From d1ce9d5a83f6454a8336fe4f3accfca282cac30e Mon Sep 17 00:00:00 2001
From: Michael Bucari-Tovo
Date: Fri, 14 Nov 2025 10:04:14 -0700
Subject: [PATCH] Update Mac Workflow

- Add new repo variables
  - `SIGN_MAC_APP_ON_VALIDATE` will force sign/notarize on the validate workflow (normally only done for releases)
  - `WAIT_FOR_NOTARIZE` Causes the build-mac workflow to wait for apple to notarize the bundle so that it can be stapled. This is usually fast (1-2 mis), but can be very long and may cause workflow runners to time out.
---
 .github/workflows/build-mac.yml | 25 +++++++++++++++----------
 .github/workflows/build.yml     |  4 ++++
 .github/workflows/release.yml   |  1 +
 .github/workflows/validate.yml  |  1 +
 Scripts/Bundle_MacOS.sh         | 10 +++++++---
 5 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml
index 75ba2863..7681b26d 100644
--- a/.github/workflows/build-mac.yml
+++ b/.github/workflows/build-mac.yml
@@ -18,24 +18,24 @@ on:
       type: boolean
     retention-days:
       type: number
+    sign-app:
+      type: boolean
+      description: "Wheather to sign an notorize the app bundle and dmg."
     architecture:
       type: string
       description: "CPU architecture targeted by the build."
       required: true
 
-env:
-  WAIT_FOR_NOTARIZE: true
-
 jobs:
   build:
     name: "macOS-${{ inputs.architecture }}"
     runs-on: macos-latest
     env:
       RUNTIME_ID: "osx-${{ inputs.architecture }}"
-      CAN_SIGN: ${{ secrets.APPLE_TEAM_ID != '' && vars.APPLE_DEV_EMAIL != '' && secrets.APPLE_DEV_PASSWORD != '' }}
+      WAIT_FOR_NOTARIZE: ${{ vars.WAIT_FOR_NOTARIZE == 'true' }}
     steps:
       - uses: apple-actions/import-codesign-certs@v3
-        if: ${{ env.CAN_SIGN == 'true' }}
+        if: ${{ inputs.sign-app }}
         with:
           p12-file-base64: ${{ secrets.DISTRIBUTION_SIGNING_CERT }}
           p12-password: ${{ secrets.DISTRIBUTION_SIGNING_CERT_PW }}
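Review bot: The job-level `WAIT_FOR_NOTARIZE` env added here is never read — the Notarize step in the next hunk evaluates `vars.WAIT_FOR_NOTARIZE == 'true'` directly — so either drop the env entry or have the step test `"$WAIT_FOR_NOTARIZE"` instead, which keeps the policy in one place. The new `sign-app` input has no `default`, which is acceptable because an omitted boolean input evaluates to false, but its description has typos: `description: "Whether to sign and notarize the app bundle and dmg."`. Replacing the `CAN_SIGN` secret-presence check with a caller-supplied flag means a caller can request signing while `DISTRIBUTION_SIGNING_CERT` is unset, and the import step will then fail on an empty p12 instead of skipping; if fail-loud is the intent, say so in the description.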
@@ -74,20 +74,25 @@ jobs:
         run: |
           SCRIPT=./Scripts/Bundle_MacOS.sh
           chmod +rx ${SCRIPT}
-          ${SCRIPT} ./bin "${{ inputs.libation-version }}" "${{ inputs.architecture }}" ${{ env.CAN_SIGN }}
+          ${SCRIPT} ./bin "${{ inputs.libation-version }}" "${{ inputs.architecture }}" "${{ inputs.sign-app }}"
           artifact=$(ls ./bundle)
           echo "artifact=${artifact}" >> "${GITHUB_OUTPUT}"
 
       - name: Notarize bundle
-        if: ${{ env.CAN_SIGN == 'true' }}
+        if: ${{ inputs.sign-app }}
         run: |
-          if [ ${{ env.WAIT_FOR_NOTARIZE }} ]; then
+          if [ ${{ vars.WAIT_FOR_NOTARIZE == 'true' }} ]; then
             WAIT="--wait"
           fi
 
+          echo "::debug::Submitting the disk image for notarization"
+          RESPONSE=$(xcrun notarytool submit ./bundle/${{ steps.bundle.outputs.artifact }} $WAIT --no-progress --apple-id ${{ vars.APPLE_DEV_EMAIL }} --password ${{ secrets.APPLE_DEV_PASSWORD }} --team-id ${{ secrets.APPLE_TEAM_ID }} 2>&1)
+          SUBMISSION_ID=$(echo "$RESPONSE" | awk '/id: / { print $2;exit; }')
-          xcrun notarytool submit ./bundle/${{ steps.bundle.outputs.artifact }} $WAIT --no-progress --apple-id ${{ vars.APPLE_DEV_EMAIL }} --password ${{ secrets.APPLE_DEV_PASSWORD }} --team-id ${{ secrets.APPLE_TEAM_ID }}
+          echo "$RESPONSE"
+          echo "::notice::Noraty Submission Id: $SUBMISSION_ID"
 
-          if [ ${{ env.WAIT_FOR_NOTARIZE }} ]; then
+          if [ ${{ vars.WAIT_FOR_NOTARIZE == 'true' }} ]; then
+            echo "::debug::Stapling the notarization ticket to the disk image"
             xcrun stapler staple "./bundle/${{ steps.bundle.outputs.artifact }}"
           fi
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9880c23d..fe4a90cc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,6 +20,9 @@ on:
     publish-r2r:
       type: boolean
       description: "Whether to publish assemblies as ReadyToRun."
+    release:
+      type: boolean
+      description: "Whether this workflow is being called as a release"
     retention-days:
       type: number
       description: "Number of days the artifacts are to be retained."
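Review bot: Both rewritten `if [ ${{ vars.WAIT_FOR_NOTARIZE == 'true' }} ]; then` lines render to `if [ true ]` or `if [ false ]`, and a single-argument `[ ... ]` only tests for a non-empty string, so the branch is taken either way: `--wait` is always passed and `stapler staple` always runs, which contradicts the variable's stated purpose (the old `env.` form had the same flaw, but the commit re-states both lines). Compare the string instead, `if [ "${{ vars.WAIT_FOR_NOTARIZE }}" = "true" ]; then`, or use the job env the file defines earlier, `if [ "$WAIT_FOR_NOTARIZE" = "true" ]; then`. The new `RESPONSE=$(xcrun notarytool submit ...)` line still splices `secrets.APPLE_DEV_PASSWORD` and `secrets.APPLE_TEAM_ID` into the script as expressions; passing them through the step's `env:` and referencing `"$APPLE_DEV_PASSWORD"` (I believe notarytool also accepts `--password @env:APPLE_DEV_PASSWORD`) keeps the secret out of the expanded script text, and `"./bundle/${{ steps.bundle.outputs.artifact }}"` should be quoted as it already is on the stapler line. Echoing the whole `$RESPONSE` is fine only because the runner masks registered secrets; a short comment stating that assumption would help the next maintainer who adds `set -x`.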
@@ -46,6 +49,7 @@ jobs:
       publish-r2r: ${{ inputs.publish-r2r }}
       retention-days: ${{ inputs.retention-days }}
       architecture: ${{ matrix.architecture }}
+      sign-app: ${{ inputs.release || vars.SIGN_MAC_APP_ON_VALIDATE == 'true' }}
     secrets: inherit
 
   linux:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 867f56e3..0a575e2e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -35,6 +35,7 @@ jobs:
     with:
       libation-version: ${{ needs.prerelease.outputs.version }}
       publish-r2r: true
+      release: true
 
   release:
     needs: [prerelease, build]
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 89877043..892b2680 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -24,6 +24,7 @@ jobs:
   build:
     needs: [get_version]
     uses: ./.github/workflows/build.yml
+    secrets: inherit
     with:
       libation-version: ${{ needs.get_version.outputs.version }}
       retention-days: 14
diff --git a/Scripts/Bundle_MacOS.sh b/Scripts/Bundle_MacOS.sh
index 09bd9d03..d023a10b 100644
--- a/Scripts/Bundle_MacOS.sh
+++ b/Scripts/Bundle_MacOS.sh
@@ -31,7 +31,7 @@ fi
 
 if [ "$SIGN_WITH_KEY" != "true" ]
 then
-    echo "[WARNING] App will fail Gatekeeper verification without valid Apple Team information."
+    echo "::warning:: App will fail Gatekeeper verification without valid Apple Team information."
 fi
 
 BUNDLE=./Libation.app
@@ -80,7 +80,6 @@ mv $BUNDLE_MACOS/background.png ./background.png
 echo "Moving background.png file..."
 mv $BUNDLE_MACOS/Libation.entitlements ./Libation.entitlements
 
-ENTITLEMENTS="./Libation.entitlements"
 PLIST_ARCH=$(echo $ARCH | sed 's/x64/x86_64/')
 
 echo "Set LSArchitecturePriority to $PLIST_ARCH"
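Review bot: `sign-app: ${{ inputs.release || vars.SIGN_MAC_APP_ON_VALIDATE == 'true' }}` lets a repository variable alone cause the distribution certificate and Apple credentials to be loaded into non-release runs, and the `secrets: inherit` added in the validate.yml hunk is what actually makes them reachable there. Whether that is safe depends on validate.yml's triggers, which are outside this diff: if validate runs on `pull_request_target` or on branches untrusted contributors can push to, the signing identity becomes available to unreviewed code. State the intended scope on the line so the next reader does not have to rediscover it, e.g. `# SIGN_MAC_APP_ON_VALIDATE opts non-release builds into signing; keep it off unless validate only runs on trusted triggers`, and consider documenting the same constraint next to the new `secrets: inherit` in validate.yml.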
@@ -103,7 +102,7 @@ identity=$(echo ${all_identities} | sed -n 's/.*"\(.*\)".*/\1/p')
 
 if [ "$SIGN_WITH_KEY" == "true" ]; then
     echo "Signing executables in: $BUNDLE"
-    codesign --force --deep --timestamp --options=runtime --entitlements "$ENTITLEMENTS" --sign "${identity}" "$BUNDLE"
+    codesign --force --deep --timestamp --options=runtime --entitlements "./Libation.entitlements" --sign "${identity}" "$BUNDLE"
     codesign --verify --verbose "$BUNDLE"
 else
     echo "Signing with empty key: $BUNDLE"
@@ -119,6 +118,11 @@ mv background.png Libation/.background/
 ln -s /Applications "./Libation/ "
 mkdir ./bundle
 hdiutil create -srcFolder ./Libation -o "./bundle/$DMG_FILE"
+# Create a .DS_Store by:
+# - mounting an existing image in shadow mode (hdiutil attach Libation.dmg -shadow junk.dmg)
+# - Open the folder and edit it to your liking.
+# - Copy the .DS_Store from the directory and save it to Libation_DS_Store
+
 
 if [ "$SIGN_WITH_KEY" == "true" ]; then
     echo "Signing $DMG_FILE"
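Review bot: The `.DS_Store` recipe comment in the `@@ -119` hunk sits after `hdiutil create`, i.e. after the image content has already been assembled, so a reader following the script top-down meets the instructions at a point where they no longer apply; it presumably belongs beside the line that places `Libation_DS_Store` into the folder (outside this hunk, going by the hunk's context line) or at the top of the script as a maintainer note. The bullets also mix a bare command with prose and inconsistent capitalisation; suggest `# - mount an existing image in shadow mode: hdiutil attach Libation.dmg -shadow junk.dmg` with the other two bullets as lowercase imperatives. In the `@@ -103` hunk the inlined `--entitlements "./Libation.entitlements"` relies on the `mv` performed earlier in the file having run from the same working directory; a one-line comment naming that dependency would make the hard-coded relative path less surprising.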