# Production Apple client builds — runs on the macos-arm64 runner (home-mac-mini-1). # # Tag v* (or workflow_dispatch): # macOS -> Developer ID signed + notarized + stapled .dmg, attached to a Gitea # release on tag pushes # iOS -> archive + upload straight to TestFlight (App Store Connect) # tvOS -> not built: the Rust core needs tier-3 targets (nightly -Zbuild-std) # macOS App Store/TestFlight -> deferred: needs App Sandbox entitlements first # (network client + Bonjour); the Developer ID build covers macOS today. # # One App Store listing for all platforms (universal purchase): every target shares the # bundle ID io.unom.punktfunk. # # Secrets: DEVID_CERT_P12_B64 / DEVID_CERT_PASSWORD (Developer ID Application cert), # ASC_API_KEY_P8 / ASC_API_KEY_ID / ASC_API_ISSUER_ID (App Store Connect API key — # notarization, TestFlight upload, and automatic-signing profile fetch). # # Needs a RELEASE Xcode on the runner (App Store rejects beta-SDK builds); the workflow # picks the first non-beta /Applications/Xcode*.app and only falls back to a beta with a # loud warning. name: release on: push: tags: ['v*'] workflow_dispatch: inputs: testflight: description: "Upload the iOS build to TestFlight (true/false)" required: false default: "true" jobs: apple: runs-on: macos-arm64 timeout-minutes: 120 env: TEAM_ID: F4H37KF6WC PROJECT: clients/apple/Punktfunk.xcodeproj steps: - uses: actions/checkout@v4 - name: Select release Xcode run: | DEV_DIR="" for app in /Applications/Xcode.app /Applications/Xcode_*.app /Applications/Xcode-*.app; do case "$app" in *beta*|*Beta*) continue;; esac [ -x "$app/Contents/Developer/usr/bin/xcodebuild" ] && DEV_DIR="$app/Contents/Developer" && break done if [ -z "$DEV_DIR" ]; then for app in /Applications/Xcode*.app; do [ -x "$app/Contents/Developer/usr/bin/xcodebuild" ] && DEV_DIR="$app/Contents/Developer" && break done echo "::warning::No release Xcode found — using $DEV_DIR. TestFlight/App Store REJECTS beta-SDK builds." fi [ -n "$DEV_DIR" ] || { echo "no usable Xcode found" >&2; exit 1; } # Scoped to xcodebuild steps only (XCODE_DEV_DIR, not DEVELOPER_DIR): cargo must # keep the system-default linker — a newer-than-OS Xcode's ld produces dylibs the # running dyld rejects, killing proc-macro loads (see build-xcframework.sh). echo "XCODE_DEV_DIR=$DEV_DIR" >> "$GITHUB_ENV" DEVELOPER_DIR="$DEV_DIR" xcodebuild -version - name: Version from tag run: | case "$GITHUB_REF" in refs/tags/v*) V="${GITHUB_REF_NAME#v}" ;; *) V="0.0.${GITHUB_RUN_NUMBER}" ;; esac echo "VERSION=$V" >> "$GITHUB_ENV" echo "BUILD_NUM=$GITHUB_RUN_NUMBER" >> "$GITHUB_ENV" echo "version $V build $GITHUB_RUN_NUMBER" - name: Rust toolchain (mac + iOS slices) run: | RUSTUP="$(command -v rustup || echo "$HOME/.cargo/bin/rustup")" dirname "$RUSTUP" >> "$GITHUB_PATH" "$RUSTUP" target add aarch64-apple-darwin x86_64-apple-darwin \ aarch64-apple-ios aarch64-apple-ios-sim x86_64-apple-ios - name: Build PunktfunkCore.xcframework (mac + iOS) run: BUILD_IOS=1 bash scripts/build-xcframework.sh - name: Import signing certificates (throwaway keychain) env: P12_B64: ${{ secrets.DEVID_CERT_P12_B64 }} P12_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} IOS_P12_B64: ${{ secrets.IOS_DIST_CERT_P12_B64 }} IOS_P12_PASSWORD: ${{ secrets.IOS_DIST_CERT_PASSWORD }} run: | KEYCHAIN="$RUNNER_TEMP/punktfunk-ci.keychain-db" KEYCHAIN_PASS="$(uuidgen)" echo "KEYCHAIN=$KEYCHAIN" >> "$GITHUB_ENV" security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" security set-keychain-settings -lut 7200 "$KEYCHAIN" security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" # xcodebuild's signing lookup consults the DEFAULT keychain — being on the # search list alone isn't enough (find-identity sees the cert, export doesn't). security default-keychain -d user -s "$KEYCHAIN" # Apple's intermediates — without the issuing CA in the chain the leaf is "invalid" # and dropped from find-identity -v (cert imports fine, just isn't a *valid* # identity). Fresh boxes don't ship all WWDR/Developer ID intermediates. RETRY: a # single transient miss here is exactly what silently broke iOS — Apple Distribution # chains through WWDR G3, while Developer ID (-> DeveloperIDG2CA) kept working. for ca in DeveloperIDG2CA AppleWWDRCAG3 AppleWWDRCAG4; do for attempt in 1 2 3; do curl -fsS "https://www.apple.com/certificateauthority/$ca.cer" \ -o "$RUNNER_TEMP/$ca.cer" \ && security import "$RUNNER_TEMP/$ca.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 \ && break [ "$attempt" = 3 ] && echo "::warning::could not stage intermediate $ca after 3 tries" sleep 2 done done # Chain-vs-clock diagnostic: is the WWDR intermediate (Apple Distribution's issuer) # actually present, and is the runner's clock past the cert's notBefore? echo "runner date (UTC): $(date -u)" security find-certificate -c "Apple Worldwide Developer Relations Certification Authority" \ "$KEYCHAIN" >/dev/null 2>&1 \ && echo "WWDR intermediate (Apple Distribution issuer): present in keychain" \ || echo "::warning::WWDR intermediate MISSING — Apple Distribution leaf will be invalid" printf '%s' "$P12_B64" | base64 -d > "$RUNNER_TEMP/devid.p12" security import "$RUNNER_TEMP/devid.p12" -k "$KEYCHAIN" -P "$P12_PASSWORD" \ -T /usr/bin/codesign -T /usr/bin/security rm -f "$RUNNER_TEMP/devid.p12" # iOS App Store distribution identity (optional — imported only when the secret is # set; the iOS/TestFlight job stays best-effort). Self-diagnosing: prints secret # byte-lengths + decoded p12 size + import rc (never the secret value) so a bad iOS # cert is explained in-log. Does NOT fail this shared step on an iOS-cert problem — # that would also block the macOS release; the gate below only warns. Apple # Distribution chains through WWDR G3, fetched above (G6 is not used for it). echo "cert-secret lengths: ios_b64=${#IOS_P12_B64} devid_b64=${#P12_B64}" if [ -n "$IOS_P12_B64" ]; then printf '%s' "$IOS_P12_B64" | tr -d '\r\n ' | base64 -d > "$RUNNER_TEMP/ios-dist.p12" \ || echo "::warning::IOS_DIST_CERT_P12_B64 is not valid base64" echo "ios_p12_bytes=$(wc -c < "$RUNNER_TEMP/ios-dist.p12" 2>/dev/null || echo 0)" set +e security import "$RUNNER_TEMP/ios-dist.p12" -k "$KEYCHAIN" -P "$IOS_P12_PASSWORD" \ -T /usr/bin/codesign -T /usr/bin/security echo "ios_import_rc=$?" set -e rm -f "$RUNNER_TEMP/ios-dist.p12" fi security set-key-partition-list -S apple-tool:,apple:,codesign: \ -s -k "$KEYCHAIN_PASS" "$KEYCHAIN" >/dev/null security list-keychains -d user -s "$KEYCHAIN" login.keychain-db security find-identity -v -p codesigning "$KEYCHAIN" # Non-fatal explainer: if the iOS secret was set but produced no VALID Apple # Distribution identity, name the likely reason and list ALL (incl. invalid) # identities — WITHOUT failing this step, so the macOS release still proceeds. if [ -n "$IOS_P12_B64" ] \ && ! security find-identity -v -p codesigning "$KEYCHAIN" | grep -q "Apple Distribution"; then echo "::warning::IOS_DIST_CERT_P12_B64 set but no VALID 'Apple Distribution' identity — but it may still be usable (see trust verdict below); codesign is less strict than find-identity -v." echo "all codesigning identities (incl. invalid):" security find-identity -p codesigning "$KEYCHAIN" || true echo "--- trust verdict for the Apple Distribution leaf (codeSign policy) ---" security find-certificate -c "Apple Distribution" -p "$KEYCHAIN" > "$RUNNER_TEMP/appledist.pem" 2>/dev/null || true security verify-cert -p codeSign -c "$RUNNER_TEMP/appledist.pem" -k "$KEYCHAIN" 2>&1 || true rm -f "$RUNNER_TEMP/appledist.pem" fi - name: Stage App Store Connect API key env: ASC_P8: ${{ secrets.ASC_API_KEY_P8 }} run: | printf '%s' "$ASC_P8" > "$RUNNER_TEMP/asc.p8" chmod 600 "$RUNNER_TEMP/asc.p8" - name: Archive macOS (unsigned — signed by codesign below) run: | # Archive WITHOUT signing, then codesign with Developer ID in the next step. We do # NOT let xcodebuild sign during archive because the app's keychain-access-groups # entitlement is the "Keychain Sharing" capability, and Xcode's archive gate demands # a provisioning profile for it under BOTH automatic and manual signing — even # though a Developer ID app honours that team-prefixed entitlement at RUNTIME with # no profile (the gate is an Xcode build-phase check, not a real requirement). Raw # codesign has no such gate. Safe because the bundle is a single statically-linked # binary: static PunktfunkCore.xcframework, SPM static products, macOS 14 target (no # embedded Swift dylibs), and no Embed-Frameworks phase — so nothing nested to sign. DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \ -project "$PROJECT" -scheme Punktfunk \ -destination 'generic/platform=macOS' \ -archivePath "$RUNNER_TEMP/Punktfunk-macos.xcarchive" \ MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \ CODE_SIGNING_ALLOWED=NO - name: Sign macOS app (Developer ID, hardened runtime) run: | APP="$RUNNER_TEMP/Punktfunk-macos.xcarchive/Products/Applications/Punktfunk.app" # codesign does NOT expand $(AppIdentifierPrefix) (an Xcode build-setting var), so # resolve it to the real team prefix — otherwise keychain-access-groups would be the # literal string instead of the team-scoped group. RESOLVED="$RUNNER_TEMP/Punktfunk.entitlements" sed "s/\$(AppIdentifierPrefix)/${TEAM_ID}./g" \ clients/apple/Config/Punktfunk.entitlements > "$RESOLVED" # codesign must be pointed at the throwaway keychain explicitly: on this runner the # default keychain search list does not reliably carry across steps, so a bare # --sign "Developer ID Application" reports "no identity found" even though the # import step found it there. Re-assert the search list + default keychain in THIS # step's context (no password needed — it stays unlocked with a codesign-allowed # partition list from the import step) AND scope codesign to it with --keychain. security list-keychains -d user -s "$KEYCHAIN" login.keychain-db security default-keychain -d user -s "$KEYCHAIN" echo "signing identity keychain: $KEYCHAIN" security find-identity -v -p codesigning "$KEYCHAIN" # Inside-out: sign any nested Mach-O first (defensive — the static build normally # has none), then the app bundle with the resolved entitlements + hardened runtime + # secure timestamp, which is what notarization requires. if [ -d "$APP/Contents/Frameworks" ]; then find "$APP/Contents/Frameworks" -depth \( -name '*.framework' -o -name '*.dylib' \) \ -print0 | while IFS= read -r -d '' f; do codesign --force --options runtime --timestamp \ --keychain "$KEYCHAIN" \ --sign "Developer ID Application" "$f" done fi codesign --force --options runtime --timestamp \ --keychain "$KEYCHAIN" \ --entitlements "$RESOLVED" \ --sign "Developer ID Application" "$APP" codesign --verify --strict --verbose=2 "$APP" # Stage where the DMG step expects it ($RUNNER_TEMP/export-devid/Punktfunk.app). mkdir -p "$RUNNER_TEMP/export-devid" rm -rf "$RUNNER_TEMP/export-devid/Punktfunk.app" cp -R "$APP" "$RUNNER_TEMP/export-devid/Punktfunk.app" - name: Notarized DMG run: | STAGE="$RUNNER_TEMP/dmg-stage" mkdir -p "$STAGE" cp -R "$RUNNER_TEMP/export-devid/Punktfunk.app" "$STAGE/" ln -s /Applications "$STAGE/Applications" DMG="$RUNNER_TEMP/Punktfunk-$VERSION.dmg" hdiutil create -volname "Punktfunk" -srcfolder "$STAGE" -ov -format UDZO "$DMG" DEVELOPER_DIR="$XCODE_DEV_DIR" xcrun notarytool submit "$DMG" --wait \ --key "$RUNNER_TEMP/asc.p8" \ --key-id "${{ secrets.ASC_API_KEY_ID }}" \ --issuer "${{ secrets.ASC_API_ISSUER_ID }}" DEVELOPER_DIR="$XCODE_DEV_DIR" xcrun stapler staple "$DMG" echo "DMG=$DMG" >> "$GITHUB_ENV" - name: Attach DMG to Gitea release if: startsWith(gitea.ref, 'refs/tags/') env: TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | API="${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}" # Create the release (409 -> already exists, fetch it instead). ID=$(curl -sf -X POST "$API/releases" \ -H "Authorization: token $TOKEN" -H 'Content-Type: application/json' \ -d "{\"tag_name\":\"$GITHUB_REF_NAME\",\"name\":\"$GITHUB_REF_NAME\"}" \ | python3 -c 'import json,sys;print(json.load(sys.stdin)["id"])' \ || curl -sf "$API/releases/tags/$GITHUB_REF_NAME" -H "Authorization: token $TOKEN" \ | python3 -c 'import json,sys;print(json.load(sys.stdin)["id"])') curl -sf -X POST "$API/releases/$ID/assets?name=Punktfunk-$VERSION.dmg" \ -H "Authorization: token $TOKEN" \ -F "attachment=@$DMG" >/dev/null echo "attached Punktfunk-$VERSION.dmg to release $GITHUB_REF_NAME" - name: Archive iOS + upload to TestFlight if: gitea.event_name != 'workflow_dispatch' || inputs.testflight == 'true' # Best-effort until the App Store Connect app record for io.unom.punktfunk # exists — the upload errors without one. Drop this once TestFlight onboarding # is done so real upload failures fail the run. continue-on-error: true env: IOS_PROFILE_B64: ${{ secrets.IOS_PROFILE_B64 }} run: | # The iOS platform SDK is a separate Xcode component and isn't installed on every # runner; without it `archive` dies with "iOS 26.5 is not installed". Skip cleanly # (this is best-effort anyway) instead of a red step — install it on the runner with # `xcodebuild -downloadPlatform iOS` when iOS/TestFlight is ready to go live. if ! DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild -showsdks 2>/dev/null | grep -q iphoneos; then echo "::warning::iOS platform SDK not installed on this runner — skipping iOS/TestFlight." exit 0 fi # App Store signing: MANUAL with the Apple Distribution identity + an App Store # provisioning profile (IOS_PROFILE_B64). Automatic signing during `archive` resolves # to iOS App *Development* — it wants an Apple Development cert (and tries to revoke # the account's orphaned one) plus a dev profile, neither of which we have or want. # Manual distribution signing skips all of that. Gate on the MATCHING identity list # (find-identity without -v): a fresh cert can be dropped from -v by a pending # revocation check that codesign does NOT enforce. if ! security find-identity -p codesigning "$KEYCHAIN" | grep -q "Apple Distribution"; then echo "::warning::no Apple Distribution identity present — set IOS_DIST_CERT_P12_B64. Skipping iOS/TestFlight." exit 0 fi if [ -z "$IOS_PROFILE_B64" ]; then echo "::warning::IOS_PROFILE_B64 not set — need an App Store provisioning profile for io.unom.punktfunk. Skipping iOS/TestFlight." exit 0 fi # A running Xcode.app actively MANAGES ~/Library/Developer/Xcode/UserData/Provisioning # Profiles — it prunes manually-installed profiles it doesn't recognise from its # account, deleting ours from the very dir xcodebuild reads right before signing # (hence 'No profile matching ...' even though the file was installed). Quit it; # headless CI doesn't need the GUI Xcode and xcodebuild runs independently. osascript -e 'tell application "Xcode" to quit' >/dev/null 2>&1 || true pkill -x Xcode 2>/dev/null || true sleep 2 # Stage the App Store provisioning profile + read its Name/UUID (the archive + # export reference it by name; Xcode finds it by UUID under the profiles dirs). printf '%s' "$IOS_PROFILE_B64" | tr -d '\r\n ' | base64 -d > "$RUNNER_TEMP/appstore.mobileprovision" \ || { echo "::warning::IOS_PROFILE_B64 is not valid base64 — skipping iOS"; exit 0; } echo "profile bytes: $(wc -c < "$RUNNER_TEMP/appstore.mobileprovision")" # A .mobileprovision is a CMS-signed plist — extract it (security, openssl fallback). security cms -D -i "$RUNNER_TEMP/appstore.mobileprovision" \ -o "$RUNNER_TEMP/appstore-profile.plist" 2>"$RUNNER_TEMP/cms.err" \ || openssl smime -inform DER -verify -noverify \ -in "$RUNNER_TEMP/appstore.mobileprovision" \ -out "$RUNNER_TEMP/appstore-profile.plist" 2>>"$RUNNER_TEMP/cms.err" || true if [ ! -s "$RUNNER_TEMP/appstore-profile.plist" ]; then echo "::warning::could not extract the plist from the profile — is IOS_PROFILE_B64 the base64 of the .mobileprovision FILE?" cat "$RUNNER_TEMP/cms.err" 2>/dev/null || true echo "first bytes of decoded profile:"; head -c 64 "$RUNNER_TEMP/appstore.mobileprovision" | xxd | head -2 || true exit 0 fi PROFILE_NAME=$(/usr/libexec/PlistBuddy -c 'Print :Name' "$RUNNER_TEMP/appstore-profile.plist" 2>/dev/null) PROFILE_UUID=$(/usr/libexec/PlistBuddy -c 'Print :UUID' "$RUNNER_TEMP/appstore-profile.plist" 2>/dev/null) case "$PROFILE_UUID" in ""|*[!A-Fa-f0-9-]*) echo "::warning::profile UUID not readable (got: '$PROFILE_UUID') — skipping iOS"; exit 0;; esac for d in "$HOME/Library/MobileDevice/Provisioning Profiles" \ "$HOME/Library/Developer/Xcode/UserData/Provisioning Profiles"; do mkdir -p "$d" cp "$RUNNER_TEMP/appstore.mobileprovision" "$d/$PROFILE_UUID.mobileprovision" done echo "iOS App Store profile: '$PROFILE_NAME' ($PROFILE_UUID)" # Where did it land, and where does xcodebuild look? (manual-signing profile lookup # reads ~/Library/MobileDevice + ~/Library/Developer/Xcode/UserData; confirm HOME.) echo "HOME=$HOME whoami=$(whoami)" echo "--- MobileDevice profiles ---"; ls -la "$HOME/Library/MobileDevice/Provisioning Profiles/" 2>&1 | tail -4 echo "--- UserData profiles ---"; ls -la "$HOME/Library/Developer/Xcode/UserData/Provisioning Profiles/" 2>&1 | tail -4 echo "--- profile team(s) (want F4H37KF6WC) + name ---" /usr/libexec/PlistBuddy -c 'Print :TeamIdentifier' "$RUNNER_TEMP/appstore-profile.plist" 2>/dev/null | head -4 security list-keychains -d user -s "$KEYCHAIN" login.keychain-db security default-keychain -d user -s "$KEYCHAIN" DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \ -project "$PROJECT" -scheme Punktfunk-iOS \ -destination 'generic/platform=iOS' \ -archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \ MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \ CODE_SIGN_STYLE=Manual \ CODE_SIGN_IDENTITY="Apple Distribution" \ DEVELOPMENT_TEAM="$TEAM_ID" \ PROVISIONING_PROFILE_SPECIFIER="$PROFILE_NAME" \ || { echo "=== archive failed — profile dirs AT FAILURE TIME ==="; \ ls -la "$HOME/Library/MobileDevice/Provisioning Profiles/" 2>&1 | tail -4; \ ls -la "$HOME/Library/Developer/Xcode/UserData/Provisioning Profiles/" 2>&1 | tail -4; \ exit 1; } cat > "$RUNNER_TEMP/export-appstore.plist" < methodapp-store-connect destinationupload teamID$TEAM_ID signingStylemanual signingCertificateApple Distribution provisioningProfiles io.unom.punktfunk$PROFILE_NAME EOF DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild -exportArchive \ -archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \ -exportOptionsPlist "$RUNNER_TEMP/export-appstore.plist" \ -exportPath "$RUNNER_TEMP/export-appstore" \ -authenticationKeyPath "$RUNNER_TEMP/asc.p8" \ -authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \ -authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}" - name: Clean up keychain + API key if: always() run: | security default-keychain -d user -s login.keychain-db 2>/dev/null || true [ -n "${KEYCHAIN:-}" ] && security delete-keychain "$KEYCHAIN" 2>/dev/null || true security list-keychains -d user -s login.keychain-db rm -f "$RUNNER_TEMP/asc.p8"