Fix macOS notarization: drop --deep, exclude LV2, add error handling #38
| name: Build | |
| on: | |
| push: | |
| branches: [master] | |
| pull_request: | |
| branches: [master] | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [macos-latest, windows-latest, ubuntu-latest] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install dependencies (Linux) | |
| if: runner.os == 'Linux' | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libasound2-dev libfreetype6-dev libx11-dev \ | |
| libxrandr-dev libxcursor-dev libxinerama-dev libwebkit2gtk-4.1-dev \ | |
| libcurl4-openssl-dev | |
| - name: Configure | |
| run: cmake -B build -DCMAKE_BUILD_TYPE=Release | |
| - name: Build | |
| run: cmake --build build --config Release --parallel 2 | |
| - name: Import Apple Certificate | |
| if: runner.os == 'macOS' | |
| uses: apple-actions/import-codesign-certs@v3 | |
| with: | |
| p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }} | |
| p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| - name: Sign macOS Artifacts | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} | |
| run: | | |
| # Sign macOS bundles (VST3, AU, Standalone) | |
| find build -type d \( -name "*.vst3" -o -name "*.component" -o -name "*.app" \) | while read -r bundle; do | |
| echo "Signing: $bundle" | |
| codesign --force --strict --timestamp --options runtime \ | |
| --sign "$APPLE_SIGNING_IDENTITY" "$bundle" | |
| done | |
| # Sign LV2 plugin binaries (not macOS bundles, sign dylibs directly) | |
| find build -type f -name "*.dylib" -path "*.lv2/*" | while read -r dylib; do | |
| echo "Signing: $dylib" | |
| codesign --force --strict --timestamp --options runtime \ | |
| --sign "$APPLE_SIGNING_IDENTITY" "$dylib" | |
| done | |
| # Verify all signatures | |
| find build -type d \( -name "*.vst3" -o -name "*.component" -o -name "*.app" \) | while read -r bundle; do | |
| echo "Verifying: $bundle" | |
| codesign --verify --strict "$bundle" | |
| done | |
| - name: Notarize macOS Artifacts | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_ID: ${{ secrets.APPLE_ID }} | |
| APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| run: | | |
| mkdir -p $RUNNER_TEMP/notarize | |
| # Only include proper macOS bundles (no LV2) | |
| find build -type d \( -name "*.vst3" -o -name "*.component" -o -name "*.app" \) \ | |
| -exec cp -R {} $RUNNER_TEMP/notarize/ \; | |
| ditto -c -k $RUNNER_TEMP/notarize $RUNNER_TEMP/notarize.zip | |
| # Submit and capture output | |
| SUBMIT_OUTPUT=$(xcrun notarytool submit $RUNNER_TEMP/notarize.zip \ | |
| --apple-id "$APPLE_ID" \ | |
| --password "$APPLE_PASSWORD" \ | |
| --team-id "$APPLE_TEAM_ID" \ | |
| --wait 2>&1) | |
| echo "$SUBMIT_OUTPUT" | |
| # Extract submission ID | |
| SUBMISSION_ID=$(echo "$SUBMIT_OUTPUT" | grep "id:" | head -1 | awk '{print $2}') | |
| # Check for success | |
| if echo "$SUBMIT_OUTPUT" | grep -q "status: Accepted"; then | |
| echo "Notarization succeeded" | |
| else | |
| echo "Notarization failed — fetching log..." | |
| xcrun notarytool log "$SUBMISSION_ID" \ | |
| --apple-id "$APPLE_ID" \ | |
| --password "$APPLE_PASSWORD" \ | |
| --team-id "$APPLE_TEAM_ID" | |
| exit 1 | |
| fi | |
| - name: Staple Notarization Tickets | |
| if: runner.os == 'macOS' | |
| run: | | |
| find build -type d \( -name "*.vst3" -o -name "*.component" -o -name "*.app" \) | while read -r bundle; do | |
| echo "Stapling: $bundle" | |
| xcrun stapler staple "$bundle" | |
| done | |
| - name: Collect artifacts (macOS) | |
| if: runner.os == 'macOS' | |
| run: | | |
| mkdir -p artifacts/{VST3,AU,LV2,Standalone} | |
| find build -name "*.vst3" -type d -exec cp -R {} artifacts/VST3/ \; | |
| find build -name "*.component" -type d -exec cp -R {} artifacts/AU/ \; | |
| find build -name "*.lv2" -type d -exec cp -R {} artifacts/LV2/ \; | |
| find build -name "*.app" -type d -exec cp -R {} artifacts/Standalone/ \; | |
| - name: Collect artifacts (Linux) | |
| if: runner.os == 'Linux' | |
| run: | | |
| mkdir -p artifacts/{VST3,LV2,Standalone} | |
| find build -name "*.vst3" -type d -exec cp -R {} artifacts/VST3/ \; | |
| find build -name "*.lv2" -type d -exec cp -R {} artifacts/LV2/ \; | |
| find build -type f -executable -path "*/Standalone/*" -exec cp {} artifacts/Standalone/ \; | |
| - name: Collect artifacts (Windows) | |
| if: runner.os == 'Windows' | |
| shell: bash | |
| run: | | |
| mkdir -p artifacts/{VST3,Standalone} | |
| find build -name "*.vst3" -type d -exec cp -R {} artifacts/VST3/ \; | |
| find build -name "*.exe" ! -name "*_vst3_helper.exe" -exec cp {} artifacts/Standalone/ \; | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: smartelectronix-${{ runner.os }} | |
| path: artifacts/ | |
| if-no-files-found: error | |
| release: | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/master' | |
| needs: build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: all-artifacts | |
| - name: Zip artifacts | |
| run: | | |
| cd all-artifacts | |
| for dir in */; do | |
| (cd "$dir" && zip -r "../../${dir%/}.zip" .) | |
| done | |
| - name: Delete existing release | |
| run: gh release delete latest --yes --cleanup-tag || true | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GH_REPO: ${{ github.repository }} | |
| - name: Create Release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| tag_name: latest | |
| name: Smartelectronix Plugins (Latest Build) | |
| body: | | |
| Latest build from commit ${{ github.sha }} | |
| Built on ${{ github.event.head_commit.timestamp }} | |
| files: '*.zip' | |
| prerelease: false |
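Review bot: The `else` branch added to the Notarize step may never run: the step sets no `shell:`, so GitHub runs it with `bash -e {0}`, and a non-zero exit from `xcrun notarytool submit --wait` aborts at the `SUBMIT_OUTPUT=$(...)` assignment before the `grep -q "status: Accepted"` check and the `notarytool log` fetch are reached. Appending `|| true` to that assignment keeps the handler reachable, and guarding the log call with `if [ -n "$SUBMISSION_ID" ]` avoids invoking it with an empty id when the upload itself failed; whether notarytool exits non-zero on an `Invalid` verdict is not visible here, so confirm against a runner log. Separately, the LV2 dylibs signed in the second loop of the Sign step are never passed to `codesign --verify --strict`, so a broken hardened-runtime signature on them would only surface for end users; reusing the `-type f -name "*.dylib" -path "*.lv2/*"` predicate in the verify loop closes that gap. Finally, the third-party actions that receive the signing certificate and publish the release (`apple-actions/import-codesign-certs@v3`, `softprops/action-gh-release@v2`) are referenced by mutable tags; pinning them to a full commit SHA (`@<full-commit-sha> # v3`) removes a tag-retarget path to the code-signing material.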