166 lines
6.1 KiB
YAML
166 lines
6.1 KiB
YAML
name: Test macOS Signing
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
use_previous_build:
|
|
description: 'Use a previous successful build artifact instead of local app path'
|
|
required: true
|
|
type: boolean
|
|
default: false
|
|
app_path:
|
|
description: 'Path to the app bundle to sign (if not using artifact)'
|
|
required: false
|
|
default: 'Builds/Mac/LuckyRobots.app'
|
|
artifact_run_id:
|
|
description: 'Run ID of the workflow that produced the artifact to use (if using artifact)'
|
|
required: false
|
|
default: ''
|
|
|
|
jobs:
|
|
test-signing:
|
|
runs-on: macos
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v3
|
|
with:
|
|
lfs: true
|
|
fetch-depth: 0
|
|
|
|
- name: Download Previous Build
|
|
if: ${{ github.event.inputs.use_previous_build == 'true' }}
|
|
run: |
|
|
# Create directories
|
|
mkdir -p Builds/Mac
|
|
|
|
# Download artifact (using GitHub API or direct download)
|
|
echo "Downloading previous build artifact..."
|
|
|
|
# If artifact_run_id is provided, use it
|
|
if [[ -n "${{ github.event.inputs.artifact_run_id }}" ]]; then
|
|
RUN_ID="${{ github.event.inputs.artifact_run_id }}"
|
|
else
|
|
# Get latest successful build run ID
|
|
echo "No specific run ID provided, finding latest successful build..."
|
|
|
|
# You'll need to have proper authentication to access the API
|
|
# This is simplified, you might need to adjust based on your setup
|
|
RUN_ID=$(curl -s "https://luckyrobots.com/api/v1/repos/luckyrobots/luckyworld/actions/runs?status=success&event=push" | grep -o '"id":[0-9]*' | head -1 | cut -d':' -f2)
|
|
|
|
if [[ -z "$RUN_ID" ]]; then
|
|
echo "Could not find a successful run ID. Please specify one manually."
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
echo "Using run ID: $RUN_ID"
|
|
|
|
# Download artifact using your Gitea API
|
|
# This is a simplified example - adjust as needed for your actual API
|
|
curl -L "https://luckyrobots.com/luckyrobots/luckyworld/actions/runs/$RUN_ID/artifacts/LuckyRobots-macOS" -o build.zip
|
|
|
|
# Extract to Builds directory
|
|
unzip -o build.zip -d Builds/Mac/
|
|
|
|
# Find extracted app bundle
|
|
APP_PATH=$(find Builds/Mac -type d -name "*.app" | head -1)
|
|
|
|
if [[ -z "$APP_PATH" ]]; then
|
|
echo "Could not find app bundle in downloaded artifact"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Downloaded app bundle: $APP_PATH"
|
|
echo "app_path=$APP_PATH" >> $GITHUB_ENV
|
|
shell: bash
|
|
|
|
- name: Validate App Path
|
|
id: validate-app
|
|
run: |
|
|
if [[ "${{ github.event.inputs.use_previous_build }}" == "true" ]]; then
|
|
APP_PATH="$app_path"
|
|
else
|
|
APP_PATH="${{ github.event.inputs.app_path }}"
|
|
fi
|
|
|
|
if [ ! -d "$APP_PATH" ]; then
|
|
echo "Error: Application path does not exist: $APP_PATH"
|
|
echo "You can download a previous successful build artifact or specify a different path"
|
|
|
|
# List available directories to help user
|
|
echo "Available directories in workspace:"
|
|
find . -type d -maxdepth 3 | grep -v "node_modules\|.git"
|
|
|
|
exit 1
|
|
fi
|
|
|
|
echo "Will sign and notarize: $APP_PATH"
|
|
echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT
|
|
shell: bash
|
|
|
|
- name: Setup for Signing
|
|
id: setup-signing
|
|
env:
|
|
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
|
|
run: |
|
|
# Decode the API key from Base64 secret
|
|
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
|
|
echo "api_key_file=$(pwd)/api_key.p8" >> $GITHUB_OUTPUT
|
|
shell: bash
|
|
|
|
- name: Sign macOS App
|
|
uses: lando/code-sign-action@v3
|
|
id: sign-app
|
|
with:
|
|
file: ${{ steps.validate-app.outputs.app_path }}
|
|
certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
|
|
certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
|
certificate-id: ${{ secrets.APPLE_TEAM_ID }}
|
|
options: --force --options runtime --deep --timestamp --entitlements ./LuckyRobots.entitlements
|
|
|
|
- name: Notarize macOS App
|
|
run: |
|
|
# Create a temporary file for notarization
|
|
APP_PATH="${{ steps.validate-app.outputs.app_path }}"
|
|
NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
|
|
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
|
|
|
|
API_KEY_FILE="${{ steps.setup-signing.outputs.api_key_file }}"
|
|
|
|
# Submit for notarization using API key
|
|
echo "Submitting for notarization with API key..."
|
|
xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "${{ secrets.NOTARY_API_KEY_ID }}" --issuer "${{ secrets.NOTARY_API_KEY_ISSUER_ID }}" --wait
|
|
|
|
# Staple the ticket to the application
|
|
xcrun stapler staple "$APP_PATH"
|
|
|
|
# Clean up the API key file
|
|
rm -f "$API_KEY_FILE"
|
|
rm -f "$NOTARIZE_APP_PATH"
|
|
shell: bash
|
|
|
|
- name: Package macOS App
|
|
run: |
|
|
# Package the signed and notarized app
|
|
APP_PATH="${{ steps.validate-app.outputs.app_path }}"
|
|
APP_NAME=$(basename "$APP_PATH")
|
|
DIR_PATH=$(dirname "$APP_PATH")
|
|
|
|
# Create test output directory
|
|
mkdir -p TestSignedApps
|
|
|
|
echo "Creating test package..."
|
|
(cd "$DIR_PATH" && zip -r "../../TestSignedApps/Test-$APP_NAME.zip" "$APP_NAME")
|
|
echo "Created test package: TestSignedApps/Test-$APP_NAME.zip"
|
|
|
|
echo "Test packaged apps:"
|
|
ls -la TestSignedApps/
|
|
shell: bash
|
|
|
|
- name: Upload Test Signed App
|
|
uses: actions/upload-artifact@v3
|
|
if: success()
|
|
with:
|
|
name: TestSigned-macOS-App
|
|
path: TestSignedApps/Test-*.zip
|
|
retention-days: 7 |