name: pkgx/pantry/setup-codesign
description: Codesigns macOS binaries using Apple tools

inputs:
  p12-file-base64:
    description: Base64 encoded p12 file
    required: true
  p12-password:
    description: Password for p12 file
    required: true
  APPLE_IDENTITY:
    required: false

runs:
  using: composite
  steps:
    # - name: purge tool PATH
    #   run: |
    #     if [ -d /usr/local/bin ]; then
    #       tmp=$(mktemp -d)
    #       sudo mv /usr/local/bin $tmp
    #     fi
    #   shell: bash

    - name: export APPLE_IDENTITY
      run: echo 'APPLE_IDENTITY=${{inputs.identity || '-'}}' >> $GITHUB_ENV
      shell: bash

    # the next three steps bless our code for Apple. It might be the case they should be
    # encapulated separately.
    # FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
    # ago, and we need bugfixes.
    # FIXME: replace this with a pkgx script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
    # github has a doc with similar content, but it's not returning to me atm.

    # apple-actions/import-codesign-certs will fail if the keychain already exists, so we prophylactically
    # delete it if it does.
    - name: Delete keychain
      shell: sh
      if: runner.os == 'macOS' && inputs.p12-file-password && inputs.p12-file-base64
      run: security delete-keychain signing_temp.keychain || true

    - uses: apple-actions/import-codesign-certs@v2
      if: runner.os == 'macOS' && inputs.p12-file-password && inputs.p12-file-base64
      with:
        p12-file-base64: ${{ inputs.p12-file-base64 }}
        p12-password: ${{ inputs.p12-password }}

    # Needed for self-hosted runner, since it doesn't destroy itself automatically.
    - name: Delete keychain
      uses: webiny/action-post-run@3.0.0
      if: runner.os == 'macOS' && inputs.p12-file-password && inputs.p12-file-base64
      with:
        run: security delete-keychain signing_temp.keychain