jeirmeister/Cockatrice
1
0
Fork 0
mirror of https://github.com/Cockatrice/Cockatrice.git synced 2026-06-16 20:17:45 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge cbab00b721 into f28ede7ae3

Browse source
This commit is contained in:
tooomm 2026-06-14 05:05:46 +00:00 committed by GitHub
commit 16a6ef29f7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 107 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

77
.ci/sign_macos_bundle.sh Executable file
View file

@ -0,0 +1,77 @@
#!/bin/bash
# This script is to be used by the ci environment.
# Signs and notarizes a macOS app bundle
# Requires: $1 - path to the app bundle
# Environment variables:
# - MACOS_CERTIFICATE_NAME: Name of the certificate for signing (optional, skips signing if not set)
# - MACOS_CI_KEYCHAIN_PWD: Password for the CI keychain (required if MACOS_CERTIFICATE_NAME is set)
# - MACOS_NOTARIZATION_APPLE_ID: Apple ID for notarization (optional, skips notarization if not set)
# - MACOS_NOTARIZATION_PWD: Password for notarization (required if MACOS_NOTARIZATION_APPLE_ID is set)
# - MACOS_NOTARIZATION_TEAM_ID: Team ID for notarization (required if MACOS_NOTARIZATION_APPLE_ID is set)
# exitcode: 1 for failure, 2 for invalid arguments
set -e
# Check input arguments
if [[ $# -lt 1 ]]; then
echo "::error file=$0::No argument passed to the script - provide <path_to_app_bundle>"
exit 2
fi
APP_BUNDLE_PATH="$1"
# Verify that app bundle exists
if [[ ! -f "$APP_BUNDLE_PATH" ]]; then
echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH"
exit 1
fi
# Sign app bundle
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
echo "::group::Sign app bundle"
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_BUNDLE_PATH"
echo "::endgroup::"
else
echo "::error file=$0::MACOS_CERTIFICATE_NAME not set. Can not sign app bundle."
exit 1
fi
# Notarize app bundle
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
echo "::group::Notarize app bundle"
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the notarization service
echo ""
echo "Creating temp notarization archive..."
ditto -c -k --keepParent "$APP_BUNDLE_PATH" "notarization.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App characteristics.
# Visit the Notarization docs for more information and strategies on how to optimize it if you're curious.
echo ""
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
echo "::endgroup::"
echo "::group::Staple app"
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
echo "Attach staple"
xcrun stapler staple "$APP_BUNDLE_PATH"
echo "::endgroup::"
else
echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize app bundle."
exit 1
fi
echo "::group::Cleanup"
# Cleanup keychain and files to avoid leaking credentials
echo "Deleting keychain"
security delete-keychain build.keychain
rm -f certificate.p12 notarization.zip
echo "::endgroup::"

98
.github/workflows/desktop-build.yml vendored
View file

@ -7,6 +7,17 @@ permissions:
id-token: write # needed for signing certificate in attestation
on:
pull_request:
paths:
- '*/**' # matches all files not in root
- '!**.md'
- '!.github/**'
- '!.tx/**'
- '!doc/**'
- '.github/workflows/desktop-build.yml'
- 'CMakeLists.txt'
- 'vcpkg.json'
- 'vcpkg' # needed to match submodule bumps (gitlink)
push:
branches:
- master
@ -22,30 +33,19 @@ on:
- 'vcpkg' # needed to match submodule bumps (gitlink)
tags:
- '*'
pull_request:
paths:
- '*/**' # matches all files not in root
- '!**.md'
- '!.github/**'
- '!.tx/**'
- '!doc/**'
- '.github/workflows/desktop-build.yml'
- 'CMakeLists.txt'
- 'vcpkg.json'
- 'vcpkg' # needed to match submodule bumps (gitlink)
# Cancel earlier, unfinished runs of this workflow on the same branch (unless on release)
concurrency:
group: "${{ github.workflow }} @ ${{ github.ref_name }}"
cancel-in-progress: ${{ github.ref_type != 'tag' }}
group: "${{ github.workflow }} @ ${{ github.ref_name }}"
jobs:
configure:
name: Configure
runs-on: ubuntu-slim
outputs:
tag: ${{ steps.configure.outputs.tag }}
sha: ${{ steps.configure.outputs.sha }}
tag: ${{ steps.configure.outputs.tag }}
steps:
- name: "Configure"
@ -54,7 +54,7 @@ jobs:
run: |
tag_regex='^refs/tags/'
if [[ $GITHUB_EVENT_NAME == pull-request ]]; then # pull request
sha="${{github.event.pull_request.head.sha}}"
sha="${{ github.event.pull_request.head.sha }}"
elif [[ $GITHUB_REF =~ $tag_regex ]]; then # release
sha="$GITHUB_SHA"
tag="${GITHUB_REF/refs\/tags\//}"
@ -71,8 +71,8 @@ jobs:
fetch-depth: 0 # fetch all history for all branches and tags
- name: "Prepare release parameters"
id: prepare
if: steps.configure.outputs.tag != null
id: prepare
shell: bash
env:
TAG: ${{ steps.configure.outputs.tag }}
@ -83,12 +83,12 @@ jobs:
id: create_release
shell: bash
env:
body_path: ${{ steps.prepare.outputs.body_path }}
GH_TOKEN: ${{ github.token }}
prerelease: ${{ steps.prepare.outputs.is_beta }}
release_name: ${{ steps.prepare.outputs.title }}
tag_name: ${{ steps.configure.outputs.tag }}
target: ${{ steps.configure.outputs.sha }}
release_name: ${{ steps.prepare.outputs.title }}
body_path: ${{ steps.prepare.outputs.body_path }}
prerelease: ${{ steps.prepare.outputs.is_beta }}
run: |
args=()
[[ $prerelease == yes ]] && args+=(--prerelease)
@ -188,13 +188,13 @@ jobs:
--cmake-generator "$CMAKE_GENERATOR"
- name: "Build release package"
id: build
if: matrix.package != 'skip'
id: build
shell: bash
env:
SUFFIX: '-${{ matrix.distro }}${{ matrix.version }}'
package: '${{ matrix.package }}'
server_only: '${{ matrix.server_only }}'
SUFFIX: '-${{ matrix.distro }}${{ matrix.version }}'
run: |
source .ci/docker.sh
args=()
@ -225,8 +225,8 @@ jobs:
path: ${{ env.CACHE }}
- name: "Upload artifact"
id: upload_artifact
if: matrix.package != 'skip'
id: upload_artifact
uses: actions/upload-artifact@v7
with:
archive: false
@ -234,8 +234,8 @@ jobs:
path: ${{ steps.build.outputs.path }}
- name: "Upload to release"
id: upload_release
if: matrix.package != 'skip' && needs.configure.outputs.tag != null
id: upload_release
shell: bash
env:
asset_name: ${{ steps.build.outputs.fullname }}
@ -245,8 +245,8 @@ jobs:
run: gh release upload "$tag_name" "$asset_path#$asset_name"
- name: "Attest binary provenance"
id: attestation
if: steps.upload_release.outcome == 'success'
id: attestation
uses: actions/attest@v4
with:
show-summary: false
@ -268,7 +268,6 @@ jobs:
target: 13
runner: macos-15-intel
ccache_eviction_age: 7d
cmake_generator: Ninja
make_package: 1
override_target: 13
@ -285,7 +284,6 @@ jobs:
target: 14
runner: macos-14
ccache_eviction_age: 7d
cmake_generator: Ninja
make_package: 1
package_suffix: "-macOS14"
@ -301,7 +299,6 @@ jobs:
target: 15
runner: macos-15
ccache_eviction_age: 7d
cmake_generator: Ninja
make_package: 1
package_suffix: "-macOS15"
@ -317,7 +314,6 @@ jobs:
target: 15
runner: macos-15
ccache_eviction_age: 7d
cmake_generator: Ninja
qt_version: 6.11.0
qt_arch: clang_64
@ -346,6 +342,7 @@ jobs:
timeout-minutes: 100
env:
CCACHE_DIR: ${{ github.workspace }}/.cache/
CCACHE_EVICTION_AGE: 7d
CCACHE_SIZE: 550M # space of all repo is 10Gi: https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy
steps:
@ -443,8 +440,7 @@ jobs:
id: build
shell: bash
env:
BUILDTYPE: '${{ matrix.type }}'
CCACHE_EVICTION_AGE: ${{ matrix.ccache_eviction_age }}
BUILDTYPE: ${{ matrix.type }}
CMAKE_GENERATOR: ${{ matrix.cmake_generator }}
CMAKE_GENERATOR_PLATFORM: ${{ matrix.cmake_generator_platform }}
DEVELOPER_DIR: '/Applications/Xcode_${{ matrix.xcode }}.app/Contents/Developer'
@ -452,8 +448,8 @@ jobs:
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
MAKE_PACKAGE: '${{ matrix.make_package }}'
PACKAGE_SUFFIX: '${{ matrix.package_suffix }}'
MAKE_PACKAGE: ${{ matrix.make_package }}
PACKAGE_SUFFIX: ${{ matrix.package_suffix }}
TARGET_MACOS_VERSION: ${{ matrix.override_target }}
USE_CCACHE: ${{ matrix.use_ccache }}
VCPKG_BINARY_SOURCES: 'clear;files,${{ steps.vcpkg-cache.outputs.path }},readwrite'
@ -478,50 +474,16 @@ jobs:
key: ${{ steps.ccache_restore.outputs.cache-primary-key }}
path: ${{ env.CCACHE_DIR }}
- name: "[macOS] Sign app bundle"
- name: "[macOS] Sign & notarize app bundle"
if: matrix.os == 'macOS' && matrix.make_package && needs.configure.outputs.tag != null
id: sign_macos
shell: bash
env:
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
run: |
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]
then
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "${{ steps.build.outputs.path }}"
fi
- name: "[macOS] Notarize app bundle"
if: matrix.os == 'macOS' && steps.sign_macos.outcome == 'success'
env:
MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
run: |
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]
then
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
echo "Creating temp notarization archive"
ditto -c -k --keepParent "${{ steps.build.outputs.path }}" "notarization.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
echo "Notarize app"
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
echo "Attach staple"
xcrun stapler staple "${{ steps.build.outputs.path }}"
fi
run: .ci/sign_macos_bundle.sh "${{ steps.build.outputs.path }}"
- name: "Upload artifact"
if: matrix.make_package