LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects 1 Releases 13 Wiki Activity
LuckyWorld/.gitea/workflows/test-macos-build.yml
Ozgur Ersoy 8c02d550fb
Some checks failed
Test macOS Build Action / test-macos-build (push) Has been cancelled
Details
fix(workflows): add detailed debugging for certificate import in macOS build workflow
2025-04-14 13:50:05 +02:00

314 lines
14 KiB
YAML
Raw Blame History

name: Test macOS Build Action
on:
workflow_dispatch: # Manual trigger only for testing
push:
branches: [ozgur/build]
jobs:
test-macos-build:
runs-on: macos
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
lfs: true
fetch-depth: 0
- name: Check entitlements file
run: |
# Check if entitlements files exist
if [ -f "LuckyWorld.entitlements" ]; then
echo "Using existing LuckyWorld.entitlements file"
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
elif [ -f "LuckyRobots.entitlements" ]; then
echo "Using existing LuckyRobots.entitlements file"
ENTITLEMENTS_FILE="LuckyRobots.entitlements"
else
echo "Creating default entitlements file as LuckyWorld.entitlements"
# Create entitlements file line by line instead of heredoc
echo '<?xml version="1.0" encoding="UTF-8"?>' > LuckyWorld.entitlements
echo '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' >> LuckyWorld.entitlements
echo '<plist version="1.0">' >> LuckyWorld.entitlements
echo '<dict>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.cs.allow-jit</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.cs.allow-unsigned-executable-memory</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.cs.disable-library-validation</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.cs.allow-dyld-environment-variables</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.device.audio-input</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.device.camera</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo '</dict>' >> LuckyWorld.entitlements
echo '</plist>' >> LuckyWorld.entitlements
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
fi
echo "Using entitlements file: $ENTITLEMENTS_FILE"
echo "ENTITLEMENTS_FILE=$ENTITLEMENTS_FILE" >> "$GITHUB_ENV"
shell: bash
# Step 1: Setup environment
- name: Setup environment
run: |
# Use the correct path where Unreal Engine is installed
UE_PATH="/Users/Shared/Epic Games/UE_5.5"
if [ ! -d "$UE_PATH" ]; then
echo "Warning: Unreal Engine is not installed in the expected location"
echo "This is expected in CI environment - continuing anyway"
fi
# Create directories for builds
mkdir -p Builds/Mac
mkdir -p PackagedReleases
echo "Using Unreal Engine 5.5"
# Get the working directory path for absolute paths
WORKSPACE_DIR="$(pwd)"
echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV"
shell: bash
- name: Debug Certificate Import (Test)
env:
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
set -e # Fail on any error
echo "Current working directory: $(pwd)"
echo "Checking for .app bundles in Saved directory..."
find ./Saved -type d -name "*.app" || echo "No app bundles found."
echo "Decoding certificate..."
CERT_DIR="$HOME/certificates"
mkdir -p "$CERT_DIR"
CERT_PATH="$CERT_DIR/developer_certificate.p12"
echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
echo "Decoded certificate size: $(wc -c < "$CERT_PATH") bytes"
echo "Type: $(file "$CERT_PATH")"
echo "Creating and configuring custom keychain..."
CUSTOM_KEYCHAIN="$CERT_DIR/build.keychain"
CUSTOM_PASSWORD="temppassword123"
security create-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
security set-keychain-settings "$CUSTOM_KEYCHAIN"
security unlock-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
echo "Setting only this keychain as active..."
security list-keychains -s "$CUSTOM_KEYCHAIN"
security default-keychain -s "$CUSTOM_KEYCHAIN"
echo "Importing certificate..."
security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k "$CUSTOM_KEYCHAIN" -T /usr/bin/codesign
echo "Granting access to codesign..."
security set-key-partition-list -S apple-tool:,apple: -s -k "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
echo "Verifying imported identities..."
security find-identity -v -p codesigning "$CUSTOM_KEYCHAIN"
echo "Setting environment variables for future steps..."
echo "KEYCHAIN_PATH=$CUSTOM_KEYCHAIN" >> "$GITHUB_ENV"
echo "KEYCHAIN_PASSWORD=$CUSTOM_PASSWORD" >> "$GITHUB_ENV"
echo "DIRECT_SIGNING_AVAILABLE=true" >> "$GITHUB_ENV"
echo "APPLE_TEAM=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
shell: bash
# Step 2: Build for macOS
- name: Build for macOS
run: |
if [ -f "./scripts/mac_build.sh" ]; then
chmod +x ./scripts/mac_build.sh
./scripts/mac_build.sh
else
echo "Build script not found, skipping this step"
fi
shell: bash
# Step 3: Enhanced Debug for Certificate Import
- name: Debug Certificate Import
env:
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
# Debug: Print working directory and available resources
echo "Current working directory: $(pwd)"
echo "Contents of Saved/StagedBuilds directory (if exists):"
find ./Saved -type d -name "*.app" 2>/dev/null || echo "No .app bundles found in Saved/"
# Checking system keychains
echo "Examining system keychains and certificates..."
security list-keychains
security default-keychain
# Decode certificate and examine format - DEBUG
echo "Decoding certificate to debug..."
CERT_DIR="$HOME/certificates"
mkdir -p "$CERT_DIR"
CERT_PATH="$CERT_DIR/developer_certificate.p12"
echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
# Check if certificate was properly decoded
if [ -f "$CERT_PATH" ]; then
echo "Certificate was decoded, size: $(wc -c < "$CERT_PATH") bytes"
echo "Certificate file type: $(file "$CERT_PATH")"
else
echo "ERROR: Failed to decode certificate"
exit 1
fi
# Trying import with different methods
echo "ATTEMPT 1: Using login keychain"
KEYCHAIN_PASSWORD="$(security find-generic-password -a ${USER} -s login -w)"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" login.keychain
security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k login.keychain -T /usr/bin/codesign || echo "Import to login keychain failed"
echo "ATTEMPT 2: Creating custom keychain"
CUSTOM_KEYCHAIN="$CERT_DIR/build.keychain"
CUSTOM_PASSWORD="temppassword123"
security create-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
security default-keychain -s "$CUSTOM_KEYCHAIN"
security unlock-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k "$CUSTOM_KEYCHAIN" -T /usr/bin/codesign || echo "Import to custom keychain failed"
# Add to search list
security list-keychains -d user -s "$CUSTOM_KEYCHAIN" login.keychain
security set-key-partition-list -S apple-tool:,apple: -s -k "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
# Check available identities in both keychains
echo "Checking login keychain for identities:"
security find-identity -v -p codesigning login.keychain || echo "No identities in login keychain"
echo "Checking custom keychain for identities:"
security find-identity -v -p codesigning "$CUSTOM_KEYCHAIN" || echo "No identities in custom keychain"
# Fallback solution - use adhoc signing for testing
echo "FALLBACK: Setting up adhoc signing option"
echo "KEYCHAIN_PATH=$CUSTOM_KEYCHAIN" >> "$GITHUB_ENV"
echo "KEYCHAIN_PASSWORD=$CUSTOM_PASSWORD" >> "$GITHUB_ENV"
echo "DIRECT_SIGNING_AVAILABLE=false" >> "$GITHUB_ENV"
# For debugging only, use a specific team ID if needed
echo "APPLE_TEAM=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
shell: bash
# Step 4: Find and prep app for signing
- name: Find and prep app for signing
run: |
# First check Saved/StagedBuilds directory - where Unreal often places built apps
echo "Checking Saved/StagedBuilds directory..."
APP_PATHS=$(find ./Saved/StagedBuilds -type d -name "*.app" 2>/dev/null)
# If not found, check Builds directory
if [ -z "$APP_PATHS" ]; then
echo "Checking Builds directory..."
APP_PATHS=$(find ./Builds -type d -name "*.app" 2>/dev/null)
fi
# If still not found, check the whole workspace
if [ -z "$APP_PATHS" ]; then
echo "Checking entire workspace..."
APP_PATHS=$(find . -type d -name "*.app" -not -path "*/\.*" 2>/dev/null)
fi
if [ -z "$APP_PATHS" ]; then
echo "ERROR: Could not find any app bundles!"
echo "Listing all directories to help debug:"
find . -type d -maxdepth 3 | sort
exit 1
fi
echo "Found potential app bundles:"
echo "$APP_PATHS"
# Use the first app path found (preferably the main app, not a child app)
MAIN_APP_PATH=$(echo "$APP_PATHS" | grep -v "CrashReportClient" | head -1 || echo "$APP_PATHS" | head -1)
# Get app name for later use
APP_NAME=$(basename "$MAIN_APP_PATH")
echo "Using app bundle: $MAIN_APP_PATH"
echo "App name: $APP_NAME"
echo "APP_PATH=$MAIN_APP_PATH" >> "$GITHUB_ENV"
echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV"
shell: bash
# Step 5: Sign application with alternative fallback
- name: Sign application
env:
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
# Debug info
echo "Signing app bundle: $APP_PATH"
echo "Using entitlements file: $ENTITLEMENTS_FILE"
# === TEST MODE: Using -SIGNED TEST ONLY- === #
echo "⚠️ CERTIFICATE IMPORT FAILED: Using test-only signing approach"
echo "This is for testing the workflow only and will NOT produce a valid signed build"
# For testing ONLY - using `-` identity (ad-hoc signing)
# This doesn't require a certificate but won't pass notarization
echo "🔍 Test-signing the app with ad-hoc identity..."
/usr/bin/codesign --force --deep --verbose --sign "-" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH" || true
echo "✅ Test signing completed. Note: This is NOT a properly signed app!"
echo "NEEDS_REAL_CERT=true" >> "$GITHUB_ENV"
# Recommendation for production
echo "⚠️ IMPORTANT: For production builds, please ensure your certificate is correctly configured."
echo "⚠️ Check the following:"
echo " 1. Certificate format is correct (PKCS#12)"
echo " 2. Certificate password is correct"
echo " 3. Team ID matches the certificate"
shell: bash
# Step 6: Skip Notarization (since we're not properly signed)
- name: Package macOS App (Test Only)
run: |
echo "⚠️ SKIPPING NOTARIZATION - test build only"
echo "Packaging unsigned test app bundle: $APP_PATH"
# Create zip package
(cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip" "$(basename "$APP_PATH")")
echo "Created test package: PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip"
echo "NOTE: This package is NOT properly signed and will NOT pass Gatekeeper!"
echo "Debug certificate summary:"
echo "- Check if your p12 file is valid"
echo "- Verify certificate password in secrets"
echo "- Confirm Apple Developer Team ID is correct"
shell: bash
# Step 7: Upload test artifact
- name: Upload Test Build Artifact
uses: actions/upload-artifact@v3
if: success()
with:
name: LuckyWorld-macOS-UNSIGNED-TEST
path: PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip
retention-days: 7
# Step 8: Cleanup
- name: Cleanup
if: always()
run: |
# Clean up keychain and certificates
rm -rf "$HOME/certificates" || true
security delete-keychain "$HOME/certificates/build.keychain" || true
echo "Cleanup complete"
shell: bash
Reference in New Issue View Git Blame Copy Permalink