name: macOS Build on: push: branches: - master pull_request: branches: - master jobs: macos_build_arm64: runs-on: macos-15-arm64 steps: - uses: actions/checkout@v4 with: submodules: true - name: Install build dependencies run: | set -eux brew update brew install \ meson ninja pkg-config gettext perl \ gtk+3 gdk-pixbuf pango adwaita-icon-theme \ hicolor-icon-theme glib dbus \ enchant gtk-mac-integration if ! command -v gtk-mac-bundler >/dev/null 2>&1 && ! python3 -c 'import gtk_mac_bundler' >/dev/null 2>&1; then curl -fsSL https://codeload.github.com/jralls/gtk-mac-bundler/tar.gz/refs/heads/master -o /tmp/gtk-mac-bundler.tar.gz rm -rf /tmp/gtk-mac-bundler mkdir -p /tmp/gtk-mac-bundler tar -xzf /tmp/gtk-mac-bundler.tar.gz -C /tmp/gtk-mac-bundler --strip-components=1 (cd /tmp/gtk-mac-bundler && make install) fi - name: Configure and build (arm64) run: | set -eux rm -rf build-macos-arm64 stage/arm64 CFLAGS="-arch arm64" LDFLAGS="-arch arm64" meson setup build-macos-arm64 \ --prefix="$PWD/stage/arm64" \ -Dgtk3=true \ -Dtext-frontend=true \ -Dlibcanberra=disabled \ -Dwith-perl=perl \ -Dwith-python=python3 \ -Dauto_features=enabled CFLAGS="-arch arm64" LDFLAGS="-arch arm64" meson compile -C build-macos-arm64 meson install -C build-macos-arm64 - name: Stage runtime dependencies for bundling (arm64) run: | set -eux STAGE_PREFIX="$PWD/stage/arm64" BREW_PREFIX="$(brew --prefix)" ENCHANT_PREFIX="$(brew --prefix enchant)" mkdir -p "$STAGE_PREFIX/lib" "$STAGE_PREFIX/share" rsync -a "$BREW_PREFIX/lib/gtk-3.0" "$STAGE_PREFIX/lib/" rsync -a "$BREW_PREFIX/lib/gdk-pixbuf-2.0" "$STAGE_PREFIX/lib/" rsync -a "$BREW_PREFIX/share/locale" "$STAGE_PREFIX/share/" mkdir -p "$STAGE_PREFIX/opt" rm -rf "$STAGE_PREFIX/opt/enchant" cp -a "$ENCHANT_PREFIX" "$STAGE_PREFIX/opt/enchant" - name: Package unsigned .app (arm64) run: | set -eux VERSION="$(git describe --tags --always)" export VERSION ( cd osx BUNDLE_PREFIX="$PWD/../stage/arm64" \ ENCHANT_PREFIX="$PWD/../stage/arm64/opt/enchant" \ TARGET_ARCHES="arm64" \ ./makebundle.sh ) mv osx/ZoiteChat-*.app.zip ./ZoiteChat-arm64.app.zip - name: Upload arm64 macOS app artifact uses: actions/upload-artifact@v4 with: name: zoitechat-macos-arm64 path: ZoiteChat-arm64.app.zip if-no-files-found: error retention-days: 14 macos_build_x86_64: runs-on: macos-15-intel steps: - uses: actions/checkout@v4 with: submodules: true - name: Install build dependencies run: | set -eux brew update brew install \ meson ninja pkg-config gettext perl \ gtk+3 gdk-pixbuf pango adwaita-icon-theme \ hicolor-icon-theme glib dbus \ enchant gtk-mac-integration if ! command -v gtk-mac-bundler >/dev/null 2>&1 && ! python3 -c 'import gtk_mac_bundler' >/dev/null 2>&1; then curl -fsSL https://codeload.github.com/jralls/gtk-mac-bundler/tar.gz/refs/heads/master -o /tmp/gtk-mac-bundler.tar.gz rm -rf /tmp/gtk-mac-bundler mkdir -p /tmp/gtk-mac-bundler tar -xzf /tmp/gtk-mac-bundler.tar.gz -C /tmp/gtk-mac-bundler --strip-components=1 (cd /tmp/gtk-mac-bundler && make install) fi - name: Configure and build (x86_64) run: | set -eux rm -rf build-macos-x86_64 stage/x86_64 CFLAGS="-arch x86_64" LDFLAGS="-arch x86_64" meson setup build-macos-x86_64 \ --prefix="$PWD/stage/x86_64" \ -Dgtk3=true \ -Dtext-frontend=true \ -Dlibcanberra=disabled \ -Ddarwin-arch-sanity-check=true \ -Dwith-perl=perl \ -Dwith-python=python3 \ -Dauto_features=enabled CFLAGS="-arch x86_64" LDFLAGS="-arch x86_64" meson compile -C build-macos-x86_64 - name: Stage runtime dependencies for bundling (x86_64) run: | set -eux STAGE_PREFIX="$PWD/stage/x86_64" BREW_PREFIX="$(brew --prefix)" ENCHANT_PREFIX="$(brew --prefix enchant)" mkdir -p "$STAGE_PREFIX/lib" "$STAGE_PREFIX/share" rsync -a "$BREW_PREFIX/lib/gtk-3.0" "$STAGE_PREFIX/lib/" rsync -a "$BREW_PREFIX/lib/gdk-pixbuf-2.0" "$STAGE_PREFIX/lib/" rsync -a "$BREW_PREFIX/share/locale" "$STAGE_PREFIX/share/" mkdir -p "$STAGE_PREFIX/opt" rm -rf "$STAGE_PREFIX/opt/enchant" cp -a "$ENCHANT_PREFIX" "$STAGE_PREFIX/opt/enchant" - name: Package unsigned .app (x86_64) run: | set -eux VERSION="$(git describe --tags --always)" export VERSION ( cd osx BUNDLE_PREFIX="$PWD/../stage/x86_64" \ ENCHANT_PREFIX="$PWD/../stage/x86_64/opt/enchant" \ TARGET_ARCHES="x86_64" \ ./makebundle.sh ) mv osx/ZoiteChat-*.app.zip ./ZoiteChat-x86_64.app.zip - name: Upload x86_64 macOS app artifact uses: actions/upload-artifact@v4 with: name: zoitechat-macos-x86_64 path: ZoiteChat-x86_64.app.zip if-no-files-found: error retention-days: 14 macos_assemble_universal_unsigned: needs: - macos_build_arm64 - macos_build_x86_64 runs-on: macos-latest steps: - name: Download arm64 app artifact uses: actions/download-artifact@v4 with: name: zoitechat-macos-arm64 path: dist/arm64 - name: Download x86_64 app artifact uses: actions/download-artifact@v4 with: name: zoitechat-macos-x86_64 path: dist/x86_64 - name: Merge app bundles into universal run: | set -eux unzip -q dist/arm64/ZoiteChat-arm64.app.zip -d dist/arm64 unzip -q dist/x86_64/ZoiteChat-x86_64.app.zip -d dist/x86_64 ARM_APP="$(find dist/arm64 -maxdepth 2 -name 'ZoiteChat.app' -type d | head -n 1)" X86_APP="$(find dist/x86_64 -maxdepth 2 -name 'ZoiteChat.app' -type d | head -n 1)" UNIVERSAL_APP="dist/universal/ZoiteChat.app" rm -rf "$UNIVERSAL_APP" mkdir -p dist/universal cp -a "$ARM_APP" "$UNIVERSAL_APP" while IFS= read -r relpath; do arm_file="$ARM_APP/$relpath" x86_file="$X86_APP/$relpath" out_file="$UNIVERSAL_APP/$relpath" if [ -f "$x86_file" ] && file -b "$arm_file" | grep -q 'Mach-O'; then mkdir -p "$(dirname "$out_file")" lipo -create "$arm_file" "$x86_file" -output "$out_file" fi done < <(cd "$ARM_APP" && find . -type f | sed 's|^./||') while IFS= read -r macho_path; do archs="$(lipo -archs "$macho_path")" echo "$macho_path -> $archs" echo " $archs " | grep -q ' arm64 ' echo " $archs " | grep -q ' x86_64 ' done < <(find "$UNIVERSAL_APP" -type f -exec sh -c 'file -b "$1" | grep -q "Mach-O" && printf "%s\n" "$1"' _ {} \;) VERSION="$(git -C "$GITHUB_WORKSPACE" describe --tags --always)" ditto -c -k --sequesterRsrc --keepParent "$UNIVERSAL_APP" "dist/ZoiteChat-$VERSION.app.zip" - name: Upload unsigned macOS app artifact uses: actions/upload-artifact@v4 with: name: zoitechat-macos-unsigned path: dist/ZoiteChat-*.app.zip if-no-files-found: error retention-days: 14 macos_release_signed: needs: macos_assemble_universal_unsigned runs-on: macos-latest if: >- github.event_name == 'push' && github.ref == 'refs/heads/master' steps: - name: Check signing secrets availability id: signing_secrets env: APPLE_DEVELOPER_ID_APPLICATION: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION }} APPLE_DEVELOPER_ID_CERT_P12: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12 }} APPLE_DEVELOPER_ID_CERT_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12_PASSWORD }} APPLE_NOTARY_API_KEY: ${{ secrets.APPLE_NOTARY_API_KEY }} APPLE_NOTARY_API_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }} APPLE_NOTARY_ISSUER_ID: ${{ secrets.APPLE_NOTARY_ISSUER_ID }} run: | set -eu required_secrets=( APPLE_DEVELOPER_ID_APPLICATION APPLE_DEVELOPER_ID_CERT_P12 APPLE_DEVELOPER_ID_CERT_P12_PASSWORD APPLE_NOTARY_API_KEY APPLE_NOTARY_API_KEY_ID APPLE_NOTARY_ISSUER_ID ) missing=0 for key in "${required_secrets[@]}"; do if [ -z "${!key:-}" ]; then echo "Missing secret: $key" missing=1 fi done if [ "$missing" -eq 1 ]; then echo "ready=false" >> "$GITHUB_OUTPUT" else echo "ready=true" >> "$GITHUB_OUTPUT" fi - name: Skip signing because required secrets are missing if: steps.signing_secrets.outputs.ready != 'true' run: echo "Signing and notarization skipped due to missing required secrets." - name: Download unsigned app artifact if: steps.signing_secrets.outputs.ready == 'true' uses: actions/download-artifact@v4 with: name: zoitechat-macos-unsigned path: dist - name: Import Developer ID certificate if: steps.signing_secrets.outputs.ready == 'true' env: CERT_P12_BASE64: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12 }} CERT_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12_PASSWORD }} run: | set -eux echo "$CERT_P12_BASE64" | base64 --decode > certificate.p12 security create-keychain -p "" build.keychain security set-keychain-settings -lut 21600 build.keychain security unlock-keychain -p "" build.keychain security import certificate.p12 -k build.keychain -P "$CERT_PASSWORD" -A -T /usr/bin/codesign security list-keychains -d user -s build.keychain $(security list-keychains -d user | tr -d '"') security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain - name: Codesign app bundle if: steps.signing_secrets.outputs.ready == 'true' env: CODESIGN_IDENTITY: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION }} run: | set -eux unzip -q dist/ZoiteChat-*.app.zip -d dist APP_PATH="$(find dist -maxdepth 1 -name 'ZoiteChat.app' -type d | head -n 1)" codesign --force --deep --options runtime --timestamp \ --sign "$CODESIGN_IDENTITY" "$APP_PATH" codesign --verify --deep --strict --verbose=2 "$APP_PATH" spctl --assess --type execute --verbose "$APP_PATH" - name: Notarize and staple if: steps.signing_secrets.outputs.ready == 'true' env: NOTARY_API_KEY_BASE64: ${{ secrets.APPLE_NOTARY_API_KEY }} NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }} NOTARY_ISSUER_ID: ${{ secrets.APPLE_NOTARY_ISSUER_ID }} run: | set -eux APP_PATH="$(find dist -maxdepth 1 -name 'ZoiteChat.app' -type d | head -n 1)" NOTARY_ZIP="dist/ZoiteChat-notarize.zip" SIGNED_ZIP="dist/ZoiteChat-signed.app.zip" echo "$NOTARY_API_KEY_BASE64" | base64 --decode > AuthKey_${NOTARY_KEY_ID}.p8 ditto -c -k --keepParent "$APP_PATH" "$NOTARY_ZIP" xcrun notarytool submit "$NOTARY_ZIP" \ --key "AuthKey_${NOTARY_KEY_ID}.p8" \ --key-id "$NOTARY_KEY_ID" \ --issuer "$NOTARY_ISSUER_ID" \ --wait xcrun stapler staple "$APP_PATH" xcrun stapler validate "$APP_PATH" ditto -c -k --sequesterRsrc --keepParent "$APP_PATH" "$SIGNED_ZIP" - name: Upload signed macOS app artifact if: steps.signing_secrets.outputs.ready == 'true' uses: actions/upload-artifact@v4 with: name: zoitechat-macos-signed path: dist/ZoiteChat-signed.app.zip if-no-files-found: error retention-days: 30