CI: Add codesign to example project

Also reorganizes existing configurations for extension builds and codesign to have a slightly better structure, which can also be mirrored by the project export & codesign routine. Also bumps Godot to 4.3-beta1 for project exports.
YuriSizov · Jun 6, 2024 · 14b4183 · 14b4183
1 parent 62e6376
commit 14b4183
Show file tree

Hide file tree

Showing 16 changed files with 306 additions and 96 deletions.
diff --git a/.github/actions/build-extension/action.yml b/.github/actions/build-extension/action.yml
@@ -6,7 +6,11 @@ inputs:
     description: The build configuration target (editor, template_release, template_debug).
     default: "template_release"
   sconsflags:
+    description: Additional build flags for scons.
     default: ""
+  finalize-binaries:
+    description: Flag that enables finalization steps, like stripping.
+    default: true
 
 runs:
   using: "composite"
@@ -25,3 +29,28 @@ runs:
         ls -l bin/
         echo "Example project build results:"
         ls -l example/bin/
+
+      # Linux-specific post-build steps.
+
+      - name: Prepare the binaries (Linux)
+        if: ${{ env.SCONS_PLATFORM == 'linux' && inputs.finalize-binaries == 'true' }}
+        shell: bash
+        run: |
+          strip bin/libgdsion.linux.*
+          chmod +x bin/libgdsion.linux.*
+
+      # macOS-specific post-build steps.
+
+      - name: Prepare the binaries (macOS)
+        if: ${{ env.SCONS_PLATFORM == 'macos' && inputs.finalize-binaries == 'true' }}
+        shell: bash
+        run: |
+          chmod +x bin/libgdsion.macos.*
+
+      # Windows-specific post-build steps.
+
+      - name: Prepare the binaries (Windows)
+        if: ${{ env.SCONS_PLATFORM == 'windows' && inputs.finalize-binaries == 'true' }}
+        shell: powershell
+        run: |
+          Remove-Item bin/* -Include *.exp,*.lib,*.pdb -Force
diff --git a/.github/actions/export-godot-project/action.yml b/.github/actions/export-godot-project/action.yml
@@ -25,9 +25,9 @@ runs:
       shell: bash
       continue-on-error: true
       run: |
-        godot --headless --path ${{ inputs.project-path }} --editor --quit
+        godot --headless --path ${{ inputs.project-path }} --import
 
-    - name: Export project (${{ inputs.preset }})
+    - name: Export the project (${{ inputs.preset }})
       id: export-project-step
       shell: bash
       env:
@@ -39,3 +39,16 @@ runs:
         echo "Exporting the project..."
         godot --headless --path ${{ inputs.project-path }} --export-release "${{ inputs.preset }}" ${{ env.EXPORT_OUTPUT_PATH }}/${{ inputs.output }}
         echo "export-path=${{ inputs.project-path }}/${{ env.EXPORT_OUTPUT_PATH }}" >> "$GITHUB_OUTPUT"
+
+    # Perform post-export steps.
+
+    # We need the .app folder on macOS, not the zip that Godot produces.
+    - name: Unzip the project (macos)
+      if: ${{ inputs.platform == 'macos' }}
+      shell: bash
+      env:
+        EXPORT_OUTPUT_PATH: export/${{ inputs.platform }}/${{ inputs.arch }}
+      run: |
+        cd ${{ inputs.project-path }}/${{ env.EXPORT_OUTPUT_PATH }}
+        unzip ${{ inputs.output }}
+        rm -f ${{ inputs.output }}
diff --git a/.github/actions/sign-extension/action.yml b/.github/actions/sign-extension/action.yml
@@ -1,5 +1,5 @@
-name: Codesign GDSiON (macos)
-description: Configure the environment and sign the build artifacts for macOS.
+name: Codesign GDSiON
+description: Codesign and notarize extension build artifacts.
 
 inputs:
   setup-env:
@@ -27,10 +27,10 @@ inputs:
 
   # Input/output arguments.
   directory:
-    description: Path to the root folder of the .framework folder.
+    description: Path to the folder with the extension.
     required: true
   target-name:
-    description: Exact name of the .framework folder.
+    description: Name of the extension executable file or folder (like on macOS).
     required: true
 
 runs:
@@ -40,7 +40,7 @@ runs:
 
     # Setup.
 
-    - name: Set up the signing environment
+    - name: Set up the signing environment (macos)
       if: ${{ env.SCONS_PLATFORM == 'macos' && inputs.setup-env == 'true' }}
       shell: bash
       env:
@@ -59,7 +59,7 @@ runs:
         mkdir $RESOURCES_PATH
         sed 's/\${FRAMEWORK_NAME}/${{ inputs.target-name }}/g' $GITHUB_ACTION_PATH/macos/Info.plist > $RESOURCES_PATH/Info.plist
 
-    - name: Sign and notarize the framework
+    - name: Sign and notarize the extension (macos)
       if: ${{ env.SCONS_PLATFORM == 'macos' && inputs.codesign == 'true' }}
       shell: bash
       env:

diff --git a/.github/actions/sign-extension/macos/sign.sh b/.github/actions/sign-extension/macos/sign.sh
@@ -8,7 +8,7 @@ apple_dev_team_id="$APPLE_DEV_TEAM_ID"
 apple_dev_password="$APPLE_DEV_PASSWORD"
 
 framework_path="$FRAMEWORK_PATH"
-archive_path="$ARCHIVE_PATH.zip"
+archive_path="$FRAMEWORK_PATH.zip"
 
 if [ -z "${apple_dev_id}" ]; then
   echo "ERROR: Missing Apple developer ID."

diff --git a/.github/actions/sign-godot-project/action.yml b/.github/actions/sign-godot-project/action.yml
@@ -0,0 +1,62 @@
+name: Codesign Godot Project
+description: Codesign and notarize Godot project export artifacts.
+
+inputs:
+  setup-env:
+    description: Flag that enables the setup step.
+    default: false
+  codesign:
+    description: Flag that enables the codesign step.
+    default: false
+
+  # Setup arguments.
+  apple-cert-base64:
+    required: true
+  apple-cert-password:
+    required: true
+
+  # Codesign arguments.
+  apple-dev-id:
+    required: true
+  apple-dev-app-id:
+    required: true
+  apple-dev-team-id:
+    required: true
+  apple-dev-password:
+    required: true
+
+  # Input/output arguments.
+  directory:
+    description: Path to the folder with the project.
+    required: true
+  target-name:
+    description: Name of the project executable file or folder (like on macOS).
+    required: true
+
+runs:
+  using: composite
+  steps:
+    # macOS-specific steps.
+
+    # Setup.
+
+    - name: Set up the signing environment (macos)
+      if: ${{ env.SCONS_PLATFORM == 'macos' && inputs.setup-env == 'true' }}
+      shell: bash
+      env:
+        APPLE_CERT_BASE64:   ${{ inputs.apple-cert-base64 }}
+        APPLE_CERT_PASSWORD: ${{ inputs.apple-cert-password }}
+      run: $GITHUB_ACTION_PATH/macos/setup.sh
+
+    # Codesign.
+
+    - name: Sign and notarize the project (macos)
+      if: ${{ env.SCONS_PLATFORM == 'macos' && inputs.codesign == 'true' }}
+      shell: bash
+      env:
+        APPLE_DEV_ID:       ${{ inputs.apple-dev-id }}
+        APPLE_DEV_APP_ID:   ${{ inputs.apple-dev-app-id }}
+        APPLE_DEV_TEAM_ID:  ${{ inputs.apple-dev-team-id }}
+        APPLE_DEV_PASSWORD: ${{ inputs.apple-dev-password }}
+        APP_PATH:           ${{ inputs.directory }}/${{ inputs.target-name }}
+      run: $GITHUB_ACTION_PATH/macos/sign.sh
diff --git a/.github/actions/sign-godot-project/macos/setup.sh b/.github/actions/sign-godot-project/macos/setup.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Based on https://github.com/godot-jolt/godot-jolt/blob/master/scripts/ci_sign_macos.ps1
+
+certificate_base64="$APPLE_CERT_BASE64"
+certificate_password="$APPLE_CERT_PASSWORD"
+
+if [ -z "${certificate_base64}" ]; then
+  echo "ERROR: Missing codesign certificate."
+  exit 1
+fi
+if [ -z "${certificate_password}" ]; then
+  echo "ERROR: Missing codesign certificate password."
+  exit 1
+fi
+
+# Convert the certificate back to its file form.
+
+echo "Decoding the base64 certificate..."
+
+certificate_path="certificate.p12"
+base64 --decode -o ${certificate_path} <<< "${certificate_base64}"
+
+# Set up the keychain and import the certificate.
+
+keychain="ephemeral.keychain"
+keychain_password="$(openssl rand -base64 16)"
+
+echo "Creating the default keychain..."
+
+security create-keychain -p ${keychain_password} ${keychain}
+security default-keychain -s ${keychain}
+
+echo "Importing the certificate into the keychain..."
+
+security import ${certificate_path} -k ~/Library/Keychains/${keychain} -P ${certificate_password} -T /usr/bin/codesign
+security find-identity
+
+echo "Granting access to the keychain..."
+
+security set-key-partition-list -S "apple-tool:,apple:" -s -k ${keychain_password} ${keychain}
+security set-keychain-settings ${keychain}
diff --git a/.github/actions/sign-godot-project/macos/sign.sh b/.github/actions/sign-godot-project/macos/sign.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Based on https://github.com/godot-jolt/godot-jolt/blob/master/scripts/ci_sign_macos.ps1
+
+apple_dev_id="$APPLE_DEV_ID"
+apple_dev_app_id="$APPLE_DEV_APP_ID"
+apple_dev_team_id="$APPLE_DEV_TEAM_ID"
+apple_dev_password="$APPLE_DEV_PASSWORD"
+
+app_path="$APP_PATH"
+archive_path="$APP_PATH.zip"
+
+if [ -z "${apple_dev_id}" ]; then
+  echo "ERROR: Missing Apple developer ID."
+  exit 1
+fi
+if [ -z "${apple_dev_app_id}" ]; then
+  echo "ERROR: Missing Apple developer application ID."
+  exit 1
+fi
+if [ -z "${apple_dev_team_id}" ]; then
+  echo "ERROR: Missing Apple team ID."
+  exit 1
+fi
+if [ -z "${apple_dev_password}" ]; then
+  echo "ERROR: Missing Apple developer password."
+  exit 1
+fi
+if [ -z "${app_path}" ]; then
+  echo "ERROR: Missing application path to sign."
+  exit 1
+fi
+
+# Sign, notarize, and staple the app.
+
+echo "Signing and verifying the app at '${app_path}'..."
+
+codesign --timestamp --verbose --deep --force --options runtime --sign "${apple_dev_app_id}" "${app_path}"
+codesign --verify "${app_path}"
+
+echo "Archiving and notarizing the signed app..."
+
+ditto -ck "${app_path}" "${archive_path}"
+xcrun notarytool submit "${archive_path}" --apple-id ${apple_dev_id} --team-id ${apple_dev_team_id} --password ${apple_dev_password} --wait
+
+echo "Stapling the notarization ticket to the signed app..."
+
+xcrun stapler staple "${app_path}"
diff --git a/.github/actions/upload-extension/action.yml b/.github/actions/upload-extension/action.yml
@@ -1,91 +1,9 @@
 name: Upload GDSiON release
-description: Strip and upload build artifacts.
-
-inputs:
-  sign-extension:
-    description: Flag that enables the codesign routine for platforms that support it.
-    default: false
-
-  # Explicit secrets passthrough for codesign.
-  apple-cert-base64:
-    required: true
-  apple-cert-password:
-    required: true
-  apple-dev-id:
-    required: true
-  apple-dev-app-id:
-    required: true
-  apple-dev-team-id:
-    required: true
-  apple-dev-password:
-    required: true
+description: Upload build artifacts to GitHub.
 
 runs:
   using: "composite"
   steps:
-
-    # Linux-specific steps.
-
-    - name: Prepare the binaries (Linux)
-      if: ${{ env.SCONS_PLATFORM == 'linux' }}
-      shell: bash
-      run: |
-        strip bin/libgdsion.linux.*
-        chmod +x bin/libgdsion.linux.*
-
-    # macOS-specific steps.
-
-    - name: Prepare the binaries (macOS)
-      if: ${{ env.SCONS_PLATFORM == 'macos' }}
-      shell: bash
-      run: |
-        chmod +x bin/libgdsion.macos.*
-
-    - name: Set up codesign (macOS)
-      if: ${{ env.SCONS_PLATFORM == 'macos' && inputs.sign-extension }}
-      uses: ./.github/actions/sign-extension
-      with:
-        setup-env: true
-
-        apple-cert-base64:   ${{ inputs.apple-cert-base64 }}
-        apple-cert-password: ${{ inputs.apple-cert-password }}
-
-    - name: Sign the binaries (macOS, debug)
-      if: ${{ env.SCONS_PLATFORM == 'macos' && inputs.sign-extension }}
-      uses: ./.github/actions/sign-extension
-      with:
-        codesign: true
-        directory: bin
-        target-name: libgdsion.macos.template_debug.framework
-
-        apple-dev-id:        ${{ inputs.apple-dev-id }}
-        apple-dev-app-id:    ${{ inputs.apple-dev-app-id }}
-        apple-dev-team-id:   ${{ inputs.apple-dev-team-id }}
-        apple-dev-password:  ${{ inputs.apple-dev-password }}
-
-    - name: Sign the binaries (macOS, release)
-      if: ${{ env.SCONS_PLATFORM == 'macos' && inputs.sign-extension }}
-      uses: ./.github/actions/sign-extension
-      with:
-        codesign: true
-        directory: bin
-        target-name: libgdsion.macos.template_release.framework
-
-        apple-dev-id:        ${{ inputs.apple-dev-id }}
-        apple-dev-app-id:    ${{ inputs.apple-dev-app-id }}
-        apple-dev-team-id:   ${{ inputs.apple-dev-team-id }}
-        apple-dev-password:  ${{ inputs.apple-dev-password }}
-
-    # Windows-specific steps.
-
-    - name: Prepare the binaries (Windows)
-      if: ${{ env.SCONS_PLATFORM == 'windows' }}
-      shell: powershell
-      run: |
-        Remove-Item bin/* -Include *.exp,*.lib,*.pdb -Force
-
-    # Common final steps.
-
     - name: Upload the binaries as an artifact
       uses: actions/upload-artifact@v4
       with:

diff --git a/.github/workflows/build-release-tagged.yml b/.github/workflows/build-release-tagged.yml
@@ -74,6 +74,9 @@ jobs:
     name: Export the example project for target platforms
     needs: [ release-all ]
     uses: ./.github/workflows/example-export-project.yml
+    secrets: inherit
+    with:
+      with-codesign: true
 
   publish-example-project:
     name: Package and publish the example project

diff --git a/.github/workflows/build-release-unstable.yml b/.github/workflows/build-release-unstable.yml
@@ -59,6 +59,9 @@ jobs:
     name: Export the example project for target platforms
     needs: [ build-linux, build-macos, build-windows, build-web, build-android ]
     uses: ./.github/workflows/example-export-project.yml
+    secrets: inherit
+    with:
+      with-codesign: true
 
   publish-example-project:
     name: Package and publish the example project