simpliplay-desktop/.github/workflows/build-macos.yml

name: Build macOS

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  build:
    runs-on: macos-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22

      - name: Clean up caches
        run: |
          npm cache clean --force
          rm -rf ~/Library/Caches/electron-builder          
        working-directory: simpliplay

      - name: Install dependencies
        run: npm install
        working-directory: simpliplay

      # This step creates the DMG with the UI, and the app bundle inside is unsigned.
      # This is the single, simple step that handles the complex parts for you.
      - name: Create unsigned DMGs with UI
        run: npx electron-builder --mac
        working-directory: simpliplay

      # A more robust step to find, sign, and convert all DMGs.
      - name: Sign and finalize DMGs
        run: |
          # Find all DMG files created by Electron Builder.
          DMGS=$(find dist/mac -name "*.dmg" -print)
          
          # Loop through each DMG file.
          for DMG_PATH in $DMGS; do
            echo "Processing DMG: $DMG_PATH"
            
            MOUNT_PATH="/Volumes/electron-builder-dmg"
            
            # Attach the DMG as a read/write volume.
            hdiutil attach "$DMG_PATH" -mountpoint "$MOUNT_PATH"
            
            # The app bundle path inside the mounted DMG.
            APP_PATH="$MOUNT_PATH/SimpliPlay.app"
            
            # Ad-hoc sign the app bundle.
            echo "Signing app at $APP_PATH"
            codesign --force --deep --sign - "$APP_PATH"
            
            # Unmount the DMG.
            hdiutil detach "$MOUNT_PATH"
            
            # Get the output filename for the finalized DMG.
            FINAL_DMG_NAME=$(basename "$DMG_PATH" .dmg)
            FINAL_DMG_PATH="dist/${FINAL_DMG_NAME}-signed.dmg"
            
            # Convert the read/write DMG to a read-only, compressed DMG.
            echo "Converting to compressed, read-only DMG: $FINAL_DMG_PATH"
            hdiutil convert "$DMG_PATH" -format UDZO -o "$FINAL_DMG_PATH"
          done          
        working-directory: simpliplay

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: builds
          path: simpliplay/dist/*-signed.dmg