Follow up macOS CI

- Update macOS CI to use flatlane

- Test macOS

- Use Github tokens

- Pass MATCH_PASSWORD

- Fix wrong path

- Update keychain file

- Change keychain path

- Update macOS release

- Triggered on release, not main

- Try notarize macOS app

- Triggered on test branch

- Triggered by release

- Rename lane names to avoid infinite recurse

- Init dev workflow

- Triggered by tags

- Rename workflow name

- Update workflows

- Allow all tags

- Fix on

- Add codesign options

- Add missing =

- Update options

- Test sign

- Fix options

- Update macOS template
- Use identifier

- Fix minor issues

- Try not notarize

- try not sign package

- Try sign without runtime option

- Try notarize without runtime option

- Use entitlements

- Add back runtime option

- Pack the whole directory to see what happened

- Chmod +x love

- Try with strict and print app info

- Change step order

- Break into two step

Zip first with `ditto`.

Push back zipping

Don't check the `zip` file

Stop zipping it over and over and over and over

Try zipping right

.github/actions/build-macos/action.yml

@@ -3,46 +3,95 @@ description: 'build Mac OS package'
 inputs:
   name:
     required: true
+  type:
+    required: true
   icon:
     required: true
-  MACOS_CERTIFICATE:
+  DEVELOPER_APP_IDENTIFIER:
     required: true
-  MACOS_CERTIFICATE_ID:
+  MATCH_PASSWORD:
     required: true
-  MACOS_CERTIFICATE_PWD:
+  GIT_AUTHORIZATION:
+    required: true
+  TEMP_KEYCHAIN_PASSWORD:
+    required: true
+  TEMP_KEYCHAIN_USER:
+    required: true
+  APPLE_KEY_ID:
+    required: true
+  APPLE_ISSUER_ID:
+    required: true
+  APPLE_KEY_CONTENT:
     required: true
 runs:
   using: "composite"
   steps:
     - uses: ./.github/actions/build-love
-
-    - name: Download template
-      uses: ./.github/actions/get-unzip
+    - name: Checkout template
+      uses: actions/checkout@v2
       with:
-        url: https://github.com/26F-Studio/Techmino-CI-template/releases/download/1.0/macos.app.zip
-
+        repository: '26F-Studio/Techmino-macOS'
+        path: 'Techmino-macOS'
     - name: Download ColdClear
       uses: ./.github/actions/get-cc
       with:
         arch: macOS
+    - name: Fastlane match
+      uses: maierj/fastlane-action@v2.0.1
+      with:
+        lane: 'get_cert'
+        subdirectory: 'Techmino-macOS'
+      env:
+          DEVELOPER_APP_IDENTIFIER: '${{ inputs.DEVELOPER_APP_IDENTIFIER }}'
+          MATCH_PASSWORD: '${{ inputs.MATCH_PASSWORD }}'
+          GIT_AUTHORIZATION: '${{ inputs.GIT_AUTHORIZATION }}'
+          TEMP_KEYCHAIN_PASSWORD: '${{ inputs.TEMP_KEYCHAIN_PASSWORD }}'
+          TEMP_KEYCHAIN_USER: '${{ inputs.TEMP_KEYCHAIN_USER }}'
+          APPLE_KEY_ID: '${{ inputs.APPLE_KEY_ID }}'
+          APPLE_ISSUER_ID: '${{ inputs.APPLE_ISSUER_ID }}'
+          APPLE_KEY_CONTENT: '${{ inputs.APPLE_KEY_CONTENT }}'
     - name: Modify template
       shell: bash
       run: |
-        python3 .github/workflows/updateVersion.py -T macOS -N ${{ inputs.name }}
-        mv Techmino.love Techmino.app/Contents/Resources
-        mv CCloader.dylib Techmino.app/Contents/Frameworks
-        mv ${{ inputs.icon }} Techmino.app/Contents/Resources/iconfile.icns
+        python3 .github/workflows/updateVersion.py -T macOS_${{ inputs.type }} -N ${{ inputs.name }}
+        mv Techmino.love Techmino-macOS/Techmino.app/Contents/Resources
+        mv CCloader.dylib Techmino-macOS/Techmino.app/Contents/Frameworks
+        mv ${{ inputs.icon }} Techmino-macOS/Techmino.app/Contents/Resources/iconfile.icns
+
+        chmod +x Techmino-macOS/Techmino.app/Contents/Frameworks/CCloader.dylib
+        chmod +x Techmino-macOS/Techmino.app/Contents/MacOS/love
     - name: Codesign executable
-      # In secrets:
-      #   - MACOS_CERTIFICATE: the *.p12 Developer ID Certificate, encoded in base64
-      #   - MACOS_CERTIFICATE_PWD: The password
       shell: bash
       run: |
-        echo ${{ inputs.MACOS_CERTIFICATE }} | base64 --decode > certificate.p12
-        security create-keychain -p Techminohaowan build.keychain
-        security default-keychain -s build.keychain
-        security unlock-keychain -p Techminohaowan build.keychain
-        security import certificate.p12 -k build.keychain -P ${{ inputs.MACOS_CERTIFICATE_PWD }} -T /usr/bin/codesign
-        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k Techminohaowan build.keychain
-        /usr/bin/codesign --force --deep -s ${{ inputs.MACOS_CERTIFICATE_ID }} Techmino.app -v
-        security delete-keychain build.keychain
+        security unlock-keychain -p ${{ inputs.TEMP_KEYCHAIN_PASSWORD }} \
+        ~/Library/Keychains/${{ inputs.TEMP_KEYCHAIN_USER }}-db
+
+        [[ $(security find-identity) =~ ([0-9A-F]{40}) ]]
+
+        codesign --timestamp --force --strict --deep -v \
+        --options runtime \
+        -s ${BASH_REMATCH[1]} \
+        --entitlements Techmino-macOS/love.entitlements \
+        Techmino-macOS/Techmino.app
+    - name: Fastlane notarize
+      uses: maierj/fastlane-action@v2.0.1
+      with:
+        lane: 'make_safe'
+        subdirectory: 'Techmino-macOS'
+      env:
+          APPLE_KEY_ID: '${{ inputs.APPLE_KEY_ID }}'
+          APPLE_ISSUER_ID: '${{ inputs.APPLE_ISSUER_ID }}'
+          APPLE_KEY_CONTENT: '${{ inputs.APPLE_KEY_CONTENT }}'
+    - name: Check codesign
+      shell: bash
+      run: |
+        codesign -dvvv Techmino-macOS/Techmino.app
+    - name: Check for access
+      shell: bash
+      run: |
+        spctl --assess -vv Techmino-macOS/Techmino.app
+    - name: Ditto zip
+      shell: bash
+      run: |
+        ditto Techmino-macOS/Techmino.app  Archive/
+        ditto -c Archive Techmino.zip