From aa640fa29b5c798d379d25640e195ce20af66e08 Mon Sep 17 00:00:00 2001
From: Mitchell Hashimoto <mitchell.hashimoto@gmail.com>
Date: Tue, 14 Feb 2023 11:58:53 -0800
Subject: [PATCH] ci: build macos app

---
 .github/workflows/test.yml | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 944bd537d..214f6df1c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -53,16 +53,42 @@ jobs:
         submodules: recursive
         fetch-depth: 0
 
+    - name: Install Signing Certificates
+      env:
+        MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
+        MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
+        MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
+        MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
+      run: |
+        # Turn our base64-encoded certificate back to a regular .p12 file
+        echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+
+        # We need to create a new keychain, otherwise using the certificate will prompt
+        # with a UI dialog asking for the certificate password, which we can't
+        # use in a headless CI environment
+        security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+        security set-keychain-settings -lut 21600 build.keychain
+        security default-keychain -s build.keychain
+        security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+        security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+
     # Install Nix and use that to run our tests so our environment matches exactly.
     - uses: cachix/install-nix-action@v19
       with:
         nix_path: nixpkgs=channel:nixos-unstable
 
-    # Cross-compile the binary. We always use static building for this
-    # because its the only way to access the headers.
-    - name: Test Build
+    # GhosttyKit is the framework that is built from Zig for our native
+    # Mac app to access.
+    - name: Build GhosttyKit
       run: nix develop -c zig build -Dstatic=true
 
+    # The native app is built with native XCode tooling. This also does
+    # codesigning. IMPORTANT: this must NOT run in a Nix environment.
+    # Nix breaks xcodebuild so this has to be run outside.
+    - name: Build Ghostty.app
+      run: cd macos && xcodebuild
+
   test:
     strategy:
       matrix: