godot-cpp-template/.github/actions/sign/action.yml


# This file incorporates work covered by the following copyright and permission notice:
#
# Copyright (c) Mikael Hermansson and Godot Jolt contributors.
# Copyright (c) Dragos Daian.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
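name: GDExtension Sign
description: Sign and notarize a macOS GDExtension framework with an Apple Developer ID certificate.

inputs:
  FRAMEWORK_PATH:
    description: >-
      The path of the artifact.
      Eg. bin/addons/my_addon/bin/libmy_addon.macos.template_release.universal.framework
    required: true
  SIGN_FLAGS:
    description: The extra flags to use. Eg. --deep
    required: false
  # The inputs below are credentials. Wire them from repository/organization
  # secrets (`${{ secrets.* }}`), never as literals in a workflow file.
  APPLE_CERT_BASE64:
    description: Base64 file from p12 certificate.
    required: true
  APPLE_CERT_PASSWORD:
    description: Password set when creating p12 certificate from .cer certificate.
    required: true
  APPLE_DEV_PASSWORD:
    description: Apple App-Specific Password. Eg. abcd-abcd-abcd-abcd
    required: true
  APPLE_DEV_ID:
    description: Email used for Apple Id. Eg. email@provider.com
    required: true
  APPLE_DEV_TEAM_ID:
    description: Apple Team Id. Eg. 1ABCD23EFG
    required: true
  APPLE_DEV_APP_ID:
    # Folded scalar: the example contains ": ", which a plain scalar cannot hold.
    description: >-
      Certificate name from get info -> Common name.
      Eg. Developer ID Application: Common Name (1ABCD23EFG)
    required: true

outputs:
  zip_path:
    description: Path of the zip archive containing the signed framework, as submitted for notarization.
    value: ${{ steps.sign.outputs.path }}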
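runs:
  using: composite
  steps:
    - name: Sign
      id: sign
      shell: pwsh
      # Inputs are handed to the script through environment variables instead
      # of being expanded with `${{ }}` into the script text. An expanded value
      # becomes PowerShell source, so a crafted FRAMEWORK_PATH or SIGN_FLAGS
      # could run arbitrary commands; an env var is only ever data.
      env:
        FRAMEWORK_PATH: ${{ inputs.FRAMEWORK_PATH }}
        SIGN_FLAGS: ${{ inputs.SIGN_FLAGS }}
        APPLE_CERT_BASE64: ${{ inputs.APPLE_CERT_BASE64 }}
        APPLE_CERT_PASSWORD: ${{ inputs.APPLE_CERT_PASSWORD }}
        APPLE_DEV_PASSWORD: ${{ inputs.APPLE_DEV_PASSWORD }}
        APPLE_DEV_ID: ${{ inputs.APPLE_DEV_ID }}
        APPLE_DEV_TEAM_ID: ${{ inputs.APPLE_DEV_TEAM_ID }}
        APPLE_DEV_APP_ID: ${{ inputs.APPLE_DEV_APP_ID }}
      run: |
        #!/usr/bin/env pwsh
        # Copyright (c) Mikael Hermansson and Godot Jolt contributors.
        # Permission is hereby granted, free of charge, to any person obtaining a copy of
        # this software and associated documentation files (the "Software"), to deal in
        # the Software without restriction, including without limitation the rights to
        # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
        # the Software, and to permit persons to whom the Software is furnished to do so,
        # subject to the following conditions:
        # The above copyright notice and this permission notice shall be included in all
        # copies or substantial portions of the Software.
        # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
        # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
        # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
        # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
        # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
        # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
        # Taken from https://github.com/godot-jolt/godot-jolt/blob/master/scripts/ci_sign_macos.ps1
        Set-StrictMode -Version Latest
        $ErrorActionPreference = "Stop"

        # $ErrorActionPreference does not cover the exit status of native tools
        # (security, codesign, ditto, xcrun), so every one that matters is
        # checked explicitly; otherwise a failed codesign would still yield a zip.
        function Assert-LastExitCode([string] $What) {
          if ($LASTEXITCODE -ne 0) { throw "$What failed with exit code $LASTEXITCODE" }
        }

        # All inputs come from the step's env: mapping (see action.yml).
        $CertificateBase64 = $env:APPLE_CERT_BASE64
        $CertificatePassword = $env:APPLE_CERT_PASSWORD
        $DevId = $env:APPLE_DEV_ID
        $DevTeamId = $env:APPLE_DEV_TEAM_ID
        $DevPassword = $env:APPLE_DEV_PASSWORD
        $DeveloperIdApplication = $env:APPLE_DEV_APP_ID
        $Framework = $env:FRAMEWORK_PATH
        $SignFlags = $env:SIGN_FLAGS

        if (!$CertificateBase64) { throw "No certificate provided" }
        if (!$CertificatePassword) { throw "No certificate password provided" }
        if (!$DevId) { throw "No Apple Developer ID provided" }
        if (!$DeveloperIdApplication) { throw "No Apple Developer ID Application provided" }
        if (!$DevTeamId) { throw "No Apple Team ID provided" }
        if (!$DevPassword) { throw "No Apple Developer password provided" }
        if (!$Framework) { throw "No framework path provided" }
        if (!(Test-Path -LiteralPath $Framework)) { throw "Framework '$Framework' does not exist" }

        $CodesignPath = (Get-Command codesign).Source
        $CertificatePath = [IO.Path]::ChangeExtension((New-TemporaryFile), "p12")
        $Archive = [IO.Path]::ChangeExtension((New-TemporaryFile), "zip")
        $Keychain = "ephemeral.keychain"
        # Random single-use password; the keychain is deleted again in `finally`.
        $KeychainPassword = (New-Guid).ToString().Replace("-", "")
        # Remembered so the runner's default keychain can be restored afterwards
        # (matters on self-hosted runners that persist between jobs).
        $OriginalDefaultKeychain = (security default-keychain | Out-String).Trim().Trim('"')

        try {
          Write-Output "Decoding certificate..."
          $Certificate = [Convert]::FromBase64String($CertificateBase64)
          Write-Output "Writing certificate to disk..."
          [IO.File]::WriteAllBytes($CertificatePath, $Certificate)

          Write-Output "Creating keychain..."
          security create-keychain -p $KeychainPassword $Keychain
          Assert-LastExitCode "security create-keychain"
          Write-Output "Setting keychain as default..."
          security default-keychain -s $Keychain
          Assert-LastExitCode "security default-keychain"

          # -T limits non-interactive use of the imported key to codesign.
          # `security import` and `notarytool` only take passwords as arguments,
          # so they are visible to other processes on the runner for the
          # duration of each call.
          Write-Output "Importing certificate into keychain..."
          security import $CertificatePath `
            -k ~/Library/Keychains/$Keychain `
            -P $CertificatePassword `
            -T $CodesignPath
          Assert-LastExitCode "security import"
          Write-Output "Check identities..."
          security find-identity
          Write-Output "Granting access to keychain..."
          security set-key-partition-list -S "apple-tool:,apple:" -s -k $KeychainPassword $Keychain
          Assert-LastExitCode "security set-key-partition-list"

          # SIGN_FLAGS is optional: an empty value must not reach codesign as an
          # empty argument (which it would treat as a path). Whitespace-separated
          # flags are passed as individual arguments.
          $CodesignArgs = @("--verify", "--timestamp", "--verbose")
          if ($SignFlags) { $CodesignArgs += @($SignFlags.Trim() -split '\s+') }
          $CodesignArgs += @("--sign", $DeveloperIdApplication, $Framework)
          Write-Output "Signing '$Framework'..."
          & $CodesignPath @CodesignArgs
          Assert-LastExitCode "codesign"
          Write-Output "Verifying signing..."
          & $CodesignPath --verify -dvvv $Framework
          Assert-LastExitCode "codesign --verify"
          Get-ChildItem -Force -Recurse -Path $Framework

          Write-Output "Archiving framework to '$Archive'..."
          ditto -ck -rsrc --sequesterRsrc --keepParent $Framework $Archive
          Assert-LastExitCode "ditto"

          Write-Output "Submitting archive for notarization..."
          $SubmitOutput = xcrun notarytool submit $Archive `
            --apple-id $DevId `
            --team-id $DevTeamId `
            --password $DevPassword `
            --wait
          $SubmitText = $SubmitOutput -join "`n"
          Write-Output $SubmitText
          Assert-LastExitCode "notarytool submit"

          # notarytool reports the submission as "  id: <uuid>"; the first
          # occurrence is used. Failing here is preferable to calling
          # `notarytool log` with an undefined id, as the previous version did.
          $IdMatch = [regex]::Match($SubmitText, 'id:\s*([0-9a-fA-F-]{36})')
          if (!$IdMatch.Success) { throw "Could not find a submission id in notarytool output" }
          $SubmissionId = $IdMatch.Groups[1].Value

          Write-Output "Fetching notarization log..."
          xcrun notarytool log $SubmissionId `
            --apple-id $DevId `
            --team-id $DevTeamId `
            --password $DevPassword `
            developer_log.json
          Assert-LastExitCode "notarytool log"
          Get-Content developer_log.json

          # The log is printed before this check so the rejection reason is in
          # the job output. A non-accepted submission must fail the step instead
          # of handing an un-notarized archive to the caller.
          if ($SubmitText -notmatch 'status:\s*Accepted') {
            throw "Notarization of '$Archive' was not accepted"
          }
        }
        finally {
          # Remove the private key material from the runner even on failure.
          Write-Output "Removing ephemeral keychain and certificate file..."
          if (Test-Path -LiteralPath $CertificatePath) { Remove-Item -Force -LiteralPath $CertificatePath }
          security delete-keychain $Keychain
          if ($OriginalDefaultKeychain) { security default-keychain -s $OriginalDefaultKeychain }
        }

        # Only reached after signing and notarization both succeeded.
        Add-Content -Path $env:GITHUB_OUTPUT -Value "path=$Archive"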