.github/workflows/package-mac.yml

name: Package AutoSubs for MacOS
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  build:
    runs-on: macos-14

    steps:
    - name: Checkout AutoSubs Repo Code
      uses: actions/checkout@v4

    - name: Setup Node
      uses: actions/setup-node@v4
      with:
        node-version: 23
    
    - name: Set up Python
      uses: actions/setup-python@v2
      with:
        python-version: '3.12.7'

    - name: Import Apple Certificates
      env:
        APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_SIGNING_CERTIFICATE }}
        APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE }}
        INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        APPLE_NOTARIZE_KEY: ${{ secrets.APPLE_NOTARIZE_KEY }}
        APPLE_NOTARIZE_ID: ${{ secrets.APPLE_NOTARIZE_ID }}
        APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }}

      run: |
        # Define paths
        APP_CERT_PATH=$RUNNER_TEMP/app_certificate.p12
        INSTALLER_CERT_PATH=$RUNNER_TEMP/installer_certificate.p12
        KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

        # Decode and save certificates
        echo "$APP_CERTIFICATE_BASE64" | base64 --decode > $APP_CERT_PATH
        echo "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode > $INSTALLER_CERT_PATH

        # Create and configure temporary keychain
        security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
        security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
        security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
        security list-keychains -s $KEYCHAIN_PATH

        # Import Application certificate
        security import $APP_CERT_PATH -P "$APP_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
        security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

        # Import Installer certificate
        security import $INSTALLER_CERT_PATH -P "$INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
        security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

        # Import Notarization credentials
        echo "$APPLE_NOTARIZE_KEY" | base64 --decode > Notarization_AuthKey.p8
        xcrun notarytool store-credentials "AC_PASSWORD" \
          --key "Notarization_AuthKey.p8" \
          --key-id "$APPLE_NOTARIZE_ID" \
          --issuer "$APPLE_ISSUER"
      
    - name: Install Dependencies
      run: |
        cd AutoSubs-App
        npm install

    - name: Build App
      run: |
        cd AutoSubs-App
        export APPLE_SIGNING_IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}"
        npm run tauri build -- --bundles app

    - name: Package Python Server
      run: |
        cd Mac-Server
        python3 -m venv venv
        source venv/bin/activate
        pip install -r requirements.txt
        pyinstaller transcription-server.spec --noconfirm
        deactivate

    - name: Code Sign Python Server
      run: |
        # Define variables
        IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}"
        ENTITLEMENTS="$(pwd)/Mac-Server/entitlements.plist"
        APP_DIR="$(pwd)/Mac-Server/dist/Transcription-Server"

        # Function to sign a single file
        sign_file() {
            local file="$1"
            echo "Signing $file..."
            codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$file"
        }

        export -f sign_file  # Export the function so it's available in subshells
        export IDENTITY       # Export IDENTITY so it's available in subshells
        export ENTITLEMENTS   # Export ENTITLEMENTS so it's available in subshells

        # Sign the main executable
        sign_file "$APP_DIR/transcription-server"

        # Sign all embedded binaries and executables in the _internal directory
        find "$APP_DIR/_internal" -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.exe" -o -name "*.bin" -o -name "ffmpeg*" \) -exec bash -c 'sign_file "$0"' {} \;

        # Sign any other executables in the main app directory
        find "$APP_DIR" -type f -perm +111 -exec bash -c 'sign_file "$0"' {} \;

    - name: Move Python Server and App to Output Folder
      run: |
        mv "AutoSubs-App/src-tauri/target/release/bundle/macos/AutoSubs.app" "Output/AutoSubs"
        mv "Mac-Server/dist/Transcription-Server" "Output/AutoSubs"

    - name: Create PKG Installer
      run: |
        pkgbuild --root "Output" \
         --identifier "com.tom-moroney.autosubs" \
         --version "2.0" \
         --install-location "/Library/Application Support/Blackmagic Design/DaVinci Resolve/Fusion/" \
         "AutoSubs-unsigned.pkg"

    - name: Sign PKG Installer
      run: |
        productsign --sign "Developer ID Installer: ${{ secrets.APPLE_IDENTITY }}" \
          --timestamp \
          "AutoSubs-unsigned.pkg" \
          "AutoSubs-Installer.pkg"

    - name: Notarize PKG Installer
      run: |
        # Submit for notarization
        xcrun notarytool submit "AutoSubs-Installer.pkg" \
            --keychain-profile "AC_PASSWORD" \
            --wait

        # Staple the ticket to the installer
        xcrun stapler staple "AutoSubs-Installer.pkg"

    - name: Get Latest Release Tag
      id: get_latest_release
      env:
        GH_TOKEN: ${{ secrets.GH_TOKEN }}
      run: |
        latest_tag=$(gh release list --limit 1 --json tagName --jq '.[0].tagName')
        echo "LATEST_TAG=$latest_tag" >> $GITHUB_ENV

    - name: Upload Asset to Release
      uses: softprops/action-gh-release@v2
      with:
        tag_name: ${{ env.LATEST_TAG }}
        files: AutoSubs-Installer.pkg
        token: ${{ secrets.GH_TOKEN }}