name: Apple Codesigning
description: Codesigns macOS binaries

inputs:
  p12-file-base64:
    description: Base64 encoded p12 file
    required: true
  p12-password:
    description: Password for p12 file
    required: true
  identity:
    description: Identity to use for signing
    required: true
  paths:
    description: paths to sign
    required: true

runs:
  using: composite
  steps:
    # Only runs on macOS
    - name: Check platform
      shell: sh
      run: |
        if [[ "$RUNNER_OS" != "macOS" ]]; then
          echo "This action only runs on macOS"
          exit 1
        fi

    # the next three steps bless our code for Apple. It might be the case they should be
    # encapulated separately.
    # FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
    # ago, and we need bugfixes.
    # FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
    # github has a doc with similar content, but it's not returning to me atm.

    # apple-actions/import-codesign-certs will fail if the keychain already exists, so we prophylactically
    # delete it if it does.
    - name: Delete keychain
      shell: sh
      run: security delete-keychain signing_temp.keychain || true

    - uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
      with:
        p12-file-base64: ${{ inputs.p12-file-base64 }}
        p12-password: ${{ inputs.p12-password }}

    - name: Create file list
      shell: sh
      id: files
      run: |
        echo "sign<<EOF" >> $GITHUB_OUTPUT
        /usr/bin/find $PATHS \
          -type f \
          -not -name '*.py' \
          -not -name '*.pyc' \
          -not -name '*.txt' \
          -not -name '*.h' | \
          /usr/bin/sed -e 's/ /\\ /g' >> $GITHUB_OUTPUT
        echo "EOF" >> $GITHUB_OUTPUT

        # `tea` won't pass strict checking due to a deno bug with the way
        # MachO headers are created
        # https://github.com/denoland/deno/issues/17753
        echo "check<<EOF" >> $GITHUB_OUTPUT
        /usr/bin/find $PATHS \
          -type f \
          -not -name '*.py' \
          -not -name '*.pyc' \
          -not -name '*.txt' \
          -not -name '*.h' \
          -not -name tea | \
          /usr/bin/sed -e 's/ /\\ /g' >> $GITHUB_OUTPUT
        echo "EOF" >> $GITHUB_OUTPUT
      env:
        PATHS: ${{ inputs.paths }}

    - name: Codesign files
      shell: sh
      run: |
        echo "$FILES" | \
          /usr/bin/xargs /usr/bin/codesign -s "$IDENTITY" --force -v --timestamp || true
      env:
        FILES: ${{ steps.files.outputs.sign }}
        IDENTITY: ${{ inputs.identity }}

    # This isn't very informative, but even a no-op is safer than none
    - name: Check codesigning
      shell: sh
      run: echo "$FILES" | /usr/bin/xargs /usr/bin/codesign -vvv --strict
      env:
        FILES: ${{ steps.files.outputs.check }}

    # Needed for self-hosted runner, since it doesn't destroy itself automatically.
    - name: Delete keychain
      if: always()
      shell: sh
      run: security delete-keychain signing_temp.keychain