ZIP=$(find temp_extract -name "*.zip" | head -1)
|
|
|
|
if [[ -z "$INNER_ZIP" ]]; then
|
|
echo "Could not find inner zip in artifact"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Found inner zip: $INNER_ZIP"
|
|
unzip -o "$INNER_ZIP" -d Builds/Mac/
|
|
|
|
# Recursive search for .app directory
|
|
echo "Searching for .app bundle..."
|
|
APP_PATH=$(find Builds -type d -name "*.app" -print 2>/dev/null | head -1)
|
|
|
|
if [[ -z "$APP_PATH" ]]; then
|
|
echo "Could not find app bundle in extracted files"
|
|
echo "Contents of Builds directory:"
|
|
find Builds -type d | sort
|
|
echo "All directories in workspace:"
|
|
find . -type d -maxdepth 4 | grep -v "node_modules\|.git" | sort
|
|
exit 1
|
|
fi
|
|
|
|
echo "Found app bundle: $APP_PATH"
|
|
echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT
|
|
shell: bash
|
|
|
|
- name: Validate App Path
|
|
id: validate-app
|
|
run: |
|
|
APP_PATH="${{ steps.extract-artifact.outputs.app_path }}"
|
|
|
|
echo "Validating path: $APP_PATH"
|
|
|
|
if [ ! -d "$APP_PATH" ]; then
|
|
echo "Error: Application path does not exist: $APP_PATH"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Will sign and notarize: $APP_PATH"
|
|
echo "Contents of app bundle:"
|
|
ls -la "$APP_PATH"
|
|
echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT
|
|
shell: bash
|
|
|
|
- name: Setup for Signing
|
|
id: setup-signing
|
|
env:
|
|
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
|
|
run: |
|
|
# Decode the API key from Base64 secret
|
|
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
|
|
echo "api_key_file=$(pwd)/api_key.p8" >> $GITHUB_OUTPUT
|
|
shell: bash
|
|
|
|
- name: Sign macOS App
|
|
uses: lando/code-sign-action@v3
|
|
id: sign-app
|
|
with:
|
|
file: ${{ steps.validate-app.outputs.app_path }}
|
|
certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
|
|
certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
|
apple-team-id: "${{ secrets.APPLE_TEAM_ID }}"
|
|
options: --force --options runtime --deep --timestamp --entitlements ./LuckyRobots.entitlements
|
|
|
|
- name: Notarize macOS App
|
|
run: |
|
|
# Create a temporary file for notarization
|
|
APP_PATH="${{ steps.validate-app.outputs.app_path }}"
|
|
NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
|
|
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
|
|
|
|
API_KEY_FILE="${{ steps.setup-signing.outputs.api_key_file }}"
|
|
|
|
# Submit for notarization using API key
|
|
echo "Submitting for notarization with API key..."
|
|
xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "${{ secrets.NOTARY_API_KEY_ID }}" --issuer "${{ secrets.NOTARY_API_KEY_ISSUER_ID }}" --wait
|
|
|
|
# Staple the ticket to the application
|
|
xcrun stapler staple "$APP_PATH"
|
|
|
|
# Clean up the API key file
|
|
rm -f "$API_KEY_FILE"
|
|
rm -f "$NOTARIZE_APP_PATH"
|
|
shell: bash
|
|
|
|
- name: Package macOS App
|
|
run: |
|
|
# Package the signed and notarized app
|
|
APP_PATH="${{ steps.validate-app.outputs.app_path }}"
|
|
APP_NAME=$(basename "$APP_PATH")
|
|
DIR_PATH=$(dirname "$APP_PATH")
|
|
|
|
# Create test output directory
|
|
mkdir -p TestSignedApps
|
|
|
|
echo "Creating test package..."
|
|
(cd "$DIR_PATH" && zip -r "../../TestSignedApps/Test-$APP_NAME.zip" "$APP_NAME")
|
|
echo "Created test package: TestSignedApps/Test-$APP_NAME.zip"
|
|
|
|
echo "Test packaged apps:"
|
|
ls -la TestSignedApps/
|
|
shell: bash
|
|
|
|
- name: Upload Test Signed App
|
|
uses: actions/upload-artifact@v3
|
|
if: success()
|
|
with:
|
|
name: TestSigned-macOS-App
|
|
path: TestSignedApps/Test-*.zip
|
|
retention-days: 7 |