Follow up macOS CI

- Update macOS CI to use flatlane - Test macOS - Use Github tokens - Pass MATCH_PASSWORD - Fix wrong path - Update keychain file - Change keychain path - Update macOS release - Triggered on release, not main - Try notarize macOS app - Triggered on test branch - Triggered by release - Rename lane names to avoid infinite recurse - Init dev workflow - Triggered by tags - Rename workflow name - Update workflows - Allow all tags - Fix on - Add codesign options - Add missing = - Update options - Test sign - Fix options - Update macOS template - Use identifier - Fix minor issues - Try not notarize - try not sign package - Try sign without runtime option - Try notarize without runtime option - Use entitlements - Add back runtime option - Pack the whole directory to see what happened - Chmod +x love - Try with strict and print app info - Change step order - Break into two step Zip first with `ditto`. Push back zipping Don't check the `zip` file Stop zipping it over and over and over and over Try zipping right
2021-10-22 18:45:09 +08:00
parent 0ff2e6e273
commit c9d74a4cdf
6 changed files with 254 additions and 51 deletions
--- a/.github/actions/build-macos/action.yml
+++ b/.github/actions/build-macos/action.yml
@@ -3,46 +3,95 @@ description: 'build Mac OS package'
 inputs:
  name:
    required: true
+  type:
+    required: true
  icon:
    required: true
-  MACOS_CERTIFICATE:
+  DEVELOPER_APP_IDENTIFIER:
    required: true
-  MACOS_CERTIFICATE_ID:
+  MATCH_PASSWORD:
    required: true
-  MACOS_CERTIFICATE_PWD:
+  GIT_AUTHORIZATION:
+    required: true
+  TEMP_KEYCHAIN_PASSWORD:
+    required: true
+  TEMP_KEYCHAIN_USER:
+    required: true
+  APPLE_KEY_ID:
+    required: true
+  APPLE_ISSUER_ID:
+    required: true
+  APPLE_KEY_CONTENT:
    required: true
 runs:
  using: "composite"
  steps:
    - uses: ./.github/actions/build-love
-
-    - name: Download template
-      uses: ./.github/actions/get-unzip
+    - name: Checkout template
+      uses: actions/checkout@v2
      with:
-        url: https://github.com/26F-Studio/Techmino-CI-template/releases/download/1.0/macos.app.zip
-
+        repository: '26F-Studio/Techmino-macOS'
+        path: 'Techmino-macOS'
    - name: Download ColdClear
      uses: ./.github/actions/get-cc
      with:
        arch: macOS
+    - name: Fastlane match
+      uses: maierj/fastlane-action@v2.0.1
+      with:
+        lane: 'get_cert'
+        subdirectory: 'Techmino-macOS'
+      env:
+          DEVELOPER_APP_IDENTIFIER: '${{ inputs.DEVELOPER_APP_IDENTIFIER }}'
+          MATCH_PASSWORD: '${{ inputs.MATCH_PASSWORD }}'
+          GIT_AUTHORIZATION: '${{ inputs.GIT_AUTHORIZATION }}'
+          TEMP_KEYCHAIN_PASSWORD: '${{ inputs.TEMP_KEYCHAIN_PASSWORD }}'
+          TEMP_KEYCHAIN_USER: '${{ inputs.TEMP_KEYCHAIN_USER }}'
+          APPLE_KEY_ID: '${{ inputs.APPLE_KEY_ID }}'
+          APPLE_ISSUER_ID: '${{ inputs.APPLE_ISSUER_ID }}'
+          APPLE_KEY_CONTENT: '${{ inputs.APPLE_KEY_CONTENT }}'
    - name: Modify template
      shell: bash
      run: |
-        python3 .github/workflows/updateVersion.py -T macOS -N ${{ inputs.name }}
-        mv Techmino.love Techmino.app/Contents/Resources
-        mv CCloader.dylib Techmino.app/Contents/Frameworks
-        mv ${{ inputs.icon }} Techmino.app/Contents/Resources/iconfile.icns
+        python3 .github/workflows/updateVersion.py -T macOS_${{ inputs.type }} -N ${{ inputs.name }}
+        mv Techmino.love Techmino-macOS/Techmino.app/Contents/Resources
+        mv CCloader.dylib Techmino-macOS/Techmino.app/Contents/Frameworks
+        mv ${{ inputs.icon }} Techmino-macOS/Techmino.app/Contents/Resources/iconfile.icns
+
+        chmod +x Techmino-macOS/Techmino.app/Contents/Frameworks/CCloader.dylib
+        chmod +x Techmino-macOS/Techmino.app/Contents/MacOS/love
    - name: Codesign executable
-      # In secrets:
-      #   - MACOS_CERTIFICATE: the *.p12 Developer ID Certificate, encoded in base64
-      #   - MACOS_CERTIFICATE_PWD: The password
      shell: bash
      run: |
-        echo ${{ inputs.MACOS_CERTIFICATE }} | base64 --decode > certificate.p12
-        security create-keychain -p Techminohaowan build.keychain
-        security default-keychain -s build.keychain
-        security unlock-keychain -p Techminohaowan build.keychain
-        security import certificate.p12 -k build.keychain -P ${{ inputs.MACOS_CERTIFICATE_PWD }} -T /usr/bin/codesign
-        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k Techminohaowan build.keychain
-        /usr/bin/codesign --force --deep -s ${{ inputs.MACOS_CERTIFICATE_ID }} Techmino.app -v
-        security delete-keychain build.keychain
+        security unlock-keychain -p ${{ inputs.TEMP_KEYCHAIN_PASSWORD }} \
+        ~/Library/Keychains/${{ inputs.TEMP_KEYCHAIN_USER }}-db
+
+        [[ $(security find-identity) =~ ([0-9A-F]{40}) ]]
+
+        codesign --timestamp --force --strict --deep -v \
+        --options runtime \
+        -s ${BASH_REMATCH[1]} \
+        --entitlements Techmino-macOS/love.entitlements \
+        Techmino-macOS/Techmino.app
+    - name: Fastlane notarize
+      uses: maierj/fastlane-action@v2.0.1
+      with:
+        lane: 'make_safe'
+        subdirectory: 'Techmino-macOS'
+      env:
+          APPLE_KEY_ID: '${{ inputs.APPLE_KEY_ID }}'
+          APPLE_ISSUER_ID: '${{ inputs.APPLE_ISSUER_ID }}'
+          APPLE_KEY_CONTENT: '${{ inputs.APPLE_KEY_CONTENT }}'
+    - name: Check codesign
+      shell: bash
+      run: |
+        codesign -dvvv Techmino-macOS/Techmino.app
+    - name: Check for access
+      shell: bash
+      run: |
+        spctl --assess -vv Techmino-macOS/Techmino.app
+    - name: Ditto zip
+      shell: bash
+      run: |
+        ditto Techmino-macOS/Techmino.app  Archive/
+        ditto -c Archive Techmino.zip
--- a/.github/build/macOS/info.plist.template
+++ b/.github/build/macOS/info.plist.template
@@ -11,7 +11,7 @@
    <key>CFBundleIconFile</key>
    <string>iconfile</string>
    <key>CFBundleIdentifier</key>
-    <string>org.love2d.MrZ.Techmino</string>
+    <string>org.26f-studio.Techmino.@buildType</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,10 +1,10 @@
-name: Techmino CI
+name: Techmino Develop CI

 on:
  push:
-    branches: [ main, ci* ]
+    branches: [ main ]
  pull_request:
-    branches: [ main, ci* ]
+    branches: [ main ]

 jobs:
  get-info:
@@ -99,11 +99,17 @@ jobs:
        commit: ${{ needs.get-info.outputs.commit }}
    - uses: ./.github/actions/build-macos
      with:
-        name: ${{ needs.get-info.outputs.name }}
+        name: '${{ needs.get-info.outputs.name }}'
+        type: 'dev'
        icon: .github/build/macOS/icon_snapshot.icns
-        MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
-        MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERTIFICATE_ID }}
-        MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+        DEVELOPER_APP_IDENTIFIER: '${{ secrets.APP_IDENTIFIER_DEV }}'
+        MATCH_PASSWORD: '${{ secrets.MATCH_PASSWORD }}'
+        GIT_AUTHORIZATION: '${{ secrets.GIT_AUTHORIZATION }}'
+        TEMP_KEYCHAIN_PASSWORD: '${{ secrets.TEMP_KEYCHAIN_PASSWORD }}'
+        TEMP_KEYCHAIN_USER: '${{ secrets.TEMP_KEYCHAIN_USER }}'
+        APPLE_KEY_ID: '${{ secrets.APPLE_KEY_ID }}'
+        APPLE_ISSUER_ID: '${{ secrets.APPLE_ISSUER_ID }}'
+        APPLE_KEY_CONTENT: '${{ secrets.APPLE_KEY_CONTENT }}'
    - name: Pack Techmino
      run: |
        zip -r -y Techmino.zip Techmino.app
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,10 +3,11 @@ name: Techmino Release CI
 on:
  push:
    tags:
-    - '*'
+      - '*'

 jobs:
  get-info:
+    if: startWith(github.event.base_ref, 'ref/heads/pre')
    runs-on: ubuntu-20.04
    outputs:
      name: ${{ steps.actual-get-info.outputs.name }}
@@ -156,10 +157,16 @@ jobs:
    - uses: ./.github/actions/build-macos
      with:
        name: ${{ needs.get-info.outputs.name }}
+        type: 'release'
        icon: .github/build/macOS/icon.icns
-        MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
-        MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERTIFICATE_ID }}
-        MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+        DEVELOPER_APP_IDENTIFIER: '${{ secrets.APP_IDENTIFIER_RELEASE }}'
+        MATCH_PASSWORD: '${{ secrets.MATCH_PASSWORD }}'
+        GIT_AUTHORIZATION: '${{ secrets.GIT_AUTHORIZATION }}'
+        TEMP_KEYCHAIN_PASSWORD: '${{ secrets.TEMP_KEYCHAIN_PASSWORD }}'
+        TEMP_KEYCHAIN_USER: '${{ secrets.TEMP_KEYCHAIN_USER }}'
+        APPLE_KEY_ID: '${{ secrets.APPLE_KEY_ID }}'
+        APPLE_ISSUER_ID: '${{ secrets.APPLE_ISSUER_ID }}'
+        APPLE_KEY_CONTENT: '${{ secrets.APPLE_KEY_CONTENT }}'
    - name: Pack Techmino
      run: |
        cp ".github/build/macOS/打不开？Can’t open the App？.pdf" ./
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,148 @@
+name: Techmino Test CI
+
+on:
+  push:
+    branches: [ pre*, ci* ]
+  pull_request:
+    branches: [ pre*, ci* ]
+
+jobs:
+  get-info:
+    runs-on: ubuntu-20.04
+    outputs:
+      name: ${{ steps.actual-get-info.outputs.name }}
+      apkCode: ${{ steps.actual-get-info.outputs.apkCode }}
+      code: ${{ steps.actual-get-info.outputs.code }}
+      commit: ${{ steps.actual-get-info.outputs.commit }}
+    steps:
+    - uses: actions/checkout@v2
+    - name: Install lua
+      run: |
+        sudo apt-get install lua5.3 -y
+    - name: Get Version
+      id: actual-get-info
+      run: |
+        echo "::set-output name=name::$(lua .github/workflows/getVersion.lua -name)"
+        echo "::set-output name=apkCode::$(lua .github/workflows/getVersion.lua -apkCode)"
+        echo "::set-output name=code::$(lua .github/workflows/getVersion.lua -code)"
+        echo "::set-output name=commit::$(git rev-parse --short ${{ GITHUB.SHA }})"
+
+  # build-windows:
+  #   runs-on: windows-latest
+  #   needs: get-info
+  #   steps:
+  #   - uses: actions/checkout@v2
+  #   - uses: ./.github/actions/snapshot-update
+  #     with:
+  #       commit: ${{ needs.get-info.outputs.commit }}
+  #   - uses: ./.github/actions/build-windows
+  #     with:
+  #       love-url: https://github.com/love2d/love/releases/download/11.3/love-11.3-win64.zip
+  #       love-dir: love-11.3-win64
+  #       arch: win64
+  #       version: ${{ needs.get-info.outputs.name }}
+  #       icon: .\.github\build\Windows\icon_snapshot.ico
+  #   - name: Upload
+  #     uses: actions/upload-artifact@v2
+  #     with:
+  #       name: Techmino_${{ needs.get-info.outputs.name }}_${{ GITHUB.RUN_NUMBER }}_${{ needs.get-info.outputs.commit }}_Windows
+  #       path: love
+
+  # build-linux:
+  #   runs-on: ubuntu-20.04
+  #   needs: get-info
+  #   steps:
+  #   - uses: actions/checkout@v2
+  #   - uses: ./.github/actions/snapshot-update
+  #     with:
+  #       commit: ${{ needs.get-info.outputs.commit }}
+  #   - uses: ./.github/actions/build-linux
+  #     with:
+  #       icon: .github/build/Linux/icon_snapshot.png
+  #   - name: Upload
+  #     uses: actions/upload-artifact@v2
+  #     with:
+  #       name: Techmino_${{ needs.get-info.outputs.name }}_${{ GITHUB.RUN_NUMBER }}_${{ needs.get-info.outputs.commit }}_Linux
+  #       path: Techmino.AppImage
+
+  # build-android:
+  #   runs-on: ubuntu-20.04
+  #   needs: get-info
+  #   steps:
+  #   - uses: actions/checkout@v2
+  #   - uses: ./.github/actions/snapshot-update
+  #     with:
+  #       commit: ${{ needs.get-info.outputs.commit }}
+  #   - uses: ./.github/actions/build-android
+  #     with:
+  #       type: Snapshot
+  #       apkCode: ${{ needs.get-info.outputs.apkCode }}
+  #       name: ${{ needs.get-info.outputs.name }}
+  #       file-path: Techmino_Snapshot.apk
+  #       SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+  #       KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
+  #       ALIAS: ${{ secrets.ALIAS }}
+  #       KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
+  #   - name: Upload
+  #     uses: actions/upload-artifact@v2
+  #     with:
+  #       name: Techmino_${{ needs.get-info.outputs.name }}_${{ GITHUB.RUN_NUMBER }}_${{ needs.get-info.outputs.commit }}_Android
+  #       path: Techmino_Snapshot.apk
+
+  build-macOS:
+    runs-on: macos-10.15
+    needs: get-info
+    steps:
+    - uses: actions/checkout@v2
+    - uses: ./.github/actions/snapshot-update
+      with:
+        commit: ${{ needs.get-info.outputs.commit }}
+    - uses: ./.github/actions/build-macos
+      with:
+        name: '${{ needs.get-info.outputs.name }}'
+        type: 'dev'
+        icon: .github/build/macOS/icon_snapshot.icns
+        DEVELOPER_APP_IDENTIFIER: '${{ secrets.APP_IDENTIFIER_DEV }}'
+        MATCH_PASSWORD: '${{ secrets.MATCH_PASSWORD }}'
+        GIT_AUTHORIZATION: '${{ secrets.GIT_AUTHORIZATION }}'
+        TEMP_KEYCHAIN_PASSWORD: '${{ secrets.TEMP_KEYCHAIN_PASSWORD }}'
+        TEMP_KEYCHAIN_USER: '${{ secrets.TEMP_KEYCHAIN_USER }}'
+        APPLE_KEY_ID: '${{ secrets.APPLE_KEY_ID }}'
+        APPLE_ISSUER_ID: '${{ secrets.APPLE_ISSUER_ID }}'
+        APPLE_KEY_CONTENT: '${{ secrets.APPLE_KEY_CONTENT }}'
+    - name: Upload
+      uses: actions/upload-artifact@v2
+      with:
+        name: Techmino_${{ needs.get-info.outputs.name }}_${{ GITHUB.RUN_NUMBER }}_${{ needs.get-info.outputs.commit }}_macOS
+        path: Techmino.zip
+
+  # build-iOS:
+  #   runs-on: macos-latest
+  #   needs: get-info
+  #   steps:
+  #   - uses: actions/checkout@v2
+  #   - uses: ./.github/actions/snapshot-update
+  #     with:
+  #       commit: ${{ needs.get-info.outputs.commit }}
+  #   - uses: ./.github/actions/build-ios
+  #     with:
+  #       name: ${{ needs.get-info.outputs.name }}
+  #       type: 'test'
+  #       DEVELOPER_APP_ID: '${{ secrets.APP_ID_DEV }}'
+  #       DEVELOPER_APP_IDENTIFIER: '${{ secrets.APP_IDENTIFIER_DEV }}'
+  #       FASTLANE_APPLE_ID: '${{ secrets.FASTLANE_APPLE_ID }}'
+  #       MATCH_PASSWORD: '${{ secrets.MATCH_PASSWORD }}'
+  #       GIT_AUTHORIZATION: '${{ secrets.GIT_AUTHORIZATION }}'
+  #       PROVISIONING_PROFILE_SPECIFIER: '${{ secrets.PROVISIONING_PROFILE_SPECIFIER_DEV }}'
+  #       TEMP_KEYCHAIN_PASSWORD: '${{ secrets.TEMP_KEYCHAIN_PASSWORD }}'
+  #       TEMP_KEYCHAIN_USER: '${{ secrets.TEMP_KEYCHAIN_USER }}'
+  #       APPLE_KEY_ID: '${{ secrets.APPLE_KEY_ID }}'
+  #       APPLE_ISSUER_ID: '${{ secrets.APPLE_ISSUER_ID }}'
+  #       APPLE_KEY_CONTENT: '${{ secrets.APPLE_KEY_CONTENT }}'
+  #       PROJECT_BUILD_NUMBER: '${{ needs.get-info.outputs.code }}.${{ github.run_number }}'
+  #       PILOT_CHANGE_LOG: '${{ github.event.commits[0].message }}'
+  #   - name: Upload
+  #     uses: actions/upload-artifact@v2
+  #     with:
+  #       name: Techmino_${{ needs.get-info.outputs.name }}_${{ GITHUB.RUN_NUMBER }}_${{ needs.get-info.outputs.commit }}_iOS
+  #       path: "Techmino.ipa"
--- a/.github/workflows/updateVersion.py
+++ b/.github/workflows/updateVersion.py
@@ -22,23 +22,16 @@ def updateVersion(args):    #更新版本号
        file.flush()
        file.write(data)

-def updateMacOS(args):  #更新macOS打包信息
+def updateMacOS(args, type):  #更新macOS打包信息
    import datetime
    thisYear = str(datetime.datetime.today().year)
    with open('./.github/build/macOS/info.plist.template', 'r', encoding='utf-8') as file:
        data = file.read()
        data = data\
-            .replace('@versionName', args.Name)\
-            .replace('@thisYear', thisYear)
-    with open('./Techmino.app/Contents/info.plist', 'w+', encoding='utf-8') as file:
-        file.write(data)
-
-def updateIOS(args):  #更新iOS打包信息
-    with open('./Techmino-iOS/platform/xcode/Techmino.xcodeproj/project.pbxproj', 'r') as file:
-        data = file.read()
-        data = data.replace('__VERSION__', re.search(r'([0-9]+\.[0-9]+\.[0-9]+)', args.Name, re.I).group(1))
-
-    with open('./Techmino-iOS/platform/xcode/Techmino.xcodeproj/project.pbxproj', 'w') as file:
+            .replace('@versionName', args.Name[1:])\
+            .replace('@thisYear', thisYear)\
+            .replace('@buildType', type)
+    with open('./Techmino-macOS/Techmino.app/Contents/info.plist', 'w+', encoding='utf-8') as file:
        file.write(data)

 def updateWindows(args):    #更新Windows打包信息
@@ -98,10 +91,10 @@ if __name__ == '__main__':
        updateVersion(args)
    elif args.Type == 'Windows':
        updateWindows(args)
-    elif args.Type == 'macOS':
-        updateMacOS(args)
-    elif args.Type == 'iOS':
-        updateIOS(args)
+    elif args.Type == 'macOS_release':
+        updateMacOS(args, 'release')
+    elif args.Type == 'macOS_dev':
+        updateMacOS(args, 'dev')
    elif args.Type == 'AndroidRelease':
        updateAndroid(args, 'Release')
    elif args.Type == 'AndroidSnapshot':