LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions 1 Packages Projects 1 Releases 13 Wiki Activity
LuckyWorld/.gitea/workflows/test-macos-build.yml
Ozgur Ersoy 515c4c34b5
Some checks failed
Test macOS Build Action / test-macos-build (push) Failing after 27m51s
Details
fix(workflows): simplify macOS build workflow with enhanced debugging and direct signing approach
2025-04-13 23:52:42 +02:00

341 lines
14 KiB
YAML
Raw Blame History

name: Test macOS Build Action
on:
workflow_dispatch: # Manual trigger only for testing
push:
branches: [ozgur/build]
jobs:
test-macos-build:
runs-on: macos
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
lfs: true
fetch-depth: 0
- name: Check entitlements file
run: |
# Check if entitlements files exist
if [ -f "LuckyWorld.entitlements" ]; then
echo "Using existing LuckyWorld.entitlements file"
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
elif [ -f "LuckyRobots.entitlements" ]; then
echo "Using existing LuckyRobots.entitlements file"
ENTITLEMENTS_FILE="LuckyRobots.entitlements"
else
echo "Creating default entitlements file as LuckyWorld.entitlements"
# Create entitlements file line by line instead of heredoc
echo '<?xml version="1.0" encoding="UTF-8"?>' > LuckyWorld.entitlements
echo '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' >> LuckyWorld.entitlements
echo '<plist version="1.0">' >> LuckyWorld.entitlements
echo '<dict>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.cs.allow-jit</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.cs.allow-unsigned-executable-memory</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.cs.disable-library-validation</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.cs.allow-dyld-environment-variables</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.device.audio-input</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.device.camera</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo '</dict>' >> LuckyWorld.entitlements
echo '</plist>' >> LuckyWorld.entitlements
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
fi
echo "Using entitlements file: $ENTITLEMENTS_FILE"
echo "ENTITLEMENTS_FILE=$ENTITLEMENTS_FILE" >> "$GITHUB_ENV"
shell: bash
# Step 1: Setup environment
- name: Setup environment
run: |
# Use the correct path where Unreal Engine is installed
UE_PATH="/Users/Shared/Epic Games/UE_5.5"
if [ ! -d "$UE_PATH" ]; then
echo "Warning: Unreal Engine is not installed in the expected location"
echo "This is expected in CI environment - continuing anyway"
fi
# Create directories for builds
mkdir -p Builds/Mac
mkdir -p PackagedReleases
echo "Using Unreal Engine 5.5"
# Get the working directory path for absolute paths
WORKSPACE_DIR="$(pwd)"
echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV"
shell: bash
# Step 2: Build for macOS
- name: Build for macOS
run: |
if [ -f "./scripts/mac_build.sh" ]; then
chmod +x ./scripts/mac_build.sh
./scripts/mac_build.sh
else
echo "Build script not found, skipping this step"
fi
shell: bash
# Step 3: Create keychain and import certificate - SIMPLIFIED for debugging
- name: Create keychain and import certificate
env:
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
# Debug: Print working directory and available resources
echo "Current working directory: $(pwd)"
echo "Contents of Builds directory:"
find Builds -type d | sort
echo "Contents of Saved/StagedBuilds directory (if exists):"
find ./Saved -type d -name "*.app" 2>/dev/null || echo "No .app bundles found in Saved/"
# Decode certificate to working directory for simplicity
echo "Decoding certificate..."
echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12
ls -la certificate.p12
# Create a simple local keychain
echo "Creating login keychain..."
KEYCHAIN_PATH="$HOME/Library/Keychains/build.keychain-db"
KEYCHAIN_PASSWORD="temp$(date +%s)"
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security default-keychain -s "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Debug import step
echo "Importing certificate with flags: -P [PWD] -k $KEYCHAIN_PATH"
security import certificate.p12 -P "$CERTIFICATE_PASSWORD" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
# Set partition list for automation
echo "Setting key partition list..."
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Check for identities - DEBUG
echo "Listing identities after import:"
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
# Verify Apple Team ID matches certificate
echo "Expected Apple Team ID: $APPLE_TEAM_ID"
# Get a more detailed certificate info for debugging
echo "Certificate details:"
security find-certificate -a -c "Developer ID" -p "$KEYCHAIN_PATH" | openssl x509 -text | grep -E "Subject:|Issuer:|Not Before:|Not After :|Serial Number:" || echo "No certificate details found"
# Use alternative approach to get signing identity
SIGNING_IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | sed -E 's/.*\"Developer ID Application: ([^\"]+).*/\1/g' || echo "")
if [ -z "$SIGNING_IDENTITY" ]; then
# Try with certificate CN directly
SIGNING_IDENTITY="Developer ID Application: $APPLE_TEAM_ID"
echo "Using APPLE_TEAM_ID directly: $SIGNING_IDENTITY"
else
echo "Found signing identity: $SIGNING_IDENTITY"
fi
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
echo "SIGNING_IDENTITY=$SIGNING_IDENTITY" >> "$GITHUB_ENV"
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
# Add to search list if needed
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
shell: bash
# Step 4: Find and prep app for signing
- name: Find and prep app for signing
run: |
# First check Saved/StagedBuilds directory - where Unreal often places built apps
echo "Checking Saved/StagedBuilds directory..."
APP_PATHS=$(find ./Saved/StagedBuilds -type d -name "*.app" 2>/dev/null)
# If not found, check Builds directory
if [ -z "$APP_PATHS" ]; then
echo "Checking Builds directory..."
APP_PATHS=$(find ./Builds -type d -name "*.app" 2>/dev/null)
fi
# If still not found, check the whole workspace
if [ -z "$APP_PATHS" ]; then
echo "Checking entire workspace..."
APP_PATHS=$(find . -type d -name "*.app" -not -path "*/\.*" 2>/dev/null)
fi
if [ -z "$APP_PATHS" ]; then
echo "ERROR: Could not find any app bundles!"
echo "Listing all directories to help debug:"
find . -type d -maxdepth 3 | sort
exit 1
fi
echo "Found potential app bundles:"
echo "$APP_PATHS"
# Use the first app path found (preferably the main app, not a child app)
MAIN_APP_PATH=$(echo "$APP_PATHS" | grep -v "CrashReportClient" | head -1 || echo "$APP_PATHS" | head -1)
# Get app name for later use
APP_NAME=$(basename "$MAIN_APP_PATH")
echo "Using app bundle: $MAIN_APP_PATH"
echo "App name: $APP_NAME"
echo "APP_PATH=$MAIN_APP_PATH" >> "$GITHUB_ENV"
echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV"
shell: bash
# Step 5: Sign application with codesign - DIRECT METHOD
- name: Sign application
env:
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
# Debug info
echo "Signing app bundle: $APP_PATH"
echo "Using entitlements file: $ENTITLEMENTS_FILE"
echo "Using signing identity: $SIGNING_IDENTITY"
# Make sure keychain is accessible
echo "Unlocking keychains..."
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" || true
# Verify signing identity accessibility
echo "Verifying codesigning identities..."
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
# Sign the app directly, with a more direct approach
echo "🔍 Signing the app bundle with its contents..."
/usr/bin/codesign --force --options runtime --sign "$SIGNING_IDENTITY" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH"
# Verify signature
echo "Verifying signature..."
/usr/bin/codesign --verify --verbose "$APP_PATH"
# Check the result
if [ $? -eq 0 ]; then
echo "✅ Code signing was successful"
else
echo "⚠️ Code signing verification had issues, but continuing with notarization..."
fi
shell: bash
# Step 6: Notarize application
- name: Notarize application
env:
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
run: |
echo "Preparing for notarization..."
# Create API key file
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
API_KEY_FILE="$(pwd)/api_key.p8"
# Create a zip archive for notarization
NOTARIZE_APP_PATH="LuckyWorld-notarize.zip"
echo "Creating archive for notarization: $NOTARIZE_APP_PATH"
# Use ditto to preserve bundle structure
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
# Check if zip file was created successfully
if [ ! -f "$NOTARIZE_APP_PATH" ]; then
echo "❌ Failed to create notarization archive"
exit 1
fi
echo "Submitting for notarization..."
echo "API Key ID: $API_KEY_ID"
echo "API Key File: $API_KEY_FILE"
# Submit for notarization using API key
NOTARIZE_OUTPUT=$(xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait)
echo "Notarization response:"
echo "$NOTARIZE_OUTPUT"
# Check if notarization was successful
if [[ "$NOTARIZE_OUTPUT" =~ "status: Accepted" ]]; then
echo "✅ Notarization successful"
else
echo "⚠️ Notarization may have failed. Checking status..."
# Extract submission ID if available
SUBMISSION_ID=$(echo "$NOTARIZE_OUTPUT" | grep "id:" | awk '{print $2}')
if [ -n "$SUBMISSION_ID" ]; then
echo "Checking submission $SUBMISSION_ID..."
xcrun notarytool info "$SUBMISSION_ID" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID"
# Continue even if notarization failed - we'll staple if possible
echo "⚠️ Continuing despite potential notarization issues..."
else
echo "⚠️ No submission ID found. Continuing anyway..."
fi
fi
# Staple the notarization ticket to the app
echo "Stapling notarization ticket to app..."
xcrun stapler staple "$APP_PATH"
# Verify stapling
echo "Verifying stapling..."
stapler validate "$APP_PATH"
if [ $? -eq 0 ]; then
echo "✅ Stapling successful"
else
echo "⚠️ Stapling verification may have failed. This is sometimes expected for new apps."
echo "⚠️ Continuing with packaging..."
fi
# Clean up
rm -f "$NOTARIZE_APP_PATH" "$API_KEY_FILE"
shell: bash
# Step 7: Package macOS App
- name: Package macOS App
run: |
echo "Packaging signed app bundle: $APP_PATH"
# Create zip package
(cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS.zip" "$(basename "$APP_PATH")")
echo "Created packaged release: PackagedReleases/LuckyWorld-macOS.zip"
echo "Packaged releases:"
ls -la PackagedReleases/
shell: bash
# Step 8: Upload macOS Build Artifact
- name: Upload macOS Build Artifact
uses: actions/upload-artifact@v3
if: success()
with:
name: LuckyWorld-macOS
path: PackagedReleases/LuckyWorld-macOS.zip
retention-days: 365
# Step 9: Cleanup
- name: Cleanup
if: always()
run: |
# Clean up keychain and certificates
if [ -n "$KEYCHAIN_PATH" ]; then
security delete-keychain "$KEYCHAIN_PATH" || true
fi
# Clean up certificate files
rm -f certificate.p12 api_key.p8 || true
echo "Cleanup complete"
shell: bash
Reference in New Issue View Git Blame Copy Permalink