Updated Windows cache location #39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package AutoSubs for MacOS | |
on: | |
pull_request: | |
branches: | |
- main | |
push: | |
branches: | |
- main | |
jobs: | |
build: | |
runs-on: macos-14 | |
steps: | |
- name: Checkout AutoSubs Repo Code | |
uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 23 | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.12.7' | |
- name: Import Apple Certificates | |
env: | |
APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_SIGNING_CERTIFICATE }} | |
APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE }} | |
INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
APPLE_NOTARIZE_KEY: ${{ secrets.APPLE_NOTARIZE_KEY }} | |
APPLE_NOTARIZE_ID: ${{ secrets.APPLE_NOTARIZE_ID }} | |
APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }} | |
run: | | |
# Define paths | |
APP_CERT_PATH=$RUNNER_TEMP/app_certificate.p12 | |
INSTALLER_CERT_PATH=$RUNNER_TEMP/installer_certificate.p12 | |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
# Decode and save certificates | |
echo "$APP_CERTIFICATE_BASE64" | base64 --decode > $APP_CERT_PATH | |
echo "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode > $INSTALLER_CERT_PATH | |
# Create and configure temporary keychain | |
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security list-keychains -s $KEYCHAIN_PATH | |
# Import Application certificate | |
security import $APP_CERT_PATH -P "$APP_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# Import Installer certificate | |
security import $INSTALLER_CERT_PATH -P "$INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# Import Notarization credentials | |
echo "$APPLE_NOTARIZE_KEY" | base64 --decode > Notarization_AuthKey.p8 | |
xcrun notarytool store-credentials "AC_PASSWORD" \ | |
--key "Notarization_AuthKey.p8" \ | |
--key-id "$APPLE_NOTARIZE_ID" \ | |
--issuer "$APPLE_ISSUER" | |
- name: Install Dependencies | |
run: | | |
cd AutoSubs-App | |
npm install | |
- name: Bundle Tauri App | |
run: | | |
cd AutoSubs-App | |
export APPLE_SIGNING_IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}" | |
npm run tauri build | |
- name: Create Mac Package | |
run: | | |
# Create the package directory | |
mkdir Mac-Package/Payload | |
# Move the app to the package | |
mv AutoSubs-App/src-tauri/target/release/bundle/macos/AutoSubs.app Mac-Package/Payload | |
- name: Package Python Server | |
run: | | |
cd Transcription-Server | |
python3 -m venv venv | |
source venv/bin/activate | |
pip install -r requirements-mac.txt | |
pyinstaller package-server.spec --noconfirm | |
deactivate | |
- name: Move Python Server to resources folder | |
run: | | |
mv "Transcription-Server/dist/Transcription-Server" "Mac-Package/Payload/AutoSubs.app/Contents/Resources/resources" | |
- name: Code Sign Python Server | |
run: | | |
# Define variables | |
IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}" | |
ENTITLEMENTS="$(pwd)/Signing/entitlements.plist" # Use absolute path to avoid issues | |
APP_DIR="$(pwd)/Mac-Package/Payload/AutoSubs.app/Contents/Resources/resources/Transcription-Server" # Use absolute path | |
AUTOSUBS_BINARY="$(pwd)/Mac-Package/Payload/AutoSubs.app/Contents/MacOS/autosubs" # Use absolute path | |
# Function to sign a single file | |
sign_file() { | |
local file="$1" | |
echo "Signing $file..." | |
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$file" | |
} | |
export -f sign_file # Export the function so it's available in subshells | |
export IDENTITY # Export IDENTITY so it's available in subshells | |
export ENTITLEMENTS # Export ENTITLEMENTS so it's available in subshells | |
# Sign the main executable | |
sign_file "$APP_DIR/transcription-server" | |
# Sign all embedded binaries and executables in the _internal directory | |
find "$APP_DIR/_internal" -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.exe" -o -name "*.bin" -o -name "ffmpeg*" -o -name "Python" \) -exec bash -c 'sign_file "$0"' {} \; | |
# Sign any other executables in the main app directory | |
find "$APP_DIR" -type f -perm +111 -exec bash -c 'sign_file "$0"' {} \; | |
# Sign the main app binary | |
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$AUTOSUBS_BINARY" | |
- name: Create PKG Installer | |
run: | | |
# Give permissions to the scripts | |
chmod +x Mac-Package/Scripts/* | |
# Create the package | |
pkgbuild --identifier com.tom-moroney.autosubs \ | |
--version 2.0 \ | |
--install-location "/Applications" \ | |
--root Mac-Package/Payload \ | |
--scripts Mac-Package/Scripts \ | |
AutoSubs-unsigned.pkg | |
- name: Sign PKG Installer | |
run: | | |
productsign --sign "Developer ID Installer: ${{ secrets.APPLE_IDENTITY }}" \ | |
--timestamp \ | |
"AutoSubs-unsigned.pkg" \ | |
"AutoSubs-Mac-ARM.pkg" | |
- name: Notarize PKG Installer | |
run: | | |
# Submit for notarization | |
xcrun notarytool submit "AutoSubs-Mac-ARM.pkg" \ | |
--keychain-profile "AC_PASSWORD" \ | |
--wait | |
# Staple the ticket to the installer | |
xcrun stapler staple "AutoSubs-Mac-ARM.pkg" | |
- name: Get Latest Release Tag | |
id: get_latest_release | |
env: | |
GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
run: | | |
latest_tag=$(gh release list --limit 1 --json tagName --jq '.[0].tagName') | |
echo "LATEST_TAG=$latest_tag" >> $GITHUB_ENV | |
- name: Upload Asset to Release | |
uses: softprops/action-gh-release@v2 | |
with: | |
tag_name: ${{ env.LATEST_TAG }} | |
files: AutoSubs-Mac-ARM.pkg | |
token: ${{ secrets.GH_TOKEN }} |