Skip to content

Updated mac workflow script #38

Updated mac workflow script

Updated mac workflow script #38

Workflow file for this run

name: Package AutoSubs for MacOS
on:
pull_request:
branches:
- main
push:
branches:
- main
jobs:
build:
runs-on: macos-14
steps:
- name: Checkout AutoSubs Repo Code
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: 23
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12.7'
- name: Import Apple Certificates
env:
APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_SIGNING_CERTIFICATE }}
APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE }}
INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
APPLE_NOTARIZE_KEY: ${{ secrets.APPLE_NOTARIZE_KEY }}
APPLE_NOTARIZE_ID: ${{ secrets.APPLE_NOTARIZE_ID }}
APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }}
run: |
# Define paths
APP_CERT_PATH=$RUNNER_TEMP/app_certificate.p12
INSTALLER_CERT_PATH=$RUNNER_TEMP/installer_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# Decode and save certificates
echo "$APP_CERTIFICATE_BASE64" | base64 --decode > $APP_CERT_PATH
echo "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode > $INSTALLER_CERT_PATH
# Create and configure temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychains -s $KEYCHAIN_PATH
# Import Application certificate
security import $APP_CERT_PATH -P "$APP_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# Import Installer certificate
security import $INSTALLER_CERT_PATH -P "$INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# Import Notarization credentials
echo "$APPLE_NOTARIZE_KEY" | base64 --decode > Notarization_AuthKey.p8
xcrun notarytool store-credentials "AC_PASSWORD" \
--key "Notarization_AuthKey.p8" \
--key-id "$APPLE_NOTARIZE_ID" \
--issuer "$APPLE_ISSUER"
- name: Install Dependencies
run: |
cd AutoSubs-App
npm install
- name: Bundle Tauri App
run: |
cd AutoSubs-App
export APPLE_SIGNING_IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}"
npm run tauri build
- name: Create Mac Package
run: |
# Create the package directory
mkdir Mac-Package/Payload
# Move the app to the package
mv AutoSubs-App/src-tauri/target/release/bundle/macos/AutoSubs.app Mac-Package/Payload
- name: Package Python Server
run: |
cd Transcription-Server
python3 -m venv venv
source venv/bin/activate
pip install -r requirements-mac.txt
pyinstaller package-mac.spec --noconfirm
deactivate
- name: Move Python Server to resources folder
run: |
mv "Transcription-Server/dist/Transcription-Server" "Mac-Package/Payload/AutoSubs.app/Contents/Resources/resources"
- name: Code Sign Python Server
run: |
# Define variables
IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}"
ENTITLEMENTS="$(pwd)/Signing/entitlements.plist" # Use absolute path to avoid issues
APP_DIR="$(pwd)/Mac-Package/Payload/AutoSubs.app/Contents/Resources/resources/Transcription-Server" # Use absolute path
AUTOSUBS_BINARY="$(pwd)/Mac-Package/Payload/AutoSubs.app/Contents/MacOS/autosubs" # Use absolute path
# Function to sign a single file
sign_file() {
local file="$1"
echo "Signing $file..."
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$file"
}
export -f sign_file # Export the function so it's available in subshells
export IDENTITY # Export IDENTITY so it's available in subshells
export ENTITLEMENTS # Export ENTITLEMENTS so it's available in subshells
# Sign the main executable
sign_file "$APP_DIR/transcription-server"
# Sign all embedded binaries and executables in the _internal directory
find "$APP_DIR/_internal" -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.exe" -o -name "*.bin" -o -name "ffmpeg*" -o -name "Python" \) -exec bash -c 'sign_file "$0"' {} \;
# Sign any other executables in the main app directory
find "$APP_DIR" -type f -perm +111 -exec bash -c 'sign_file "$0"' {} \;
# Sign the main app binary
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$AUTOSUBS_BINARY"
- name: Create PKG Installer
run: |
# Give permissions to the scripts
chmod +x Mac-Package/Scripts/*
# Create the package
pkgbuild --identifier com.tom-moroney.autosubs \
--version 2.0 \
--install-location "/Applications" \
--root Mac-Package/Payload \
--scripts Mac-Package/Scripts \
AutoSubs-unsigned.pkg
- name: Sign PKG Installer
run: |
productsign --sign "Developer ID Installer: ${{ secrets.APPLE_IDENTITY }}" \
--timestamp \
"AutoSubs-unsigned.pkg" \
"AutoSubs-Mac-ARM.pkg"
- name: Notarize PKG Installer
run: |
# Submit for notarization
xcrun notarytool submit "AutoSubs-Mac-ARM.pkg" \
--keychain-profile "AC_PASSWORD" \
--wait
# Staple the ticket to the installer
xcrun stapler staple "AutoSubs-Mac-ARM.pkg"
- name: Get Latest Release Tag
id: get_latest_release
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
run: |
latest_tag=$(gh release list --limit 1 --json tagName --jq '.[0].tagName')
echo "LATEST_TAG=$latest_tag" >> $GITHUB_ENV
- name: Upload Asset to Release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ env.LATEST_TAG }}
files: AutoSubs-Mac-ARM.pkg
token: ${{ secrets.GH_TOKEN }}