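---
# Builds the Graphite macOS desktop bundle on manual dispatch and on every push
# to master, uploads the unsigned bundle, and — on master only — signs,
# notarizes and staples it with the Apple credentials held in repository secrets.
name: Build Mac Bundle

on:  # yamllint disable-line rule:truthy
  workflow_dispatch: {}
  push:
    branches:
      - master

# Least privilege: nothing here writes back to the repository, so the job token
# only needs read access (it is handed to cargo-binstall below).
permissions:
  contents: read

jobs:
  build:
    runs-on: macos-latest
    env:
      # Quoted so YAML keeps it a string; keep in step with the wasm-bindgen
      # crate version in Cargo.lock (the CLI and crate must match).
      WASM_BINDGEN_CLI_VERSION: "0.2.100"
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Rust
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable
          override: true
          # Explicit empty string: presumably overrides the action's default
          # RUSTFLAGS rather than leaving them unset — confirm against the action.
          rustflags: ""
          target: wasm32-unknown-unknown

      - name: Cache Cargo
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: cargo-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
          cache: npm
          cache-dependency-path: |
            package-lock.json
            frontend/package-lock.json

      - name: Install Native Dependencies
        env:
          # Read-only job token; presumably used by cargo-binstall to download
          # release assets from GitHub.
          GITHUB_TOKEN: ${{ github.token }}
          BINSTALL_DISABLE_TELEMETRY: "true"
        run: |
          brew update
          brew install \
            pkg-config \
            openssl@3 \
            binaryen \
            llvm \
            cargo-binstall
          echo "OPENSSL_DIR=$(brew --prefix openssl@3)" >> "$GITHUB_ENV"
          echo "PKG_CONFIG_PATH=$(brew --prefix openssl@3)/lib/pkgconfig" >> "$GITHUB_ENV"
          echo "$(brew --prefix llvm)/bin" >> "$GITHUB_PATH"
          cargo binstall --no-confirm --force wasm-pack
          cargo binstall --no-confirm --force cargo-about
          cargo binstall --no-confirm --force "wasm-bindgen-cli@${WASM_BINDGEN_CLI_VERSION}"

      - name: Build Mac Bundle
        env:
          CARGO_TERM_COLOR: always
        run: npm run build-desktop

      - name: Stage Artifacts
        shell: bash
        run: |
          rm -rf target/artifacts
          mkdir -p target/artifacts
          cp -R target/release/Graphite.app target/artifacts/Graphite.app

      - name: Upload Mac Bundle
        uses: actions/upload-artifact@v4
        with:
          name: graphite-mac-bundle
          path: target/artifacts

      - name: Sign and Notarize Mac Bundle Preparation
        # Signing secrets are only exposed on master; other refs stop at the
        # unsigned artifact.
        if: github.ref == 'refs/heads/master'
        env:
          APPLE_CERT_BASE64: ${{ secrets.APPLE_CERT_BASE64 }}
          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
        run: |
          mkdir -p .sign
          echo "$APPLE_CERT_BASE64" | base64 --decode > .sign/certificate.p12
          # Throw-away keychain with an empty password on an ephemeral runner;
          # lock timeout 3600 s, and it is deleted by the cleanup step at the end.
          security create-keychain -p "" .sign/main.keychain
          security default-keychain -s .sign/main.keychain
          security unlock-keychain -p "" .sign/main.keychain
          security set-keychain-settings -t 3600 -u .sign/main.keychain
          # -T limits which binaries may use the imported key without a prompt.
          security import .sign/certificate.p12 -k .sign/main.keychain -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign
          security set-key-partition-list -S apple-tool:,apple: -s -k "" .sign/main.keychain
          # Hardened-runtime entitlements. Every entry below *relaxes* the
          # hardened runtime (JIT, unsigned executable memory, executable page
          # protection, library validation); keep the list to the minimum the
          # embedded Chromium framework actually requires.
          cat > .sign/entitlements.plist <<'EOF'
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
            <key>com.apple.security.cs.allow-jit</key>
            <true/>
            <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
            <true/>
            <key>com.apple.security.cs.disable-executable-page-protection</key>
            <true/>
            <key>com.apple.security.cs.disable-library-validation</key>
            <true/>
          </dict>
          </plist>
          EOF

      - name: Sign and Notarize Mac Bundle
        if: github.ref == 'refs/heads/master'
        env:
          APPLE_EMAIL: ${{ secrets.APPLE_EMAIL }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
        run: |
          CERTIFICATE="$APPLE_CERT_NAME"
          ENTITLEMENTS=".sign/entitlements.plist"
          APP_PATH="target/artifacts/Graphite.app"
          ZIP_PATH=".sign/Graphite.zip"
          # Same codesign invocation for every component; extra args pass through.
          sign() {
            codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$@"
          }
          # Nested helpers, the CEF framework and its dylibs are signed first,
          # then the outer bundle (with --deep) so nothing is left unsigned.
          sign "$APP_PATH/Contents/Frameworks/Graphite Helper.app"
          sign "$APP_PATH/Contents/Frameworks/Graphite Helper (GPU).app"
          sign "$APP_PATH/Contents/Frameworks/Graphite Helper (Renderer).app"
          sign "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework"
          sign "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libcef_sandbox.dylib"
          sign "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libEGL.dylib"
          sign "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libGLESv2.dylib"
          sign "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libvk_swiftshader.dylib"
          sign "$APP_PATH" --deep
          # Strict verification fails the job before anything is sent to Apple.
          codesign --verify --deep --strict --verbose=4 "$APP_PATH"
          ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
          xcrun notarytool submit "$ZIP_PATH" --wait --apple-id "$APPLE_EMAIL" --team-id "$APPLE_TEAM_ID" --password "$APPLE_PASSWORD"
          rm "$ZIP_PATH"
          xcrun stapler staple -v "$APP_PATH"
          # Gatekeeper assessment of the stapled bundle; a rejection fails the job.
          spctl -a -vv "$APP_PATH"

      - name: Upload Mac Bundle Signed
        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v4
        with:
          name: graphite-mac-bundle-signed
          path: target/artifacts

      - name: Clean Up Signing Material
        # Runs even when signing fails so the decoded certificate and the
        # unlocked keychain do not outlive the job.
        if: always() && github.ref == 'refs/heads/master'
        run: |
          security delete-keychain .sign/main.keychain || true
          rm -rf .sign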