.github/workflows/pro-release.yaml

name: Pro Release

on:
  push:
    tags:
      - '*v'
  workflow_run:
    workflows:
      - 'Pro Bump'
    types:
      - completed

permissions:
  contents: write

env:
  TAG: ${{ github.sha }}
  appcast: ''
  Identity: ''
  SCHEME: GitOK
  DESTINATION: 'generic/platform=macOS'
  ArchivePath: './myapp'
  BuildPath: './temp'
  BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}

jobs:
  build_with_signing:
    runs-on: macos-15
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: main
      - name: 读取版本号
        run: |
          # 读取配置文件路径
          projectFile=$(find $(pwd) ! -path "*Resources*" -type f -name "*.pbxproj" | head -n 1)

          # 读取文件中的版本号
          version=$(grep -o 'MARKETING_VERSION = [^"]*' $projectFile | head -n 1 | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+')

          echo "版本号->$version"

          build=$(agvtool what-version -terse)

          echo "TAG=v$version" >> $GITHUB_ENV
      # https://docs.github.com/zh/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
      - name: Install the Apple certificate and provisioning profile
        env:
          P12_PASSWORD: ${{ secrets.BUILD_CERTIFICATE_P12_PASSWORD }}
          BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64_GITOK_MACOS }}
          KEYCHAIN_PASSWORD: 'xxx'
        run: |
          # create variables
          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
          PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

          # import certificate and provisioning profile from secrets
          echo -n "${{ env.BUILD_CERTIFICATE_BASE64 }}" | base64 --decode -o $CERTIFICATE_PATH
          echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH

          # create temporary keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

          # import certificate to keychain
          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security list-keychain -d user -s $KEYCHAIN_PATH

          # apply provisioning profile
          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
          cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
      - name: 生成 App Store Connect API 的 AuthKey
        run: |
          mkdir -p ./private_keys
          echo -n "${{ secrets.APP_STORE_CONNECT_KEY_BASE64 }}" | base64 --decode -o ./private_keys/AuthKey_${{ secrets.APP_STORE_CONNECT_KEY_ID }}.p8
      - run: security find-identity -v
      # Build
      - name: Build
        run: xcodebuild -scheme ${{ env.SCHEME }} -configuration Release -derivedDataPath ${{ env.BuildPath }} clean build

      - name: find identity
        run: |
          i=$(security find-identity -v -p codesigning | grep '^[[:space:]]*1)' | awk -F'[(|)]' '{print $3}')
          echo "Identity=$i" >> $GITHUB_ENV

      # Codesign sparkle
      - name: Codesign sparkle
        run: |
          codesign -f -s ${{ env.Identity }} -o runtime temp/Build/Products/Release/${{ env.SCHEME }}.app/Contents/Frameworks/Sparkle.framework/Versions/B/XPCServices/Installer.xpc
          codesign -f -s ${{ env.Identity }} -o runtime --preserve-metadata=entitlements temp/Build/Products/Release/${{ env.SCHEME }}.app/Contents/Frameworks/Sparkle.framework/Versions/B/XPCServices/Downloader.xpc
          codesign -f -s ${{ env.Identity }} -o runtime temp/Build/Products/Release/${{ env.SCHEME }}.app/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate
          codesign -f -s ${{ env.Identity }} -o runtime temp/Build/Products/Release/${{ env.SCHEME }}.app/Contents/Frameworks/Sparkle.framework/Versions/B/Updater.app
          codesign -f -s ${{ env.Identity }} -o runtime temp/Build/Products/Release/${{ env.SCHEME }}.app/Contents/Frameworks/Sparkle.framework

      # Codesign
      - name: Codesign
        run: |
          codesign --force -s ${{ env.Identity }} --option=runtime temp/Build/Products/Release/${{ env.SCHEME }}.app

      - name: Codesign Check
        run: codesign -dv temp/Build/Products/Release/${{ env.SCHEME }}.app

      - name: Codesign Check 2
        continue-on-error: true
        run: codesign -vvv --deep --strict temp/Build/Products/Release/${{ env.SCHEME }}.app

      - name: Create DMG
        run: |
          npm i -g create-dmg
          create-dmg "temp/Build/Products/Release/${{ env.SCHEME }}.app"
          for file in *.dmg; do
              mv "$file" "${file// /-}"
          done
          ls -alh

      - name: Notary
        continue-on-error: true
        run: |
          file=$(find . -maxdepth 1 -type f -name "*.dmg" | head -n 1)
          xcrun notarytool submit "$file" \
            --key ./private_keys/AuthKey_${{ secrets.APP_STORE_CONNECT_KEY_ID }}.p8 \
            --key-id=${{ secrets.APP_STORE_CONNECT_KEY_ID }} \
            --issuer ${{ secrets.APP_STORE_CONNECT_KEY_ISSER_ID }} \
            --wait \
            --timeout 10m
          stapler staple "$file"

          # 如果出现错误，查询日志
          # xcrun notarytool log f66d58e3-d03a-4202-937e-5fca4e7cea83 
          #   --key ./private_keys/AuthKey_${{ secrets.APP_STORE_CONNECT_KEY_ID }}.p8 \
          #   --key-id ${{ secrets.APP_STORE_CONNECT_KEY_ID }} \
          #   --issuer ${{ secrets.APP_STORE_CONNECT_KEY_ISSER_ID }}
      - name: 公证结果
        continue-on-error: true
        run: |
          file=$(find . -maxdepth 1 -type f -name "*.dmg" | head -n 1)
          stapler validate "$file"
      # - name: Generate Changelog
      #   run: echo ""> ${{ github.workspace }}-CHANGELOG.txt
      - name: Check
        run: |
          ls -alh
          mkdir updates
          cp *.dmg updates/
          echo "the updates is in ${{ github.workspace }}/updates"
          ls -alh updates
      - name: generate appcast
        continue-on-error: true
        run: |
          pwd
          xcodebuild -resolvePackageDependencies
          cd $(ls -d ~/Library/Developer/Xcode/DerivedData/${{ env.SCHEME }}*/ | head -n 1)
          cd SourcePackages/artifacts/sparkle/Sparkle/bin
          echo "${{ secrets.SPARKLE_PRIVATE_KEY_GITOK }}" | ./generate_appcast --ed-key-file - ${{ github.workspace }}/updates

      - name: make appcast.xml
        run: |
          pwd
          cd updates

          # 获取第一个 dmg 文件的名字
          dmg_file=$(ls *.dmg 2>/dev/null | head -n 1)

          echo $dmg_file

          # 使用 sed 替换 enclosure 中 url 的内容
          u="https://github.com/CofficLab/GitOK/releases/latest/download/$dmg_file" 

          echo $u

          # 使用 sed 替换 enclosure 中的 url
          sed -i '' "s|\(enclosure url=\"\)[^\"]*|\1$u|" "appcast.xml"

          mv appcast.xml ../appcast.xml
      - uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ env.TAG }}
          # body_path: ${{ github.workspace }}-CHANGELOG.txt
          prerelease: false
          files: |
            ./updates/*.dmg
            ./appcast.xml

      - name: 推送到仓库
        uses: stefanzweifel/git-auto-commit-action@v4
        with:
          commit_message: '🎨 Update appcast.yml'
          commit_user_name: GitHub Action
          file_pattern: 'appcast.xml'