Update package-mac.yml #27

Summary
Jobs
- build
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/package-mac.yml at 3802453

	name: Package AutoSubs for MacOS
	on:
	pull_request:
	branches:
	- main
	push:
	branches:
	- main

	jobs:
	build:
	runs-on: macos-14

	steps:
	- name: Checkout AutoSubs Repo Code
	uses: actions/checkout@v4

	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version: 23

	- name: Set up Python
	uses: actions/setup-python@v5
	with:
	python-version: '3.12.7'

	- name: Import Apple Certificates
	env:
	APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_SIGNING_CERTIFICATE }}
	APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE }}
	INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
	APPLE_NOTARIZE_KEY: ${{ secrets.APPLE_NOTARIZE_KEY }}
	APPLE_NOTARIZE_ID: ${{ secrets.APPLE_NOTARIZE_ID }}
	APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }}

	run: \|
	# Define paths
	APP_CERT_PATH=$RUNNER_TEMP/app_certificate.p12
	INSTALLER_CERT_PATH=$RUNNER_TEMP/installer_certificate.p12
	KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

	# Decode and save certificates
	echo "$APP_CERTIFICATE_BASE64" \| base64 --decode > $APP_CERT_PATH
	echo "$INSTALLER_CERTIFICATE_BASE64" \| base64 --decode > $INSTALLER_CERT_PATH

	# Create and configure temporary keychain
	security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security list-keychains -s $KEYCHAIN_PATH

	# Import Application certificate
	security import $APP_CERT_PATH -P "$APP_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	# Import Installer certificate
	security import $INSTALLER_CERT_PATH -P "$INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	# Import Notarization credentials
	echo "$APPLE_NOTARIZE_KEY" \| base64 --decode > Notarization_AuthKey.p8
	xcrun notarytool store-credentials "AC_PASSWORD" \
	--key "Notarization_AuthKey.p8" \
	--key-id "$APPLE_NOTARIZE_ID" \
	--issuer "$APPLE_ISSUER"

	- name: Package Python Server
	run: \|
	cd Transcription-Server
	python3 -m venv venv
	source venv/bin/activate
	pip install -r requirements-mac.txt
	pyinstaller package-server.spec --noconfirm
	deactivate

	- name: Code Sign Python Server
	run: \|
	# Define variables
	IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}"
	ENTITLEMENTS="$(pwd)/Signing/entitlements.plist"
	APP_DIR="$(pwd)/Transcription-Server/dist/Transcription-Server"
	FRAMEWORK_DIR="$APP_DIR/_internal/Python.framework"
	ACTUAL_BINARY="$APP_DIR/_internal/Python.framework/Versions/3.12/Python"

	# Function to sign a single file with entitlements
	sign_file() {
	local file="$1"
	echo "Signing $file with entitlements..."
	codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$file"
	}

	# Function to sign a file without entitlements (for testing framework issues)
	sign_file_no_entitlements() {
	local file="$1"
	echo "Signing $file without entitlements..."
	codesign --force --options runtime --timestamp --sign "$IDENTITY" "$file"
	}

	export -f sign_file
	export -f sign_file_no_entitlements
	export IDENTITY
	export ENTITLEMENTS

	# Sign the main executable
	sign_file "$APP_DIR/transcription-server"

	# Sign known-extension binaries in _internal
	find "$APP_DIR/_internal" -type f $ -name ".dylib" -o -name ".so" -o -name ".exe" -o -name ".bin" -o -name "ffmpeg*" $ \
	-exec bash -c 'sign_file "$0"' {} \;

	# Clear extended attributes on the framework to avoid conflicts
	if [ -d "$FRAMEWORK_DIR" ]; then
	echo "Clearing extended attributes from $FRAMEWORK_DIR..."
	xattr -cr "$FRAMEWORK_DIR"

	# If the actual binary exists, sign it directly without entitlements first
	if [ -f "$ACTUAL_BINARY" ]; then
	echo "Signing the actual Python binary at $ACTUAL_BINARY..."
	sign_file_no_entitlements "$ACTUAL_BINARY"
	fi

	# Now sign the entire framework directory without entitlements to see if that helps
	echo "Signing framework at $FRAMEWORK_DIR without entitlements..."
	sign_file_no_entitlements "$FRAMEWORK_DIR"
	fi

	# Sign any other executables in the main app directory (user-executable)
	# Using -perm -100 to find files where the owner has execute permission
	find "$APP_DIR" -type f -perm -100 -exec bash -c 'sign_file "$0"' {} \;

	- name: Move Python Server to resources folder
	run: \|
	mv "Transcription-Server/dist/Transcription-Server" "AutoSubs-App/src-tauri/resources"

	- name: Install Dependencies
	run: \|
	cd AutoSubs-App
	npm install

	- name: Bundle Tauri App
	run: \|
	cd AutoSubs-App
	export APPLE_SIGNING_IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}"
	npm run tauri build

	- name: Create Mac Package
	run: \|
	# Create the package directory
	mkdir Mac-Package/Payload

	# Copy the app to the package
	cp -r AutoSubs-App/src-tauri/target/release/bundle/macos/AutoSubs.app Mac-Package/Payload

	- name: Create PKG Installer
	run: \|
	# Give permissions to the scripts
	chmod +x Mac-Package/Scripts/*

	# Create the package
	pkgbuild --identifier com.tom-moroney.autosubs \
	--version 2.0 \
	--install-location "/Applications" \
	--root Mac-Package/Payload \
	--scripts Mac-Package/Scripts \
	AutoSubs-unsigned.pkg

	- name: Sign PKG Installer
	run: \|
	productsign --sign "Developer ID Installer: ${{ secrets.APPLE_IDENTITY }}" \
	--timestamp \
	"AutoSubs-unsigned.pkg" \
	"AutoSubs-Mac-ARM.pkg"

	- name: Notarize PKG Installer
	run: \|
	# Submit for notarization
	xcrun notarytool submit "AutoSubs-Mac-ARM.pkg" \
	--keychain-profile "AC_PASSWORD" \
	--wait

	# Staple the ticket to the installer
	xcrun stapler staple "AutoSubs-Mac-ARM.pkg"

	- name: Get Latest Release Tag
	id: get_latest_release
	env:
	GH_TOKEN: ${{ secrets.GH_TOKEN }}
	run: \|
	latest_tag=$(gh release list --limit 1 --json tagName --jq '.[0].tagName')
	echo "LATEST_TAG=$latest_tag" >> $GITHUB_ENV

	- name: Upload Asset to Release
	uses: softprops/action-gh-release@v2
	with:
	tag_name: ${{ env.LATEST_TAG }}
	files: AutoSubs-Mac-ARM.pkg
	token: ${{ secrets.GH_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update package-mac.yml #27

Workflow file

Update package-mac.yml #27

Jobs

Run details

Workflow file for this run