local_drop/.github/workflows/build-macos.yml at main · Algorithm-LLC/local_drop · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
name: Build macOS (DMG)

on:
  workflow_dispatch:

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  build-macos:
    runs-on: macos-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v5

      - name: Setup Flutter (stable)
        uses: subosito/flutter-action@v2
        with:
          channel: stable
          cache: true

      - name: Flutter pub get
        run: flutter pub get

      - name: Build macOS (release)
        run: flutter build macos --release

      - name: Package DMG (drag & drop)
        shell: bash
        run: |
          set -e
          VERSION=$(grep '^version:' pubspec.yaml | awk '{print $2}' | cut -d'+' -f1)

          APP_SRC="build/macos/Build/Products/Release/LocalDrop.app"
          if [ ! -d "$APP_SRC" ]; then
            echo "ERROR: macOS app not found at $APP_SRC"
            ls -la build/macos/Build/Products/Release || true
            exit 1
          fi

          STAGE_DIR="build/macos/dmg/LocalDrop"
          rm -rf "build/macos/dmg"
          mkdir -p "$STAGE_DIR"

          ENTITLEMENTS_FILE="macos/Runner/Release.entitlements"
          if [ ! -f "$ENTITLEMENTS_FILE" ]; then
            echo "ERROR: entitlements file not found at $ENTITLEMENTS_FILE"
            exit 1
          fi

          # Copy and rename app bundle to requested casing.
          cp -R "$APP_SRC" "$STAGE_DIR/LocalDrop.app"

          # macOS 15+ can refuse to load unsigned embedded frameworks.
          # Ad-hoc sign (no identity) so dyld can load embedded frameworks/plugins.
          # This is the minimum needed to *run* on modern macOS without a paid cert.
          APP_BUNDLE="$STAGE_DIR/LocalDrop.app"

          # Sign nested frameworks/binaries first (more reliable than relying on --deep).
          if [ -d "$APP_BUNDLE/Contents/Frameworks" ]; then
            find "$APP_BUNDLE/Contents/Frameworks" -type d -name "*.framework" -print0 \
              | while IFS= read -r -d '' fw; do
                  codesign --force --sign - "$fw" || true
                done
            find "$APP_BUNDLE/Contents/Frameworks" -type f \( -name "*.dylib" -o -name "*.so" \) -print0 \
              | while IFS= read -r -d '' lib; do
                  codesign --force --sign - "$lib" || true
                done
          fi

          # Sign the app bundle last.
          codesign --force --sign - --entitlements "$ENTITLEMENTS_FILE" "$APP_BUNDLE"
          codesign --verify --deep --strict "$APP_BUNDLE"

          ENTITLEMENTS_DUMP=$(mktemp)
          codesign -d --entitlements :- "$APP_BUNDLE" > "$ENTITLEMENTS_DUMP" 2>/dev/null
          if ! grep -q "com.apple.security.files.user-selected.read-write" "$ENTITLEMENTS_DUMP"; then
            echo "ERROR: staged macOS app is missing user-selected file access entitlements"
            cat "$ENTITLEMENTS_DUMP"
            exit 1
          fi

          ln -s /Applications "$STAGE_DIR/Applications"

          DMG_NAME="LocalDrop-macos-v${VERSION}.dmg"
          hdiutil create \
            -volname "LocalDrop" \
            -srcfolder "$STAGE_DIR" \
            -ov \
            -format UDZO \
            "$DMG_NAME"

          echo "Created $DMG_NAME"

      - name: Upload DMG artifact
        uses: actions/upload-artifact@v6
        with:
          name: LocalDrop-macos
          path: LocalDrop-macos-v*.dmg