name: Package for macOS
description: Create a macOS package for MeshMC

# Composite action: installs the CMake build, code-signs the app, optionally
# notarizes it, produces MeshMC.zip and MeshMC.dmg, optionally signs both for
# Sparkle, and uploads them as workflow artifacts.
#
# A composite action receives secrets only through its inputs, so every
# credential below is supplied by the calling workflow. Each one is optional:
# when it is empty the matching step falls back or is skipped, as noted.
inputs:
  # Used in the DMG volume name and in the uploaded artifact names.
  version:
    description: Launcher version
    required: true
  # Passed to `cmake --install --config` and used in the artifact names.
  build-type:
    description: Type for the build
    required: true
    default: Debug
  artifact-name:
    description: Name of the uploaded artifact
    required: true
    default: macOS
  # SECRET. Base64 text that the first step decodes into codesign.p12.
  apple-codesign-cert:
    description: Certificate for signing macOS builds
    required: false
  # SECRET. Used both as the password of the temporary build.keychain and as
  # the import passphrase of codesign.p12.
  apple-codesign-password:
    description: Password for signing macOS builds
    required: false
  # Signing identity handed to `codesign --sign`. When empty, the keychain is
  # not set up and the app is ad-hoc signed instead.
  apple-codesign-id:
    description: Certificate ID for signing macOS builds
    required: false
  apple-notarize-apple-id:
    description: Apple ID used for notarizing macOS builds
    required: false
  apple-notarize-team-id:
    description: Team ID used for notarizing macOS builds
    required: false
  # SECRET. Notarization runs only when this is non-empty.
  apple-notarize-password:
    description: Password used for notarizing macOS builds
    required: false
  # SECRET. Written to a key file and passed to `openssl pkeyutl -inkey`; the
  # Sparkle signatures are skipped when it is empty.
  sparkle-ed25519-key:
    description: Private key for signing Sparkle updates
    required: false

runs:
  using: composite

  steps:
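    - name: Fetch codesign certificate
      shell: bash
      # The inputs are handed to the script as environment variables instead of
      # being expanded inside the script text. An expression is substituted
      # into the script before bash parses it, so a quote character inside a
      # value would alter the script; an environment variable is only data.
      env:
        APPLE_CODESIGN_CERT: ${{ inputs.apple-codesign-cert }}
        APPLE_CODESIGN_PASSWORD: ${{ inputs.apple-codesign-password }}
        APPLE_CODESIGN_ID: ${{ inputs.apple-codesign-id }}
      run: |
        if [ -n "$APPLE_CODESIGN_ID" ]; then
          # codesign.p12 contains the signing private key. It is only needed
          # until it has been imported into the keychain, so it is created
          # owner-readable and removed when the step exits, whether the import
          # succeeded or not. No later step in this action reads it.
          trap 'rm -f codesign.p12' EXIT
          (umask 077; printf '%s\n' "$APPLE_CODESIGN_CERT" | base64 --decode > codesign.p12)

          # NOTE(review): the password is still passed as a command-line
          # argument to `security`, so it is visible in the process list while
          # each command runs. Acceptable on a single-tenant ephemeral runner;
          # reconsider on shared or self-hosted runners.
          security create-keychain -p "$APPLE_CODESIGN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$APPLE_CODESIGN_PASSWORD" build.keychain
          security import codesign.p12 -k build.keychain -P "$APPLE_CODESIGN_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$APPLE_CODESIGN_PASSWORD" build.keychain
          # NOTE(review): build.keychain stays the default keychain after this
          # action finishes. On a self-hosted runner, delete it in a final
          # cleanup step so the signing identity does not outlive the job.
        else
          echo ":warning: Using ad-hoc code signing for macOS, as certificate was not present." >> "$GITHUB_STEP_SUMMARY"
        fi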

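    - name: Package
      shell: bash
      # build-type and the signing identity arrive as environment variables so
      # their values are never parsed as part of the script.
      env:
        BUILD_DIR: build
        INSTALL_DIR: install
        BUILD_TYPE: ${{ inputs.build-type }}
        APPLE_CODESIGN_ID: ${{ inputs.apple-codesign-id }}
      run: |
        cmake --install "$BUILD_DIR" --config "$BUILD_TYPE"

        cd "$INSTALL_DIR"
        chmod +x "MeshMC.app/Contents/MacOS/meshmc"

        if [ -n "$APPLE_CODESIGN_ID" ]; then
          ENTITLEMENTS_FILE='../branding/App.entitlements'
        else
          # No identity supplied: "-" makes codesign produce an ad-hoc signature.
          APPLE_CODESIGN_ID='-'
          ENTITLEMENTS_FILE='../branding/AdhocSignedApp.entitlements'
        fi

        # NOTE(review): the target is the main executable, not the MeshMC.app
        # bundle, and signing relies on --deep. Confirm that nested frameworks
        # and plugins end up signed with the hardened runtime, and that root
        # (sudo) is actually required here.
        sudo codesign --sign "$APPLE_CODESIGN_ID" --deep --force --entitlements "$ENTITLEMENTS_FILE" --options runtime "MeshMC.app/Contents/MacOS/meshmc"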

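    - name: Notarize
      shell: bash
      # Notarization credentials are passed through the environment so that
      # their values cannot change the script text.
      env:
        INSTALL_DIR: install
        APPLE_NOTARIZE_APPLE_ID: ${{ inputs.apple-notarize-apple-id }}
        APPLE_NOTARIZE_TEAM_ID: ${{ inputs.apple-notarize-team-id }}
        APPLE_NOTARIZE_PASSWORD: ${{ inputs.apple-notarize-password }}
      run: |
        cd "$INSTALL_DIR"

        if [ -n "$APPLE_NOTARIZE_PASSWORD" ]; then
          ditto -c -k --sequesterRsrc --keepParent "MeshMC.app" ../MeshMC.zip
          # NOTE(review): the password is still a command-line argument and is
          # visible in the process list for the duration of the upload. A
          # stored keychain profile would avoid that; confirm whether the
          # runner setup allows it.
          xcrun notarytool submit ../MeshMC.zip \
            --wait --progress \
            --apple-id "$APPLE_NOTARIZE_APPLE_ID" \
            --team-id "$APPLE_NOTARIZE_TEAM_ID" \
            --password "$APPLE_NOTARIZE_PASSWORD"

          xcrun stapler staple "MeshMC.app"
        else
          echo ":warning: Skipping notarization as credentials are not present." >> "$GITHUB_STEP_SUMMARY"
        fi
        # The archive is (re)built after stapling, presumably so that the
        # published ZIP contains the stapled app rather than the copy that was
        # submitted for notarization.
        ditto -c -k --sequesterRsrc --keepParent "MeshMC.app" ../MeshMC.zip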

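    - name: Create DMG
      shell: bash
      # The version string is supplied by the caller; it is read from the
      # environment so it is treated as data, not as part of the script.
      env:
        INSTALL_DIR: install
        VERSION: ${{ inputs.version }}
      run: |
        cd "$INSTALL_DIR"

        # Stage the app next to an /Applications symlink for drag-and-drop
        # installation.
        mkdir -p src
        cp -R "MeshMC.app" src/

        ln -s /Applications src/

        hdiutil create \
            -volname "MeshMC $VERSION" \
            -srcfolder src \
            -ov -format ULMO \
            "../MeshMC.dmg"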

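    - name: Make Sparkle signature
      shell: bash
      # The private key is read from the environment rather than expanded into
      # the script text, where a quote in the value would alter the script.
      env:
        SPARKLE_ED25519_KEY: ${{ inputs.sparkle-ed25519-key }}
      run: |
        if [ -n "$SPARKLE_ED25519_KEY" ]; then
          # The update-signing key goes into a private temporary file (mktemp
          # creates it owner-only) outside the workspace, and the trap removes
          # it even when a signing command fails and aborts the step.
          key_file=$(mktemp)
          trap 'rm -f "$key_file"' EXIT
          printf '%s\n' "$SPARKLE_ED25519_KEY" > "$key_file"

          signature_zip=$(/opt/homebrew/opt/openssl@3/bin/openssl pkeyutl -sign -rawin -in "$GITHUB_WORKSPACE/MeshMC.zip" -inkey "$key_file" | openssl base64 | tr -d \\n)
          signature_dmg=$(/opt/homebrew/opt/openssl@3/bin/openssl pkeyutl -sign -rawin -in "$GITHUB_WORKSPACE/MeshMC.dmg" -inkey "$key_file" | openssl base64 | tr -d \\n)
          rm -f "$key_file"
          cat >> "$GITHUB_STEP_SUMMARY" << EOF
        ### Artifact Information :information_source:
        - :memo: Sparkle Signature (ed25519): \`$signature_zip\` (ZIP)
        - :memo: Sparkle Signature (ed25519): \`$signature_dmg\` (DMG)
        EOF
        else
          cat >> "$GITHUB_STEP_SUMMARY" << EOF
        ### Artifact Information :information_source:
        - :warning: Sparkle Signature (ed25519): No private key available (likely a pull request or fork)
        EOF
        fi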

    # Publishes the ZIP archive produced by the Notarize step.
    # NOTE(review): the action is referenced by a movable tag. Pinning `uses:`
    # to a full commit SHA (with the tag kept as a trailing comment) prevents a
    # retagged release from running in a job that has handled signing keys.
    - name: Upload binary tarball
      uses: actions/upload-artifact@v7
      with:
        name: MeshMC-${{ inputs.artifact-name }}-${{ inputs.version }}-${{ inputs.build-type }}
        path: MeshMC.zip

    # Publishes the disk image produced by the Create DMG step.
    # NOTE(review): `uses:` points at a movable tag; consider pinning it to a
    # full commit SHA so the code that runs here cannot change under the tag.
    - name: Upload disk image
      uses: actions/upload-artifact@v7
      with:
        name: MeshMC-${{ inputs.artifact-name }}-${{ inputs.version }}-${{ inputs.build-type }}.dmg
        path: MeshMC.dmg