package-mac.yml
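# Builds the AutoSubs macOS app, code-signs and notarizes the installer, and
# attaches the result to the most recent GitHub release.
#
# NOTE(review): every `uses:` below references a mutable tag (@v4, @v5, @v2).
# Pinning each action to a full-length commit SHA keeps a retagged or
# compromised action from running with the signing and release secrets.
name: Package AutoSubs for MacOS

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main

# Least privilege for the automatic GITHUB_TOKEN: the job only needs to read
# the repository. Release access goes through the explicit GH_TOKEN secret.
permissions:
  contents: read

jobs:
  build:
    runs-on: macos-14
    steps:
      - name: Checkout AutoSubs Repo Code
        uses: actions/checkout@v4
        with:
          # No later step pushes with git, so do not leave the token in
          # .git/config where dependency install scripts could read it.
          persist-credentials: false

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: '23'

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12.7'

      # Secrets are scoped to this step only; later steps use the keychain
      # and the stored notarytool profile instead of the raw values.
      - name: Import Apple Certificates
        env:
          APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_SIGNING_CERTIFICATE }}
          APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE }}
          INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
          APPLE_NOTARIZE_KEY: ${{ secrets.APPLE_NOTARIZE_KEY }}
          APPLE_NOTARIZE_ID: ${{ secrets.APPLE_NOTARIZE_ID }}
          APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }}
        run: |
          # Define paths. All decoded key material goes under $RUNNER_TEMP so
          # nothing secret is written into the checkout, where it could be
          # picked up by the build or packaged into the payload.
          APP_CERT_PATH="$RUNNER_TEMP/app_certificate.p12"
          INSTALLER_CERT_PATH="$RUNNER_TEMP/installer_certificate.p12"
          NOTARIZE_KEY_PATH="$RUNNER_TEMP/Notarization_AuthKey.p8"
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"

          # Files created below are readable by the runner user only
          umask 077

          # The .p12 files are not needed once imported into the keychain;
          # remove them whether the step succeeds or fails
          trap 'rm -f "$APP_CERT_PATH" "$INSTALLER_CERT_PATH"' EXIT

          # Decode and save certificates
          echo "$APP_CERTIFICATE_BASE64" | base64 --decode > "$APP_CERT_PATH"
          echo "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode > "$INSTALLER_CERT_PATH"

          # Create and configure temporary keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security list-keychains -s "$KEYCHAIN_PATH"

          # Import Application certificate
          # NOTE(review): -A lets any process use the imported key without a
          # prompt; listing the signing tools with -T would be narrower.
          security import "$APP_CERT_PATH" -P "$APP_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Import Installer certificate
          security import "$INSTALLER_CERT_PATH" -P "$INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Import Notarization credentials
          # NOTE(review): notarytool presumably keeps its own copy of the key
          # in the "AC_PASSWORD" profile; if confirmed, delete the .p8 here too.
          echo "$APPLE_NOTARIZE_KEY" | base64 --decode > "$NOTARIZE_KEY_PATH"
          xcrun notarytool store-credentials "AC_PASSWORD" \
            --key "$NOTARIZE_KEY_PATH" \
            --key-id "$APPLE_NOTARIZE_ID" \
            --issuer "$APPLE_ISSUER"

      # NOTE(review): this builds inside Mac-Server, while the signing and move
      # steps read Transcription-Server/dist - confirm the output path.
      # NOTE(review): whatever this installs ends up inside the signed binary;
      # pinning requirements-mac.txt with hashes (pip --require-hashes) would
      # make that input reproducible.
      - name: Package Python Server
        run: |
          cd Mac-Server
          python3 -m venv venv
          source venv/bin/activate
          pip install -r requirements-mac.txt
          pyinstaller package-server.spec --noconfirm
          deactivate

      - name: Code Sign Python Server
        env:
          # Passed through the environment rather than expanded into the
          # script text, so the value is never parsed as shell syntax
          APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
        run: |
          # Define variables
          IDENTITY="Developer ID Application: $APPLE_IDENTITY"
          ENTITLEMENTS="$(pwd)/Signing/entitlements.plist"
          APP_DIR="$(pwd)/Transcription-Server/dist/Transcription-Server"

          # Function to sign a single file
          sign_file() {
            local file="$1"
            echo "Signing $file..."
            codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$file"
          }
          export -f sign_file   # Export the function so it's available in subshells
          export IDENTITY       # Export IDENTITY so it's available in subshells
          export ENTITLEMENTS   # Export ENTITLEMENTS so it's available in subshells

          # Sign the main executable
          sign_file "$APP_DIR/transcription-server"

          # Sign all embedded binaries and executables in the _internal directory based on known extensions
          find "$APP_DIR/_internal" -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.exe" -o -name "*.bin" -o -name "ffmpeg*" \) -exec bash -c 'sign_file "$0"' {} \;

          # Sign the entire Python framework directory (recursively) to ensure the actual binary is signed
          FRAMEWORK_DIR="$APP_DIR/_internal/Python.framework"
          if [ -d "$FRAMEWORK_DIR" ]; then
            echo "Signing framework at $FRAMEWORK_DIR..."
            codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$FRAMEWORK_DIR"
          fi

          # Sign any other executables in the main app directory
          # NOTE(review): "-perm /111" is the GNU find spelling; confirm the
          # find on the macos-14 image accepts it (BSD find documents "+111").
          find "$APP_DIR" -type f -perm /111 -exec bash -c 'sign_file "$0"' {} \;

      - name: Move Python Server to resources folder
        run: |
          mv "Transcription-Server/dist/Transcription-Server" "AutoSubs-App/src-tauri/resources"

      # NOTE(review): `npm install` may resolve versions newer than the
      # lockfile; if a package-lock.json is committed, `npm ci` installs
      # exactly what was reviewed.
      - name: Install Dependencies
        run: |
          cd AutoSubs-App
          npm install

      - name: Bundle Tauri App
        env:
          APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
        run: |
          cd AutoSubs-App
          export APPLE_SIGNING_IDENTITY="Developer ID Application: $APPLE_IDENTITY"
          npm run tauri build

      - name: Create Mac Package
        run: |
          # Create the package directory
          mkdir Mac-Package/Payload
          # Copy the app to the package
          cp -r AutoSubs-App/src-tauri/target/release/bundle/macos/AutoSubs.app Mac-Package/Payload

      - name: Create PKG Installer
        run: |
          # Give permissions to the scripts
          chmod +x Mac-Package/Scripts/*
          # Create the package
          pkgbuild --identifier com.tom-moroney.autosubs \
            --version 2.0 \
            --install-location "/Applications" \
            --root Mac-Package/Payload \
            --scripts Mac-Package/Scripts \
            AutoSubs-unsigned.pkg

      - name: Sign PKG Installer
        env:
          APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
        run: |
          productsign --sign "Developer ID Installer: $APPLE_IDENTITY" \
            --timestamp \
            "AutoSubs-unsigned.pkg" \
            "AutoSubs-Mac-ARM.pkg"

      - name: Notarize PKG Installer
        run: |
          # Submit for notarization
          xcrun notarytool submit "AutoSubs-Mac-ARM.pkg" \
            --keychain-profile "AC_PASSWORD" \
            --wait
          # Staple the ticket to the installer
          xcrun stapler staple "AutoSubs-Mac-ARM.pkg"

      # Publishing is limited to pushes on main. A pull_request run builds
      # code that has not been merged, and its installer must not replace
      # the asset on a published release.
      - name: Get Latest Release Tag
        id: get_latest_release
        if: github.event_name == 'push'
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        run: |
          latest_tag=$(gh release list --limit 1 --json tagName --jq '.[0].tagName')
          # Stop here when there is no release to attach to, instead of
          # passing an empty or "null" tag to the upload step
          if [ -z "$latest_tag" ] || [ "$latest_tag" = "null" ]; then
            echo "No existing release found to attach the installer to" >&2
            exit 1
          fi
          echo "LATEST_TAG=$latest_tag" >> "$GITHUB_ENV"

      - name: Upload Asset to Release
        if: github.event_name == 'push'
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ env.LATEST_TAG }}
          # Upload the file the sign/notarize steps actually produce. This
          # input previously named AutoSubs-Installer-Mac-ARM.pkg, which no
          # step creates; rename it in the signing steps as well if the
          # published asset must keep that name.
          files: AutoSubs-Mac-ARM.pkg
          # Fail the job instead of silently publishing nothing
          fail_on_unmatched_files: true
          token: ${{ secrets.GH_TOKEN }}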