CI: codesign plugin bundles and optional pkg signing #13
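# Build and release AceForge Bridge AU + VST3 (macOS) on release
#
# Builds the AU and VST3 bundles, code-signs them (ad-hoc when no identity
# secret is configured), wraps them in a zip and a .pkg installer, then either
# attaches both to the GitHub release or uploads them as a workflow artifact.
#
# NOTE(review): no step in this workflow imports a signing certificate into a
# keychain. Confirm the identities named by the secrets are actually available
# on the runner; otherwise the Developer ID branches below fail.
# NOTE(review): signing alone does not notarize the bundles or the pkg. If
# Gatekeeper acceptance is the goal, a notarization + stapling step is still
# needed -- confirm against the release requirements.
name: Build and release plugins (macOS)

on:
  push:
    branches: [main]
  release:
    types: [published]
  workflow_dispatch:

# The write scope is only used by the release-upload step, but it applies to
# every trigger above (push and workflow_dispatch runs get the same token).
permissions:
  contents: write  # Required to upload release assets

jobs:
  build-macos:
    runs-on: macos-latest
    steps:
      # Actions are referenced by mutable tag. For a job that holds signing
      # secrets and a write-scoped token, pinning each `uses:` to a full commit
      # SHA removes the risk of a retargeted tag.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Nothing later in the job runs git against the remote, so do not
          # leave the token in .git/config where build scripts could read it.
          persist-credentials: false

      - name: Setup Xcode
        run: |
          sudo xcode-select -switch /Applications/Xcode.app/Contents/Developer
          xcodebuild -version

      - name: Set compiler environment
        run: |
          echo "CC=/usr/bin/clang" >> "$GITHUB_ENV"
          echo "CXX=/usr/bin/clang++" >> "$GITHUB_ENV"

      - name: Configure CMake
        run: |
          cmake -B build -G Xcode \
            -DCMAKE_OSX_ARCHITECTURES=arm64 \
            -DCMAKE_BUILD_TYPE=Release

      - name: Build
        run: |
          cmake --build build --config Release -- -quiet

      # Find the built bundles by exact name first, then fall back to any
      # bundle with the right extension. Fails the job if either is missing.
      - name: Locate plugin artefacts
        id: artefacts
        run: |
          set -e
          AU=$(find build -name "AceForge Bridge.component" -type d 2>/dev/null | head -1)
          VST3=$(find build -name "AceForge Bridge.vst3" -type d 2>/dev/null | head -1)
          [ -n "$AU" ] || AU=$(find build -name "*.component" -type d 2>/dev/null | head -1)
          [ -n "$VST3" ] || VST3=$(find build -name "*.vst3" -type d 2>/dev/null | head -1)
          echo "au_path=$AU" >> "$GITHUB_OUTPUT"
          echo "vst3_path=$VST3" >> "$GITHUB_OUTPUT"
          echo "Found AU: $AU"
          echo "Found VST3: $VST3"
          if [ -z "$AU" ] || [ -z "$VST3" ]; then
            echo "Plugin artefacts not found. Build tree:"
            find build -type d \( -name "*.component" -o -name "*.vst3" \) 2>/dev/null || true
            exit 1
          fi

      - name: Create zip archives for release
        env:
          # Step outputs are passed through the environment rather than
          # expanded with ${{ }} inside the script, so a path containing
          # quotes or shell metacharacters cannot alter the commands.
          AU_PATH: ${{ steps.artefacts.outputs.au_path }}
          VST3_PATH: ${{ steps.artefacts.outputs.vst3_path }}
        run: |
          mkdir -p release-artefacts
          cp -R "$AU_PATH" "release-artefacts/AceForge Bridge.component"
          cp -R "$VST3_PATH" "release-artefacts/AceForge Bridge.vst3"
          echo "zip_path=release-artefacts/AceForgeBridge-macOS-AU-VST3.zip" >> "$GITHUB_ENV"

      # Sign AU/VST3 (for zip and for pkg). Without secret: ad-hoc.
      # With MACOS_SIGNING_IDENTITY (Developer ID Application): proper sign.
      - name: Codesign plugin bundles
        env:
          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
        run: |
          # An unset secret expands to an empty string; "-" selects ad-hoc signing.
          IDENTITY="${MACOS_SIGNING_IDENTITY:--}"
          echo "Signing plugins with identity: $IDENTITY"
          if [ "$IDENTITY" = "-" ]; then
            xcrun codesign --force --sign - --deep "release-artefacts/AceForge Bridge.component"
            xcrun codesign --force --sign - --deep "release-artefacts/AceForge Bridge.vst3"
          else
            xcrun codesign --force --sign "$IDENTITY" --options runtime --timestamp --deep \
              "release-artefacts/AceForge Bridge.component"
            xcrun codesign --force --sign "$IDENTITY" --options runtime --timestamp --deep \
              "release-artefacts/AceForge Bridge.vst3"
          fi
          # Check the seal before anything is packaged, so a broken or partial
          # signature stops the job instead of shipping.
          xcrun codesign --verify --deep --strict --verbose=2 "release-artefacts/AceForge Bridge.component"
          xcrun codesign --verify --deep --strict --verbose=2 "release-artefacts/AceForge Bridge.vst3"
          cd release-artefacts && zip -r "AceForgeBridge-macOS-AU-VST3.zip" "AceForge Bridge.component" "AceForge Bridge.vst3" && cd ..
          echo "Plugin bundles signed; zip created."

      # The payload mirrors the install layout under / and is built from the
      # already-signed copies in release-artefacts.
      - name: Prepare pkg payload
        run: |
          mkdir -p payload/Library/Audio/Plug-Ins/Components
          mkdir -p payload/Library/Audio/Plug-Ins/VST3
          cp -R "release-artefacts/AceForge Bridge.component" "payload/Library/Audio/Plug-Ins/Components/"
          cp -R "release-artefacts/AceForge Bridge.vst3" "payload/Library/Audio/Plug-Ins/VST3/"

      - name: Build macOS installer (.pkg)
        run: |
          pkgbuild \
            --root payload \
            --identifier com.aceforge.bridge \
            --version 0.1.0 \
            --install-location / \
            release-artefacts/AceForgeBridge-macOS-Installer.pkg
          echo "Installer places AU in /Library/Audio/Plug-Ins/Components and VST3 in /Library/Audio/Plug-Ins/VST3"

      # Sign the .pkg so macOS doesn't show "unidentified developer".
      # Use Developer ID Installer cert.
      # NOTE(review): the fallback to MACOS_SIGNING_IDENTITY hands productsign
      # the identity described above as Developer ID Application; productsign
      # presumably rejects a non-installer identity, which would fail the job
      # rather than sign the pkg -- confirm, and consider dropping the fallback.
      # NOTE(review): when no identity is configured, a release run still
      # publishes the unsigned pkg; decide whether release events should fail.
      - name: Codesign installer (.pkg)
        env:
          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
          MACOS_INSTALLER_SIGNING_IDENTITY: ${{ secrets.MACOS_INSTALLER_SIGNING_IDENTITY }}
        run: |
          IDENTITY="${MACOS_INSTALLER_SIGNING_IDENTITY:-$MACOS_SIGNING_IDENTITY}"
          IDENTITY="${IDENTITY:--}"
          if [ "$IDENTITY" != "-" ] && [ -n "$IDENTITY" ]; then
            echo "Signing installer pkg with identity: $IDENTITY"
            mv release-artefacts/AceForgeBridge-macOS-Installer.pkg release-artefacts/AceForgeBridge-macOS-Installer-unsigned.pkg
            productsign --sign "$IDENTITY" --timestamp \
              release-artefacts/AceForgeBridge-macOS-Installer-unsigned.pkg \
              release-artefacts/AceForgeBridge-macOS-Installer.pkg
            rm release-artefacts/AceForgeBridge-macOS-Installer-unsigned.pkg
            # Confirm the signature actually landed on the file that ships.
            pkgutil --check-signature release-artefacts/AceForgeBridge-macOS-Installer.pkg
            echo "Installer pkg signed."
          else
            echo "No signing identity secret; installer pkg is unsigned (plugins are ad-hoc signed)."
          fi

      # Third-party action that receives the write-scoped token: the strongest
      # candidate in this file for pinning to a commit SHA.
      - name: Upload release assets
        if: github.event_name == 'release'
        uses: softprops/action-gh-release@v2
        with:
          files: |
            release-artefacts/AceForgeBridge-macOS-AU-VST3.zip
            release-artefacts/AceForgeBridge-macOS-Installer.pkg
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload artefacts (push / workflow_dispatch or no release)
        if: github.event_name != 'release' || github.event.release == null
        uses: actions/upload-artifact@v4
        with:
          name: AceForgeBridge-macOS-plugins
          path: release-artefacts/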