CI: Sign and notarize macos binaries

2025-01-30 11:58:13 -05:00 · 2025-01-30 11:58:13 -05:00 · ef5d5c780b
parent 0887002ad4
commit ef5d5c780b
3 changed files with 23 additions and 1 deletions
--- a/.github/workflows/macos_build.yml
+++ b/.github/workflows/macos_build.yml
@ -25,6 +25,10 @@ on:
        required: false
        type: boolean
        default: false
+      sign:
+        required: false
+        type: boolean
+        default: false

 jobs:
  build_macos:
@ -143,6 +147,22 @@ jobs:
        run: make -j$(getconf _NPROCESSORS_ONLN) unittests

      - name: Prepare Build Artifacts
+        run: mv build/pcsx2*/PCSX2.app Build.app
+
+      - name: Sign binary
+        if: ${{ inputs.sign }}
+        uses: lando/code-sign-action@v2
+        with:
+          file: "Build.app"
+          certificate-data: ${{ secrets.APPLE_CERT_DATA }}
+          certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }}
+          apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }}
+          apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }}
+          apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
+          apple-notary-tool: altool
+          apple-product-id: net.pcsx2.pcsx2
+
+      - name: Zip Build Artifacts
        run: |
          TAG="$(git tag --points-at HEAD)"
          if [ -z "$TAG" ]; then
@ -150,7 +170,7 @@ jobs:
          else
            APPNAME="PCSX2-$TAG"
          fi
-          mv build/pcsx2*/PCSX2.app "$APPNAME.app"
+          mv Build.app "$APPNAME.app"
          tar --options xz:compression-level=9 -cvJf "${{ steps.artifact-metadata.outputs.artifact-name }}.tar.xz" "$APPNAME.app"
          mkdir ci-artifacts
          cp "${{ steps.artifact-metadata.outputs.artifact-name }}.tar.xz" ci-artifacts/macOS.tar.xz
--- a/.github/workflows/macos_build_matrix.yml
+++ b/.github/workflows/macos_build_matrix.yml
@ -16,4 +16,5 @@ jobs:
    with:
      jobName: "MacOS Build"
      artifactPrefixName: "PCSX2-macos-Qt"
+      sign: true # testing 
    secrets: inherit
--- a/.github/workflows/release_cut_new.yml
+++ b/.github/workflows/release_cut_new.yml
@ -148,6 +148,7 @@ jobs:
      artifactPrefixName: "PCSX2-macos-Qt"
      fetchTags: true
      stableBuild: ${{ github.event_name == 'workflow_dispatch' && inputs.is_prelease == 'false' }}
+      sign: true
    secrets: inherit

  # Upload the Artifacts