From 86b4c0696d9ff64dda449be876017536b33ab587 Mon Sep 17 00:00:00 2001
From: Martin Pulec <martin.pulec@cesnet.cz>
Date: Fri, 9 Feb 2024 16:03:20 +0100
Subject: [PATCH] CI mac: move signing key import to environment.sh

The signing key is actually needed in the ccpp.yml workflow earlier than
`prepare.sh` is run, namely in cache-macos-nonfree-sdks step.
---
 .github/scripts/environment.sh   | 20 ++++++++++++++++++++
 .github/scripts/macOS/prepare.sh | 21 ---------------------
 .github/workflows/ccpp.yml       |  6 +++---
 3 files changed, 23 insertions(+), 24 deletions(-)

diff --git a/.github/scripts/environment.sh b/.github/scripts/environment.sh
index 6db3e956b..f053425d7 100644
--- a/.github/scripts/environment.sh
+++ b/.github/scripts/environment.sh
@@ -96,3 +96,23 @@ if [ "$(uname -s)" = Darwin ] && [ "$(uname -m)" != arm64 ]; then
         printf 'UG_ARCH=-msse4.2\n' >> "$GITHUB_ENV"
 fi
 
+import_signing_key() {
+        if [ "$(uname -s)" != Darwin ] || [ -z "$apple_key_p12_b64" ]; then
+                return 0
+        fi
+        # Inspired by https://www.update.rocks/blog/osx-signing-with-travis/
+        KEY_CHAIN=build.keychain
+        KEY_CHAIN_PASS=build
+        KEY_FILE=/tmp/signing_key.p12
+        KEY_FILE_PASS=dummy
+        echo "$apple_key_p12_b64" | base64 -d > $KEY_FILE
+        security create-keychain -p $KEY_CHAIN_PASS $KEY_CHAIN || true
+        security default-keychain -s $KEY_CHAIN
+        security unlock-keychain -p $KEY_CHAIN_PASS $KEY_CHAIN
+        security import "$KEY_FILE" -A -P "$KEY_FILE_PASS"
+        security set-key-partition-list -S apple-tool:,apple: -s -k $KEY_CHAIN_PASS $KEY_CHAIN
+        printf '%b' "KEY_CHAIN_PASS=$KEY_CHAIN_PASS\nKEY_CHAIN=$KEY_CHAIN\n" \
+                >> "$GITHUB_ENV"
+}
+import_signing_key
+
diff --git a/.github/scripts/macOS/prepare.sh b/.github/scripts/macOS/prepare.sh
index 3380a73a2..31e759ea6 100755
--- a/.github/scripts/macOS/prepare.sh
+++ b/.github/scripts/macOS/prepare.sh
@@ -13,25 +13,6 @@ if [ -z "${GITHUB_ENV-}" ]; then
         GITHUB_PATH=/dev/null
 fi
 
-import_signing_key() {
-        if [ -z "$apple_key_p12_b64" ]; then
-                return 0
-        fi
-        # Inspired by https://www.update.rocks/blog/osx-signing-with-travis/
-        KEY_CHAIN=build.keychain
-        KEY_CHAIN_PASS=build
-        KEY_FILE=/tmp/signing_key.p12
-        KEY_FILE_PASS=dummy
-        echo "$apple_key_p12_b64" | base64 -d > $KEY_FILE
-        security create-keychain -p $KEY_CHAIN_PASS $KEY_CHAIN || true
-        security default-keychain -s $KEY_CHAIN
-        security unlock-keychain -p $KEY_CHAIN_PASS $KEY_CHAIN
-        security import "$KEY_FILE" -A -P "$KEY_FILE_PASS"
-        security set-key-partition-list -S apple-tool:,apple: -s -k $KEY_CHAIN_PASS $KEY_CHAIN
-        printf '%b' "KEY_CHAIN_PASS=$KEY_CHAIN_PASS\nKEY_CHAIN=$KEY_CHAIN\n" \
-                >> "$GITHUB_ENV"
-}
-
 export CPATH=/usr/local/include
 export DYLIBBUNDLER_FLAGS="${DYLIBBUNDLER_FLAGS:+$DYLIBBUNDLER_FLAGS }-s /usr/local/lib"
 export LIBRARY_PATH=/usr/local/lib
@@ -49,8 +30,6 @@ echo "PKG_CONFIG_PATH=/usr/local/lib/pkgconfig" >> "$GITHUB_ENV"
 echo "/usr/local/opt/qt/bin" >> "$GITHUB_PATH"
 echo "DYLIBBUNDLER_FLAGS=$DYLIBBUNDLER_FLAGS" >> "$GITHUB_ENV"
 
-import_signing_key
-
 brew install autoconf automake libtool pkg-config \
         asciidoctor
 brew install libsoxr speexdsp
diff --git a/.github/workflows/ccpp.yml b/.github/workflows/ccpp.yml
index fc454cd1c..5000e1341 100644
--- a/.github/workflows/ccpp.yml
+++ b/.github/workflows/ccpp.yml
@@ -165,6 +165,8 @@ jobs:
         echo "nonfree=$($GITHUB_WORKSPACE/.github/scripts/get-etags.sh $SDK_URL/VideoMaster_SDK_MacOSX.zip)" >> $GITHUB_OUTPUT
         echo "ndi=$($GITHUB_WORKSPACE/.github/scripts/get-etags.sh https://downloads.ndi.tv/SDK/NDI_SDK_Mac/Install_NDI_SDK_v5_Apple.pkg)" >> $GITHUB_OUTPUT
         echo "ximea=$($GITHUB_WORKSPACE/.github/scripts/get-etags.sh https://www.ximea.com/downloads/recent/XIMEA_OSX_SP.dmg)" >> $GITHUB_OUTPUT
+    - name: Set environment
+      run: . .github/scripts/environment.sh
     - name: Cache Non-Free SDKs
       id: cache-macos-nonfree-sdks
       uses: actions/cache@main
@@ -198,9 +200,7 @@ jobs:
       if: steps.cache-ndi.outputs.cache-hit != 'true'
       run: curl -L https://downloads.ndi.tv/SDK/NDI_SDK_Mac/Install_NDI_SDK_v5_Apple.pkg -o /private/var/tmp/Install_NDI_SDK_Apple.pkg
     - name: bootstrap
-      run: |
-        . .github/scripts/environment.sh
-        .github/scripts/macOS/prepare.sh
+      run: .github/scripts/macOS/prepare.sh
     - name: configure
       run: "ARCH=$UG_ARCH ./autogen.sh $FEATURES || { RC=$?; cat config.log; exit $RC; }"
     - name: make bundle