-
Notifications
You must be signed in to change notification settings - Fork 40
141 lines (125 loc) · 5.73 KB
/
job_build_tr1_macos.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
name: Build TR1X and the installer (macOS)
on:
workflow_call:
inputs:
target:
type: string
description: "Target to build for"
required: true
let_mac_fail:
type: boolean
description: "Do not require Mac builds to pass"
required: false
default: false
env:
FFMPEG_INSTALL_FINAL: /opt/local
FFMPEG_INSTALL_TMP_UNIVERSAL: /tmp/install_universal
FFMPEG_INSTALL_TMP_ARM64: /tmp/install_arm64
FFMPEG_INSTALL_TMP_X86_64: /tmp/install_x86_64
CACHE_TMP_DIR: /tmp/opt_local/
CACHE_DST_DIR: /opt/local/
C_INCLUDE_PATH: /opt/local/include/uthash/:/opt/local/include/
jobs:
build:
name: Build release assets (mac)
runs-on: macos-14
continue-on-error: ${{ inputs.let_mac_fail == true || inputs.let_mac_fail == 'true' }}
steps:
- name: Set up signing certificate
env:
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
echo ${{ secrets.MACOS_KEYCHAIN_PWD }}
echo ${{ secrets.MACOS_CERTIFICATE }}
echo ${{ secrets.MACOS_CERTIFICATE_PWD }}
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
echo -n "$MACOS_CERTIFICATE" | base64 --decode -o $CERTIFICATE_PATH
security create-keychain -p "$MACOS_KEYCHAIN_PWD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" $KEYCHAIN_PATH
security import $CERTIFICATE_PATH -P "$MACOS_KEYCHAIN_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH -T /usr/bin/codesign
security list-keychain -d user -s $KEYCHAIN_PATH
security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k $MACOS_KEYCHAIN_PWD $KEYCHAIN_PATH
- name: Checkout
uses: actions/checkout@v4
with:
submodules: 'true'
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Extend PATH for MacPorts
run: |
echo -e "/opt/local/bin" >> $GITHUB_PATH
echo -e "/opt/local/sbin" >> $GITHUB_PATH
- name: "Try restore dependencies from cache"
id: restore-cache
uses: actions/cache/restore@v4
with:
key: ${{ runner.os }}-tooling-${{ hashFiles('.github/actions/prepare_macos_tooling/action.yml') }}
path: |
/tmp/opt_local/
- name: "Build MacOS dependencies"
if: steps.restore-cache.outputs.cache-hit != 'true'
uses: ./.github/actions/prepare_macos_tooling
with:
CACHE_DIR: /tmp/opt_local/
- name: "Prepare cached dependencies for use"
if: steps.restore-cache.outputs.cache-hit == 'true'
shell: bash
run: |
sudo rsync -arvq /tmp/opt_local/ /opt/local/
- name: Setup CA
run: |
sudo port -N install apple-pki-bundle curl-ca-bundle
- name: Build arm64 and create app bundle
run: |
BUILD_DIR=build-arm64
BUILD_OPTIONS="src/tr1 --prefix=/tmp/TR1X.app --bindir=Contents/MacOS --buildtype ${{ inputs.target }}"
meson setup $BUILD_DIR $BUILD_OPTIONS
meson install -C $BUILD_DIR
- name: Build x86-64
run: |
BUILD_DIR=build-x86-64
BUILD_OPTIONS="src/tr1 --prefix=/tmp/TR1X.app --bindir=Contents/MacOS --cross-file tools/shared/mac/x86-64_cross_file.txt --buildtype ${{ inputs.target }}"
meson setup $BUILD_DIR $BUILD_OPTIONS
meson compile -C $BUILD_DIR
- name: Fuse universal executable
run: |
BUNDLE_EXEC_DIR=/tmp/TR1X.app/Contents/MacOS
# Fuse executable and move it into the app bundle.
lipo -create build-x86-64/TR1X $BUNDLE_EXEC_DIR/TR1X -output $BUNDLE_EXEC_DIR/TR1X_universal
mv $BUNDLE_EXEC_DIR/TR1X_universal $BUNDLE_EXEC_DIR/TR1X
# Update dynamic library links in the fused executable.
./tools/shared/mac/bundle_dylibs -a TR1X --links-only
- name: Sign app bundle
run: |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
IDENTITY=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | awk -F'"' '{print $2}')
xattr -cr /tmp/TR1X.app
/usr/bin/codesign --force --deep --options runtime -s "${IDENTITY}" --keychain $KEYCHAIN_PATH -v /tmp/TR1X.app
- name: Create, sign and notarize disk image
env:
MACOS_APPLEID: ${{ secrets.MACOS_APPLEID }}
MACOS_APP_PWD: ${{ secrets.MACOS_APP_PWD }}
MACOS_TEAMID: ${{ secrets.MACOS_TEAMID }}
run: |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
IDENTITY=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | awk -F'"' '{print $2}')
tools/shared/mac/create_installer -a TR1X -i data/tr1/mac/icon.icns
xattr -cr TR1X-Installer.dmg
/usr/bin/codesign --force --options runtime -s "${IDENTITY}" --keychain $KEYCHAIN_PATH -v TR1X-Installer.dmg
xcrun notarytool submit --wait --apple-id "$MACOS_APPLEID" --password "$MACOS_APP_PWD" --team-id "$MACOS_TEAMID" TR1X-Installer.dmg
xcrun stapler staple -v TR1X-Installer.dmg
mv TR1X-Installer.dmg "TR1X-$(tools/get_version 1)-Installer.dmg"
- id: vars
name: Prepare variables
run: echo "version=$(tools/get_version 1)" >> $GITHUB_OUTPUT
- name: Upload signed+notarized installer image
uses: actions/upload-artifact@v4
with:
name: TR1X-${{ steps.vars.outputs.version }}-mac
path: |
*.dmg
compression-level: 0 # .dmg is already compressed.