GHA MacOS Only Sign/Notarize if self repo (#5437)

2025-12-12 07:40:30 -08:00 · 2025-01-10 16:46:05 -05:00
parent 59ca4397e2
commit 2b3c47148e
2 changed files with 42 additions and 31 deletions
--- a/.github/workflows/desktop-build.yml
+++ b/.github/workflows/desktop-build.yml
@@ -270,6 +270,8 @@ jobs:
        # https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories
        # https://github.com/actions/runner-images?tab=readme-ov-file#available-images
        run: |
+          if [[ -n "$MACOS_CERTIFICATE_NAME" ]]
+          then
            echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
            security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
            security default-keychain -s build.keychain
@@ -277,6 +279,7 @@ jobs:
            security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
            security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
            security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+          fi
          .ci/compile.sh --server --parallel ${{matrix.core_count}}

      - name: Sign app bundle
@@ -285,8 +288,11 @@ jobs:
          MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
          MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
        run: |
+          if [[ -n "$MACOS_CERTIFICATE_NAME" ]]
+          then
            security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
            /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose ${{steps.build.outputs.path}}
+          fi

      - name: Notarize app bundle
        if: matrix.make_package
@@ -295,6 +301,8 @@ jobs:
          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
          MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
        run: |
+          if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]
+          then
            # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
            echo "Create keychain profile"
            xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
@@ -316,6 +324,7 @@ jobs:
            # validated by macOS even when an internet connection is not available.
            echo "Attach staple"
            xcrun stapler staple ${{steps.build.outputs.path}}
+          fi

      - name: Upload artifact
        if: matrix.make_package
--- a/cmake/SignMacApplications.cmake
+++ b/cmake/SignMacApplications.cmake
@@ -1,6 +1,8 @@
 # This script re-signs all apps after CPack packages them. This is necessary because CPack modifies
 # the library references used by Cockatrice to App relative paths, invalidating the code signature.
-if(APPLE)
+string(LENGTH $ENV{MACOS_CERTIFICATE_NAME} MACOS_CERTIFICATE_NAME_LEN)
+
+if(APPLE AND MACOS_CERTIFICATE_NAME_LEN GREATER 0)
  set(APPLICATIONS "cockatrice" "servatrice" "oracle" "dbconverter")
  foreach(app_name IN LISTS APPLICATIONS)
    set(FULL_APP_PATH "${CPACK_TEMPORARY_INSTALL_DIRECTORY}/${app_name}.app")