name: macOS build and codesign

on:
  workflow_dispatch: # Enables manual trigger from GitHub UI

jobs:
  build-and-code-sign:
    runs-on: macos-latest
    environment: macos-codesign
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@1.70
        with:
          components: apple-codesign
      - name: build
        run: |
          echo "$MAC_CODESIGN_APP_P12_BASE64" | base64 --decode > /tmp/app.p12
          echo "$MAC_CODESIGN_INSTALLER_P12_BASE64" | base64 --decode > /tmp/installer.p12
          ./build_tools/make_pkg.sh -s -f /tmp/app.p12 -i /tmp/installer.p12 -p "$MAC_CODESIGN_PASSWORD"
          rm /tmp/installer.p12 /tmp/app.p12
        env:
          MAC_CODESIGN_APP_P12_BASE64: ${{ secrets.MAC_CODESIGN_APP_P12_BASE64 }}
          MAC_CODESIGN_INSTALLER_P12_BASE64: ${{ secrets.MAC_CODESIGN_INSTALLER_P12_BASE64 }}
          MAC_CODESIGN_PASSWORD: ${{ secrets.MAC_CODESIGN_PASSWORD }}
          # macOS runners keep having issues loading Cargo.toml dependencies from git (GitHub) instead
          # of crates.io, so give this a try. It's also sometimes significantly faster on all platforms.
          CARGO_NET_GIT_FETCH_WITH_CLI: true
          FISH_ARTEFACT_PATH: /tmp/fish-built