Ozgur Ersoy
c98b68281e
Some checks failed
Test macOS Build Action / test-macos-build (push) Failing after 27m51s
369 lines
15 KiB
YAML
369 lines
15 KiB
YAML
name: Test macOS Build Action
|
|
|
|
on:
|
|
workflow_dispatch: # Manual trigger only for testing
|
|
push:
|
|
branches: [ozgur/build]
|
|
|
|
jobs:
|
|
test-macos-build:
|
|
runs-on: macos
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v3
|
|
with:
|
|
lfs: true
|
|
fetch-depth: 0
|
|
|
|
- name: Check entitlements file
|
|
run: |
|
|
# Check if entitlements files exist
|
|
if [ -f "LuckyWorld.entitlements" ]; then
|
|
echo "Using existing LuckyWorld.entitlements file"
|
|
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
|
|
elif [ -f "LuckyRobots.entitlements" ]; then
|
|
echo "Using existing LuckyRobots.entitlements file"
|
|
ENTITLEMENTS_FILE="LuckyRobots.entitlements"
|
|
else
|
|
echo "Creating default entitlements file as LuckyWorld.entitlements"
|
|
# Create entitlements file line by line instead of heredoc
|
|
echo '<?xml version="1.0" encoding="UTF-8"?>' > LuckyWorld.entitlements
|
|
echo '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' >> LuckyWorld.entitlements
|
|
echo '<plist version="1.0">' >> LuckyWorld.entitlements
|
|
echo '<dict>' >> LuckyWorld.entitlements
|
|
echo ' <key>com.apple.security.cs.allow-jit</key>' >> LuckyWorld.entitlements
|
|
echo ' <true/>' >> LuckyWorld.entitlements
|
|
echo ' <key>com.apple.security.cs.allow-unsigned-executable-memory</key>' >> LuckyWorld.entitlements
|
|
echo ' <true/>' >> LuckyWorld.entitlements
|
|
echo ' <key>com.apple.security.cs.disable-library-validation</key>' >> LuckyWorld.entitlements
|
|
echo ' <true/>' >> LuckyWorld.entitlements
|
|
echo ' <key>com.apple.security.cs.allow-dyld-environment-variables</key>' >> LuckyWorld.entitlements
|
|
echo ' <true/>' >> LuckyWorld.entitlements
|
|
echo ' <key>com.apple.security.device.audio-input</key>' >> LuckyWorld.entitlements
|
|
echo ' <true/>' >> LuckyWorld.entitlements
|
|
echo ' <key>com.apple.security.device.camera</key>' >> LuckyWorld.entitlements
|
|
echo ' <true/>' >> LuckyWorld.entitlements
|
|
echo '</dict>' >> LuckyWorld.entitlements
|
|
echo '</plist>' >> LuckyWorld.entitlements
|
|
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
|
|
fi
|
|
|
|
echo "Using entitlements file: $ENTITLEMENTS_FILE"
|
|
echo "ENTITLEMENTS_FILE=$ENTITLEMENTS_FILE" >> "$GITHUB_ENV"
|
|
shell: bash
|
|
|
|
# Step 1: Setup environment
|
|
- name: Setup environment
|
|
run: |
|
|
# Use the correct path where Unreal Engine is installed
|
|
UE_PATH="/Users/Shared/Epic Games/UE_5.5"
|
|
|
|
if [ ! -d "$UE_PATH" ]; then
|
|
echo "Warning: Unreal Engine is not installed in the expected location"
|
|
echo "This is expected in CI environment - continuing anyway"
|
|
fi
|
|
|
|
# Create directories for builds
|
|
mkdir -p Builds/Mac
|
|
mkdir -p PackagedReleases
|
|
|
|
echo "Using Unreal Engine 5.5"
|
|
|
|
# Get the working directory path for absolute paths
|
|
WORKSPACE_DIR="$(pwd)"
|
|
echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV"
|
|
shell: bash
|
|
|
|
# Step 2: Build for macOS
|
|
- name: Build for macOS
|
|
run: |
|
|
if [ -f "./scripts/mac_build.sh" ]; then
|
|
chmod +x ./scripts/mac_build.sh
|
|
./scripts/mac_build.sh
|
|
else
|
|
echo "Build script not found, skipping this step"
|
|
fi
|
|
shell: bash
|
|
|
|
# Step 3: Create keychain and import certificate
|
|
- name: Create keychain and import certificate
|
|
env:
|
|
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
|
|
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
|
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
|
run: |
|
|
# Debug: Print working directory
|
|
echo "Current working directory: $(pwd)"
|
|
echo "Contents of Builds directory:"
|
|
find Builds -type d | sort
|
|
|
|
# Check what saved builds we have
|
|
echo "Contents of Saved/StagedBuilds directory (if exists):"
|
|
find ./Saved -type d -name "*.app" 2>/dev/null || echo "No .app bundles found in Saved/"
|
|
|
|
# Create temporary directory for keychain and certificates
|
|
TEMP_DIR=$(mktemp -d)
|
|
KEYCHAIN_PATH="$TEMP_DIR/build.keychain"
|
|
KEYCHAIN_PASSWORD="temporary$(date +%s)"
|
|
|
|
echo "Creating keychain at: $KEYCHAIN_PATH"
|
|
|
|
# Create and configure keychain
|
|
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
|
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
|
|
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
|
|
|
# Add to keychain list and make it default
|
|
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
|
|
security default-keychain -s "$KEYCHAIN_PATH"
|
|
|
|
# Decode certificate to temporary directory
|
|
CERT_PATH="$TEMP_DIR/certificate.p12"
|
|
echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
|
|
|
|
# Import certificate with correct flags for automated use
|
|
security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12
|
|
|
|
# Set partition list - important for automated signing without UI prompts
|
|
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
|
|
|
# Get the certificate's Common Name and SHA-1 fingerprint for signing
|
|
echo "Listing available codesigning identities:"
|
|
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
|
|
|
# Get the certificate ID (SHA-1 fingerprint) - this is more reliable than using the name
|
|
CERT_ID=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -o '[0-9A-F]\{40\}' | head -1)
|
|
|
|
if [ -z "$CERT_ID" ]; then
|
|
echo "⚠️ No valid signing certificate found in keychain"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Using certificate ID: $CERT_ID"
|
|
echo "CERT_ID=$CERT_ID" >> "$GITHUB_ENV"
|
|
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
|
|
|
|
echo "Certificate imported successfully"
|
|
shell: bash
|
|
|
|
# Step 4: Find and prep app for signing
|
|
- name: Find and prep app for signing
|
|
run: |
|
|
# First check Saved/StagedBuilds directory - where Unreal often places built apps
|
|
echo "Checking Saved/StagedBuilds directory..."
|
|
APP_PATHS=$(find ./Saved/StagedBuilds -type d -name "*.app" 2>/dev/null)
|
|
|
|
# If not found, check Builds directory
|
|
if [ -z "$APP_PATHS" ]; then
|
|
echo "Checking Builds directory..."
|
|
APP_PATHS=$(find ./Builds -type d -name "*.app" 2>/dev/null)
|
|
fi
|
|
|
|
# If still not found, check the whole workspace
|
|
if [ -z "$APP_PATHS" ]; then
|
|
echo "Checking entire workspace..."
|
|
APP_PATHS=$(find . -type d -name "*.app" -not -path "*/\.*" 2>/dev/null)
|
|
fi
|
|
|
|
if [ -z "$APP_PATHS" ]; then
|
|
echo "ERROR: Could not find any app bundles!"
|
|
echo "Listing all directories to help debug:"
|
|
find . -type d -maxdepth 3 | sort
|
|
exit 1
|
|
fi
|
|
|
|
echo "Found potential app bundles:"
|
|
echo "$APP_PATHS"
|
|
|
|
# Use the first app path found
|
|
APP_PATH=$(echo "$APP_PATHS" | head -1)
|
|
|
|
# Get app name for later use
|
|
APP_NAME=$(basename "$APP_PATH")
|
|
|
|
echo "Using app bundle: $APP_PATH"
|
|
echo "App name: $APP_NAME"
|
|
|
|
echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV"
|
|
echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV"
|
|
shell: bash
|
|
|
|
# Step 5: Sign application with codesign - improved based on forums
|
|
- name: Sign application
|
|
env:
|
|
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
|
run: |
|
|
echo "Signing app bundle: $APP_PATH"
|
|
echo "Using entitlements file: $ENTITLEMENTS_FILE"
|
|
echo "Using certificate ID: $CERT_ID"
|
|
|
|
# Make sure keychain is accessible
|
|
security unlock-keychain -p "$(security find-generic-password -a ${USER} -s login -w)" login.keychain
|
|
security unlock-keychain -p "temporary" "$KEYCHAIN_PATH" || true
|
|
|
|
# Sign all dylib files
|
|
echo "🔍 Signing all .dylib files..."
|
|
find "$APP_PATH" -type f -name "*.dylib" | while read DYLIB; do
|
|
echo "Signing dylib: $DYLIB"
|
|
codesign --force --options runtime --timestamp --sign "$CERT_ID" "$DYLIB"
|
|
done
|
|
|
|
# Sign all .so files
|
|
echo "🔍 Signing all .so files..."
|
|
find "$APP_PATH" -type f -name "*.so" | while read SO; do
|
|
echo "Signing .so: $SO"
|
|
codesign --force --options runtime --timestamp --sign "$CERT_ID" "$SO"
|
|
done
|
|
|
|
# Sign all executables in frameworks
|
|
echo "🔍 Signing framework executables..."
|
|
find "$APP_PATH" -path "*.framework/*" -type f -perm +111 | while read FMWK_BIN; do
|
|
echo "Signing framework binary: $FMWK_BIN"
|
|
codesign --force --options runtime --timestamp --sign "$CERT_ID" "$FMWK_BIN"
|
|
done
|
|
|
|
# Sign all other executables
|
|
echo "🔍 Signing other executables..."
|
|
find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | while read EXEC; do
|
|
echo "Signing executable: $EXEC"
|
|
codesign --force --options runtime --timestamp --sign "$CERT_ID" "$EXEC"
|
|
done
|
|
|
|
# Sign all frameworks
|
|
echo "🔍 Signing frameworks..."
|
|
find "$APP_PATH" -name "*.framework" -type d | while read FRAMEWORK; do
|
|
echo "Signing framework: $FRAMEWORK"
|
|
codesign --force --options runtime --timestamp --sign "$CERT_ID" "$FRAMEWORK"
|
|
done
|
|
|
|
# Finally sign the app bundle itself with entitlements
|
|
echo "🔍 Signing the main app bundle with entitlements..."
|
|
codesign --force --options runtime --deep --timestamp --verbose --sign "$CERT_ID" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH"
|
|
|
|
# Verify signature
|
|
echo "Verifying signature..."
|
|
codesign --verify --verbose "$APP_PATH"
|
|
|
|
# Use spctl to check if app is acceptable by Gatekeeper
|
|
echo "Checking if app will pass Gatekeeper validation..."
|
|
spctl -vvv --assess --type exec "$APP_PATH"
|
|
|
|
if [ $? -eq 0 ]; then
|
|
echo "✅ Code signing and Gatekeeper validation was successful"
|
|
else
|
|
echo "⚠️ Gatekeeper validation had warnings, but continuing with notarization"
|
|
fi
|
|
shell: bash
|
|
|
|
# Step 6: Notarize application
|
|
- name: Notarize application
|
|
env:
|
|
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
|
|
API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
|
|
API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
|
|
run: |
|
|
echo "Preparing for notarization..."
|
|
|
|
# Create API key file
|
|
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
|
|
API_KEY_FILE="$(pwd)/api_key.p8"
|
|
|
|
# Create a zip archive for notarization
|
|
NOTARIZE_APP_PATH="LuckyWorld-notarize.zip"
|
|
echo "Creating archive for notarization: $NOTARIZE_APP_PATH"
|
|
|
|
# Use ditto to preserve bundle structure
|
|
ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
|
|
|
|
# Check if zip file was created successfully
|
|
if [ ! -f "$NOTARIZE_APP_PATH" ]; then
|
|
echo "❌ Failed to create notarization archive"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Submitting for notarization..."
|
|
echo "API Key ID: $API_KEY_ID"
|
|
echo "API Key File: $API_KEY_FILE"
|
|
|
|
# Submit for notarization using API key
|
|
NOTARIZE_OUTPUT=$(xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait)
|
|
|
|
echo "Notarization response:"
|
|
echo "$NOTARIZE_OUTPUT"
|
|
|
|
# Check if notarization was successful
|
|
if [[ "$NOTARIZE_OUTPUT" =~ "status: Accepted" ]]; then
|
|
echo "✅ Notarization successful"
|
|
else
|
|
echo "⚠️ Notarization may have failed. Checking status..."
|
|
|
|
# Extract submission ID if available
|
|
SUBMISSION_ID=$(echo "$NOTARIZE_OUTPUT" | grep "id:" | awk '{print $2}')
|
|
|
|
if [ -n "$SUBMISSION_ID" ]; then
|
|
echo "Checking submission $SUBMISSION_ID..."
|
|
xcrun notarytool info "$SUBMISSION_ID" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID"
|
|
|
|
# Continue even if notarization failed - we'll staple if possible
|
|
echo "⚠️ Continuing despite potential notarization issues..."
|
|
else
|
|
echo "⚠️ No submission ID found. Continuing anyway..."
|
|
fi
|
|
fi
|
|
|
|
# Staple the notarization ticket to the app
|
|
echo "Stapling notarization ticket to app..."
|
|
xcrun stapler staple "$APP_PATH"
|
|
|
|
# Verify stapling
|
|
echo "Verifying stapling..."
|
|
stapler validate "$APP_PATH"
|
|
|
|
if [ $? -eq 0 ]; then
|
|
echo "✅ Stapling successful"
|
|
else
|
|
echo "⚠️ Stapling verification may have failed. This is sometimes expected for new apps."
|
|
echo "⚠️ Continuing with packaging..."
|
|
fi
|
|
|
|
# Clean up
|
|
rm -f "$NOTARIZE_APP_PATH" "$API_KEY_FILE"
|
|
shell: bash
|
|
|
|
# Step 7: Package macOS App
|
|
- name: Package macOS App
|
|
run: |
|
|
echo "Packaging signed app bundle: $APP_PATH"
|
|
|
|
# Create zip package
|
|
(cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS.zip" "$(basename "$APP_PATH")")
|
|
|
|
echo "Created packaged release: PackagedReleases/LuckyWorld-macOS.zip"
|
|
echo "Packaged releases:"
|
|
ls -la PackagedReleases/
|
|
shell: bash
|
|
|
|
# Step 8: Upload macOS Build Artifact
|
|
- name: Upload macOS Build Artifact
|
|
uses: actions/upload-artifact@v3
|
|
if: success()
|
|
with:
|
|
name: LuckyWorld-macOS
|
|
path: PackagedReleases/LuckyWorld-macOS.zip
|
|
retention-days: 365
|
|
|
|
# Step 9: Cleanup
|
|
- name: Cleanup
|
|
if: always()
|
|
run: |
|
|
# Clean up keychain and certificates
|
|
if [ -n "$KEYCHAIN_PATH" ]; then
|
|
security delete-keychain "$KEYCHAIN_PATH" || true
|
|
fi
|
|
|
|
# Clean up certificate files
|
|
rm -f certificate.p12 api_key.p8 || true
|
|
|
|
echo "Cleanup complete"
|
|
shell: bash
|
|
|