Updated spec file to fix ssl error #19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package AutoSubs for MacOS | |
on: | |
pull_request: | |
branches: | |
- main | |
push: | |
branches: | |
- main | |
jobs: | |
build: | |
runs-on: macos-14 | |
steps: | |
- name: Checkout AutoSubs Repo Code | |
uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 23 | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.12.7' | |
- name: Import Apple Certificates | |
env: | |
APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_SIGNING_CERTIFICATE }} | |
APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE }} | |
INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
APPLE_NOTARIZE_KEY: ${{ secrets.APPLE_NOTARIZE_KEY }} | |
APPLE_NOTARIZE_ID: ${{ secrets.APPLE_NOTARIZE_ID }} | |
APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }} | |
run: | | |
# Define paths | |
APP_CERT_PATH=$RUNNER_TEMP/app_certificate.p12 | |
INSTALLER_CERT_PATH=$RUNNER_TEMP/installer_certificate.p12 | |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
# Decode and save certificates | |
echo "$APP_CERTIFICATE_BASE64" | base64 --decode > $APP_CERT_PATH | |
echo "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode > $INSTALLER_CERT_PATH | |
# Create and configure temporary keychain | |
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security list-keychains -s $KEYCHAIN_PATH | |
# Import Application certificate | |
security import $APP_CERT_PATH -P "$APP_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# Import Installer certificate | |
security import $INSTALLER_CERT_PATH -P "$INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# Import Notarization credentials | |
echo "$APPLE_NOTARIZE_KEY" | base64 --decode > Notarization_AuthKey.p8 | |
xcrun notarytool store-credentials "AC_PASSWORD" \ | |
--key "Notarization_AuthKey.p8" \ | |
--key-id "$APPLE_NOTARIZE_ID" \ | |
--issuer "$APPLE_ISSUER" | |
- name: Install Dependencies | |
run: | | |
cd AutoSubs-App | |
npm install | |
- name: Bundle Tauri App | |
run: | | |
cd AutoSubs-App | |
export APPLE_SIGNING_IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}" | |
npm run tauri build -- --bundles app | |
- name: Package Python Server | |
run: | | |
cd Mac-Server | |
python3 -m venv venv | |
source venv/bin/activate | |
pip install -r requirements.txt | |
pyinstaller transcription-server.spec --noconfirm | |
deactivate | |
- name: Code Sign Python Server | |
run: | | |
# Define variables | |
IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}" | |
ENTITLEMENTS="$(pwd)/Mac-Server/entitlements.plist" | |
APP_DIR="$(pwd)/Mac-Server/dist/Transcription-Server" | |
# Function to sign a single file | |
sign_file() { | |
local file="$1" | |
echo "Signing $file..." | |
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$file" | |
} | |
export -f sign_file # Export the function so it's available in subshells | |
export IDENTITY # Export IDENTITY so it's available in subshells | |
export ENTITLEMENTS # Export ENTITLEMENTS so it's available in subshells | |
# Sign the main executable | |
sign_file "$APP_DIR/transcription-server" | |
# Sign all embedded binaries and executables in the _internal directory | |
find "$APP_DIR/_internal" -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.exe" -o -name "*.bin" -o -name "ffmpeg*" \) -exec bash -c 'sign_file "$0"' {} \; | |
# Sign any other executables in the main app directory | |
find "$APP_DIR" -type f -perm +111 -exec bash -c 'sign_file "$0"' {} \; | |
- name: Move Python Server and App to Output Folder | |
run: | | |
mv "AutoSubs-App/src-tauri/target/release/bundle/macos/AutoSubs.app" "Output" | |
mv "Mac-Server/dist/Transcription-Server" "Output" | |
- name: Create PKG Installer | |
run: | | |
# Give permissions to the scripts | |
chmod +x ./scripts | |
# Create the package | |
pkgbuild --root "Output" \ | |
--identifier "com.tom-moroney.autosubs" \ | |
--version "2.0" \ | |
--install-location "/Library/Application Support/Blackmagic Design/DaVinci Resolve/Fusion/AutoSubs" \ | |
--scripts ./scripts \ | |
"AutoSubs-unsigned.pkg" | |
- name: Sign PKG Installer | |
run: | | |
productsign --sign "Developer ID Installer: ${{ secrets.APPLE_IDENTITY }}" \ | |
--timestamp \ | |
"AutoSubs-unsigned.pkg" \ | |
"AutoSubs-Installer-Mac-ARM.pkg" | |
- name: Notarize PKG Installer | |
run: | | |
# Submit for notarization | |
xcrun notarytool submit "AutoSubs-Installer-Mac-ARM.pkg" \ | |
--keychain-profile "AC_PASSWORD" \ | |
--wait | |
# Staple the ticket to the installer | |
xcrun stapler staple "AutoSubs-Installer-Mac-ARM.pkg" | |
- name: Get Latest Release Tag | |
id: get_latest_release | |
env: | |
GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
run: | | |
latest_tag=$(gh release list --limit 1 --json tagName --jq '.[0].tagName') | |
echo "LATEST_TAG=$latest_tag" >> $GITHUB_ENV | |
- name: Upload Asset to Release | |
uses: softprops/action-gh-release@v2 | |
with: | |
tag_name: ${{ env.LATEST_TAG }} | |
files: AutoSubs-Installer-Mac-ARM.pkg | |
token: ${{ secrets.GH_TOKEN }} |