LuckyWorld/.gitea/workflows/test-macos-build.yml

name: Test macOS Build Action

on:
  workflow_dispatch:  # Manual trigger only for testing
  push:
    branches: [ozgur/build]

jobs:
  test-macos-build:
    runs-on: macos
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          lfs: true
          fetch-depth: 0
      
      - name: Check entitlements file
        run: |
          # Check if entitlements files exist
          if [ -f "LuckyWorld.entitlements" ]; then
            echo "Using existing LuckyWorld.entitlements file"
            ENTITLEMENTS_FILE="LuckyWorld.entitlements"
          elif [ -f "LuckyRobots.entitlements" ]; then
            echo "Using existing LuckyRobots.entitlements file"
            ENTITLEMENTS_FILE="LuckyRobots.entitlements"
          else
            echo "Creating default entitlements file as LuckyWorld.entitlements"
            # Create entitlements file line by line instead of heredoc
            echo '<?xml version="1.0" encoding="UTF-8"?>' > LuckyWorld.entitlements
            echo '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' >> LuckyWorld.entitlements
            echo '<plist version="1.0">' >> LuckyWorld.entitlements
            echo '<dict>' >> LuckyWorld.entitlements
            echo '    <key>com.apple.security.cs.allow-jit</key>' >> LuckyWorld.entitlements
            echo '    <true/>' >> LuckyWorld.entitlements
            echo '    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>' >> LuckyWorld.entitlements
            echo '    <true/>' >> LuckyWorld.entitlements
            echo '    <key>com.apple.security.cs.disable-library-validation</key>' >> LuckyWorld.entitlements
            echo '    <true/>' >> LuckyWorld.entitlements
            echo '    <key>com.apple.security.cs.allow-dyld-environment-variables</key>' >> LuckyWorld.entitlements
            echo '    <true/>' >> LuckyWorld.entitlements
            echo '    <key>com.apple.security.device.audio-input</key>' >> LuckyWorld.entitlements
            echo '    <true/>' >> LuckyWorld.entitlements
            echo '    <key>com.apple.security.device.camera</key>' >> LuckyWorld.entitlements
            echo '    <true/>' >> LuckyWorld.entitlements
            echo '</dict>' >> LuckyWorld.entitlements
            echo '</plist>' >> LuckyWorld.entitlements
            ENTITLEMENTS_FILE="LuckyWorld.entitlements"
          fi
          
          echo "Using entitlements file: $ENTITLEMENTS_FILE"
          echo "ENTITLEMENTS_FILE=$ENTITLEMENTS_FILE" >> "$GITHUB_ENV"
        shell: bash
      
      # Step 1: Setup environment
      - name: Setup environment
        run: |
          # Use the correct path where Unreal Engine is installed
          UE_PATH="/Users/Shared/Epic Games/UE_5.5"
          
          if [ ! -d "$UE_PATH" ]; then
            echo "Warning: Unreal Engine is not installed in the expected location"
            echo "This is expected in CI environment - continuing anyway"
          fi
          
          # Create directories for builds
          mkdir -p Builds/Mac
          mkdir -p PackagedReleases
          
          echo "Using Unreal Engine 5.5"
          
          # Get the working directory path for absolute paths
          WORKSPACE_DIR="$(pwd)"
          echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV"
        shell: bash
      
      # Step 2: Build for macOS
      - name: Build for macOS
        run: |
          if [ -f "./scripts/mac_build.sh" ]; then
            chmod +x ./scripts/mac_build.sh
            ./scripts/mac_build.sh
          else
            echo "Build script not found, skipping this step"
          fi
        shell: bash
      
      # Step 3: Try both certificate & Ad-Hoc signing
      - name: Prepare certificate or use Ad-Hoc signing
        env:
          CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
          CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          # Debug: Print working directory and available resources
          echo "Current working directory: $(pwd)"
          
          # Find the app bundle to sign
          APP_PATHS=$(find ./Saved/StagedBuilds -type d -name "*.app" 2>/dev/null)
          if [ -z "$APP_PATHS" ]; then
            APP_PATHS=$(find ./Builds -type d -name "*.app" 2>/dev/null)
          fi
          if [ -z "$APP_PATHS" ]; then
            echo "ERROR: No .app bundle found to sign!"
            exit 1
          fi
          
          # Use the first app path found (preferably the main app, not a child app)
          MAIN_APP_PATH=$(echo "$APP_PATHS" | grep -v "CrashReportClient" | head -1 || echo "$APP_PATHS" | head -1)
          APP_NAME=$(basename "$MAIN_APP_PATH")
          
          echo "Using app bundle: $MAIN_APP_PATH"
          echo "APP_PATH=$MAIN_APP_PATH" >> "$GITHUB_ENV"
          echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV"
          
          # Create a simple keychain
          KEYCHAIN_PASSWORD="temp$(date +%s)"
          KEYCHAIN_PATH="$HOME/Library/Keychains/build-temp.keychain-db"
          
          # First, try to use the provided certificate
          echo "Attempting to use provided certificate..."
          if [ -n "$CERTIFICATE_BASE64" ] && [ -n "$CERTIFICATE_PASSWORD" ]; then
            echo "Certificate data provided, attempting import..."
            
            # Decode certificate and check format
            echo "$CERTIFICATE_BASE64" | base64 --decode > temp-cert.p12
            echo "Certificate file info:"
            file temp-cert.p12
            
            # Create keychain
            security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
            security default-keychain -s "$KEYCHAIN_PATH" 
            security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
            
            # Import with debugging info
            echo "Importing certificate into keychain..."
            if security import temp-cert.p12 -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign; then
              echo "Certificate imported successfully!"
              
              # Set partition list
              security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
              
              # Check certificate details
              echo "Certificate details:"
              security find-identity -v -p codesigning "$KEYCHAIN_PATH"
              
              # If we have a valid identity, use it
              if security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -q "valid identities found"; then
                IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -o '"[^"]*"' | head -1 | sed 's/"//g')
                echo "Using certificate identity: $IDENTITY"
                echo "SIGNING_METHOD=certificate" >> "$GITHUB_ENV"
                echo "SIGNING_IDENTITY=$IDENTITY" >> "$GITHUB_ENV"
              else
                echo "No valid identities found in keychain"
                echo "SIGNING_METHOD=ad-hoc" >> "$GITHUB_ENV"
              fi
            else
              echo "Failed to import certificate, will use ad-hoc signing instead"
              echo "SIGNING_METHOD=ad-hoc" >> "$GITHUB_ENV"
            fi
            
            # Cleanup certificate file
            rm -f temp-cert.p12
          else
            echo "Certificate data not provided, will use ad-hoc signing"
            echo "SIGNING_METHOD=ad-hoc" >> "$GITHUB_ENV"
          fi
          
          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
          echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
        shell: bash
      
      # Step 4: Sign application (with certificate or ad-hoc)
      - name: Sign application
        run: |
          # Debug info
          echo "Signing app bundle: $APP_PATH"
          echo "Using entitlements file: $ENTITLEMENTS_FILE"
          echo "Signing method: $SIGNING_METHOD"
          
          if [ "$SIGNING_METHOD" = "certificate" ]; then
            # Certificate signing
            echo "Using certificate signing with identity: $SIGNING_IDENTITY"
            
            # Unlock keychain
            security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
            
            # Sign the app
            if /usr/bin/codesign --force --options runtime --sign "$SIGNING_IDENTITY" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH"; then
              echo "✅ Code signing with certificate was successful"
            else
              echo "⚠️ Certificate signing failed, falling back to ad-hoc signing"
              /usr/bin/codesign --force --options runtime --sign - --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH"
            fi
          else
            # Ad-hoc signing
            echo "Using ad-hoc signing (for testing only)"
            /usr/bin/codesign --force --options runtime --sign - --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH"
          fi
          
          # Verify signature (ignore errors)
          echo "Verifying signature..."
          /usr/bin/codesign --verify --verbose "$APP_PATH" || echo "Verification errors are expected with ad-hoc signing"
        shell: bash
      
      # Step 5: Package macOS App
      - name: Package macOS App
        run: |
          echo "Packaging signed app bundle: $APP_PATH"
          
          # Create zip package
          (cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS.zip" "$(basename "$APP_PATH")")
          
          echo "Created packaged release: PackagedReleases/LuckyWorld-macOS.zip"
          echo "Packaged releases:"
          ls -la PackagedReleases/
        shell: bash
      
      # Step 6: Upload macOS Build Artifact
      - name: Upload macOS Build Artifact
        uses: actions/upload-artifact@v3
        if: success()
        with:
          name: LuckyWorld-macOS
          path: PackagedReleases/LuckyWorld-macOS.zip
          retention-days: 365
      
      # Step 7: Cleanup
      - name: Cleanup
        if: always()
        run: |
          # Clean up keychain and certificates
          if [ -n "$KEYCHAIN_PATH" ]; then
            security delete-keychain "$KEYCHAIN_PATH" || true
          fi
          
          # Clean up certificate files
          rm -f certificate.p12 api_key.p8 temp-cert.p12 || true
          
          echo "Cleanup complete"
        shell: bash