LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions 1 Packages Projects 1 Releases 13 Wiki Activity
LuckyWorld/.gitea/workflows/test-macos-build.yml
Ozgur Ersoy a207e10eff
Some checks failed
Test macOS Build Action / test-macos-build (push) Failing after 27m33s
Details
fix(workflows): enhance macOS build workflow with keychain management, notarization, and improved packaging steps
2025-04-13 20:24:34 +02:00

301 lines
12 KiB
YAML
Raw Blame History

name: Test macOS Build Action
on:
workflow_dispatch: # Manual trigger only for testing
push:
branches: [ozgur/build]
jobs:
test-macos-build:
runs-on: macos
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
lfs: true
fetch-depth: 0
- name: Check entitlements file
run: |
# Check if entitlements files exist
if [ -f "LuckyWorld.entitlements" ]; then
echo "Using existing LuckyWorld.entitlements file"
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
elif [ -f "LuckyRobots.entitlements" ]; then
echo "Using existing LuckyRobots.entitlements file"
ENTITLEMENTS_FILE="LuckyRobots.entitlements"
else
echo "Creating default entitlements file as LuckyWorld.entitlements"
# Create entitlements file line by line instead of heredoc
echo '<?xml version="1.0" encoding="UTF-8"?>' > LuckyWorld.entitlements
echo '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' >> LuckyWorld.entitlements
echo '<plist version="1.0">' >> LuckyWorld.entitlements
echo '<dict>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.cs.allow-jit</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.cs.allow-unsigned-executable-memory</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.cs.disable-library-validation</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.cs.allow-dyld-environment-variables</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.device.audio-input</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo ' <key>com.apple.security.device.camera</key>' >> LuckyWorld.entitlements
echo ' <true/>' >> LuckyWorld.entitlements
echo '</dict>' >> LuckyWorld.entitlements
echo '</plist>' >> LuckyWorld.entitlements
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
fi
echo "Using entitlements file: $ENTITLEMENTS_FILE"
echo "ENTITLEMENTS_FILE=$ENTITLEMENTS_FILE" >> "$GITHUB_ENV"
shell: bash
# Step 1: Setup environment
- name: Setup environment
run: |
# Use the correct path where Unreal Engine is installed
UE_PATH="/Users/Shared/Epic Games/UE_5.5"
if [ ! -d "$UE_PATH" ]; then
echo "Warning: Unreal Engine is not installed in the expected location"
echo "This is expected in CI environment - continuing anyway"
fi
# Create directories for builds
mkdir -p Builds/Mac
mkdir -p PackagedReleases
echo "Using Unreal Engine 5.5"
# Get the working directory path for absolute paths
WORKSPACE_DIR="$(pwd)"
echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV"
shell: bash
# Step 2: Build for macOS
- name: Build for macOS
run: |
if [ -f "./scripts/mac_build.sh" ]; then
chmod +x ./scripts/mac_build.sh
./scripts/mac_build.sh
else
echo "Build script not found, skipping this step"
fi
shell: bash
# Step 3: Create keychain and import certificate
- name: Create keychain and import certificate
env:
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
# Debug: Print working directory
echo "Current working directory: $(pwd)"
echo "Contents of Builds directory:"
find Builds -type d | sort
# Create keychain
KEYCHAIN_PATH="${WORKSPACE_DIR}/build.keychain"
KEYCHAIN_PASSWORD="temporary"
# Create and configure keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Set keychain search list
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
# Decode and import certificate
echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12
# Download Apple certificates
curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
# Import certificates
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
security import certificate.p12 -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
# Set partition list
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Export keychain path and password for later use
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
echo "Certificate imported to keychain"
shell: bash
# Step 4: Find and prep app for signing
- name: Find and prep app for signing
run: |
# Find app bundle - look everywhere
APP_PATHS=$(find . -type d -name "*.app" 2>/dev/null)
if [ -z "$APP_PATHS" ]; then
# No *.app extension found, look in Builds/Mac directory for any directory
APP_PATHS=$(find ./Builds/Mac -type d -mindepth 1 -maxdepth 1 2>/dev/null)
fi
if [ -z "$APP_PATHS" ]; then
echo "ERROR: Could not find any app bundles!"
exit 1
fi
echo "Found potential app bundles:"
echo "$APP_PATHS"
# Use the first app path found
APP_PATH=$(echo "$APP_PATHS" | head -1)
# Get app name for later use
APP_NAME=$(basename "$APP_PATH")
echo "Using app bundle: $APP_PATH"
echo "App name: $APP_NAME"
echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV"
echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV"
shell: bash
# Step 5: Sign application with codesign
- name: Sign application
env:
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
echo "Signing app bundle: $APP_PATH"
echo "Using entitlements file: $ENTITLEMENTS_FILE"
# First, handle libraries and frameworks
find "$APP_PATH" -type f -name "*.dylib" -o -name "*.framework/Versions/*/Resources" | while read LIB; do
echo "Signing library: $LIB"
/usr/bin/codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
done
# Sign the app bundle itself
/usr/bin/codesign --force --options runtime --deep --timestamp --verbose --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH"
# Verify signature
echo "Verifying signature..."
/usr/bin/codesign --verify --verbose "$APP_PATH"
if [ $? -eq 0 ]; then
echo "✅ Code signing was successful"
else
echo "❌ Code signing failed"
exit 1
fi
shell: bash
# Step 6: Notarize application
- name: Notarize application
env:
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
run: |
echo "Preparing for notarization..."
# Create API key file
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
API_KEY_FILE="$(pwd)/api_key.p8"
# Create a zip archive for notarization
NOTARIZE_APP_PATH="LuckyWorld-notarize.zip"
echo "Creating archive for notarization: $NOTARIZE_APP_PATH"
# Use ditto to preserve bundle structure
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
# Check if zip file was created successfully
if [ ! -f "$NOTARIZE_APP_PATH" ]; then
echo "❌ Failed to create notarization archive"
exit 1
fi
echo "Submitting for notarization..."
echo "API Key ID: $API_KEY_ID"
echo "API Key File: $API_KEY_FILE"
# Submit for notarization using API key
NOTARIZE_OUTPUT=$(xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait)
echo "Notarization response:"
echo "$NOTARIZE_OUTPUT"
# Check if notarization was successful
if [[ "$NOTARIZE_OUTPUT" =~ "status: Accepted" ]]; then
echo "✅ Notarization successful"
else
echo "⚠️ Notarization may have failed. Checking status..."
# Extract submission ID if available
SUBMISSION_ID=$(echo "$NOTARIZE_OUTPUT" | grep "id:" | awk '{print $2}')
if [ -n "$SUBMISSION_ID" ]; then
echo "Checking submission $SUBMISSION_ID..."
xcrun notarytool info "$SUBMISSION_ID" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID"
# Continue even if notarization failed - we'll staple if possible
echo "⚠️ Continuing despite potential notarization issues..."
else
echo "⚠️ No submission ID found. Continuing anyway..."
fi
fi
# Staple the notarization ticket to the app
echo "Stapling notarization ticket to app..."
xcrun stapler staple "$APP_PATH"
if [ $? -eq 0 ]; then
echo "✅ Stapling successful"
else
echo "⚠️ Stapling may have failed. This is sometimes expected for new apps."
echo "⚠️ Continuing with packaging..."
fi
# Clean up
rm -f "$NOTARIZE_APP_PATH" "$API_KEY_FILE"
shell: bash
# Step 7: Package macOS App
- name: Package macOS App
run: |
echo "Packaging signed app bundle: $APP_PATH"
# Create zip package
(cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS.zip" "$(basename "$APP_PATH")")
echo "Created packaged release: PackagedReleases/LuckyWorld-macOS.zip"
echo "Packaged releases:"
ls -la PackagedReleases/
shell: bash
# Step 8: Upload macOS Build Artifact
- name: Upload macOS Build Artifact
uses: actions/upload-artifact@v3
if: success()
with:
name: LuckyWorld-macOS
path: PackagedReleases/LuckyWorld-macOS.zip
retention-days: 365
# Step 9: Cleanup
- name: Cleanup
if: always()
run: |
# Clean up keychain and certificates
if [ -n "$KEYCHAIN_PATH" ]; then
security delete-keychain "$KEYCHAIN_PATH" || true
fi
# Clean up certificate files
rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer api_key.p8 || true
echo "Cleanup complete"
shell: bash
Reference in New Issue View Git Blame Copy Permalink