[email protected] (#18)

- added new inputs
  - `test-groups`: One or more test groups to automatically add to the build when uploading to TestFlight. When using multiple groups, separate them with commas.
  - `archive-type`: The archive type to use when exporting macOS applications when not uploading to the App Store. Can be one of `app` or `pkg`.
  - `submit-for-review`: Automatically submit beta build for review and notify testers
  - `developer-id-application-certificate`: The `Developer ID Application` certificate encoded as base64 string. Used for signing macOS app bundles when not uploading to app store.
  - `developer-id-application-certificate-password`: The password for the `Developer ID Application` certificate.
  - `developer-id-installer-certificate`: The `Developer ID Installer` certificate encoded as base64 string. Used for signing installer packages for macOS applications.
  - `developer-id-installer-certificate-password`: The password for the `Developer ID Installer` certificate.
- renamed inputs:
  - `certificate` -> `manual-signing-certificate`
  - `certificate-password` -> `manual-certificate-password`
  - `signing-identity` -> `manual-signing-identity`
- fixed notarization workflow
- extended test detail upload polling
- adjusted export option handling
- improvements to credential import and cleanup

Author: StephenHodgson

.github/workflows/update-release-tags.yml

@@ -1,7 +1,7 @@
 name: Update Release Tags
 on:
   push:
-    tags: '*'
+    tags: ['*']
   workflow_dispatch:
 jobs:
   update-release-tags:

.github/workflows/validate.yml

@@ -1,12 +1,10 @@
 name: validate
 on:
   push:
-    branches:
-      - 'main'
+    branches: ['main']
   pull_request:
     types: [opened, reopened, synchronize, ready_for_review]
-    branches:
-      - '*'
+    branches: ['*']
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 concurrency:
@@ -16,16 +14,19 @@ jobs:
   unity-build:
     if: github.event.pull_request.draft == false
     name: '(${{ matrix.unity-version }}) ${{ matrix.build-target }}'
+    permissions:
+      contents: read
     env:
       VERSION: ''
       TEMPLATE_PATH: ''
+      EXPORT_OPTION: ''
       UNITY_PROJECT_PATH: ''
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         os: [macos-latest]
-        unity-version: [2021.x, 2022.3.x, 6000.x]
+        unity-version: [2021.x, 2022.x, 6000.x]
         build-target:
           - iOS
           - StandaloneOSX
@@ -34,14 +35,12 @@ jobs:
           - os: macos-latest
             unity-version: 2021.x
             build-target: VisionOS
+          - os: macos-latest
+            unity-version: 2022.x
+            build-target: VisionOS
     steps:
       - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
       - run: 'npm install -g openupm-cli'
-        # Installs the Unity Editor based on your project version text file
-        # sets -> env.UNITY_EDITOR_PATH
-        # sets -> env.UNITY_PROJECT_PATH
       - uses: buildalon/unity-setup@v1
         with:
           version-file: 'None'
@@ -69,6 +68,21 @@ jobs:
               exit 1
             }
           echo "VERSION=$version" >> $env:GITHUB_ENV
+
+          # if the unity-version is 6000.x then set export option to app-store-connect otherwise set it to development
+          if ('${{ matrix.unity-version }}' -eq '6000.x') {
+            echo "EXPORT_OPTION=app-store-connect" >> $env:GITHUB_ENV
+          } else {
+            if ('${{ matrix.build-target }}' -eq 'StandaloneOSX') {
+                if ('${{ matrix.unity-version }}' -eq '2022.x') {
+                  echo "EXPORT_OPTION=steam" >> $env:GITHUB_ENV
+                } else {
+                  echo "EXPORT_OPTION=developer-id" >> $env:GITHUB_ENV
+                }
+            } else {
+              echo "EXPORT_OPTION=development" >> $env:GITHUB_ENV
+            }
+          }
         shell: pwsh
       - uses: buildalon/activate-unity-license@v1
         with:
@@ -95,6 +109,31 @@ jobs:
           build-target: ${{ matrix.build-target }}
           log-name: '${{ matrix.build-target }}-Build'
           args: '-quit -nographics -batchmode -executeMethod Buildalon.Editor.BuildPipeline.UnityPlayerBuildTools.StartCommandLineBuild -sceneList Assets/Scenes/SampleScene.unity -export -enableAppleAutomaticSigning -bundleIdentifier com.test.buildalon.xcode -versionName ${{ env.VERSION }}'
+      - name: Update Info.Plist with encryption compliance
+        shell: bash
+        run: |
+          set -xe
+          # find the Info.plist file in the build directory
+          # MacOSStandalone Info.plist path: /Users/runner/work/unity-xcode-builder/unity-xcode-builder/UnityProject/Builds/StandaloneOSX/com.test.buildalon.xcode/UnityProject/UnityProject/Info.plist
+          # all others: /Users/runner/work/unity-xcode-builder/unity-xcode-builder/UnityProject/Builds/iOS/com.test.buildalon.xcode/Info.plist
+          EXPORT_OPTION=${{ env.EXPORT_OPTION }}
+          if [ "$EXPORT_OPTION" != "app-store-connect" ]; then
+            exit 0
+          fi
+          TARGET_PLATFORM=${{ matrix.build-target }}
+          if [ "$TARGET_PLATFORM" == "StandaloneOSX" ]; then
+            INFO_PLIST_PATH="${{ env.UNITY_PROJECT_PATH }}/Builds/${{ matrix.build-target }}/com.test.buildalon.xcode/UnityProject/UnityProject/Info.plist"
+          else
+            INFO_PLIST_PATH="${{ env.UNITY_PROJECT_PATH }}/Builds/${{ matrix.build-target }}/com.test.buildalon.xcode/Info.plist"
+          fi
+          # make sure plist buddy is installed
+          if ! command -v /usr/libexec/PlistBuddy &> /dev/null
+          then
+              echo "PlistBuddy could not be found"
+              exit 1
+          fi
+          # set ITSAppUsesNonExemptEncryption to false in Info.plist using PlistBuddy
+          /usr/libexec/PlistBuddy -c "Add :ITSAppUsesNonExemptEncryption bool false" "$INFO_PLIST_PATH"
       - uses: ./ # buildalon/unity-xcode-builder
         id: xcode-build
         with:
@@ -103,8 +142,14 @@ jobs:
           app-store-connect-key-id: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
           app-store-connect-issuer-id: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
           team-id: ${{ secrets.APPLE_TEAM_ID }}
-          export-option: app-store
-          upload: ${{ matrix.unity-version == '6000.x' }}
+          export-option: ${{ env.EXPORT_OPTION }}
+          notarize: ${{ matrix.unity-version != '6000.x' }}
+          archive-type: pkg
+          test-groups: Beta
+          developer-id-application-certificate: ${{ secrets.DEVELOPER_ID_APPLICATION_CERT }}
+          developer-id-application-certificate-password: ${{ secrets.SIGNING_CERT_PASSWORD }}
+          developer-id-installer-certificate: ${{ secrets.DEVELOPER_ID_INSTALLER_CERT }}
+          developer-id-installer-certificate-password: ${{ secrets.SIGNING_CERT_PASSWORD }}
       - name: print outputs
         if: always()
         run: |

README.md

@@ -51,25 +51,32 @@ This action requires several secrets that need to be setup in the repository or
 | `app-store-connect-key` | The App Store Connect API AuthKey_*.p8 key encoded as base64 string. | true |
 | `app-store-connect-key-id` | The App Store Connect API key id. | true |
 | `app-store-connect-issuer-id` | The issuer ID of the App Store Connect API key. | true |
-| `certificate` | Exported signing certificate.p12 encoded as base64 string. Overrides the automatic signing in Xcode. | Defaults to Automatic signing. |
-| `certificate-password` | The password for the exported certificate. | Required if `certificate` is provided. |
-| `signing-identity` | The signing identity to use for signing the Xcode project. | Parsed from the `certificate` if not provided. |
+| `manual-signing-certificate` | Exported signing certificate.p12 encoded as base64 string. Overrides the automatic signing in Xcode. | Defaults to Automatic signing. |
+| `manual-signing-certificate-password` | The password for the exported certificate. | Required if `manual-signing-certificate` is provided. |
+| `manual-signing-identity` | The signing identity to use for signing the Xcode project. | Parsed from the `manual-signing-certificate` if not provided. |
 | `provisioning-profile` | The provisioning profile to use as base64 string. Use when manually signing the Xcode project. | Defaults to Automatic signing. |
 | `provisioning-profile-name` | The name of the provisioning profile file, including the type to use for signing the Xcode project. Must end with either `.mobileprovision` or `.provisionprofile`. | Required if `provisioning-profile` is provided. |
-| `team-id` | The team ID to use for signing the Xcode project. | Defaults to parsing team ID from `certificate` if provided. |
+| `team-id` | The team ID to use for signing the Xcode project. | Defaults to parsing team ID from `manual-signing-certificate` if provided. |
 | `bundle-id` | The bundle ID of the Xcode project. Overrides the value in the exported Unity project. | Defaults to parsing bundle ID from `.xcodeproj`. |
 | `configuration` | The configuration to build the Xcode project with. | Defaults to `Release`. |
 | `scheme` | The scheme to use when building the xcode project. | false |
 | `destination` | The destination to use when building the xcode project. | Defaults to `generic/platform={platform}`. |
 | `platform` | The platform to build for. Can be one of `iOS`, `macOS`, `tvOS`, `visionOS`. | Defaults to parsing platform from `.xcodeproj`. |
 | `platform-sdk-version` | The version of the platform SDK to use for building the Xcode project. | Defaults to the latest version of the platform SDK defined in the `.xcodeproj`. |
-| `export-option` | The export option to use for exporting the Xcode project. Can be one of `app-store-connect`, `steam`, `release-testing`, `package`, `enterprise`, `debugging`, `developer-id`, `mac-application`. | Defaults to `development` |
+| `export-option` | The export option to use for exporting the Xcode project. Can be one of `app-store-connect`, `steam`, `release-testing`, `enterprise`, `debugging`, `developer-id`, `mac-application`. | Defaults to `development` |
 | `export-option-plist` | The path to custom export option plist file to use when exporting the Xcode project. | Overrides `export-option`. |
 | `entitlements-plist` | The path to custom entitlements plist file. | Generates [default hardened runtime entitlements](https://developer.apple.com/documentation/security/hardened-runtime) if not provided. |
 | `notarize` | Whether to notarize the exported Xcode project. | Defaults to `true` if `export-option !== app-store-connect`. |
+| `archive-type` | The archive type to use when exporting macOS applications when not uploading to the App Store. Can be one of `app` or `pkg`. | Defaults to `app`. Forces `app` if `export-option === steam`. |
 | `upload` | Whether to upload the exported Xcode project to App Store Connect. | Defaults to `true` if `export-option === app-store-connect`. |
-| `whats-new` | When `uploading === true`, Let your testers know what you would like them to test in this build. This information will be available to testers in all groups who have access to this build. | Defaults to the last git commit sha, current branch name, and commit message. |
-| `auto-increment-build-number` | Whether to automatically increment the CFBundleVersion in the Xcode project. | Defaults to `true` if `export-option === app-store-connect`. |
+| `whats-new` | When `uploading === true`, Let your testers know what you would like them to test in this build. This information will be available to testers in all groups who have access to this build. | Defaults to the last git commit sha, current branch name, and commit message up to 4000 characters. |
+| `auto-increment-build-number` | Whether to automatically increment the `CFBundleVersion` in the Xcode project. | Defaults to `true` if `export-option === app-store-connect`. |
+| `test-groups` | One or more test groups to automatically add to the build when uploading to TestFlight. When using multiple groups, separate them with commas. | None by default. |
+| `submit-for-review` | Whether to submit the build for review when uploading to App Store Connect. | Defaults to `false`. |
+| `developer-id-application-certificate` | The `Developer ID Application` certificate encoded as base64 string. | Required if `export-option === steam` or `export-option === developer-id` or `notarize === true`. |
+| `developer-id-application-certificate-password` | The password for the `Developer ID Application` certificate. | Required if `developer-id-application-certificate` is provided. |
+| `developer-id-installer-certificate` | The `Developer ID Installer` certificate encoded as base64 string. | Required when creating an installer package for macOS application. |
+| `developer-id-installer-certificate-password` | The password for the `Developer ID Installer` certificate. | Required if `developer-id-installer-certificate` is provided. |
 
 ### outputs
 

action.yml

@@ -5,12 +5,12 @@ branding:
   color: red
 inputs:
   xcode-version:
-    description: The version of Xcode to use for building the Xcode project. Defaults to the active version of Xcode on the runner.
+    description: The version of Xcode to use for building the Xcode project. Defaults to the [latest version of Xcode on the runner](https://github.com/actions/runner-images#available-images).
     required: false
     default: latest
   project-path:
     description: The directory that contains the exported xcode project from Unity.
-    required: true
+    required: false
   app-store-connect-key:
     description: The App Store Connect API AuthKey_*.p8 key encoded as base64 string.
     required: true
@@ -23,26 +23,38 @@ inputs:
   certificate:
     description: Exported signing certificate.p12 encoded as base64 string. Overrides the automatic signing in Xcode.
     required: false
+    deprecationMessage: use `manual-signing-certificate` instead.
+  manual-signing-certificate:
+    description: Exported signing certificate.p12 encoded as base64 string. Overrides the automatic signing in Xcode.
+    required: false
   certificate-password:
     description: The password for the exported certificate. Required if `certificate` is provided.
     required: false
+    deprecationMessage: use `manual-signing-certificate-password` instead.
+  manual-signing-certificate-password:
+    description: The password for the exported certificate. Required if `manual-signing-certificate` is provided.
+    required: false
   signing-identity:
-    description: The signing identity to use for signing the Xcode project. Parsed from the `certificate` if not provided.
+    description: The signing identity to use for signing the Xcode project. Parsed from the `manual-signing-certificate` if not provided.
+    required: false
+    deprecationMessage: use `manual-signing-identity` instead.
+  manual-signing-identity:
+    description: The signing identity to use for signing the Xcode project. Parsed from the `manual-signing-certificate` if not provided.
     required: false
   provisioning-profile:
-    description: The provisioning profile to use as base64 string. Overrides the automatic signing in Xcode.
+    description: The provisioning profile to use as base64 string. Use when manually signing the Xcode project.
     required: false
   provisioning-profile-name:
-    description: The name of the provisioning profile file, including the type to use for signing the Xcode project. Required if `provisioning-profile` is provided. Must end with either `.mobileprovision` or `.provisionprofile`.
+    description: The name of the provisioning profile file, including the type to use for signing the Xcode project. Must end with either `.mobileprovision` or `.provisionprofile`. Required if `provisioning-profile` is provided.
     required: false
   team-id:
-    description: The team ID to use for signing the Xcode project. Defaults to parsing team ID from `.xcodeproj`.
+    description: The team ID to use for signing the Xcode project. Defaults to parsing team ID from `manual-signing-certificate` if provided.
     required: false
   bundle-id:
-    description: The bundle ID of the Xcode project. Defaults to parsing bundle ID from `.xcodeproj`.
+    description: The bundle ID of the Xcode project. Overrides the value in the exported Unity project. Defaults to parsing bundle ID from `.xcodeproj`.
     required: false
   configuration:
-    description: The configuration to use when building the xcode project. Defaults to `Release`.
+    description: The configuration to build the Xcode project with. Defaults to `Release`.
     required: false
     default: 'Release'
   scheme:
@@ -52,34 +64,56 @@ inputs:
     description: The destination to use when building the xcode project. Defaults to `generic/platform={platform}`.
     required: false
   platform:
-    description: The platform to build for. Can be one of `iOS`, `macOS`, `visionOS`, `tvOS`. Defaults to parsing platform from `.xcodeproj`.
+    description: The platform to build for. Can be one of `iOS`, `macOS`, `tvOS`, `visionOS`. Defaults to parsing platform from `.xcodeproj`.
     required: false
   platform-sdk-version:
     description: The version of the platform SDK to use for building the Xcode project. Defaults to the latest version of the platform SDK defined in the `.xcodeproj`.
     required: false
   export-option:
-    description: The export option to use for exporting the Xcode project. Can be one of `app-store-connect`, `steam`, `release-testing`, `package`, `enterprise`, `debugging`, `developer-id`, `mac-application`.
+    description: The export option to use for exporting the Xcode project. Can be one of `app-store-connect`, `steam`, `release-testing`, `enterprise`, `debugging`, `developer-id`, `mac-application`. Defaults to `development`
     required: false
     default: development
   export-option-plist:
     description: The path to custom export option plist file to use when exporting the Xcode project. Overrides `export-option`.
     required: false
   entitlements-plist:
-    description: The path to custom entitlements plist file. Generates default hardened runtime entitlements if not provided.
+    description: The path to custom entitlements plist file. Generates [default hardened runtime entitlements](https://developer.apple.com/documentation/security/hardened-runtime) if not provided.
     required: false
   notarize:
-    description: Whether to notarize the exported Xcode project. Apps to be uploaded to Steam must be notarized by Apple. Defaults to `true` if `export-option === steam`.
+    description: Whether to notarize the exported Xcode project. Defaults to `true` if `export-option !== app-store-connect`.
+    required: false
+  archive-type:
+    description: The archive type to use when exporting macOS applications when not uploading to the App Store. Can be one of `app` or `pkg`. Defaults to `app`. Forces `app` if `export-option === steam`.
     required: false
+    default: app
   upload:
     description: Whether to upload the exported Xcode project to App Store Connect. Defaults to `true` if `export-option === app-store-connect`.
     required: false
   whats-new:
-    description: 'When `uploading === true`, Let your testers know what you would like them to test in this build. This information will be available to testers in all groups who have access to this build. Defaults to the last git commit sha, current branch name, and commit message.'
+    description: When `uploading === true`, Let your testers know what you would like them to test in this build. This information will be available to testers in all groups who have access to this build. Defaults to the last git commit sha, current branch name, and commit message up to 4000 characters.
     required: false
   auto-increment-build-number:
-    description: Whether to automatically increment the CFBundleVersion in the Xcode project. Defaults to `true` if `export-option === app-store-connect`.
+    description: Whether to automatically increment the `CFBundleVersion` in the Xcode project. Defaults to `true` if `export-option === app-store-connect`.
     required: false
     default: 'true'
+  test-groups:
+    description: One or more test groups to automatically add to the build when uploading to TestFlight. When using multiple groups, separate them with commas. None by default.
+    required: false
+  submit-for-review:
+    description: Whether to submit the build for review when uploading to TestFlight. Defaults to `false`.
+    required: false
+  developer-id-application-certificate:
+    description: The `Developer ID Application` certificate encoded as base64 string. Required if `export-option === steam` or `export-option === developer-id` or `notarize === true`.
+    required: false
+  developer-id-application-certificate-password:
+    description: The password for the `Developer ID Application` certificate. Required if `developer-id-application-certificate` is provided.
+    required: false
+  developer-id-installer-certificate:
+    description: The `Developer ID Installer` certificate encoded as base64 string. Required when creating an installer package for macOS application.
+    required: false
+  developer-id-installer-certificate-password:
+    description: The password for the `Developer ID Installer` certificate. Required if `developer-id-installer-certificate` is provided.
+    required: false
 outputs:
   executable:
     description: The path to the generated archive executable.