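# Composite action: installs the built MeshMC.app, code-signs it, optionally
# notarizes it, wraps it into a ZIP and a DMG, optionally produces Sparkle
# (ed25519) signatures, and uploads both artifacts.
#
# Security notes for maintainers:
# - Inputs and secrets are handed to the shell through `env:` and read as
#   quoted variables. Expanding `${{ ... }}` directly inside a `run:` script
#   pastes the value into the script text, so a quote character in an input
#   would change what the shell executes.
# - Key material (the .p12 and the Sparkle private key) is written under
#   $RUNNER_TEMP and removed by an EXIT trap, so it is deleted even when a
#   signing command fails and never sits in the workspace.
name: Package for macOS
description: Create a macOS package for MeshMC

inputs:
  version:
    description: Launcher version
    required: true
  build-type:
    description: Type for the build
    required: true
    default: Debug
  artifact-name:
    description: Name of the uploaded artifact
    required: true
    default: macOS
  apple-codesign-cert:
    description: Certificate for signing macOS builds
    required: false
  apple-codesign-password:
    description: Password for signing macOS builds
    required: false
  apple-codesign-id:
    description: Certificate ID for signing macOS builds
    required: false
  apple-notarize-apple-id:
    description: Apple ID used for notarizing macOS builds
    required: false
  apple-notarize-team-id:
    description: Team ID used for notarizing macOS builds
    required: false
  apple-notarize-password:
    description: Password used for notarizing macOS builds
    required: false
  sparkle-ed25519-key:
    description: Private key for signing Sparkle updates
    required: false

runs:
  using: composite

  steps:
    - name: Fetch codesign certificate
      shell: bash
      env:
        APPLE_CODESIGN_CERT: ${{ inputs.apple-codesign-cert }}
        APPLE_CODESIGN_PASSWORD: ${{ inputs.apple-codesign-password }}
        APPLE_CODESIGN_ID: ${{ inputs.apple-codesign-id }}
      run: |
        if [ -n "$APPLE_CODESIGN_ID" ]; then
          # Decode the certificate only when it will be imported, and keep it
          # out of the workspace; the trap removes it on success and failure.
          cert_path="$RUNNER_TEMP/codesign.p12"
          trap 'rm -f "$cert_path"' EXIT
          printf '%s\n' "$APPLE_CODESIGN_CERT" | base64 --decode > "$cert_path"

          # The password still reaches `security` as a command-line argument.
          security create-keychain -p "$APPLE_CODESIGN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$APPLE_CODESIGN_PASSWORD" build.keychain
          security import "$cert_path" -k build.keychain \
            -P "$APPLE_CODESIGN_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: \
            -s -k "$APPLE_CODESIGN_PASSWORD" build.keychain
        else
          echo ":warning: Using ad-hoc code signing for macOS, as certificate was not present." >> "$GITHUB_STEP_SUMMARY"
        fi

    - name: Package
      shell: bash
      env:
        BUILD_DIR: build
        INSTALL_DIR: install
        BUILD_TYPE: ${{ inputs.build-type }}
        APPLE_CODESIGN_ID: ${{ inputs.apple-codesign-id }}
      run: |
        cmake --install "$BUILD_DIR" --config "$BUILD_TYPE"

        cd "$INSTALL_DIR"
        chmod +x "MeshMC.app/Contents/MacOS/meshmc"

        # With no signing identity, fall back to an ad-hoc signature ('-')
        # and the entitlements file meant for ad-hoc builds.
        if [ -n "$APPLE_CODESIGN_ID" ]; then
          ENTITLEMENTS_FILE='../branding/App.entitlements'
        else
          APPLE_CODESIGN_ID='-'
          ENTITLEMENTS_FILE='../branding/AdhocSignedApp.entitlements'
        fi

        sudo codesign --sign "$APPLE_CODESIGN_ID" --deep --force \
          --entitlements "$ENTITLEMENTS_FILE" --options runtime \
          "MeshMC.app/Contents/MacOS/meshmc"

    - name: Notarize
      shell: bash
      env:
        INSTALL_DIR: install
        APPLE_NOTARIZE_APPLE_ID: ${{ inputs.apple-notarize-apple-id }}
        APPLE_NOTARIZE_TEAM_ID: ${{ inputs.apple-notarize-team-id }}
        APPLE_NOTARIZE_PASSWORD: ${{ inputs.apple-notarize-password }}
      run: |
        cd "$INSTALL_DIR"

        if [ -n "$APPLE_NOTARIZE_PASSWORD" ]; then
          ditto -c -k --sequesterRsrc --keepParent "MeshMC.app" ../MeshMC.zip
          xcrun notarytool submit ../MeshMC.zip \
            --wait --progress \
            --apple-id "$APPLE_NOTARIZE_APPLE_ID" \
            --team-id "$APPLE_NOTARIZE_TEAM_ID" \
            --password "$APPLE_NOTARIZE_PASSWORD"

          xcrun stapler staple "MeshMC.app"
        else
          echo ":warning: Skipping notarization as credentials are not present." >> "$GITHUB_STEP_SUMMARY"
        fi

        # Re-create the archive so that it contains the app as it is now
        # (after stapling, when notarization ran).
        ditto -c -k --sequesterRsrc --keepParent "MeshMC.app" ../MeshMC.zip

    - name: Create DMG
      shell: bash
      env:
        INSTALL_DIR: install
        VERSION: ${{ inputs.version }}
      run: |
        cd "$INSTALL_DIR"

        mkdir -p src
        cp -R "MeshMC.app" src/
        ln -s /Applications src/

        hdiutil create \
          -volname "MeshMC $VERSION" \
          -srcfolder src \
          -ov -format ULMO \
          "../MeshMC.dmg"

    - name: Make Sparkle signature
      shell: bash
      env:
        SPARKLE_ED25519_KEY: ${{ inputs.sparkle-ed25519-key }}
      run: |
        if [ -n "$SPARKLE_ED25519_KEY" ]; then
          # mktemp creates the key file readable by the current user only;
          # the trap deletes it even if a signing command fails.
          key_file="$(mktemp "$RUNNER_TEMP/ed25519-priv.XXXXXX")"
          trap 'rm -f "$key_file"' EXIT
          printf '%s\n' "$SPARKLE_ED25519_KEY" > "$key_file"

          signature_zip=$(/opt/homebrew/opt/openssl@3/bin/openssl pkeyutl -sign -rawin \
            -in "$GITHUB_WORKSPACE/MeshMC.zip" -inkey "$key_file" |
            openssl base64 | tr -d '\n')
          signature_dmg=$(/opt/homebrew/opt/openssl@3/bin/openssl pkeyutl -sign -rawin \
            -in "$GITHUB_WORKSPACE/MeshMC.dmg" -inkey "$key_file" |
            openssl base64 | tr -d '\n')

          cat >> "$GITHUB_STEP_SUMMARY" << EOF
        ### Artifact Information :information_source:
        - :memo: Sparkle Signature (ed25519): \`$signature_zip\` (ZIP)
        - :memo: Sparkle Signature (ed25519): \`$signature_dmg\` (DMG)
        EOF
        else
          cat >> "$GITHUB_STEP_SUMMARY" << EOF
        ### Artifact Information :information_source:
        - :warning: Sparkle Signature (ed25519): No private key available (likely a pull request or fork)
        EOF
        fi

    # NOTE(review): `@v7` is a mutable tag. Since this job handles signing
    # keys, consider pinning third-party actions to a full commit SHA.
    - name: Upload binary tarball
      uses: actions/upload-artifact@v7
      with:
        name: MeshMC-${{ inputs.artifact-name }}-${{ inputs.version }}-${{ inputs.build-type }}
        path: MeshMC.zip

    - name: Upload disk image
      uses: actions/upload-artifact@v7
      with:
        name: MeshMC-${{ inputs.artifact-name }}-${{ inputs.version }}-${{ inputs.build-type }}.dmg
        path: MeshMC.dmg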