CI: Add codesign steps and update some workflows

Also updates the README in preparation for the first release.
YuriSizov · Jun 7, 2024 · 15acb45 · 15acb45
1 parent 65858f8
commit 15acb45
Show file tree

Hide file tree

Showing 9 changed files with 252 additions and 14 deletions.
diff --git a/.github/actions/export-godot-project/action.yml b/.github/actions/export-godot-project/action.yml
@@ -27,7 +27,7 @@ runs:
       run: |
         godot --headless --path ${{ inputs.project-path }} --import
 
-    - name: Export project (${{ inputs.preset }})
+    - name: Export the project (${{ inputs.preset }})
       id: export-project-step
       shell: bash
       env:
@@ -39,3 +39,16 @@ runs:
         echo "Exporting the project..."
         godot --headless --path ${{ inputs.project-path }} --export-release "${{ inputs.preset }}" ${{ env.EXPORT_OUTPUT_PATH }}/${{ inputs.output }}
         echo "export-path=${{ inputs.project-path }}/${{ env.EXPORT_OUTPUT_PATH }}" >> "$GITHUB_OUTPUT"
+
+    # Perform post-export steps.
+
+    # We need the .app folder on macOS, not the zip that Godot produces.
+    - name: Unzip the project (macos)
+      if: ${{ inputs.platform == 'macos' }}
+      shell: bash
+      env:
+        EXPORT_OUTPUT_PATH: export/${{ inputs.platform }}/${{ inputs.arch }}
+      run: |
+        cd ${{ inputs.project-path }}/${{ env.EXPORT_OUTPUT_PATH }}
+        unzip ${{ inputs.output }}
+        rm -f ${{ inputs.output }}
diff --git a/.github/actions/make-release/release-notes.md b/.github/actions/make-release/release-notes.md
@@ -2,9 +2,9 @@ If you experience issues, [please report them](https://github.com/YuriSizov/bosc
 
 ## Downloads
 
-* [Download for Linux (x86_64)](https://github.com/YuriSizov/boscaceoil-blue/releases/download/${VERSION_TAG}/boscaceoil-blue-linux-x86_64.zip)
-* [Download for macOS (Universal)](https://github.com/YuriSizov/boscaceoil-blue/releases/download/${VERSION_TAG}/boscaceoil-blue-macos-universal.zip)
-* [Download for Windows (x86_64)](https://github.com/YuriSizov/boscaceoil-blue/releases/download/${VERSION_TAG}/boscaceoil-blue-windows-x86_64.zip)
-* [Download for Windows (x86_32)](https://github.com/YuriSizov/boscaceoil-blue/releases/download/${VERSION_TAG}/boscaceoil-blue-windows-x86_32.zip)
+* **[Download for Linux (x86_64)](https://github.com/YuriSizov/boscaceoil-blue/releases/download/${VERSION_TAG}/boscaceoil-blue-linux-x86_64.zip)**
+* **[Download for macOS (Universal)](https://github.com/YuriSizov/boscaceoil-blue/releases/download/${VERSION_TAG}/boscaceoil-blue-macos-universal.zip)**
+* **[Download for Windows (x86_64)](https://github.com/YuriSizov/boscaceoil-blue/releases/download/${VERSION_TAG}/boscaceoil-blue-windows-x86_64.zip)**
+* **[Download for Windows (x86_32)](https://github.com/YuriSizov/boscaceoil-blue/releases/download/${VERSION_TAG}/boscaceoil-blue-windows-x86_32.zip)**
 
 _Built from commit [${COMMIT_HASH}](https://github.com/YuriSizov/boscaceoil-blue/commits/${COMMIT_HASH}/)._
diff --git a/.github/actions/sign-godot-project/action.yml b/.github/actions/sign-godot-project/action.yml
@@ -0,0 +1,66 @@
+name: Codesign Godot Project
+description: Codesign and notarize Godot project export artifacts.
+
+inputs:
+  platform:
+    description: Target platform.
+    required: true
+
+  setup-env:
+    description: Flag that enables the setup step.
+    default: false
+  codesign:
+    description: Flag that enables the codesign step.
+    default: false
+
+  # Setup arguments.
+  apple-cert-base64:
+    required: true
+  apple-cert-password:
+    required: true
+
+  # Codesign arguments.
+  apple-dev-id:
+    required: true
+  apple-dev-app-id:
+    required: true
+  apple-dev-team-id:
+    required: true
+  apple-dev-password:
+    required: true
+
+  # Input/output arguments.
+  directory:
+    description: Path to the folder with the project.
+    required: true
+  target-name:
+    description: Name of the project executable file or folder (like on macOS).
+    required: true
+
+runs:
+  using: composite
+  steps:
+    # macOS-specific steps.
+
+    # Setup.
+
+    - name: Set up the signing environment (macos)
+      if: ${{ inputs.platform == 'macos' && inputs.setup-env == 'true' }}
+      shell: bash
+      env:
+        APPLE_CERT_BASE64:   ${{ inputs.apple-cert-base64 }}
+        APPLE_CERT_PASSWORD: ${{ inputs.apple-cert-password }}
+      run: $GITHUB_ACTION_PATH/macos/setup.sh
+
+    # Codesign.
+
+    - name: Sign and notarize the project (macos)
+      if: ${{ inputs.platform == 'macos' && inputs.codesign == 'true' }}
+      shell: bash
+      env:
+        APPLE_DEV_ID:       ${{ inputs.apple-dev-id }}
+        APPLE_DEV_APP_ID:   ${{ inputs.apple-dev-app-id }}
+        APPLE_DEV_TEAM_ID:  ${{ inputs.apple-dev-team-id }}
+        APPLE_DEV_PASSWORD: ${{ inputs.apple-dev-password }}
+        APP_PATH:           ${{ inputs.directory }}/${{ inputs.target-name }}
+      run: $GITHUB_ACTION_PATH/macos/sign.sh
diff --git a/.github/actions/sign-godot-project/macos/setup.sh b/.github/actions/sign-godot-project/macos/setup.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Based on https://github.com/godot-jolt/godot-jolt/blob/master/scripts/ci_sign_macos.ps1
+
+certificate_base64="$APPLE_CERT_BASE64"
+certificate_password="$APPLE_CERT_PASSWORD"
+
+if [ -z "${certificate_base64}" ]; then
+  echo "ERROR: Missing codesign certificate."
+  exit 1
+fi
+if [ -z "${certificate_password}" ]; then
+  echo "ERROR: Missing codesign certificate password."
+  exit 1
+fi
+
+# Convert the certificate back to its file form.
+
+echo "Decoding the base64 certificate..."
+
+certificate_path="certificate.p12"
+base64 --decode -o ${certificate_path} <<< "${certificate_base64}"
+
+# Set up the keychain and import the certificate.
+
+keychain="ephemeral.keychain"
+keychain_password="$(openssl rand -base64 16)"
+
+echo "Creating the default keychain..."
+
+security create-keychain -p ${keychain_password} ${keychain}
+security default-keychain -s ${keychain}
+
+echo "Importing the certificate into the keychain..."
+
+security import ${certificate_path} -k ~/Library/Keychains/${keychain} -P ${certificate_password} -T /usr/bin/codesign
+security find-identity
+
+echo "Granting access to the keychain..."
+
+security set-key-partition-list -S "apple-tool:,apple:" -s -k ${keychain_password} ${keychain}
+security set-keychain-settings ${keychain}
diff --git a/.github/actions/sign-godot-project/macos/sign.sh b/.github/actions/sign-godot-project/macos/sign.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Based on https://github.com/godot-jolt/godot-jolt/blob/master/scripts/ci_sign_macos.ps1
+
+apple_dev_id="$APPLE_DEV_ID"
+apple_dev_app_id="$APPLE_DEV_APP_ID"
+apple_dev_team_id="$APPLE_DEV_TEAM_ID"
+apple_dev_password="$APPLE_DEV_PASSWORD"
+
+app_path="$APP_PATH"
+archive_path="$APP_PATH.zip"
+
+if [ -z "${apple_dev_id}" ]; then
+  echo "ERROR: Missing Apple developer ID."
+  exit 1
+fi
+if [ -z "${apple_dev_app_id}" ]; then
+  echo "ERROR: Missing Apple developer application ID."
+  exit 1
+fi
+if [ -z "${apple_dev_team_id}" ]; then
+  echo "ERROR: Missing Apple team ID."
+  exit 1
+fi
+if [ -z "${apple_dev_password}" ]; then
+  echo "ERROR: Missing Apple developer password."
+  exit 1
+fi
+if [ -z "${app_path}" ]; then
+  echo "ERROR: Missing application path to sign."
+  exit 1
+fi
+
+# Sign, notarize, and staple the app.
+
+echo "Signing and verifying the app at '${app_path}'..."
+
+codesign --timestamp --verbose --deep --force --options runtime --sign "${apple_dev_app_id}" "${app_path}"
+codesign --verify "${app_path}"
+
+echo "Archiving and notarizing the signed app..."
+
+ditto -ck --keepParent "${app_path}" "${archive_path}"
+xcrun notarytool submit "${archive_path}" --apple-id ${apple_dev_id} --team-id ${apple_dev_team_id} --password ${apple_dev_password} --wait
+
+echo "Stapling the notarization ticket to the signed app..."
+
+xcrun stapler staple "${app_path}"
+
+echo "Cleaning up..."
+
+rm -f "${archive_path}"
diff --git a/.github/workflows/build-release-tagged.yml b/.github/workflows/build-release-tagged.yml
@@ -16,6 +16,9 @@ jobs:
   export-project:
     name: Export the project for target platforms
     uses: ./.github/workflows/export-project.yml
+    secrets: inherit
+    with:
+      with-codesign: true
 
   publish-project:
     name: Package and publish the project

diff --git a/.github/workflows/export-project.yml b/.github/workflows/export-project.yml
@@ -2,6 +2,10 @@ name: Export Project
 
 on:
   workflow_call:
+    inputs:
+      with-codesign:
+        type: boolean
+        default: false
 
 # Make sure jobs cannot overlap.
 concurrency:
@@ -10,7 +14,7 @@ concurrency:
 
 env:
   GODOT_VERSION: "4.3.0-beta1"
-  GDSION_VERSION: "0.7-beta0"
+  GDSION_VERSION: "0.7-beta1"
 
 jobs:
   export-publish:
@@ -22,31 +26,37 @@ jobs:
             arch: x86_64
             preset: "Linux - x86_64"
             output: "boscaceoil-blue.x86_64"
+            app-name: "boscaceoil-blue.x86_64"
             runs-on: ubuntu-latest
 
           - platform: macos
             arch: universal
             preset: "macOS - Universal"
             output: "boscaceoil-blue.zip"
+            app-name: "Bosca Ceoil- The Blue Album.app"
             runs-on: macos-latest
 
           - platform: windows
             arch: x86_64
             preset: "Windows - x86_64"
             output: "boscaceoil-blue.exe"
+            app-name: "boscaceoil-blue.exe"
             runs-on: windows-latest
 
           - platform: windows
             arch: x86_32
             preset: "Windows - x86_32"
             output: "boscaceoil-blue.exe"
+            app-name: "boscaceoil-blue.exe"
             runs-on: windows-latest
 
     name: Export the project (${{ matrix.preset }})
     runs-on: ${{ matrix.runs-on }}
     steps:
       - uses: actions/checkout@v4
 
+      # Set up prerequisites.
+
       - name: Install Godot ${{ env.GODOT_VERSION }}
         uses: chickensoft-games/setup-godot@v2
         with:
@@ -65,6 +75,8 @@ jobs:
           platform: ${{ matrix.platform }}
           gdsion-version: ${{ env.GDSION_VERSION }}
 
+      # Export the project.
+
       - name: Export the project
         id: export-project-step
         uses: ./.github/actions/export-godot-project
@@ -74,9 +86,42 @@ jobs:
           preset: ${{ matrix.preset }}
           output: ${{ matrix.output }}
 
+      # Codesign if necessary.
+
+      - name: Set up codesign environment
+        if: ${{ inputs.with-codesign }}
+        uses: ./.github/actions/sign-godot-project
+        with:
+          platform: ${{ matrix.platform }}
+          setup-env: true
+          apple-cert-base64:   ${{ secrets.APPLE_CERT_BASE64 }}
+          apple-cert-password: ${{ secrets.APPLE_CERT_PASSWORD }}
+
+      - name: Sign the exported project
+        if: ${{ inputs.with-codesign }}
+        uses: ./.github/actions/sign-godot-project
+        with:
+          platform: ${{ matrix.platform }}
+          codesign: true
+          directory: ${{ steps.export-project-step.outputs.export-path }}
+          target-name: ${{ matrix.app-name }}
+          apple-dev-id:        ${{ secrets.APPLE_DEV_ID }}
+          apple-dev-app-id:    ${{ secrets.APPLE_DEV_APP_ID }}
+          apple-dev-team-id:   ${{ secrets.APPLE_DEV_TEAM_ID }}
+          apple-dev-password:  ${{ secrets.APPLE_DEV_PASSWORD }}
+
+      # Upload the results.
+
+      # This step helps to preserve file permissions.
+      - name: Tar up the example project
+        shell: bash
+        working-directory: "${{ steps.export-project-step.outputs.export-path }}"
+        run: |
+          tar -cvf boscaceoil-blue.tar .
+
       - name: Upload the project
         uses: actions/upload-artifact@v4
         with:
           name: boscaceoil-blue-${{ matrix.platform }}-${{ matrix.arch }}
-          path: "${{ steps.export-project-step.outputs.export-path }}/*"
+          path: "${{ steps.export-project-step.outputs.export-path }}/boscaceoil-blue.tar"
           retention-days: 14
diff --git a/.github/workflows/publish-project.yml b/.github/workflows/publish-project.yml
@@ -1,4 +1,4 @@
-name: Publish Example Project
+name: Publish Project
 
 on:
   workflow_call:
@@ -26,6 +26,19 @@ jobs:
           path: export
           pattern: boscaceoil-blue-*
 
+      - name: Untar downloaded artifacts
+        shell: bash
+        working-directory: export
+        run: |
+          for name in ./*; do
+            if [ -d "$name" ]; then
+              cd "./$name"
+              tar -xvf boscaceoil-blue.tar
+              rm -f boscaceoil-blue.tar
+              cd ..
+            fi
+          done
+
       - name: Archive project exports
         uses: ./.github/actions/zip-folder
         with:

diff --git a/README.md b/README.md
@@ -31,16 +31,20 @@ Powered by a versatile software synthesizer, _Bosca Ceoil Blue_ offers you prett
 Export your creations to WAV and MIDI. Share them with the world, or use them for your next game or video!
 
 
-## Project status
+## Download
 
-**_Bosca Ceoil Blue_ is feature complete!** Every feature and mechanic of the original app has been ported, with some improvements here and there.
+**_Bosca Ceoil Blue_ is currently in the _beta_ phase!** This means it's feature complete and is looking for users and testers to offer feedback and validate its stability.
 
-The project is now in the beta stage, looking for users and testers to report issues and validate functionality in production environment. At this moment, only desktop platforms are targeted (Linux, macOS, and Windows). Web and Android exports are planned in the future.
+If you find a usability issue or a bug, please [file a report](https://github.com/YuriSizov/boscaceoil-blue/issues). If you don't have a GitHub account, you can also reach out on [Discord](https://discord.gg/S657Y9KPF9).
 
-Download links for user testing will soon be provided. For now, you can test the project using the Godot editor (see [Contributing](#contributing)).
+### Current release: 3.0-beta1
 
-> [!NOTE]
-> A significant part of the port involves recreation of the [SiON software synthesizer](https://github.com/keim/SiON), which the original _Bosca Ceoil_ is based on, as a GDExtension. The progress on that is tracked in a separate project, [GDSiON](https://github.com/YuriSizov/gdsion).
+* **[Download for Linux (x86_64)](https://github.com/YuriSizov/boscaceoil-blue/releases/download/3.0-beta1/boscaceoil-blue-linux-x86_64.zip)**
+* **[Download for macOS (Universal)](https://github.com/YuriSizov/boscaceoil-blue/releases/download/3.0-beta1/boscaceoil-blue-macos-universal.zip)**
+* **[Download for Windows (x86_64)](https://github.com/YuriSizov/boscaceoil-blue/releases/download/3.0-beta1/boscaceoil-blue-windows-x86_64.zip)**
+* **[Download for Windows (x86_32)](https://github.com/YuriSizov/boscaceoil-blue/releases/download/3.0-beta1/boscaceoil-blue-windows-x86_32.zip)**
+
+_Web and Android versions are planned in the future._
 
 
 ## Contributing