jeirmeister/Cockatrice
1
0
Fork 0
mirror of https://github.com/Cockatrice/Cockatrice.git synced 2026-06-11 00:24:47 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Revert changes related to #5999 to unbreak CI (#6011)

Browse source 
* Revert "Attempt to fix Sign MacOS Pt1"

This reverts commit 208f8349a6.

* Revert "fetch logs on error (#6003)"

This reverts commit 32e71b0386.

* Revert "Fix Build Attest pt3"

This reverts commit 1c687e7a45.

* Revert "Fix Build Attest pt2"

This reverts commit 53ed028663.

* Revert "Fix Build Attest"

This reverts commit 2a4ebe1b3e.

* Revert "Add write permissions for `contents` (#6002)"

This reverts commit df863355b7.

* Revert "make script executable (#6000)"

This reverts commit b69091a51a.

* Revert "move signing mac apps to own script (#5999)"

This reverts commit 0fe30ebe49.
This commit is contained in:
RickyRister 2025-06-29 18:49:47 -07:00 committed by GitHub
parent 8615c4c3b0
commit 6b44b9ae1e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 62 additions and 103 deletions
Download patch file Download diff file Expand all files Collapse all files

23
.ci/compile.sh
View file

@ -128,13 +128,30 @@ function ccachestatsverbose() {
} }
# Compile # Compile
if [[ $RUNNER_OS == macOS ]]; then
echo "::group::Signing Certificate"
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security set-keychain-settings -t 3600 -l build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
echo "macOS signing certificate successfully imported and keychain configured."
else
echo "No signing certificate configured. Skipping set up of keychain in macOS environment."
fi
echo "::endgroup::"
fi
if [[ $USE_CCACHE ]]; then if [[ $USE_CCACHE ]]; then
echo "::group::Show ccache stats (before)" echo "::group::Show ccache stats"
ccachestatsverbose ccachestatsverbose
echo "::endgroup::" echo "::endgroup::"
fi fi
echo "::group::Configure CMake" echo "::group::Configure cmake"
cmake --version cmake --version
cmake .. "${flags[@]}" cmake .. "${flags[@]}"
echo "::endgroup::" echo "::endgroup::"
@ -150,7 +167,7 @@ fi
echo "::endgroup::" echo "::endgroup::"
if [[ $USE_CCACHE ]]; then if [[ $USE_CCACHE ]]; then
echo "::group::Show ccache stats (after)" echo "::group::Show ccache stats again"
ccachestatsverbose ccachestatsverbose
echo "::endgroup::" echo "::endgroup::"
fi fi

95
.ci/sign_macos.sh
View file

@ -1,95 +0,0 @@
#!/bin/bash
# Used by CI to sign, noratize and staple build artifacts under macOS
set -e
APP_PATH="$1"
if [[ -z "$APP_PATH" ]]; then
echo "Error: No input path supplied. Usage: $0 <path-to-app-bundle>"
exit 1
fi
if [[ ! -e "$APP_PATH" ]]; then
echo "Error: Input path '$APP_PATH' does not exist."
exit 1
fi
echo "::group::Set up certificate"
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security set-keychain-settings -t 3600 -l build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
else
echo "No signing certificate configured."
fi
echo "::endgroup::"
echo "::group::Sign app"
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose=3 "$APP_PATH"
else
echo "No signing certificate configured."
fi
echo "::endgroup::"
echo "::group::Notarize app"
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
echo ""
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
echo "Creating temp notarization archive"
ditto -c -k --keepParent "$APP_PATH" "notarization.zip"
echo ""
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
# Submit for notarization and capture output
NOTARY_OUTPUT=$(xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait --output-format json)
# Parse the submission ID from the JSON output
SUBMISSION_ID=$(echo "$NOTARY_OUTPUT" | jq -r '.id')
# Parse the status field in the JSON
STATUS=$(echo "$NOTARY_OUTPUT" | jq -r '.status')
if [[ "$STATUS" != "Accepted" ]]; then
echo "Notarization failed (status: $STATUS). Fetching detailed log..."
# Fetch and print the notarization log
xcrun notarytool log "$SUBMISSION_ID" --keychain-profile "notarytool-profile"
exit 1
fi
else
echo "No Apple ID configured."
fi
echo "::endgroup::"
echo "::group::Staple app"
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
xcrun stapler staple "$APP_PATH"
else
echo "No Apple ID configured."
fi
echo "::endgroup::"
echo "::group::Cleanup"
# Cleanup keychain and files to avoid leaking credentials
echo "Deleting keychain"
security delete-keychain build.keychain
rm -f certificate.p12 notarization.zip
echo "::endgroup::"

47
.github/workflows/desktop-build.yml vendored
View file

@ -1,7 +1,6 @@
name: Build Desktop name: Build Desktop
permissions: permissions:
contents: write
id-token: write id-token: write
attestations: write attestations: write
@ -210,6 +209,7 @@ jobs:
if: steps.upload_release.outcome == 'success' if: steps.upload_release.outcome == 'success'
uses: actions/attest-build-provenance@v2 uses: actions/attest-build-provenance@v2
with: with:
subject-path: ${{steps.build.outputs.path}}
subject-name: ${{steps.build.outputs.name}} subject-name: ${{steps.build.outputs.name}}
subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }} subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}
@ -292,6 +292,10 @@ jobs:
BUILDTYPE: '${{matrix.type}}' BUILDTYPE: '${{matrix.type}}'
MAKE_PACKAGE: '${{matrix.make_package}}' MAKE_PACKAGE: '${{matrix.make_package}}'
PACKAGE_SUFFIX: '-macOS${{matrix.target}}_${{matrix.soc}}' PACKAGE_SUFFIX: '-macOS${{matrix.target}}_${{matrix.soc}}'
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
CMAKE_GENERATOR: '${{env.CMAKE_GENERATOR}}' CMAKE_GENERATOR: '${{env.CMAKE_GENERATOR}}'
run: .ci/compile.sh --server --test --ccache "$CCACHE_SIZE" run: .ci/compile.sh --server --test --ccache "$CCACHE_SIZE"
@ -304,16 +308,47 @@ jobs:
- name: Sign app bundle - name: Sign app bundle
if: matrix.make_package && (github.ref == 'refs/heads/master' || needs.configure.outputs.tag != null) if: matrix.make_package && (github.ref == 'refs/heads/master' || needs.configure.outputs.tag != null)
shell: bash
env: env:
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
run: |
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]
then
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose ${{steps.build.outputs.path}}
fi
- name: Notarize app bundle
if: matrix.make_package && (github.ref == 'refs/heads/master' || needs.configure.outputs.tag != null)
env:
MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
run: .ci/sign_macos.sh ${{steps.build.outputs.path}} run: |
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]
then
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
echo "Creating temp notarization archive"
ditto -c -k --keepParent ${{steps.build.outputs.path}} "notarization.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
echo "Notarize app"
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
echo "Attach staple"
xcrun stapler staple ${{steps.build.outputs.path}}
fi
- name: Upload artifact - name: Upload artifact
id: upload_artifact id: upload_artifact
@ -340,6 +375,7 @@ jobs:
if: steps.upload_release.outcome == 'success' if: steps.upload_release.outcome == 'success'
uses: actions/attest-build-provenance@v2 uses: actions/attest-build-provenance@v2
with: with:
subject-path: ${{steps.build.outputs.path}}
subject-name: ${{steps.build.outputs.name}} subject-name: ${{steps.build.outputs.name}}
subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }} subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}
@ -443,6 +479,7 @@ jobs:
if: steps.upload_release.outcome == 'success' if: steps.upload_release.outcome == 'success'
uses: actions/attest-build-provenance@v2 uses: actions/attest-build-provenance@v2
with: with:
subject-path: ${{steps.build.outputs.path}}
subject-name: ${{steps.build.outputs.name}} subject-name: ${{steps.build.outputs.name}}
subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }} subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}