attempted consolidate sign and package runner

Mach1Studios · Jan 22, 2024 · 2c7a51d · 2c7a51d
1 parent 6e59305
commit 2c7a51d
Showing 1 changed file with 22 additions and 39 deletions.
diff --git a/.github/workflows/juce_ci.yml b/.github/workflows/juce_ci.yml
@@ -87,59 +87,42 @@ jobs:
       shell: bash
       run: cmake --build build --config $BUILD_TYPE
 
-    - name: OM & OC Extract Keys and Codesign (macos)
+    - name: OS Package (macos)
       if: runner.os == 'MacOS'
-      # Extract the secrets we defined earlier as environment variables
-      env: 
+      shell: bash
+      env:
+        DIST_DIR: ${{ github.workspace }}/osc_client/build/M1-OrientationOSC_artefacts/Release
+        INSTALL_DIR: /Application/Mach1/OSC-Tool
+        BUNDLE_ID: ${{ env.OC_BUNDLE_ID }}
+        VERSION: ${{ env.VERSION }}
         MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
-        MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
         MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
+        MACOS_INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERTIFICATE }}
+        MACOS_INSTALLER_CERTIFICATE_NAME: ${{ secrets.MACOS_INSTALLER_CERTIFICATE_NAME }}
+        MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
         MACOS_CI_KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
       run: |
-        # Turn our base64-encoded certificate back to a regular .p12 file
-        
         echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
-
-        # We need to create a new keychain, otherwise using the certificate will prompt
-        # with a UI dialog asking for the certificate password, which we can't
-        # use in a headless CI environment
-        
-        security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain 
+        echo $MACOS_INSTALLER_CERTIFICATE | base64 --decode > installer.p12
+        RANDOM_PWD=`date | md5`
+        security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
         security default-keychain -s build.keychain
         security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
         security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+        security import installer.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/productbuild
         security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
 
-        # We finally codesign our app bundle, specifying the Hardened runtime option
-        
         /usr/bin/codesign -v --force -s "$MACOS_CERTIFICATE_NAME" --options runtime --entitlements Resources/entitlements.mac.plist --timestamp osc_client/build/M1-OrientationOSC_artefacts/Release/M1-OrientationOSC.app/Contents/MacOS/m1-orientationmanager
         /usr/bin/codesign -v --force -s "$MACOS_CERTIFICATE_NAME" --options runtime --entitlements osc_client/Resources/M1-OrientationOSC.entitlements --timestamp osc_client/build/M1-OrientationOSC_artefacts/Release/M1-OrientationOSC.app
 
-    - name: OC Package (macos)
-      if: runner.os == 'MacOS'
-      uses: akiojin/generate-mac-installer-github-action@v0.1.0
-      with:
-        root-directory: ${{ github.workspace }}/osc_client/build/M1-OrientationOSC_artefacts/Release
-        bundle-path: M1-OrientationOSC.app
-        identifier: ${{ env.OC_BUNDLE_ID }}
-        install-location: /Application/Mach1/OSC-Tool
-        version: ${{ env.VERSION }}
-        output-directory: ${{ github.workspace }}/osc_client/build/m1-OrientationOSC_artefacts/Release
-
-    - name: "OC Sign Package (macos)"
-      if: runner.os == 'MacOS'
-      # Extract the secrets we defined earlier as environment variables
-      env: 
-        MACOS_INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERTIFICATE }}
-        MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
-        MACOS_INSTALLER_CERTIFICATE_NAME: ${{ secrets.MACOS_INSTALLER_CERTIFICATE_NAME }}
-        MACOS_CI_KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
-      run: |
-        echo $MACOS_INSTALLER_CERTIFICATE | base64 --decode > installer_certificate.p12
-        security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
-        security import installer_certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign -T /usr/bin/productsign
-        security set-key-partition-list -S apple-tool:,apple:,codesign:,productsign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
-        productsign --sign "${{ secrets.MACOS_INSTALLER_CERTIFICATE_NAME }}" ${{ github.workspace }}/osc_client/build/M1-OrientationOSC_artefacts/Release/M1-OrientationOSC.pkg ${{ github.workspace }}/osc_client/build/M1-OrientationOSC_artefacts/Release/signed/M1-OrientationOSC.pkg
+        pkgbuild --identifier ${BUNDLE_ID} --version ${VERSION} --component ${DIST_DIR}/M1-OrientationOSC.app \
+        --install-location "${INSTALL_DIR}" ${DIST_DIR}/M1-OrientationOSC.app.pkg 
+
+        productbuild --synthesize \
+        --package "${DIST_DIR}/M1-OrientationOSC.app.pkg" \
+        distribution.xml
+
+        productbuild --sign "$MACOS_INSTALLER_CERTIFICATE_NAME" --distribution distribution.xml --package-path ${DIST_DIR} ${DIST_DIR}/M1-OrientationOSC.pkg
 
     - name: OC Notarize (macos)
       if: runner.os == 'MacOS'