Updated mac package script #24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package AutoSubs for MacOS | |
on: | |
pull_request: | |
branches: | |
- main | |
push: | |
branches: | |
- main | |
jobs: | |
build: | |
runs-on: macos-14 | |
steps: | |
- name: Checkout AutoSubs Repo Code | |
uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 23 | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.12.7' | |
- name: Import Apple Certificates | |
env: | |
APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_SIGNING_CERTIFICATE }} | |
APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE }} | |
INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
APPLE_NOTARIZE_KEY: ${{ secrets.APPLE_NOTARIZE_KEY }} | |
APPLE_NOTARIZE_ID: ${{ secrets.APPLE_NOTARIZE_ID }} | |
APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }} | |
run: | | |
# Define paths | |
APP_CERT_PATH=$RUNNER_TEMP/app_certificate.p12 | |
INSTALLER_CERT_PATH=$RUNNER_TEMP/installer_certificate.p12 | |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
# Decode and save certificates | |
echo "$APP_CERTIFICATE_BASE64" | base64 --decode > $APP_CERT_PATH | |
echo "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode > $INSTALLER_CERT_PATH | |
# Create and configure temporary keychain | |
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security list-keychains -s $KEYCHAIN_PATH | |
# Import Application certificate | |
security import $APP_CERT_PATH -P "$APP_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# Import Installer certificate | |
security import $INSTALLER_CERT_PATH -P "$INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# Import Notarization credentials | |
echo "$APPLE_NOTARIZE_KEY" | base64 --decode > Notarization_AuthKey.p8 | |
xcrun notarytool store-credentials "AC_PASSWORD" \ | |
--key "Notarization_AuthKey.p8" \ | |
--key-id "$APPLE_NOTARIZE_ID" \ | |
--issuer "$APPLE_ISSUER" | |
- name: Package Python Server | |
run: | | |
cd Mac-Server | |
python3 -m venv venv | |
source venv/bin/activate | |
pip install -r requirements-mac.txt | |
pyinstaller package-server.spec --noconfirm | |
deactivate | |
- name: Code Sign Python Server | |
run: | | |
# Define variables | |
IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}" | |
ENTITLEMENTS="$(pwd)/Signing/entitlements.plist" | |
APP_DIR="$(pwd)/Transcription-Server/dist/Transcription-Server" | |
# Function to sign a single file | |
sign_file() { | |
local file="$1" | |
echo "Signing $file..." | |
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$file" | |
} | |
export -f sign_file # Export the function so it's available in subshells | |
export IDENTITY # Export IDENTITY so it's available in subshells | |
export ENTITLEMENTS # Export ENTITLEMENTS so it's available in subshells | |
# Sign the main executable | |
sign_file "$APP_DIR/transcription-server" | |
# Sign all embedded binaries and executables in the _internal directory based on known extensions | |
find "$APP_DIR/_internal" -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.exe" -o -name "*.bin" -o -name "ffmpeg*" \) -exec bash -c 'sign_file "$0"' {} \; | |
# Sign the entire Python framework directory (recursively) to ensure the actual binary is signed | |
FRAMEWORK_DIR="$APP_DIR/_internal/Python.framework" | |
if [ -d "$FRAMEWORK_DIR" ]; then | |
echo "Signing framework at $FRAMEWORK_DIR..." | |
codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$FRAMEWORK_DIR" | |
fi | |
# Sign any other executables in the main app directory | |
# Use -perm /111 to match executables on macOS/BSD | |
find "$APP_DIR" -type f -perm /111 -exec bash -c 'sign_file "$0"' {} \; | |
- name: Move Python Server to resources folder | |
run: | | |
mv "Transcription-Server/dist/Transcription-Server" "AutoSubs-App/src-tauri/resources" | |
- name: Install Dependencies | |
run: | | |
cd AutoSubs-App | |
npm install | |
- name: Bundle Tauri App | |
run: | | |
cd AutoSubs-App | |
export APPLE_SIGNING_IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}" | |
npm run tauri build | |
- name: Create Mac Package | |
run: | | |
# Create the package directory | |
mkdir Mac-Package/Payload | |
# Copy the app to the package | |
cp -r AutoSubs-App/src-tauri/target/release/bundle/macos/AutoSubs.app Mac-Package/Payload | |
- name: Create PKG Installer | |
run: | | |
# Give permissions to the scripts | |
chmod +x Mac-Package/Scripts/* | |
# Create the package | |
pkgbuild --identifier com.tom-moroney.autosubs \ | |
--version 2.0 \ | |
--install-location "/Applications" \ | |
--root Mac-Package/Payload \ | |
--scripts Mac-Package/Scripts \ | |
AutoSubs-unsigned.pkg | |
- name: Sign PKG Installer | |
run: | | |
productsign --sign "Developer ID Installer: ${{ secrets.APPLE_IDENTITY }}" \ | |
--timestamp \ | |
"AutoSubs-unsigned.pkg" \ | |
"AutoSubs-Mac-ARM.pkg" | |
- name: Notarize PKG Installer | |
run: | | |
# Submit for notarization | |
xcrun notarytool submit "AutoSubs-Mac-ARM.pkg" \ | |
--keychain-profile "AC_PASSWORD" \ | |
--wait | |
# Staple the ticket to the installer | |
xcrun stapler staple "AutoSubs-Mac-ARM.pkg" | |
- name: Get Latest Release Tag | |
id: get_latest_release | |
env: | |
GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
run: | | |
latest_tag=$(gh release list --limit 1 --json tagName --jq '.[0].tagName') | |
echo "LATEST_TAG=$latest_tag" >> $GITHUB_ENV | |
- name: Upload Asset to Release | |
uses: softprops/action-gh-release@v2 | |
with: | |
tag_name: ${{ env.LATEST_TAG }} | |
files: AutoSubs-Installer-Mac-ARM.pkg | |
token: ${{ secrets.GH_TOKEN }} |