From a953146ef1e995b2cc3eb16e981ca8a7947060fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9F=D0=B0=D0=B2=D0=B5=D0=BB=20=D0=96=D1=83=D0=BA=D0=BE?=
 =?UTF-8?q?=D0=B2?= <33721692+LeaveMyYard@users.noreply.github.com>
Date: Sat, 27 May 2023 19:21:58 +0300
Subject: Rework apple certificate, add grapheme fix

---
 .github/workflows/build-on-release.yml | 44 ++++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build-on-release.yml b/.github/workflows/build-on-release.yml
index 93d8d47..6d983cf 100644
--- a/.github/workflows/build-on-release.yml
+++ b/.github/workflows/build-on-release.yml
@@ -31,16 +31,40 @@ jobs:
       run: |
         sudo apt-get install -y binutils
 
-    - name: Build with PyInstaller
-      run: |
-        pyinstaller krr.py
-
-    - name: Sign the application
+    - name: Install the Apple certificate and provisioning profile
       if: matrix.os == 'macos-latest'
       env:
-        APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
+        BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+        P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+        BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
+        KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+      run: |
+        # create variables
+        CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+        PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision
+        KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+        # import certificate and provisioning profile from secrets
+        echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+        echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
+
+        # create temporary keychain
+        security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+        security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+        security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+        # import certificate to keychain
+        security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+        security list-keychain -d user -s $KEYCHAIN_PATH
+
+        # apply provisioning profile
+        mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
+        cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
+
+    - name: Build with PyInstaller
       run: |
-        codesign --force --options runtime --sign "Developer ID Application: pavel@robusta.dev" --keychain-password "$APPLE_DEV_PASSWORD" dist/krr/krr
+        pyinstaller krr.py
+        ${{ fromJSON('{"ubuntu-latest":"cp","macos-latest":"cp","windows-latest":"copy"}')[matrix.os] || matrix.os }} $(python3.9 -c "import grapheme; print(grapheme.__path__[0] + '/data/grapheme_break_property.json')") ./dist/krr/grapheme/data/grapheme_break_property.json
 
     - name: Zip the application
       run: |
@@ -55,3 +79,9 @@ jobs:
         asset_path: ./krr-${{ matrix.os }}-${{ github.ref_name }}.zip
         asset_name: krr-${{ matrix.os }}-${{ github.ref_name }}.zip
         asset_content_type: application/octet-stream
+
+    - name: Clean up keychain and provisioning profile
+      if: (matrix.os == 'macos-latest') && always()
+      run: |
+        security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
+        rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision
-- 
cgit v1.2.3