CI: Fix macOS codesigning for png #1319
Workflow file for this run
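# Builds, code-signs and packages Strawberry for macOS on every push and pull
# request. The public job runs in every repository except strawberry-private;
# the private job runs only there. In the public job the certificate import,
# signing, signature verification and upload steps are gated on the main
# repository and on the change not coming from a fork.
name: Build
on: [push, pull_request]

# Least privilege for GITHUB_TOKEN: these jobs only need to read the repository
# for checkout; uploads use a separate SSH key.
permissions:
  contents: read

jobs:
  build-macos-public:
    name: Build macOS Public
    if: github.repository != 'strawberrymusicplayer/strawberry-private'
    strategy:
      fail-fast: false
      matrix:
        runner: ['macos-11']
        buildtype: ['release']
    runs-on: ${{ matrix.runner }}
    steps:
      - name: Set arch
        shell: bash
        run: echo "arch=$(uname -m)" >> "$GITHUB_ENV"
      - name: Set buildtype
        run: echo "buildtype=$(echo ${{matrix.buildtype}} | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"
      - name: Set cmake buildtype
        run: echo "cmake_buildtype=$(echo ${{env.buildtype}} | awk '{print toupper(substr($0,0,1))tolower(substr($0,2))}')" >> "$GITHUB_ENV"
      # NOTE(review): this downloads a script from the mutable `master` branch
      # and runs it with sudo. Pin the URL to a reviewed commit and verify a
      # checksum before executing it.
      - name: Uninstall homebrew
        run: |
          curl -sfLO https://raw.githubusercontent.com/Homebrew/install/master/uninstall.sh
          chmod +x ./uninstall.sh
          sudo ./uninstall.sh --force
          rm -f uninstall.sh
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: recursive
      # NOTE(review): this third-party action receives the signing certificate
      # and its password but is referenced by a mutable tag; pin it to a full
      # commit SHA so a retagged release cannot change what handles the secrets.
      - name: Import certificate file
        if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false
        uses: apple-actions/import-codesign-certs@v2
        with:
          p12-file-base64: ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE }}
          p12-password: ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD }}
      # NOTE(review): `releases/latest` is a moving target and the archive is
      # unpacked as root into / by the next step with no integrity check. These
      # libraries end up inside the signed bundle, so consider a pinned release
      # tag plus checksum verification before extraction.
      - name: Download macOS dependencies
        run: curl -f -O -L https://github.com/strawberrymusicplayer/strawberry-macos-dependencies/releases/latest/download/strawberry-macos-${{env.arch}}-${{env.buildtype}}.tar.xz
      - name: Extract macOS dependencies
        run: sudo tar -C / -xf strawberry-macos-${{env.arch}}-${{env.buildtype}}.tar.xz
      - name: Set prefix path
        run: echo "prefix_path=/opt/strawberry_macos_${{env.arch}}_${{env.buildtype}}" >> "$GITHUB_ENV"
      - name: Update PATH
        run: echo "${{env.prefix_path}}/bin" >> "$GITHUB_PATH"
      - name: Create Build Environment
        run: cmake -E make_directory build
      - name: Configure CMake
        env:
          # Quoted so the value stays the string "11.0" instead of a YAML float.
          MACOSX_DEPLOYMENT_TARGET: '11.0'
          PKG_CONFIG_PATH: ${{env.prefix_path}}/lib/pkgconfig
          LDFLAGS: -L${{env.prefix_path}}/lib -Wl,-rpath,${{env.prefix_path}}/lib
          # Pull-request repository names come from the event payload, so they
          # are handed to the shell as environment variables instead of being
          # expanded into the script text. Both are empty on push events, which
          # keeps the comparison below true for pushes, as before.
          PR_BASE_REPO: ${{ github.event.pull_request.base.repo.full_name }}
          PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: >
          cmake
          --log-level="DEBUG"
          -S .
          -B build
          -DCMAKE_BUILD_TYPE="${{env.cmake_buildtype}}"
          -DCMAKE_PREFIX_PATH="${{env.prefix_path}}/lib/cmake"
          -DBUILD_WITH_QT6=ON
          -DBUILD_WERROR=OFF
          -DUSE_BUNDLE=ON
          -DENABLE_DBUS=OFF
          -DICU_ROOT="${{env.prefix_path}}"
          -DFFTW3_DIR="${{env.prefix_path}}"
          -DAPPLE_DEVELOPER_ID=$(test '${{github.repository}}' = 'strawberrymusicplayer/strawberry' && test "$PR_BASE_REPO" = "$PR_HEAD_REPO" && echo "383J84DVB6" || echo "")
      - name: Build
        run: cmake --build build --config Release --parallel 4
      - name: Install
        working-directory: build
        run: make install
      - name: Deploy
        env:
          GIO_EXTRA_MODULES: ${{env.prefix_path}}/lib/gio/modules
          GST_PLUGIN_SCANNER: ${{env.prefix_path}}/libexec/gstreamer-1.0/gst-plugin-scanner
          GST_PLUGIN_PATH: ${{env.prefix_path}}/lib/gstreamer-1.0
          LIBSOUP_LIBRARY_PATH: ${{env.prefix_path}}/lib/libsoup-3.0.0.dylib
        working-directory: build
        run: make deploy
      # Re-signs the listed bundled libraries, the png framework binary and
      # then the app bundle itself (-f replaces any existing signature).
      - name: Manually Codesign
        if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false
        working-directory: build
        run: codesign -s 383J84DVB6 -f strawberry.app/Contents/Frameworks/{libsoup-3.0.0.dylib,libnghttp2.14.dylib,libpsl.5.dylib,libpcre2-16.0.dylib,libpng16.16.dylib,libzstd.1.dylib} strawberry.app/Contents/Frameworks/png.framework/png strawberry.app
      - name: Deploy check
        working-directory: build
        run: make deploycheck
      - name: Verify code-signing
        if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false
        working-directory: build
        run: codesign --deep -v strawberry.app
      - name: Create DMG
        working-directory: build
        run: make dmg
      # NOTE(review): this third-party action receives the upload SSH key but is
      # referenced by a mutable tag; pin it to a full commit SHA.
      - name: SSH key setup
        if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci' || github.ref == 'refs/heads/macos')
        uses: shimataro/ssh-key-action@v2
        with:
          known_hosts: ${{secrets.SSH_KNOWN_HOSTS}}
          key: ${{ secrets.SSH_KEY }}
      - name: Set is release
        run: echo "is_release=$(grep '^\s*set\s*(\s*INCLUDE_GIT_REVISION\s\+OFF\s*)\s*$' cmake/Version.cmake >/dev/null 2>&1 && echo 1 || echo 0)" >> "$GITHUB_ENV"
      - name: Get release version
        run: echo "release_version=$(git describe --tags --exact-match ${GITHUB_SHA} 2>/dev/null | head -1)" >> "$GITHUB_ENV"
      - name: Set Upload path
        if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci' || github.ref == 'refs/heads/macos')
        run: |
          if [ "${{env.is_release}}" = "1" ] && ! [ "${{env.release_version}}" = "" ]; then
            echo "upload_path=${{secrets.DOWNLOADS_PATH}}/stable_releases/macos" >> "$GITHUB_ENV"
          else
            echo "upload_path=${{secrets.DOWNLOADS_PATH}}/development_releases/macos" >> "$GITHUB_ENV"
          fi
      # Host key checking is enforced for the upload: the "SSH key setup" step
      # installs known_hosts from SSH_KNOWN_HOSTS, so the release server's
      # identity is verified before the DMG is sent. The secret must hold the
      # server's host key (in `[host]:port` form if SSH_PORT is not 22),
      # otherwise these two steps fail closed.
      - name: Create server path
        if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci' || github.ref == 'refs/heads/macos')
        run: ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=yes ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}} mkdir -p ${{env.upload_path}}
      - name: rsync
        if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci' || github.ref == 'refs/heads/macos')
        run: rsync -e "ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=yes" -var build/*.dmg ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:${{env.upload_path}}/

  # NOTE(review): `macos-arm64` is presumably a self-hosted runner label, which
  # would explain why no dependency download, certificate import or SSH key
  # setup appears here - confirm. Every step in this job, including signing and
  # upload, runs on each push and pull request in the private repository.
  build-macos-private:
    name: Build macOS Private
    if: github.repository == 'strawberrymusicplayer/strawberry-private'
    strategy:
      fail-fast: false
      matrix:
        runner: ['macos-arm64']
        buildtype: ['release']
    runs-on: ${{ matrix.runner }}
    steps:
      - name: Set arch
        shell: bash
        run: echo "arch=$(uname -m)" >> "$GITHUB_ENV"
      - name: Set buildtype
        run: echo "buildtype=$(echo ${{matrix.buildtype}} | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"
      - name: Set cmake buildtype
        run: echo "cmake_buildtype=$(echo ${{env.buildtype}} | awk '{print toupper(substr($0,0,1))tolower(substr($0,2))}')" >> "$GITHUB_ENV"
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: recursive
      # The password is passed through the environment and quoted so that shell
      # metacharacters or spaces in it cannot alter or break the command. It is
      # still an argument of `security`, so it stays visible to local process
      # listings on the runner while the command executes.
      - name: Unlock keychain
        env:
          MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
        run: security unlock-keychain -p "$MACOS_KEYCHAIN_PASSWORD"
      - name: Set prefix path
        run: echo "prefix_path=/opt/strawberry_macos_${{env.arch}}_${{env.buildtype}}" >> "$GITHUB_ENV"
      - name: Update PATH
        run: echo "${{env.prefix_path}}/bin" >> "$GITHUB_PATH"
      - name: Create Build Environment
        run: cmake -E make_directory build
      - name: Configure CMake
        env:
          # Quoted so the value stays the string "11.0" instead of a YAML float.
          MACOSX_DEPLOYMENT_TARGET: '11.0'
          PKG_CONFIG_PATH: ${{env.prefix_path}}/lib/pkgconfig
          LDFLAGS: -L${{env.prefix_path}}/lib -Wl,-rpath,${{env.prefix_path}}/lib
        run: >
          cmake
          --log-level="DEBUG"
          -S .
          -B build
          -DCMAKE_BUILD_TYPE="${{env.cmake_buildtype}}"
          -DCMAKE_PREFIX_PATH="${{env.prefix_path}}/lib/cmake"
          -DBUILD_WITH_QT6=ON
          -DBUILD_WERROR=OFF
          -DUSE_BUNDLE=ON
          -DENABLE_DBUS=OFF
          -DICU_ROOT="${{env.prefix_path}}"
          -DFFTW3_DIR="${{env.prefix_path}}"
          -DAPPLE_DEVELOPER_ID="383J84DVB6"
      - name: Build
        run: cmake --build build --config Release --parallel 4
      - name: Install
        working-directory: build
        run: make install
      - name: Deploy
        env:
          GIO_EXTRA_MODULES: ${{env.prefix_path}}/lib/gio/modules
          GST_PLUGIN_SCANNER: ${{env.prefix_path}}/libexec/gstreamer-1.0/gst-plugin-scanner
          GST_PLUGIN_PATH: ${{env.prefix_path}}/lib/gstreamer-1.0
          LIBSOUP_LIBRARY_PATH: ${{env.prefix_path}}/lib/libsoup-3.0.0.dylib
        working-directory: build
        run: make deploy
      # Re-signs the png framework binary and then the app bundle itself.
      - name: Manually Codesign
        working-directory: build
        run: codesign -s 383J84DVB6 -f strawberry.app/Contents/Frameworks/png.framework/png strawberry.app
      - name: Deploy check
        working-directory: build
        run: make deploycheck
      - name: Verify code-signing
        working-directory: build
        run: codesign --deep -v strawberry.app
      - name: Create DMG
        working-directory: build
        run: make dmg
      - name: Set is release
        run: echo "is_release=$(grep '^\s*set\s*(\s*INCLUDE_GIT_REVISION\s\+OFF\s*)\s*$' cmake/Version.cmake >/dev/null 2>&1 && echo 1 || echo 0)" >> "$GITHUB_ENV"
      - name: Set Upload path
        run: |
          if [ "${{env.is_release}}" = "1" ]; then
            echo "upload_path=${{secrets.DOWNLOADS_PATH}}/stable_releases/macos" >> "$GITHUB_ENV"
          else
            echo "upload_path=${{secrets.DOWNLOADS_PATH}}/development_releases/macos" >> "$GITHUB_ENV"
          fi
      # NOTE(review): StrictHostKeyChecking=no accepts any host key, so the
      # upload server is not authenticated for these two steps. No known_hosts
      # provisioning is visible in this job; once the runner's known_hosts holds
      # the server's key, switch both commands to StrictHostKeyChecking=yes.
      - name: Create server path
        run: ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}} mkdir -p ${{env.upload_path}}
      - name: rsync
        run: rsync -e "ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no" -var build/*.dmg ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:${{env.upload_path}}/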