# Production Apple client builds — runs on the macos-arm64 runner (home-mac-mini-1). # # Tag v* (or workflow_dispatch): # macOS -> Developer ID signed + notarized + stapled .dmg, attached to a Gitea # release on tag pushes # iOS -> archive + upload straight to TestFlight (App Store Connect) # tvOS -> not built: the Rust core needs tier-3 targets (nightly -Zbuild-std) # macOS App Store/TestFlight -> deferred: needs App Sandbox entitlements first # (network client + Bonjour); the Developer ID build covers macOS today. # # One App Store listing for all platforms (universal purchase): every target shares the # bundle ID io.unom.punktfunk. # # Secrets: DEVID_CERT_P12_B64 / DEVID_CERT_PASSWORD (Developer ID Application cert), # ASC_API_KEY_P8 / ASC_API_KEY_ID / ASC_API_ISSUER_ID (App Store Connect API key — # notarization, TestFlight upload, and automatic-signing profile fetch). # # Needs a RELEASE Xcode on the runner (App Store rejects beta-SDK builds); the workflow # picks the first non-beta /Applications/Xcode*.app and only falls back to a beta with a # loud warning. name: release on: push: tags: ['v*'] workflow_dispatch: inputs: testflight: description: "Upload the iOS build to TestFlight (true/false)" required: false default: "true" jobs: apple: runs-on: macos-arm64 timeout-minutes: 120 env: TEAM_ID: F4H37KF6WC PROJECT: clients/apple/Punktfunk.xcodeproj steps: - uses: actions/checkout@v4 - name: Select release Xcode run: | DEV_DIR="" for app in /Applications/Xcode.app /Applications/Xcode_*.app /Applications/Xcode-*.app; do case "$app" in *beta*|*Beta*) continue;; esac [ -x "$app/Contents/Developer/usr/bin/xcodebuild" ] && DEV_DIR="$app/Contents/Developer" && break done if [ -z "$DEV_DIR" ]; then for app in /Applications/Xcode*.app; do [ -x "$app/Contents/Developer/usr/bin/xcodebuild" ] && DEV_DIR="$app/Contents/Developer" && break done echo "::warning::No release Xcode found — using $DEV_DIR. TestFlight/App Store REJECTS beta-SDK builds." fi [ -n "$DEV_DIR" ] || { echo "no usable Xcode found" >&2; exit 1; } # Scoped to xcodebuild steps only (XCODE_DEV_DIR, not DEVELOPER_DIR): cargo must # keep the system-default linker — a newer-than-OS Xcode's ld produces dylibs the # running dyld rejects, killing proc-macro loads (see build-xcframework.sh). echo "XCODE_DEV_DIR=$DEV_DIR" >> "$GITHUB_ENV" DEVELOPER_DIR="$DEV_DIR" xcodebuild -version - name: Version from tag run: | case "$GITHUB_REF" in refs/tags/v*) V="${GITHUB_REF_NAME#v}" ;; *) V="0.0.${GITHUB_RUN_NUMBER}" ;; esac echo "VERSION=$V" >> "$GITHUB_ENV" echo "BUILD_NUM=$GITHUB_RUN_NUMBER" >> "$GITHUB_ENV" echo "version $V build $GITHUB_RUN_NUMBER" - name: Rust toolchain (mac + iOS slices) run: | RUSTUP="$(command -v rustup || echo "$HOME/.cargo/bin/rustup")" dirname "$RUSTUP" >> "$GITHUB_PATH" "$RUSTUP" target add aarch64-apple-darwin x86_64-apple-darwin \ aarch64-apple-ios aarch64-apple-ios-sim x86_64-apple-ios - name: Build PunktfunkCore.xcframework (mac + iOS) run: BUILD_IOS=1 bash scripts/build-xcframework.sh - name: Import Developer ID certificate (throwaway keychain) env: P12_B64: ${{ secrets.DEVID_CERT_P12_B64 }} P12_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} run: | KEYCHAIN="$RUNNER_TEMP/punktfunk-ci.keychain-db" KEYCHAIN_PASS="$(uuidgen)" echo "KEYCHAIN=$KEYCHAIN" >> "$GITHUB_ENV" security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" security set-keychain-settings -lut 7200 "$KEYCHAIN" security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" # xcodebuild's signing lookup consults the DEFAULT keychain — being on the # search list alone isn't enough (find-identity sees the cert, export doesn't). security default-keychain -d user -s "$KEYCHAIN" # Apple's intermediates — without the issuing CA in the chain the identity is # "invalid" and xcodebuild reports "No signing certificate ... found" even # though the cert imported fine (fresh boxes don't ship all WWDR/Developer ID # intermediates). for ca in DeveloperIDG2CA AppleWWDRCAG3 AppleWWDRCAG4; do curl -sf "https://www.apple.com/certificateauthority/$ca.cer" \ -o "$RUNNER_TEMP/$ca.cer" \ && security import "$RUNNER_TEMP/$ca.cer" -k "$KEYCHAIN" -t cert >/dev/null \ || echo "::warning::could not stage intermediate $ca" done printf '%s' "$P12_B64" | base64 -d > "$RUNNER_TEMP/devid.p12" security import "$RUNNER_TEMP/devid.p12" -k "$KEYCHAIN" -P "$P12_PASSWORD" \ -T /usr/bin/codesign -T /usr/bin/security rm -f "$RUNNER_TEMP/devid.p12" security set-key-partition-list -S apple-tool:,apple:,codesign: \ -s -k "$KEYCHAIN_PASS" "$KEYCHAIN" >/dev/null security list-keychains -d user -s "$KEYCHAIN" login.keychain-db security find-identity -v -p codesigning "$KEYCHAIN" - name: Stage App Store Connect API key env: ASC_P8: ${{ secrets.ASC_API_KEY_P8 }} run: | printf '%s' "$ASC_P8" > "$RUNNER_TEMP/asc.p8" chmod 600 "$RUNNER_TEMP/asc.p8" - name: Archive macOS (unsigned — signed by codesign below) run: | # Archive WITHOUT signing, then codesign with Developer ID in the next step. We do # NOT let xcodebuild sign during archive because the app's keychain-access-groups # entitlement is the "Keychain Sharing" capability, and Xcode's archive gate demands # a provisioning profile for it under BOTH automatic and manual signing — even # though a Developer ID app honours that team-prefixed entitlement at RUNTIME with # no profile (the gate is an Xcode build-phase check, not a real requirement). Raw # codesign has no such gate. Safe because the bundle is a single statically-linked # binary: static PunktfunkCore.xcframework, SPM static products, macOS 14 target (no # embedded Swift dylibs), and no Embed-Frameworks phase — so nothing nested to sign. DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \ -project "$PROJECT" -scheme Punktfunk \ -destination 'generic/platform=macOS' \ -archivePath "$RUNNER_TEMP/Punktfunk-macos.xcarchive" \ MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \ CODE_SIGNING_ALLOWED=NO - name: Sign macOS app (Developer ID, hardened runtime) run: | APP="$RUNNER_TEMP/Punktfunk-macos.xcarchive/Products/Applications/Punktfunk.app" # codesign does NOT expand $(AppIdentifierPrefix) (an Xcode build-setting var), so # resolve it to the real team prefix — otherwise keychain-access-groups would be the # literal string instead of the team-scoped group. RESOLVED="$RUNNER_TEMP/Punktfunk.entitlements" sed "s/\$(AppIdentifierPrefix)/${TEAM_ID}./g" \ clients/apple/Config/Punktfunk.entitlements > "$RESOLVED" # Inside-out: sign any nested Mach-O first (defensive — the static build normally # has none), then the app bundle with the resolved entitlements + hardened runtime + # secure timestamp, which is what notarization requires. if [ -d "$APP/Contents/Frameworks" ]; then find "$APP/Contents/Frameworks" -depth \( -name '*.framework' -o -name '*.dylib' \) \ -print0 | while IFS= read -r -d '' f; do codesign --force --options runtime --timestamp \ --sign "Developer ID Application" "$f" done fi codesign --force --options runtime --timestamp \ --entitlements "$RESOLVED" \ --sign "Developer ID Application" "$APP" codesign --verify --strict --verbose=2 "$APP" # Stage where the DMG step expects it ($RUNNER_TEMP/export-devid/Punktfunk.app). mkdir -p "$RUNNER_TEMP/export-devid" rm -rf "$RUNNER_TEMP/export-devid/Punktfunk.app" cp -R "$APP" "$RUNNER_TEMP/export-devid/Punktfunk.app" - name: Notarized DMG run: | STAGE="$RUNNER_TEMP/dmg-stage" mkdir -p "$STAGE" cp -R "$RUNNER_TEMP/export-devid/Punktfunk.app" "$STAGE/" ln -s /Applications "$STAGE/Applications" DMG="$RUNNER_TEMP/Punktfunk-$VERSION.dmg" hdiutil create -volname "Punktfunk" -srcfolder "$STAGE" -ov -format UDZO "$DMG" DEVELOPER_DIR="$XCODE_DEV_DIR" xcrun notarytool submit "$DMG" --wait \ --key "$RUNNER_TEMP/asc.p8" \ --key-id "${{ secrets.ASC_API_KEY_ID }}" \ --issuer "${{ secrets.ASC_API_ISSUER_ID }}" DEVELOPER_DIR="$XCODE_DEV_DIR" xcrun stapler staple "$DMG" echo "DMG=$DMG" >> "$GITHUB_ENV" - name: Attach DMG to Gitea release if: startsWith(gitea.ref, 'refs/tags/') env: TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | API="${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}" # Create the release (409 -> already exists, fetch it instead). ID=$(curl -sf -X POST "$API/releases" \ -H "Authorization: token $TOKEN" -H 'Content-Type: application/json' \ -d "{\"tag_name\":\"$GITHUB_REF_NAME\",\"name\":\"$GITHUB_REF_NAME\"}" \ | python3 -c 'import json,sys;print(json.load(sys.stdin)["id"])' \ || curl -sf "$API/releases/tags/$GITHUB_REF_NAME" -H "Authorization: token $TOKEN" \ | python3 -c 'import json,sys;print(json.load(sys.stdin)["id"])') curl -sf -X POST "$API/releases/$ID/assets?name=Punktfunk-$VERSION.dmg" \ -H "Authorization: token $TOKEN" \ -F "attachment=@$DMG" >/dev/null echo "attached Punktfunk-$VERSION.dmg to release $GITHUB_REF_NAME" - name: Archive iOS + upload to TestFlight if: gitea.event_name != 'workflow_dispatch' || inputs.testflight == 'true' # Best-effort until the App Store Connect app record for io.unom.punktfunk # exists — the upload errors without one. Drop this once TestFlight onboarding # is done so real upload failures fail the run. continue-on-error: true run: | DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \ -project "$PROJECT" -scheme Punktfunk-iOS \ -destination 'generic/platform=iOS' \ -archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \ MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \ -allowProvisioningUpdates \ -authenticationKeyPath "$RUNNER_TEMP/asc.p8" \ -authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \ -authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}" cat > "$RUNNER_TEMP/export-appstore.plist" < methodapp-store-connect destinationupload teamID$TEAM_ID EOF DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild -exportArchive \ -archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \ -exportOptionsPlist "$RUNNER_TEMP/export-appstore.plist" \ -exportPath "$RUNNER_TEMP/export-appstore" \ -allowProvisioningUpdates \ -authenticationKeyPath "$RUNNER_TEMP/asc.p8" \ -authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \ -authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}" - name: Clean up keychain + API key if: always() run: | security default-keychain -d user -s login.keychain-db 2>/dev/null || true [ -n "${KEYCHAIN:-}" ] && security delete-keychain "$KEYCHAIN" 2>/dev/null || true security list-keychains -d user -s login.keychain-db rm -f "$RUNNER_TEMP/asc.p8"