Updated to use Github access token #11

Workflow file for this run

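---
# Builds the AutoSubs Tauri app and the PyInstaller-packaged transcription
# server on a macOS runner, signs both with Developer ID certificates taken
# from repository secrets, wraps them in a signed .pkg installer, and attaches
# the installer to the most recent GitHub release.
name: Package Tauri App and Python Server for MacOS

on:
  push:
    branches:
      - main
  # NOTE(review): the build and signing steps still run for pull requests.
  # PRs from forks receive no secrets, so the certificate import will fail
  # there; PRs from branches of this repository get their code signed with
  # the Developer ID before review. Only the release steps are gated below.
  pull_request:
    branches:
      - main

# The automatic GITHUB_TOKEN only needs to read the repository for checkout;
# the release steps authenticate with the GH_TOKEN secret instead.
permissions:
  contents: read

jobs:
  build:
    runs-on: macos-14
    steps:
      # NOTE(review): the actions below are referenced by mutable tags.
      # Pinning each to a full commit SHA is worth considering, above all
      # for the third-party release action that is handed GH_TOKEN.
      - name: Checkout AutoSubs Repo Code
        uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          # Quoted so the version stays a string, not a YAML number.
          node-version: '23'

      # NOTE(review): v2 is older than the other setup actions used here
      # (v4); confirm it is still supported on this runner image.
      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: '3.12.7'

      - name: Import Apple Certificates
        env:
          APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_SIGNING_CERTIFICATE }}
          APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE }}
          INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          # Define paths (all under the runner's temp directory)
          APP_CERT_PATH="$RUNNER_TEMP/app_certificate.p12"
          INSTALLER_CERT_PATH="$RUNNER_TEMP/installer_certificate.p12"
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"

          # Decode and save certificates
          echo "$APP_CERTIFICATE_BASE64" | base64 --decode > "$APP_CERT_PATH"
          echo "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode > "$INSTALLER_CERT_PATH"

          # Create and configure temporary keychain (auto-locks after 6 hours)
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security list-keychains -s "$KEYCHAIN_PATH"

          # NOTE(review): -A lets any application use the imported key without
          # a prompt. Restricting access with -T to the signing tools would be
          # narrower; confirm the build still signs before changing it.

          # Import Application certificate
          security import "$APP_CERT_PATH" -P "$APP_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Import Installer certificate
          security import "$INSTALLER_CERT_PATH" -P "$INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

      # NOTE(review): `npm install` may resolve versions other than those in
      # a lockfile; if the repo commits one, `npm ci` gives reproducible
      # installs for a build that ends up signed.
      - name: Install Dependencies
        run: |
          cd AutoSubs-App
          npm install

      - name: Build App
        env:
          # The secret is expanded into the environment rather than into the
          # script text, so its value is never parsed as shell code.
          APPLE_SIGNING_IDENTITY: "Developer ID Application: ${{ secrets.APPLE_IDENTITY }}"
        run: |
          cd AutoSubs-App
          npm run tauri build -- --bundles app

      - name: Package Python Server
        run: |
          cd Mac-Server
          python3 -m venv venv
          source venv/bin/activate
          pip install -r requirements.txt
          pyinstaller transcription-server.spec --noconfirm
          deactivate

      - name: Code Sign Python Server
        env:
          # Passed through the environment instead of being spliced into the
          # script; child shells started by find inherit it.
          IDENTITY: "Developer ID Application: ${{ secrets.APPLE_IDENTITY }}"
        run: |
          # Define variables
          ENTITLEMENTS="$(pwd)/Mac-Server/entitlements.plist"
          APP_DIR="$(pwd)/Mac-Server/dist/Transcription-Server"

          # Function to sign a single file with the hardened runtime enabled
          sign_file() {
            local file="$1"
            echo "Signing $file..."
            codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$file"
          }
          export -f sign_file   # Export the function so it's available in subshells
          export IDENTITY       # Export IDENTITY so it's available in subshells
          export ENTITLEMENTS   # Export ENTITLEMENTS so it's available in subshells

          # Sign the main executable
          sign_file "$APP_DIR/transcription-server"

          # NOTE(review): find does not propagate the exit status of the
          # command run by -exec ... \; so a codesign failure on an embedded
          # file below does not fail this step. Verifying the result (or
          # looping over the find output) would surface such failures.

          # Sign all embedded binaries and executables in the _internal directory
          find "$APP_DIR/_internal" -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.exe" -o -name "*.bin" -o -name "ffmpeg*" \) -exec bash -c 'sign_file "$0"' {} \;

          # Sign any other executables in the main app directory
          find "$APP_DIR" -type f -perm +111 -exec bash -c 'sign_file "$0"' {} \;

      # Assumes Output/AutoSubs/ already exists in the checkout - TODO confirm.
      - name: Move Python Server and App to Output Folder
        run: |
          mv AutoSubs-App/src-tauri/target/release/bundle/macos/AutoSubs.app Output/AutoSubs/
          mv Mac-Server/dist/Transcription-Server Output/AutoSubs/

      - name: Create PKG Installer
        run: |
          pkgbuild --root "Output" \
            --identifier "com.tom-moroney.autosubs" \
            --version "2.0" \
            --install-location "/Library/Application Support/Blackmagic Design/DaVinci Resolve/Fusion/" \
            "AutoSubs-unsigned.pkg"

      - name: Sign PKG Installer
        env:
          INSTALLER_IDENTITY: "Developer ID Installer: ${{ secrets.APPLE_IDENTITY }}"
        run: |
          productsign --sign "$INSTALLER_IDENTITY" \
            --timestamp \
            "AutoSubs-unsigned.pkg" \
            "AutoSubs-Installer.pkg"

      # The release steps run for pushes to main only, so a pull-request
      # build can never replace the installer attached to a published release.
      - name: Get Latest Release Tag
        id: get_latest_release
        if: github.event_name == 'push'
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        run: |
          latest_tag=$(gh release list --limit 1 --json tagName --jq '.[0].tagName')
          # Stop here when there is no release, so the upload step is never
          # called with an empty tag name.
          if [ -z "$latest_tag" ] || [ "$latest_tag" = "null" ]; then
            echo "No existing release found to attach the installer to" >&2
            exit 1
          fi
          echo "LATEST_TAG=$latest_tag" >> "$GITHUB_ENV"

      - name: Upload Asset to Release
        if: github.event_name == 'push'
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ env.LATEST_TAG }}
          files: AutoSubs-Installer.pkg
          token: ${{ secrets.GH_TOKEN }}

      # Remove the signing material even when an earlier step failed, so the
      # private keys do not outlive the job on a reused runner.
      - name: Remove Signing Keychain and Certificate Files
        if: always()
        run: |
          security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" || true
          rm -f "$RUNNER_TEMP/app_certificate.p12" "$RUNNER_TEMP/installer_certificate.p12"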