LuckyWorld/.gitea/actions/macos-build/action.yml

name: 'macOS Build Steps'
description: 'Build, sign and notarize macOS application'

inputs:
  apple_team_id:
    description: 'Apple Team ID for signing'
    required: true
  apple_certificate_base64:
    description: 'Base64-encoded certificate file'
    required: true
  apple_certificate_password:
    description: 'Password for certificate file'
    required: true
  api_key_path:
    description: 'Base64-encoded API key file'
    required: true
  api_key_id:
    description: 'API Key ID'
    required: true
  api_key_issuer_id:
    description: 'API Key Issuer ID'
    required: true

runs:
  using: "composite"
  steps:
    - name: Setup environment
      run: |
        # Use the correct path where Unreal Engine is installed
        UE_PATH="/Users/Shared/Epic Games/UE_5.5"
        
        if [ ! -d "$UE_PATH" ]; then
          echo "Error: Unreal Engine is not installed in the expected location"
          echo "Please ensure Unreal Engine is installed at $UE_PATH"
          exit 1
        fi
        
        # Create directories for builds
        mkdir -p Builds/Mac
        mkdir -p PackagedReleases
        
        echo "Using Unreal Engine 5.5"
      shell: bash
    
    - name: Build for macOS
      run: |
        chmod +x ./scripts/mac_build.sh
        ./scripts/mac_build.sh
      shell: bash
    
    - name: Sign and Notarize macOS App
      if: ${{ success() }}
      env:
        APPLE_TEAM_ID: ${{ inputs.apple_team_id }}
        APPLE_CERTIFICATE_BASE64: ${{ inputs.apple_certificate_base64 }}
        APPLE_CERTIFICATE_PASSWORD: ${{ inputs.apple_certificate_password }}
        API_KEY_PATH: ${{ inputs.api_key_path }}
        API_KEY_ID: ${{ inputs.api_key_id }}
        API_KEY_ISSUER_ID: ${{ inputs.api_key_issuer_id }}
      run: |
        # Create output directory
        mkdir -p PackagedReleases
        
        # Download Apple root certificates
        echo "Downloading Apple Developer certificates..."
        curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
        curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
        
        # Decode the base64 certificate
        echo "Setting up certificate..."
        echo $APPLE_CERTIFICATE_BASE64 | base64 --decode > certificate.p12
        
        # Create keychain and import certificate
        KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
        KEYCHAIN_PASSWORD=temporary
        
        security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
        security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
        
        # Import all certificates to our custom keychain
        security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
        security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
        security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
        
        # Set keychain for signing
        security list-keychain -d user -s "$KEYCHAIN_PATH"
        security default-keychain -s "$KEYCHAIN_PATH"
        
        # Always trust our certificates
        security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
        
        # Find app bundle
        APP_PATH=$(find Builds -type d -name "*.app" | head -1)
        
        if [ -n "$APP_PATH" ]; then
          echo "Signing app bundle: $APP_PATH"
          
          # First, handle problematic libraries separately (specifically libmujoco)
          find "$APP_PATH" -name "libmujoco*.dylib" | while read DYLIB; do
            echo "Pre-signing library: $DYLIB"
            codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$DYLIB"
          done
          
          # Now sign all other dylibs
          find "$APP_PATH" -name "*.dylib" -o -name "*.framework" | while read LIB; do
            echo "Signing library: $LIB"
            codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
          done
          
          # Now sign the application itself
          echo "Signing main application bundle..."
          /usr/bin/codesign --force --options runtime --deep --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements "./LuckyRobots.entitlements" "$APP_PATH"
          
          # Verify signature
          echo "Verifying signature..."
          codesign --verify --verbose "$APP_PATH"
          
          # Create a temporary file for notarization
          NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
          ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
          
          # Decode the API key from Base64 secret
          echo "$API_KEY_PATH" | base64 --decode > api_key.p8
          API_KEY_FILE="api_key.p8"
          
          # Submit for notarization using API key
          echo "Submitting for notarization with API key..."
          xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait
          
          # Check notarization result
          NOTARIZATION_INFO=$(xcrun notarytool history --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" | grep -E '(success|invalid)' | head -1)
          
          # Clean up the API key file
          rm -f "$API_KEY_FILE"
          
          if echo "$NOTARIZATION_INFO" | grep -q "success"; then
            echo "Notarization successful"
            
            # Staple the ticket to the application
            xcrun stapler staple "$APP_PATH"
            
            # Package the notarized app
            echo "Creating final package..."
            APP_NAME=$(basename "$APP_PATH")
            (cd $(dirname "$APP_PATH") && zip -r "../../PackagedReleases/LuckyRobots-macOS.zip" "$APP_NAME")
            echo "Created packaged release: PackagedReleases/LuckyRobots-macOS.zip"
          else
            echo "Notarization failed: $NOTARIZATION_INFO"
            exit 1
          fi
        else
          echo "No app bundle found for signing and notarization"
          
          # Look for a directory that might be a bundle but not named .app
          MAIN_BUILD_DIR=$(find Builds -mindepth 1 -maxdepth 1 -type d | head -1)
          if [ -n "$MAIN_BUILD_DIR" ]; then
            echo "Found main build directory: $MAIN_BUILD_DIR"
            
            # Sign libraries first
            find "$MAIN_BUILD_DIR" -name "*.dylib" -o -name "*.framework" | while read LIB; do
              echo "Signing library: $LIB"
              codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
            done
            
            # Then sign main directory
            /usr/bin/codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --deep --entitlements "./LuckyRobots.entitlements" "$MAIN_BUILD_DIR"
            
            # Package it
            DIR_NAME=$(basename "$MAIN_BUILD_DIR")
            (cd $(dirname "$MAIN_BUILD_DIR") && zip -r "../../PackagedReleases/LuckyRobots-macOS.zip" "$DIR_NAME")
            echo "Created packaged release: PackagedReleases/LuckyRobots-macOS.zip"
          else
            echo "No main directory found, cannot sign or package"
            exit 1
          fi
        fi
        
        echo "Packaged releases:"
        ls -la PackagedReleases/
        
        # Clean up
        rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer
        security delete-keychain "$KEYCHAIN_PATH"
      shell: bash
    
    - name: Upload macOS Build Artifact
      uses: actions/upload-artifact@v3
      if: success()
      with:
        name: LuckyRobots-macOS
        path: PackagedReleases/LuckyRobots-macOS.zip
        retention-days: 365