@@ -35,16 +35,52 @@ jobs:
3535 fail-fast : false
3636 matrix :
3737 config :
38- - {name: "ubuntu-22.04", os: "ubuntu-22.04", cmake_extra: "-DLSL_BUNDLED_PUGIXML=OFF" }
39- - {name: "ubuntu-24.04", os: "ubuntu-24.04", cmake_extra: "-DLSL_BUNDLED_PUGIXML=OFF" }
40- - {name: "windows-x64", os: "windows-latest", cmake_extra: "-T v142,host=x86"}
41- - {name: "windows-32", os: "windows-latest", cmake_extra: "-T v142,host=x86 -A Win32"}
38+ # - {name: "ubuntu-22.04", os: "ubuntu-22.04", cmake_extra: "-DLSL_BUNDLED_PUGIXML=OFF" }
39+ # - {name: "ubuntu-24.04", os: "ubuntu-24.04", cmake_extra: "-DLSL_BUNDLED_PUGIXML=OFF" }
40+ # - {name: "windows-x64", os: "windows-latest", cmake_extra: "-T v142,host=x86"}
41+ # - {name: "windows-32", os: "windows-latest", cmake_extra: "-T v142,host=x86 -A Win32"}
4242 - {name: "macOS-latest", os: "macOS-latest", cmake_extra: "-DCMAKE_OSX_DEPLOYMENT_TARGET=10.15 -DCMAKE_OSX_ARCHITECTURES=x86_64;arm64 -DLSL_FRAMEWORK=ON" }
4343
4444 steps :
4545 - uses : actions/checkout@v4
4646
47+ - name : Install certificates and provisioning profiles
48+ if : matrix.config.os == 'macOS-latest'
49+ env :
50+ MACOS_CERTIFICATE_APP : ${{ secrets.PROD_MACOS_CERTIFICATE }}
51+ MACOS_CERTIFICATE_INST : ${{ secrets.PROD_MACOS_CERTIFICATE_INST }}
52+ MACOS_CERTIFICATE_PWD : ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
53+ MACOS_CI_KEYCHAIN_PWD : ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
54+ run : |
55+ # Create temporary keychain
56+ KEYCHAIN_PATH=$RUNNER_TEMP/build.keychain
57+ security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" $KEYCHAIN_PATH
58+ security default-keychain -s $KEYCHAIN_PATH
59+ security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
60+ security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" $KEYCHAIN_PATH
61+
62+ # Import certificates from secrets ...
63+ CERTIFICATE_PATH_APP=$RUNNER_TEMP/build_certificate_app.p12
64+ CERTIFICATE_PATH_INST=$RUNNER_TEMP/build_certificate_inst.p12
65+ echo -n "$MACOS_CERTIFICATE_APP" | base64 --decode -o $CERTIFICATE_PATH_APP
66+ echo -n "$MACOS_CERTIFICATE_INST" | base64 --decode -o $CERTIFICATE_PATH_INST
67+ # ... to keychain
68+ security import $CERTIFICATE_PATH_APP -P "$MACOS_CERTIFICATE_PWD" -k $KEYCHAIN_PATH -A -t cert -f pkcs12
69+ security import $CERTIFICATE_PATH_INST -P "$MACOS_CERTIFICATE_PWD" -k $KEYCHAIN_PATH -A -t cert -f pkcs12
70+
71+ # Set trusted partitions (groups of applications) that can access the keychain items
72+ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" $KEYCHAIN_PATH
73+ security list-keychain -d user -s $KEYCHAIN_PATH
74+
75+ # Get certificate identities into environment variables
76+ CERT_IDENTITY_APP=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | grep "Developer ID Application" | head -1 | awk -F'"' '{print $2}')
77+ echo "APPLE_CODE_SIGN_IDENTITY_APP=$CERT_IDENTITY_APP" >> $GITHUB_ENV
78+ CERT_IDENTITY_INST=$(security find-identity -v -p basic $KEYCHAIN_PATH | grep "Developer ID Installer" | head -1 | awk -F'"' '{print $2}')
79+ echo "APPLE_CODE_SIGN_IDENTITY_INST=$CERT_IDENTITY_INST" >> $GITHUB_ENV
80+
4781 - name : Configure CMake
82+ env :
83+ APPLE_DEVELOPMENT_TEAM : ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
4884 run : |
4985 if [[ "${{ matrix.config.name }}" = ubuntu-2* ]]; then
5086 sudo apt-get install -y --no-install-recommends libpugixml-dev
6096 -Dlslgitbranch=${{ github.ref }} \
6197 ${{ matrix.config.cmake_extra }} \
6298 ${{ github.event.inputs.cmakeextra }}
63- echo ${PWD}
99+ echo ${PWD}
64100
65101 - name : make
66102 run : cmake --build build --config Release -j
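Review bot: Both `security import` calls (new lines 68–69) pass `-A`, which lets any process on the runner use the imported private keys without a prompt; naming the signing tools instead, e.g. `-T /usr/bin/codesign -T /usr/bin/productbuild` in place of `-A`, keeps the keys usable for this job while narrowing who else can reach them. The decoded `.p12` files stay in `$RUNNER_TEMP` after the import, so add `rm -f "$CERTIFICATE_PATH_APP" "$CERTIFICATE_PATH_INST"` right after line 69. An empty `grep` match still writes an empty identity to `$GITHUB_ENV`, so a guard such as `[ -n "$CERT_IDENTITY_APP" ] || exit 1` before each `echo` would surface a missing certificate here rather than at signing time. The Configure CMake step now receives a secret in `env` but still expands `${{ github.event.inputs.cmakeextra }}` straight into the script text; reading that input from an `env:` variable would keep it from being interpreted as shell. Part of that step's body is not shown in this hunk.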
@@ -99,6 +135,31 @@ jobs:
99135 cmake -E remove_directory package/_CPack_Packages
100136 cp testing/lslcfgs/default.cfg .
101137
138+ - name : package and notarize (macOS)
139+ if : matrix.config.os == 'macOS-latest'
140+ env :
141+ APPLE_DEVELOPMENT_TEAM : ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
142+ APPLE_NOTARIZE_USERNAME : ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
143+ APPLE_NOTARIZE_PASSWORD : ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
144+ run : |
145+ # CMake does a lousy job of creating .pkg files for macOS, so we do it manually
146+ # TODO: However, we need to get the version number from the CMake package!
147+ productbuild --sign "$APPLE_CODE_SIGN_IDENTITY_INST" \
148+ --component install/Frameworks/lsl.framework \
149+ /Library/Frameworks liblsl-1.16.2-Darwin-universal.pkg
150+ # Notarize the package
151+ xcrun notarytool submit liblsl-1.16.2-Darwin-universal.pkg \
152+ --apple-id "$APPLE_NOTARIZE_USERNAME" \
153+ --password "$APPLE_NOTARIZE_PASSWORD" \
154+ --team-id "$APPLE_DEVELOPMENT_TEAM" \
155+ --wait
156+ # Staple the notarization ticket to the package
157+ xcrun stapler staple liblsl-1.16.2-Darwin-universal.pkg
158+ # If notarization fails, you can get the history of notarization requests:
159+ # xcrun notarytool history --apple-id "$APPLE_NOTARIZE_USERNAME" --password "$APPLE_NOTARIZE_PASSWORD" --team-id "$APPLE_DEVELOPMENT_TEAM"
160+ # Then you can check the status of a specific request:
161+ # xcrun notarytool log <request-id> --apple-id "$APPLE_NOTARIZE_USERNAME" --password "$APPLE_NOTARIZE_PASSWORD" --team-id "$APPLE_DEVELOPMENT_TEAM"
162+
102163 - name : upload install dir
103164 uses : actions/upload-artifact@master
104165 with :
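Review bot: Nothing in the new step (lines 147–157) checks the package after signing and stapling; `pkgutil --check-signature liblsl-1.16.2-Darwin-universal.pkg` after `productbuild` and `xcrun stapler validate liblsl-1.16.2-Darwin-universal.pkg` after stapling would fail the job if either did not take effect. `--password "$APPLE_NOTARIZE_PASSWORD"` keeps the credential in the process arguments for as long as `--wait` runs; storing it once with `xcrun notarytool store-credentials` in the temporary keychain and submitting with `--keychain-profile` shortens that exposure. The job now holds an unlocked signing keychain while later steps run `actions/upload-artifact@master` (context line 164), a mutable ref, so pinning it as `uses: actions/upload-artifact@<commit-sha>` is worth doing in the same change. The "upload install dir" step continues outside this hunk.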
@@ -120,7 +181,7 @@ jobs:
120181 ip route
121182 ip -6 route
122183 fi
123-
184+
124185 # run internal tests
125186 - name : unit tests
126187 run : |
@@ -159,3 +220,8 @@ jobs:
159220 MIME=$(file --mime-type $pkg|cut -d ' ' -f2)
160221 curl -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: $TOKEN" -H "Content-Type: $MIME" --data-binary @$pkg $UPLOAD_URL?name=$NAME
161222 done
223+
224+ - name : Clean up keychain
225+ if : matrix.config.os == 'macOS-latest'
226+ run : |
227+ security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true
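Review bot: The cleanup at line 227 deletes `$RUNNER_TEMP/app-signing.keychain-db`, but the keychain was created at `$RUNNER_TEMP/build.keychain` (line 56), so the signing keychain is never removed and `|| true` hides the failure. The step also has no `always()` condition, so it is skipped whenever an earlier step fails, which is when leftover key material matters most on a reused runner. Suggested: `if: always() && matrix.config.os == 'macOS-latest'` and `security delete-keychain "$RUNNER_TEMP/build.keychain" || true`, plus `rm -f "$RUNNER_TEMP"/build_certificate_*.p12` for the decoded certificates.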