224 lines
8.3 KiB
YAML
224 lines
8.3 KiB
YAML
name: Test macOS Build Action
|
|
|
|
on:
|
|
workflow_dispatch: # Manual trigger only for testing
|
|
push:
|
|
branches: [ozgur/build]
|
|
|
|
jobs:
|
|
test-macos-build:
|
|
runs-on: macos
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v3
|
|
with:
|
|
lfs: true
|
|
fetch-depth: 0
|
|
|
|
- name: Check entitlements file
|
|
run: |
|
|
# Check if entitlements files exist
|
|
if [ -f "LuckyWorld.entitlements" ]; then
|
|
echo "Using existing LuckyWorld.entitlements file"
|
|
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
|
|
elif [ -f "LuckyRobots.entitlements" ]; then
|
|
echo "Using existing LuckyRobots.entitlements file"
|
|
ENTITLEMENTS_FILE="LuckyRobots.entitlements"
|
|
else
|
|
echo "Creating default entitlements file as LuckyWorld.entitlements"
|
|
cat > LuckyWorld.entitlements << EOF
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
<plist version="1.0">
|
|
<dict>
|
|
<key>com.apple.security.cs.allow-jit</key>
|
|
<true/>
|
|
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
|
|
<true/>
|
|
<key>com.apple.security.cs.disable-library-validation</key>
|
|
<true/>
|
|
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
|
|
<true/>
|
|
<key>com.apple.security.device.audio-input</key>
|
|
<true/>
|
|
<key>com.apple.security.device.camera</key>
|
|
<true/>
|
|
</dict>
|
|
</plist>
|
|
EOF
|
|
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
|
|
fi
|
|
|
|
echo "Using entitlements file: $ENTITLEMENTS_FILE"
|
|
echo "ENTITLEMENTS_FILE=$ENTITLEMENTS_FILE" >> "$GITHUB_ENV"
|
|
shell: bash
|
|
|
|
# Step 1: Setup environment
|
|
- name: Setup environment
|
|
run: |
|
|
# Use the correct path where Unreal Engine is installed
|
|
UE_PATH="/Users/Shared/Epic Games/UE_5.5"
|
|
|
|
if [ ! -d "$UE_PATH" ]; then
|
|
echo "Warning: Unreal Engine is not installed in the expected location"
|
|
echo "This is expected in CI environment - continuing anyway"
|
|
fi
|
|
|
|
# Create directories for builds
|
|
mkdir -p Builds/Mac
|
|
mkdir -p PackagedReleases
|
|
|
|
echo "Using Unreal Engine 5.5"
|
|
shell: bash
|
|
|
|
# Step 2: Build for macOS
|
|
- name: Build for macOS
|
|
run: |
|
|
if [ -f "./scripts/mac_build.sh" ]; then
|
|
chmod +x ./scripts/mac_build.sh
|
|
./scripts/mac_build.sh
|
|
else
|
|
echo "Build script not found, skipping this step"
|
|
fi
|
|
shell: bash
|
|
|
|
# Step 3: Setup for Signing
|
|
- name: Setup for Signing
|
|
id: setup-signing
|
|
env:
|
|
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
|
|
APPLE_CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
|
|
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
|
run: |
|
|
# Create output directory
|
|
mkdir -p PackagedReleases
|
|
|
|
# Decode the API key from Base64 secret
|
|
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
|
|
|
|
# Decode the certificate
|
|
echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > certificate.p12
|
|
|
|
# Create keychain
|
|
KEYCHAIN_PATH="signing.keychain-db"
|
|
KEYCHAIN_PASSWORD="temporary"
|
|
|
|
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
|
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
|
|
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
|
|
|
# Download Apple root certificates
|
|
curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
|
|
curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
|
|
|
|
# Import certificates
|
|
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
|
|
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
|
|
security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
|
|
|
|
# Set keychain for signing
|
|
security list-keychain -d user -s "$KEYCHAIN_PATH"
|
|
security default-keychain -s "$KEYCHAIN_PATH"
|
|
|
|
# Set partition list
|
|
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
|
|
|
# Find app bundle
|
|
APP_PATH=$(find Builds -type d -name "*.app" | head -1)
|
|
|
|
if [ -z "$APP_PATH" ]; then
|
|
# Look for a directory that might be a bundle but not named .app
|
|
APP_PATH=$(find Builds -mindepth 1 -maxdepth 1 -type d | head -1)
|
|
if [ -z "$APP_PATH" ]; then
|
|
echo "No build directory found, cannot continue"
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
echo "Found app path: $APP_PATH"
|
|
# Use standard environment variable that works in all workflows
|
|
echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV"
|
|
|
|
# Also save the keychain and api key info
|
|
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
|
|
echo "API_KEY_FILE=$(pwd)/api_key.p8" >> "$GITHUB_ENV"
|
|
shell: bash
|
|
|
|
# Step 4: Sign macOS App
|
|
- name: Sign macOS App
|
|
env:
|
|
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
|
run: |
|
|
echo "Signing app bundle: $APP_PATH"
|
|
|
|
# First, handle libraries
|
|
find "$APP_PATH" -name "*.dylib" -o -name "*.framework" | while read LIB; do
|
|
echo "Signing library: $LIB"
|
|
codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
|
|
done
|
|
|
|
# Sign the app bundle
|
|
echo "Signing with entitlements file: $ENTITLEMENTS_FILE"
|
|
codesign --force --options runtime --deep --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements "./$ENTITLEMENTS_FILE" "$APP_PATH"
|
|
|
|
# Verify signature
|
|
codesign --verify --verbose "$APP_PATH"
|
|
shell: bash
|
|
|
|
# Step 5: Notarize macOS App
|
|
- name: Notarize macOS App
|
|
env:
|
|
API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
|
|
API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
|
|
run: |
|
|
# Create a temporary file for notarization
|
|
NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
|
|
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
|
|
|
|
# Submit for notarization using API key
|
|
echo "Submitting for notarization with API key..."
|
|
xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait
|
|
|
|
# Staple the ticket to the application
|
|
xcrun stapler staple "$APP_PATH"
|
|
|
|
# Clean up temporary notarization file
|
|
rm -f "$NOTARIZE_APP_PATH"
|
|
shell: bash
|
|
|
|
# Step 6: Package macOS App
|
|
- name: Package macOS App
|
|
run: |
|
|
# Package the signed and notarized app
|
|
APP_NAME=$(basename "$APP_PATH")
|
|
DIR_PATH=$(dirname "$APP_PATH")
|
|
|
|
echo "Creating final package..."
|
|
(cd "$DIR_PATH" && zip -r "../../PackagedReleases/LuckyRobots-macOS.zip" "$APP_NAME")
|
|
echo "Created packaged release: PackagedReleases/LuckyRobots-macOS.zip"
|
|
|
|
echo "Packaged releases:"
|
|
ls -la PackagedReleases/
|
|
shell: bash
|
|
|
|
# Step 7: Upload macOS Build Artifact
|
|
- name: Upload macOS Build Artifact
|
|
uses: actions/upload-artifact@v3
|
|
if: success()
|
|
with:
|
|
name: LuckyRobots-macOS
|
|
path: PackagedReleases/LuckyRobots-macOS.zip
|
|
retention-days: 365
|
|
|
|
# Step 8: Cleanup
|
|
- name: Cleanup
|
|
if: always()
|
|
run: |
|
|
# Clean up keychain and files
|
|
if [ -n "$KEYCHAIN_PATH" ]; then
|
|
security delete-keychain "$KEYCHAIN_PATH" || true
|
|
fi
|
|
|
|
rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer api_key.p8 || true
|
|
shell: bash
|
|
|