Skip to content

Commit 1c27641

Browse files
committed
Add release workflow
1 parent 60a3e79 commit 1c27641

3 files changed

Lines changed: 145 additions & 2 deletions

File tree

Lines changed: 104 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,104 @@
1+
name: Release macOS
2+
3+
on:
4+
push:
5+
tags: ["mac-v*"]
6+
7+
permissions:
8+
contents: write
9+
10+
jobs:
11+
release:
12+
name: ${{ matrix.name }}
13+
runs-on: macos-15
14+
timeout-minutes: 90
15+
environment: release
16+
17+
strategy:
18+
fail-fast: false
19+
matrix:
20+
include:
21+
- name: Path of Building
22+
lua_tree: PathOfBuilding
23+
version: "2.63.0"
24+
bundle_name: "Path of Building"
25+
bundle_id: ch.spidy.PathOfBuildingMac
26+
app_support_dir: PathOfBuildingMac
27+
- name: Path of Building - PoE2
28+
lua_tree: PathOfBuilding-PoE2
29+
version: "0.15.0"
30+
bundle_name: "Path of Building - PoE2"
31+
bundle_id: ch.spidy.PathOfBuildingMacPoE2
32+
app_support_dir: PathOfBuildingMacPoE2
33+
34+
env:
35+
VCPKG_BINARY_SOURCES: "clear;x-gha,readwrite"
36+
37+
steps:
38+
- name: Checkout (with submodules)
39+
uses: actions/checkout@v4
40+
with:
41+
submodules: recursive
42+
43+
- name: Export Actions Cache env vars for vcpkg
44+
uses: actions/github-script@v7
45+
with:
46+
script: |
47+
core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
48+
core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
49+
50+
- name: Import signing certificate
51+
env:
52+
CERT_P12_BASE64: ${{ secrets.MACOS_CERT_P12_BASE64 }}
53+
CERT_P12_PASSWORD: ${{ secrets.MACOS_CERT_P12_PASSWORD }}
54+
run: |
55+
CERT_FILE=$(mktemp)
56+
KEYCHAIN=$(mktemp -u).keychain-db
57+
echo "$CERT_P12_BASE64" | base64 --decode > "$CERT_FILE"
58+
security create-keychain -p "" "$KEYCHAIN"
59+
security set-keychain-settings "$KEYCHAIN"
60+
security unlock-keychain -p "" "$KEYCHAIN"
61+
security import "$CERT_FILE" -k "$KEYCHAIN" -P "$CERT_P12_PASSWORD" -T /usr/bin/codesign
62+
security set-key-partition-list -S apple-tool:,apple: -k "" "$KEYCHAIN"
63+
security list-keychains -d user -s "$KEYCHAIN" $(security list-keychains -d user | tr -d '"')
64+
rm "$CERT_FILE"
65+
echo "CODESIGN_KEYCHAIN=$KEYCHAIN" >> "$GITHUB_ENV"
66+
67+
- name: Configure
68+
run: >
69+
cmake -B build -DCMAKE_BUILD_TYPE=Release
70+
-DPOB_LUA_TREE="${{ github.workspace }}/${{ matrix.lua_tree }}"
71+
-DPOB_BUNDLE_VERSION="${{ matrix.version }}"
72+
-DPOB_BUNDLE_NAME="${{ matrix.bundle_name }}"
73+
-DPOB_BUNDLE_ID="${{ matrix.bundle_id }}"
74+
-DPOB_APP_SUPPORT_DIR="${{ matrix.app_support_dir }}"
75+
76+
- name: Build
77+
run: cmake --build build
78+
79+
- name: Install
80+
run: cmake --install build --prefix "${{ runner.temp }}/stage"
81+
82+
- name: Sign with Developer ID
83+
env:
84+
CODESIGN_IDENTITY: "Developer ID Application: Steven Schmid (7TVVHXAFFG)"
85+
run: macos/sign.sh "${{ runner.temp }}/stage/${{ matrix.bundle_name }}.app"
86+
87+
- name: Package DMG
88+
run: macos/make-dmg.sh "${{ runner.temp }}/stage/${{ matrix.bundle_name }}.app" "${{ runner.temp }}/${{ matrix.bundle_name }}.dmg"
89+
90+
- name: Notarize and staple
91+
env:
92+
NOTARYTOOL_PROFILE: ci-notarytool
93+
run: |
94+
xcrun notarytool store-credentials "ci-notarytool" \
95+
--apple-id "${{ secrets.APPLE_ID }}" \
96+
--team-id "7TVVHXAFFG" \
97+
--password "${{ secrets.NOTARYTOOL_PASSWORD }}"
98+
macos/notarize.sh "${{ runner.temp }}/${{ matrix.bundle_name }}.dmg"
99+
100+
- name: Upload release DMG
101+
uses: softprops/action-gh-release@v2
102+
with:
103+
files: ${{ runner.temp }}/${{ matrix.bundle_name }}.dmg
104+
fail_on_unmatched_files: true

macos/notarize.sh

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
#!/usr/bin/env bash
2+
#
3+
# Notarize and staple a Path of Building .dmg.
4+
#
5+
# Usage:
6+
# macos/notarize.sh [path/to/Name.dmg]
7+
#
8+
# Requires a notarytool keychain profile named "pob-notarytool". Create one
9+
# locally with:
10+
# xcrun notarytool store-credentials "pob-notarytool" \
11+
# --apple-id "YOU@example.com" --team-id "TEAMID" --password "xxxx-xxxx-xxxx-xxxx"
12+
#
13+
# In CI, the profile is created from secrets at workflow runtime.
14+
15+
set -euo pipefail
16+
17+
PROFILE="${NOTARYTOOL_PROFILE:-pob-notarytool}"
18+
DMG="${1:?Usage: notarize.sh <path/to/Name.dmg>}"
19+
20+
if [[ ! -f "$DMG" ]]; then
21+
echo "error: DMG not found: $DMG" >&2
22+
exit 1
23+
fi
24+
25+
echo "==> Submitting $DMG to Apple notary service (profile=$PROFILE)"
26+
xcrun notarytool submit "$DMG" \
27+
--keychain-profile "$PROFILE" \
28+
--wait
29+
30+
echo
31+
echo "==> Stapling notarization ticket to $DMG"
32+
xcrun stapler staple "$DMG"
33+
34+
echo
35+
echo "==> Verifying"
36+
spctl --assess --type open --context context:primary-signature --verbose=2 "$DMG" 2>&1 || true
37+
38+
echo
39+
echo "ok: $DMG notarized and stapled"

macos/sign.sh

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -59,7 +59,7 @@ echo "==> [1/2] Signing dylibs"
5959
find "$APP_PATH/Contents/MacOS" -type f -name '*.dylib' -print0 |
6060
while IFS= read -r -d '' dylib; do
6161
echo " $(basename "$dylib")"
62-
codesign --force --options runtime --timestamp=none \
62+
codesign --force --options runtime --timestamp \
6363
--sign "$IDENTITY" "$dylib"
6464
done
6565

@@ -69,7 +69,7 @@ done
6969
# main exe's signature and are what gets checked at exec time.
7070
echo
7171
echo "==> [2/2] Signing bundle with entitlements"
72-
codesign --force --options runtime --timestamp=none \
72+
codesign --force --options runtime --timestamp \
7373
--entitlements "$ENTITLEMENTS" \
7474
--sign "$IDENTITY" "$APP_PATH"
7575

0 commit comments

Comments
 (0)