Adding OIL to Autosubs #47

Workflow file for this run

.github/workflows/package-mac.yml at f11ead5

	name: Package AutoSubs for MacOS
	on:
	pull_request:
	branches:
	- main
	push:
	branches:
	- main

	jobs:
	build:
	runs-on: macos-14

	steps:
	- name: Checkout AutoSubs Repo Code
	uses: actions/checkout@v4

	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version: 23

	- name: Set up Python
	uses: actions/setup-python@v5
	with:
	python-version: '3.12.7'

	- name: Import Apple Certificates
	env:
	APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_SIGNING_CERTIFICATE }}
	APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE }}
	INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
	APPLE_NOTARIZE_KEY: ${{ secrets.APPLE_NOTARIZE_KEY }}
	APPLE_NOTARIZE_ID: ${{ secrets.APPLE_NOTARIZE_ID }}
	APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }}

	run: \|
	# Define paths
	APP_CERT_PATH=$RUNNER_TEMP/app_certificate.p12
	INSTALLER_CERT_PATH=$RUNNER_TEMP/installer_certificate.p12
	KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

	# Decode and save certificates
	echo "$APP_CERTIFICATE_BASE64" \| base64 --decode > $APP_CERT_PATH
	echo "$INSTALLER_CERTIFICATE_BASE64" \| base64 --decode > $INSTALLER_CERT_PATH

	# Create and configure temporary keychain
	security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security list-keychains -s $KEYCHAIN_PATH

	# Import Application certificate
	security import $APP_CERT_PATH -P "$APP_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	# Import Installer certificate
	security import $INSTALLER_CERT_PATH -P "$INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	# Import Notarization credentials
	echo "$APPLE_NOTARIZE_KEY" \| base64 --decode > Notarization_AuthKey.p8
	xcrun notarytool store-credentials "AC_PASSWORD" \
	--key "Notarization_AuthKey.p8" \
	--key-id "$APPLE_NOTARIZE_ID" \
	--issuer "$APPLE_ISSUER"

	- name: Install Dependencies
	run: \|
	cd AutoSubs-App
	npm install

	- name: Bundle Tauri App
	run: \|
	cd AutoSubs-App
	export APPLE_SIGNING_IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}"
	npm run tauri build

	- name: Create Mac Package
	run: \|
	# Create the package directory
	mkdir Mac-Package/Payload

	# Move the app to the package
	mv AutoSubs-App/src-tauri/target/release/bundle/macos/AutoSubs.app Mac-Package/Payload

	- name: Package Python Server
	run: \|
	cd Transcription-Server
	python3 -m venv venv
	source venv/bin/activate
	pip install -r requirements-mac.txt
	pyinstaller package-server.spec --noconfirm
	deactivate

	- name: Move Python Server to resources folder
	run: \|
	mv "Transcription-Server/dist/Transcription-Server" "Mac-Package/Payload/AutoSubs.app/Contents/Resources/resources"

	- name: Code Sign Python Server
	run: \|
	# Define variables
	IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}"
	ENTITLEMENTS="$(pwd)/Signing/entitlements.plist" # Use absolute path to avoid issues
	APP_DIR="$(pwd)/Mac-Package/Payload/AutoSubs.app/Contents/Resources/resources/Transcription-Server" # Use absolute path
	AUTOSUBS_BINARY="$(pwd)/Mac-Package/Payload/AutoSubs.app/Contents/MacOS/autosubs" # Use absolute path

	# Function to sign a single file
	sign_file() {
	local file="$1"
	echo "Signing $file..."
	codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$file"
	}

	export -f sign_file # Export the function so it's available in subshells
	export IDENTITY # Export IDENTITY so it's available in subshells
	export ENTITLEMENTS # Export ENTITLEMENTS so it's available in subshells

	# Sign the main executable
	sign_file "$APP_DIR/transcription-server"

	# Sign all embedded binaries and executables in the _internal directory
	find "$APP_DIR/_internal" -type f $ -name ".dylib" -o -name ".so" -o -name ".exe" -o -name ".bin" -o -name "ffmpeg*" -o -name "Python" $ -exec bash -c 'sign_file "$0"' {} \;

	# Sign any other executables in the main app directory
	find "$APP_DIR" -type f -perm +111 -exec bash -c 'sign_file "$0"' {} \;

	# Sign the main app binary
	codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$AUTOSUBS_BINARY"

	- name: Create PKG Installer
	run: \|
	# Give permissions to the scripts
	chmod +x Mac-Package/Scripts/*

	# Create the package
	pkgbuild --identifier com.tom-moroney.autosubs \
	--version 2.0 \
	--install-location "/Applications" \
	--root Mac-Package/Payload \
	--scripts Mac-Package/Scripts \
	AutoSubs-unsigned.pkg

	- name: Sign PKG Installer
	run: \|
	productsign --sign "Developer ID Installer: ${{ secrets.APPLE_IDENTITY }}" \
	--timestamp \
	"AutoSubs-unsigned.pkg" \
	"AutoSubs-Mac-ARM.pkg"

	- name: Notarize PKG Installer
	run: \|
	# Submit for notarization
	xcrun notarytool submit "AutoSubs-Mac-ARM.pkg" \
	--keychain-profile "AC_PASSWORD" \
	--wait

	# Staple the ticket to the installer
	xcrun stapler staple "AutoSubs-Mac-ARM.pkg"

	- name: Get Latest Release Tag
	id: get_latest_release
	env:
	GH_TOKEN: ${{ secrets.GH_TOKEN }}
	run: \|
	latest_tag=$(gh release list --limit 1 --json tagName --jq '.[0].tagName')
	echo "LATEST_TAG=$latest_tag" >> $GITHUB_ENV

	- name: Upload Asset to Release
	uses: softprops/action-gh-release@v2
	with:
	tag_name: ${{ env.LATEST_TAG }}
	files: AutoSubs-Mac-ARM.pkg
	token: ${{ secrets.GH_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Adding OIL to Autosubs #47

Workflow file

Adding OIL to Autosubs #47

Jobs

Run details

Workflow file for this run