Test adding mac build entitlements

CryptAxe · CryptAxe · commit 5aea7ef6bca2 · 2025-02-04T16:06:13.000-08:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -48,10 +48,49 @@ jobs:
         env:
           MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
 
-      - name: Setup notarization credentials
+      - name: Setup notarization credentials and entitlements
         if: matrix.os == 'macos-latest'
         run: |
           echo ${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY }} | base64 --decode > notarization_api_key.p8
+          mkdir -p build
+          cat > build/entitlements.mac.plist << 'EOF'
+  <?xml version="1.0" encoding="UTF-8"?>
+  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+  <plist version="1.0">
+    <dict>
+      <key>com.apple.security.cs.allow-jit</key>
+      <true/>
+      <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+      <true/>
+      <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+      <true/>
+      <key>com.apple.security.files.user-selected.read-write</key>
+      <true/>
+      <key>com.apple.security.files.downloads.read-write</key>
+      <true/>
+      <key>com.apple.security.network.client</key>
+      <true/>
+      <key>com.apple.security.network.server</key>
+      <true/>
+    </dict>
+  </plist>
+  EOF
+          chmod 644 build/entitlements.mac.plist
+
+      - name: Verify entitlements file (macOS)
+        if: matrix.os == 'macos-latest'
+        run: |
+          echo "Verifying entitlements file..."
+          if [ ! -f build/entitlements.mac.plist ]; then
+            echo "Error: entitlements.mac.plist not found"
+            exit 1
+          fi
+          if [ ! -r build/entitlements.mac.plist ]; then
+            echo "Error: entitlements.mac.plist not readable"
+            exit 1
+          fi
+          echo "Validating plist format..."
+          plutil -lint build/entitlements.mac.plist
 
       - name: Build Electron app
         if: matrix.os != 'ubuntu-latest-large'
@@ -62,7 +101,7 @@ jobs:
           APPLE_API_KEY_ID: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY_ID }}
           APPLE_API_KEY_ISSUER: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_UUID }}
         run: npm run electron-build
-
+         
       - name: Build Electron app (Linux)
         if: matrix.os == 'ubuntu-latest-large'
         env:
