fish-shell/.github/workflows/mac_codesign.yml

name: macOS build and codesign

on:
  workflow_dispatch: # Enables manual trigger from GitHub UI

jobs:
  build-and-code-sign:
    runs-on: macos-latest
    environment: macos-codesign
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: ./.github/actions/rust-toolchain@oldest-supported
        with:
          targets: x86_64-apple-darwin
      - name: Install Rust Stable
        uses: ./.github/actions/rust-toolchain@stable
        with:
          targets: aarch64-apple-darwin
      - name: build-and-codesign
        run: |
          cargo install apple-codesign
          mkdir -p "$FISH_ARTEFACT_PATH"
          echo "$MAC_CODESIGN_APP_P12_BASE64" | base64 --decode > /tmp/app.p12
          echo "$MAC_CODESIGN_INSTALLER_P12_BASE64" | base64 --decode > /tmp/installer.p12
          echo "$MACOS_NOTARIZE_JSON" > /tmp/notarize.json
          ./build_tools/make_pkg.sh -s -f /tmp/app.p12 -i /tmp/installer.p12 -p "$MAC_CODESIGN_PASSWORD" -n -j /tmp/notarize.json
          rm /tmp/installer.p12 /tmp/app.p12 /tmp/notarize.json
        env:
          MAC_CODESIGN_APP_P12_BASE64: ${{ secrets.MAC_CODESIGN_APP_P12_BASE64 }}
          MAC_CODESIGN_INSTALLER_P12_BASE64: ${{ secrets.MAC_CODESIGN_INSTALLER_P12_BASE64 }}
          MAC_CODESIGN_PASSWORD: ${{ secrets.MAC_CODESIGN_PASSWORD }}
          MACOS_NOTARIZE_JSON: ${{ secrets.MACOS_NOTARIZE_JSON }}
          # macOS runners keep having issues loading Cargo.toml dependencies from git (GitHub) instead
          # of crates.io, so give this a try. It's also sometimes significantly faster on all platforms.
          CARGO_NET_GIT_FETCH_WITH_CLI: true
          FISH_ARTEFACT_PATH: /tmp/fish-built
      - uses: actions/upload-artifact@v4
        with:
          name: macOS Artefacts
          path: /tmp/fish-built/*
          if-no-files-found: error