LuckyWorld/.gitea/workflows/test-signing.yml

name: Test macOS Signing

on:
  push:
    branches: [ozgur/build]
  workflow_dispatch:  # Manual trigger is also available

jobs:
  test-signing:
    runs-on: macos
    steps:
      - name: Create Entitlements File
        run: |
          # Create entitlements file inline
          cat > LuckyRobots.entitlements << EOF
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
              <key>com.apple.security.cs.allow-jit</key>
              <true/>
              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
              <true/>
              <key>com.apple.security.cs.disable-library-validation</key>
              <true/>
              <key>com.apple.security.cs.allow-dyld-environment-variables</key>
              <true/>
              <key>com.apple.security.device.audio-input</key>
              <true/>
              <key>com.apple.security.device.camera</key>
              <true/>
          </dict>
          </plist>
          EOF
          
          echo "Created entitlements file:"
          cat LuckyRobots.entitlements
          
          # Move entitlements to home directory to ensure consistent access
          cp LuckyRobots.entitlements ~/LuckyRobots.entitlements
        shell: bash
      
      - name: Download and Extract Artifact
        id: extract-artifact
        run: |
          # Working with absolute paths to eliminate path inconsistencies
          WORKSPACE_DIR="$(pwd)"
          BUILDS_DIR="$WORKSPACE_DIR/Builds"
          EXTRACT_DIR="$WORKSPACE_DIR/temp_extract"
          
          # Create directories
          mkdir -p "$BUILDS_DIR/Mac"
          mkdir -p "$EXTRACT_DIR"
          
          # Download specific artifact
          echo "Downloading build artifact..."
          
          # Use fixed artifact URL
          ARTIFACT_URL="https://luckyrobots.com/LuckyRobots/LuckyWorld/actions/runs/84/artifacts/LuckyRobots-macOS"
          
          echo "Using artifact URL: $ARTIFACT_URL"
          BUILD_ZIP="$WORKSPACE_DIR/build.zip"
          
          # Download the artifact
          curl -L "$ARTIFACT_URL" -o "$BUILD_ZIP"
          
          # First unzip - Outer artifact zip file
          echo "Extracting outer zip file..."
          unzip -o "$BUILD_ZIP" -d "$EXTRACT_DIR"
          
          # List the contents of temp_extract
          echo "Contents of temp_extract:"
          ls -la "$EXTRACT_DIR"
          
          # Handle case where the artifact might have different structure
          # Try to find any zip files recursively
          echo "Searching for zip files in extract directory..."
          ZIP_FILES=$(find "$EXTRACT_DIR" -name "*.zip" -type f)
          echo "Found ZIP files: $ZIP_FILES"
          
          # Create target directory for Mac app
          TARGET_DIR="$BUILDS_DIR/Mac"
          mkdir -p "$TARGET_DIR"
          
          # Extract all found zip files
          for ZIP_FILE in $ZIP_FILES; do
            echo "Extracting: $ZIP_FILE to $TARGET_DIR"
            unzip -o "$ZIP_FILE" -d "$TARGET_DIR"
          done
          
          # Look for LuckyWorld-Mac-Shipping.app specifically
          if [ -d "$TARGET_DIR/LuckyWorld-Mac-Shipping.app" ]; then
            APP_PATH="$TARGET_DIR/LuckyWorld-Mac-Shipping.app"
            echo "Found specific app: $APP_PATH"
          else
            # Try to find any .app bundle recursively
            echo "Searching for .app bundles in all directories..."
            APP_PATH=$(find "$BUILDS_DIR" -name "*.app" -type d | head -1)
            
            if [ -z "$APP_PATH" ]; then
              echo "Could not find any .app bundle. Looking in other directories..."
              APP_PATH=$(find "$WORKSPACE_DIR" -name "*.app" -type d | head -1)
            fi
          fi
          
          if [ -z "$APP_PATH" ]; then
            echo "ERROR: Could not find any .app bundle"
            echo "Contents of Builds directory:"
            find "$BUILDS_DIR" -type d | sort
            echo "Contents of extracted files:"
            find "$EXTRACT_DIR" -type f | sort
            exit 1
          fi
          
          echo "Found app bundle at: $APP_PATH"
          # Make a local copy to ensure access
          LOCAL_APP="$WORKSPACE_DIR/LuckyWorld.app"
          echo "Creating accessible copy at: $LOCAL_APP"
          
          # Remove if exists
          rm -rf "$LOCAL_APP"
          cp -R "$APP_PATH" "$LOCAL_APP"
          
          echo "app_path=$LOCAL_APP" >> $GITHUB_OUTPUT
        shell: bash
      
      - name: Validate App Path
        id: validate-app
        run: |
          APP_PATH="${{ steps.extract-artifact.outputs.app_path }}"
          
          echo "Validating path: $APP_PATH"
          
          if [ ! -d "$APP_PATH" ]; then
            echo "Error: Application path does not exist: $APP_PATH"
            exit 1
          fi
          
          # Ensure the path is absolute
          if [[ "$APP_PATH" != /* ]]; then
            APP_PATH="$(pwd)/$APP_PATH"
            echo "Converted to absolute path: $APP_PATH"
          fi
          
          echo "Will sign and notarize: $APP_PATH"
          echo "Contents of app bundle:"
          ls -la "$APP_PATH"
          echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT
        shell: bash
      
      - name: Sign macOS App
        uses: lando/code-sign-action@v3
        id: sign-app
        with:
          file: ${{ steps.validate-app.outputs.app_path }}
          certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
          certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
          apple-team-id: "${{ secrets.APPLE_TEAM_ID }}"
          options: --force --options runtime --deep --timestamp --entitlements ~/LuckyRobots.entitlements
      
      - name: Notarize macOS App
        run: |
          # Create a temporary file for notarization
          APP_PATH="${{ steps.validate-app.outputs.app_path }}"
          NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
          ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
          
          # Set up API key
          API_KEY_PATH="$(pwd)/api_key.p8"
          echo "${{ secrets.NOTARY_API_KEY_PATH }}" | base64 --decode > "$API_KEY_PATH"
          
          # Submit for notarization using API key
          echo "Submitting for notarization with API key..."
          xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_PATH" --key-id "${{ secrets.NOTARY_API_KEY_ID }}" --issuer "${{ secrets.NOTARY_API_KEY_ISSUER_ID }}" --wait
          
          # Staple the ticket to the application
          xcrun stapler staple "$APP_PATH"
          
          # Clean up the API key file
          rm -f "$API_KEY_PATH"
          rm -f "$NOTARIZE_APP_PATH"
        shell: bash
      
      - name: Package macOS App
        run: |
          # Package the signed and notarized app
          APP_PATH="${{ steps.validate-app.outputs.app_path }}"
          APP_NAME=$(basename "$APP_PATH")
          WORKSPACE_DIR="$(pwd)"
          OUTPUT_DIR="$WORKSPACE_DIR/TestSignedApps"
          
          # Create test output directory
          mkdir -p "$OUTPUT_DIR"
          
          echo "Creating test package..."
          ditto -c -k --keepParent "$APP_PATH" "$OUTPUT_DIR/Test-$APP_NAME.zip"
          echo "Created test package: $OUTPUT_DIR/Test-$APP_NAME.zip"
          
          echo "Test packaged apps:"
          ls -la "$OUTPUT_DIR"
        shell: bash
      
      - name: Upload Test Signed App
        uses: actions/upload-artifact@v3
        if: success()
        with:
          name: TestSigned-macOS-App
          path: TestSignedApps/Test-*.zip
          retention-days: 7