# Copyright © SixtyFPS GmbH <info@slint.dev>
# SPDX-License-Identifier: GPL-3.0-only OR LicenseRef-Slint-Royalty-free-1.1 OR LicenseRef-Slint-commercial

---
name: Apple Codesign Binary
description: Sign the given binary with the developer certificate

inputs:
    binary:
        description: "Path to binary"
        required: true
        default: ""
    certificate:
        description: "certificate secret"
        required: true
    certificate_password:
        description: "certificate password"
        required: true
    keychain_password:
        description: "keychain password to use"
        required: true
    developer_id:
        description: "developer id to use"
        required: true

runs:
    using: composite
    steps:
        - name: Codesign binary
          shell: bash
          env:
              CERT: ${{ inputs.certificate }}
              CERT_PW: ${{ inputs.certificate_password }}
              KEYCHAIN_PW: ${{ inputs.keychain_password }}
              DEV_ID: ${{ inputs.developer_id }}
          run: |
              echo -n "$CERT" | base64 --decode -o certificate.p12
              security create-keychain -p $KEYCHAIN_PW build.keychain
              security default-keychain -s build.keychain
              security unlock-keychain -p $KEYCHAIN_PW build.keychain
              security import certificate.p12 -k build.keychain -P $CERT_PW -T /usr/bin/codesign
              security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PW build.keychain
              /usr/bin/codesign --force -s $DEV_ID "${{ inputs.binary }}" -v