Diffstat (limited to 'meshmc/.github/actions/package/macos/action.yml')
-rw-r--r--meshmc/.github/actions/package/macos/action.yml146
1 files changed, 146 insertions, 0 deletions
diff --git a/meshmc/.github/actions/package/macos/action.yml b/meshmc/.github/actions/package/macos/action.yml
new file mode 100644
index 0000000000..2a1c432a6d
--- /dev/null
+++ b/meshmc/.github/actions/package/macos/action.yml
@@ -0,0 +1,146 @@
+name: Package for macOS
+description: Create a macOS package for MeshMC
+
+inputs:
+ version:
+ description: Launcher version
+ required: true
+ build-type:
+ description: Type for the build
+ required: true
+ default: Debug
+ artifact-name:
+ description: Name of the uploaded artifact
+ required: true
+ default: macOS
+ apple-codesign-cert:
+ description: Certificate for signing macOS builds
+ required: false
+ apple-codesign-password:
+ description: Password for signing macOS builds
+ required: false
+ apple-codesign-id:
+ description: Certificate ID for signing macOS builds
+ required: false
+ apple-notarize-apple-id:
+ description: Apple ID used for notarizing macOS builds
+ required: false
+ apple-notarize-team-id:
+ description: Team ID used for notarizing macOS builds
+ required: false
+ apple-notarize-password:
+ description: Password used for notarizing macOS builds
+ required: false
+ sparkle-ed25519-key:
+ description: Private key for signing Sparkle updates
+ required: false
+
+runs:
+ using: composite
+
+ steps:
+ - name: Fetch codesign certificate
+ shell: bash
+ run: |
+ echo '${{ inputs.apple-codesign-cert }}' | base64 --decode > codesign.p12
+ if [ -n '${{ inputs.apple-codesign-id }}' ]; then
+ security create-keychain -p '${{ inputs.apple-codesign-password }}' build.keychain
+ security default-keychain -s build.keychain
+ security unlock-keychain -p '${{ inputs.apple-codesign-password }}' build.keychain
+ security import codesign.p12 -k build.keychain -P '${{ inputs.apple-codesign-password }}' -T /usr/bin/codesign
+ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k '${{ inputs.apple-codesign-password }}' build.keychain
+ else
+ echo ":warning: Using ad-hoc code signing for macOS, as certificate was not present." >> $GITHUB_STEP_SUMMARY
+ fi
+
+ - name: Package
+ shell: bash
+ env:
+ BUILD_DIR: build
+ INSTALL_DIR: install
+ run: |
+ cmake --install ${{ env.BUILD_DIR }} --config ${{ inputs.build-type }}
+
+ cd ${{ env.INSTALL_DIR }}
+ chmod +x "MeshMC.app/Contents/MacOS/meshmc"
+
+ if [ -n '${{ inputs.apple-codesign-id }}' ]; then
+ APPLE_CODESIGN_ID='${{ inputs.apple-codesign-id }}'
+ ENTITLEMENTS_FILE='../branding/App.entitlements'
+ else
+ APPLE_CODESIGN_ID='-'
+ ENTITLEMENTS_FILE='../branding/AdhocSignedApp.entitlements'
+ fi
+
+ sudo codesign --sign "$APPLE_CODESIGN_ID" --deep --force --entitlements "$ENTITLEMENTS_FILE" --options runtime "MeshMC.app/Contents/MacOS/meshmc"
+
+ - name: Notarize
+ shell: bash
+ env:
+ INSTALL_DIR: install
+ run: |
+ cd ${{ env.INSTALL_DIR }}
+
+ if [ -n '${{ inputs.apple-notarize-password }}' ]; then
+ ditto -c -k --sequesterRsrc --keepParent "MeshMC.app" ../MeshMC.zip
+ xcrun notarytool submit ../MeshMC.zip \
+ --wait --progress \
+ --apple-id '${{ inputs.apple-notarize-apple-id }}' \
+ --team-id '${{ inputs.apple-notarize-team-id }}' \
+ --password '${{ inputs.apple-notarize-password }}'
+
+ xcrun stapler staple "MeshMC.app"
+ else
+ echo ":warning: Skipping notarization as credentials are not present." >> $GITHUB_STEP_SUMMARY
+ fi
+ ditto -c -k --sequesterRsrc --keepParent "MeshMC.app" ../MeshMC.zip
+
+ - name: Create DMG
+ shell: bash
+ env:
+ INSTALL_DIR: install
+ run: |
+ cd ${{ env.INSTALL_DIR }}
+
+ mkdir -p src
+ cp -R "MeshMC.app" src/
+
+ ln -s /Applications src/
+
+ hdiutil create \
+ -volname "MeshMC ${{ inputs.version }}" \
+ -srcfolder src \
+ -ov -format ULMO \
+ "../MeshMC.dmg"
+
+ - name: Make Sparkle signature
+ shell: bash
+ run: |
+ if [ '${{ inputs.sparkle-ed25519-key }}' != '' ]; then
+ echo '${{ inputs.sparkle-ed25519-key }}' > ed25519-priv.pem
+ signature_zip=$(/opt/homebrew/opt/openssl@3/bin/openssl pkeyutl -sign -rawin -in ${{ github.workspace }}/MeshMC.zip -inkey ed25519-priv.pem | openssl base64 | tr -d \\n)
+ signature_dmg=$(/opt/homebrew/opt/openssl@3/bin/openssl pkeyutl -sign -rawin -in ${{ github.workspace }}/MeshMC.dmg -inkey ed25519-priv.pem | openssl base64 | tr -d \\n)
+ rm ed25519-priv.pem
+ cat >> $GITHUB_STEP_SUMMARY << EOF
+ ### Artifact Information :information_source:
+ - :memo: Sparkle Signature (ed25519): \`$signature_zip\` (ZIP)
+ - :memo: Sparkle Signature (ed25519): \`$signature_dmg\` (DMG)
+ EOF
+ else
+ cat >> $GITHUB_STEP_SUMMARY << EOF
+ ### Artifact Information :information_source:
+ - :warning: Sparkle Signature (ed25519): No private key available (likely a pull request or fork)
+ EOF
+ fi
+
+ - name: Upload binary tarball
+ uses: actions/upload-artifact@v7
+ with:
+ name: MeshMC-${{ inputs.artifact-name }}-${{ inputs.version }}-${{ inputs.build-type }}
+ path: MeshMC.zip
+
+ - name: Upload disk image
+ uses: actions/upload-artifact@v7
+ with:
+ name: MeshMC-${{ inputs.artifact-name }}-${{ inputs.version }}-${{ inputs.build-type }}.dmg
+ path: MeshMC.dmg
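Review bot: Every secret in this action is pasted into the script text with `${{ inputs.… }}` inside single quotes (the `security` calls in "Fetch codesign certificate", `notarytool --password` in "Notarize", the `echo … > ed25519-priv.pem` in "Make Sparkle signature"), so a value containing a `'` ends the quoting and the remainder is run as shell, and the expanded secret is written into the generated step script on the runner. Pass them through a step-level `env:` block and reference quoted variables such as `"$CODESIGN_PASSWORD"`; the `${{ inputs.build-type }}` and `${{ inputs.version }}` expansions in "Package" and "Create DMG" deserve the same treatment. `codesign.p12` is also never deleted, and `rm ed25519-priv.pem` appears to be skipped when a signing command fails under bash's `-e`, so a `trap … EXIT` cleanup is safer on runners that keep their workspace. The fence shows the first step rewritten this way, with the certificate decoded only when a signing ID is present; the other steps follow the same pattern.

```yaml
    - name: Fetch codesign certificate
      shell: bash
      env:
        CODESIGN_CERT: ${{ inputs.apple-codesign-cert }}
        CODESIGN_ID: ${{ inputs.apple-codesign-id }}
        CODESIGN_PASSWORD: ${{ inputs.apple-codesign-password }}
      run: |
        if [ -n "$CODESIGN_ID" ]; then
          # Remove the decoded certificate even if a later command fails.
          trap 'rm -f codesign.p12' EXIT
          printf '%s' "$CODESIGN_CERT" | base64 --decode > codesign.p12
          security create-keychain -p "$CODESIGN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$CODESIGN_PASSWORD" build.keychain
          security import codesign.p12 -k build.keychain -P "$CODESIGN_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$CODESIGN_PASSWORD" build.keychain
        else
          # … unchanged: ad-hoc signing warning written to the step summary …
        fi
```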