From a7e076f2ffd8a53017f52259716295aab0cee54c Mon Sep 17 00:00:00 2001
From: Tim Angus
Date: Tue, 16 Sep 2025 14:53:07 +0100
Subject: [PATCH] Import macOS code signing certificate from environment variables
---
 .github/workflows/build.yml | 8 ++++++++
 misc/ci-macos-import-codesign-cert.sh | 24 ++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100755 misc/ci-macos-import-codesign-cert.sh
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4d33fada..6cc14b3e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -122,6 +122,14 @@ jobs:
 runs-on: macos-13
 steps:
 - uses: actions/checkout@v4
+ - name: Import Code Signing Certificate
+ if: github.ref_name == 'main'
+ run: |
+ misc/ci-macos-import-codesign-cert.sh
+ echo "APPLE_CERTIFICATE_ID=${{ secrets.APPLE_CERTIFICATE_ID }}" >> $GITHUB_ENV
+ env:
+ APPLE_CERTIFICATE_P12_BASE64: ${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }}
+ APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
 - name: Compile
 run: |
 cmake -S . -B build -G Ninja -DCMAKE_BUILD_TYPE=Release
diff --git a/misc/ci-macos-import-codesign-cert.sh b/misc/ci-macos-import-codesign-cert.sh
new file mode 100755
index 00000000..061f6c65
--- /dev/null
+++ b/misc/ci-macos-import-codesign-cert.sh
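Review bot: The secret is interpolated straight into the generated shell script on the `echo "APPLE_CERTIFICATE_ID=${{ secrets.APPLE_CERTIFICATE_ID }}" >> $GITHUB_ENV` line, which is the expression-injection pattern GitHub's hardening guide warns against; the value is admin-controlled so the risk is lower than with event data, but it still lands unquoted inside a script, and `$GITHUB_ENV` is unquoted as well. Route it through the step's `env:` block like the other two secrets and write `echo "APPLE_CERTIFICATE_ID=$APPLE_CERTIFICATE_ID" >> "$GITHUB_ENV"`, so the shell only ever sees a variable expansion. Separately, `if: github.ref_name == 'main'` is true for any ref whose short name is `main`, including a tag of that name; `if: github.ref == 'refs/heads/main'` pins the step to the branch. The workflow's `on:` triggers and the job header are outside the hunk, so whether pull_request runs can reach this step cannot be confirmed from here.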
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+set -e
+
+CERTIFICATE_P12_FILE=certificate.p12
+
+if [ -n "${APPLE_CERTIFICATE_P12_BASE64}" ] && [ -n "${APPLE_CERTIFICATE_PASSWORD}" ]
+then
+ echo ${APPLE_CERTIFICATE_P12_BASE64} | base64 --decode > ${CERTIFICATE_P12_FILE}
+
+ echo "Creating keychain..."
+ KEYCHAIN_PASSWORD=$(openssl rand -hex 12)
+ security create-keychain -p ${KEYCHAIN_PASSWORD} build.keychain
+ security default-keychain -s build.keychain
+ security unlock-keychain -p ${KEYCHAIN_PASSWORD} build.keychain
+
+ echo "Importing certificate into keychain..."
+ security import ${CERTIFICATE_P12_FILE} -k build.keychain \
+ -P ${APPLE_CERTIFICATE_PASSWORD} -T /usr/bin/codesign
+ security set-key-partition-list -S apple-tool:,apple: -s \
+ -k ${KEYCHAIN_PASSWORD} build.keychain
+
+ rm -rf ${CERTIFICATE_P12_FILE}
+fi
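Review bot: The decoded private key is written to `certificate.p12` in the current directory, which when invoked from the workflow step is the repository checkout, and it is removed only on the success path: with `set -e`, a failing `security import` exits before the `rm -rf`, leaving the p12 on disk where a later packaging or artifact-upload step could sweep it up. Create it under the runner's temp directory and clean up on every exit: `CERTIFICATE_P12_FILE=$(mktemp "${RUNNER_TEMP:-/tmp}/cert.p12.XXXXXX")`, `trap 'rm -f "$CERTIFICATE_P12_FILE"' EXIT`, `printf '%s' "$APPLE_CERTIFICATE_P12_BASE64" | base64 --decode > "$CERTIFICATE_P12_FILE"`. The `-P ${APPLE_CERTIFICATE_PASSWORD}` argument should also be double-quoted, since a password containing whitespace or glob characters is word-split by the shell before `security` sees it, and unlike the two `[ -n ... ]` tests above it is currently unquoted. Note as well that the keychain is unlocked but no `security set-keychain-settings` timeout is applied; if the build runs longer than the keychain's default auto-lock interval, codesign may find it locked again, which is worth confirming against the runner image.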