CI: Add fixes for tagged release runs and assorted minor issues

* Add provisioning profile support for macOS builds
* Fix internal variable names in macOS packaging script
* Add fallback git reference for validator actions
* Add required repository environment to documention deployment jobs
* Pass GitHub pull request number to GitHub CLI explicitly
* Use shortened commit hash for Steam nightly versions
* Ensure that concurrency check for tagged push uses a boolean value
* Update disk image creation function to retry ejection on CI
* Fix repository checkout in Flatpak publish action
* Fix output paths and filenames of generated appcast XML files
* Limit notice about notarization password use to non-CI usage
* Remove architecture-specific suffix from appcast artifact name

.github/actions/build-obs/action.yaml

@@ -20,6 +20,10 @@ inputs:
     description: Team ID for application codesigning (macOS only)
     required: false
     default: ''
+  provisioningProfileUUID:
+    description: UUID of provisioning profile (macOS only)
+    required: false
+    default: ''
   workingDirectory:
     description: Working directory for packaging
     required: false
@@ -34,6 +38,7 @@ runs:
       env:
         CODESIGN_IDENT: ${{ inputs.codesignIdent }}
         CODESIGN_TEAM: ${{ inputs.codesignTeam }}
+        PROVISIONING_PROFILE: ${{ inputs.provisioningProfileUUID }}
       run: |
         : Run macOS Build
 

.github/actions/qt-xml-validator/action.yaml

@@ -46,6 +46,8 @@ runs:
         shopt -s extglob
         shopt -s globstar
 
+        if (( ! GITHUB_REF_BEFORE )); then GITHUB_REF_BEFORE='4b825dc642cb6eb9a060e54bf8d69288fbee4904'; fi
+
         changes=($(git diff --name-only HEAD~1 HEAD -- UI/forms/**/*.ui))
         case "${GITHUB_EVENT_NAME}" in
           pull_request) changes=($(git diff --name-only origin/"${GITHUB_BASE_REF}" HEAD -- UI/forms/**/*.ui)) ;;

.github/actions/run-clang-format/action.yaml

@@ -43,6 +43,8 @@ runs:
         : Run clang-format 🐉
         if (( ${+RUNNER_DEBUG} )) setopt XTRACE
 
+        if (( ! GITHUB_REF_BEFORE )) GITHUB_REF_BEFORE='4b825dc642cb6eb9a060e54bf8d69288fbee4904'
+
         local -a changes=($(git diff --name-only HEAD~1 HEAD))
         case ${GITHUB_EVENT_NAME} {
           pull_request) changes=($(git diff --name-only origin/${GITHUB_BASE_REF} HEAD)) ;;

.github/actions/run-cmake-format/action.yaml

@@ -42,6 +42,8 @@ runs:
         : Run cmake-format 🎛️
         if (( ${+RUNNER_DEBUG} )) setopt XTRACE
 
+        if (( ! GITHUB_REF_BEFORE )) GITHUB_REF_BEFORE='4b825dc642cb6eb9a060e54bf8d69288fbee4904'
+
         local -a changes=($(git diff --name-only HEAD~1 HEAD))
         case ${GITHUB_EVENT_NAME} {
           pull_request) changes=($(git diff --name-only origin/${GITHUB_BASE_REF} HEAD)) ;;

.github/actions/run-swift-format/action.yaml

@@ -42,6 +42,8 @@ runs:
         : Run swift-format 🔥
         if (( ${+RUNNER_DEBUG} )) setopt XTRACE
 
+        if (( ! GITHUB_REF_BEFORE )) GITHUB_REF_BEFORE='4b825dc642cb6eb9a060e54bf8d69288fbee4904'
+
         local -a changes=($(git diff --name-only HEAD~1 HEAD))
         case ${GITHUB_EVENT_NAME} {
           pull_request) changes=($(git diff --name-only origin/${GITHUB_BASE_REF} HEAD)) ;;

.github/actions/setup-macos-codesigning/action.yaml

@@ -28,6 +28,9 @@ outputs:
   haveProvisioningProfile:
     description: True if necessary provisioning profile credentials were found
     value: ${{ steps.provisioning.outputs.haveProvisioningProfile }}
+  provisioningProfileUUID:
+    description: UUID of imported provisioning profile
+    value: ${{ steps.provisioning.outputs.provisioningProfileUUID }}
   haveNotarizationUser:
     description: True if necessary notarization credentials were found
     value: ${{ steps.notarization.outputs.haveNotarizationUser }}

.github/actions/sparkle-appcast/action.yaml

@@ -72,7 +72,6 @@ runs:
 
         mkdir builds
         mkdir -p output/appcasts/stable
-        mkdir -p output/sparkle_deltas
 
     - name: Download Builds 📥
       id: builds
@@ -152,6 +151,7 @@ runs:
 
         print -n '${{ inputs.sparklePrivateKey }}' >> eddsa_private.key
         local feed_url='${{ steps.builds.outputs.feedUrl }}'
+        local arch=${${${(s:_:)feed_url:t}[2]}//x86/x86_64}
 
         Sparkle/bin/generate_appcast \
           --verbose \
@@ -166,7 +166,8 @@ runs:
         local -a deltas=(builds/*.delta(N))
 
         if (( #deltas )) {
-          mv ${deltas} output/sparkle_deltas
+          mkdir -p output/sparkle_deltas/${arch}
+          mv ${deltas} output/sparkle_deltas/${arch}
         }
 
         mv builds/*.xml output/appcasts
@@ -202,12 +203,16 @@ runs:
 
         local -a appcasts=(output/appcasts/*_v2.xml)
         local legacy
+        local feed_url='${{ steps.builds.outputs.feedUrl }}'
+        local arch=${${${(s:_:)feed_url:t}[2]}//x86/x86_64}
 
         for appcast (${appcasts}) {
           legacy="${appcast//.xml/-legacy.xml}"
           xsltproc \
             -o ${legacy} ${GITHUB_ACTION_PATH}/appcast_legacy.xslt ${appcast}
 
-          xmllint --format ${legacy} >! output/appcasts/stable/${${appcast:t}//-v2.xml/.xml}
+          xmllint --format ${legacy} >! output/appcasts/stable/${${appcast:t}//_v2.xml/.xml}
+
+          if [[ ${arch} == x86_64 ]] xmllint --format ${legacy} >! output/appcasts/stable/${${appcast:t}//_x86_64_v2.xml/.xml}
           rm ${legacy}
         }

.github/actions/steam-upload/action.yaml

@@ -153,7 +153,7 @@ runs:
             mv obs-studio-macos-x86_64-${short_hash}/obs-studio-*-macos-intel.dmg \
               ${root_dir}
 
-            description="g${GITHUB_SHA}"
+            description="g${GITHUB_SHA:0:9}"
             is_prerelease='false'
             ;;
         }

.github/scripts/.package.zsh

@@ -134,8 +134,8 @@ ${_usage_host:-}"
         config=${2}
         shift 2
         ;;
-      -s|--codesign) CODESIGN=1; shift ;;
-      -n|--notarize) NOTARIZE=1; shift ;;
+      -s|--codesign) codesign=1; shift ;;
+      -n|--notarize) notarize=1; shift ;;
       -p|--package) typeset -g package=1; shift ;;
       --skip-deps) typeset -g skip_deps=1; shift ;;
       -q|--quiet) (( verbosity -= 1 )) || true; shift ;;

.github/scripts/utils.zsh/create_diskimage

@@ -1,4 +1,4 @@
-autoload -Uz log_debug log_error log_info log_status log_group log_output
+autoload -Uz log_debug log_error log_info log_status log_group log_output log_warning
 
 local -r _usage="Usage: %B${0}%b <source> <volume name> <output_name>
 
@@ -19,7 +19,7 @@ log_group "Create macOS disk image"
 local _hdiutil_flags
 if (( _loglevel < 1 )) _hdiutil_flags='-quiet'
 
-trap "hdiutil detach ${_hdiutil_flags} /Volumes/${output_name}; rm temp.dmg; log_group return 2" ERR
+trap "hdiutil detach ${_hdiutil_flags} /Volumes/${output_name}; rm temp.dmg; log_group; return 2" ERR
 
 hdiutil create ${_hdiutil_flags} \
     -volname "${volume_name}" \
@@ -47,7 +47,28 @@ chmod -Rf go-w /Volumes/${output_name}
 SetFile -a C /Volumes/${output_name}
 rm -rf -- /Volumes/${output_name}/.fseventsd(N)
 log_info "Converting disk image..."
-hdiutil detach ${_hdiutil_flags} /Volumes/${output_name}
+
+if (( ${+CI} )) {
+    local _status=0
+    for i ({1..5}) {
+        hdiutil detach ${_hdiutil_flags} /Volumes/${output_name} && _status=0 || _status=1
+
+        if (( status )) {
+            log_warning "Unable to eject disk image (attempt #${i}). Retrying."
+        } else {
+            break
+        }
+    }
+
+    if (( status )) {
+        log_error "Unable to eject disk image after 5 attempts. Aborting"
+        log_group
+        return 2
+    }
+} else {
+    hdiutil detach ${_hdiutil_flags} /Volumes/${output_name}
+}
+
 hdiutil convert ${_hdiutil_flags} \
     -format ULMO \
     -ov \

.github/scripts/utils.zsh/read_codesign_pass

@@ -15,10 +15,13 @@ if (( ! ${+CODESIGN_IDENT_PASS} )) {
 
 print ''
 log_info 'Setting up notarization keychain...'
-log_warning "
+
+if (( ! ${+CI} )) {
+  log_warning "
  + Your Apple ID and an app-specific password is necessary for notarization from CLI
  + This password will be stored in your macOS keychain under the identifier
    'OBS-Codesign-Password' with access Apple's 'altool' only.
 
 "
+}
 xcrun notarytool store-credentials 'OBS-Codesign-Password' --apple-id "${CODESIGN_IDENT_USER}" --team-id "${CODESIGN_TEAM}" --password "${CODESIGN_IDENT_PASS}"

.github/workflows/build-project.yaml

@@ -29,7 +29,7 @@ jobs:
           case "${GITHUB_EVENT_NAME}" in
             pull_request)
               config_data=('codesign:false' 'notarize:false' 'package:false' 'config:RelWithDebInfo')
-              if gh pr view --json labels \
+              if gh pr view ${{ github.event.number }} --json labels \
                 | jq -e -r '.labels[] | select(.name == "Seeking Testers")' > /dev/null; then
                 config_data[0]='codesign:true'
                 config_data[2]='package:true'
@@ -139,6 +139,7 @@ jobs:
           codesign: ${{ fromJSON(needs.check-event.outputs.codesign) }}
           codesignIdent: ${{ steps.codesign.outputs.codesignIdent }}
           codesignTeam: ${{ steps.codesign.outputs.codesignTeam }}
+          provisioningProfileUUID: ${{ steps.codesign.outputs.provisioningProfileUUID }}
 
       - name: Package OBS Studio 📀
         uses: ./.github/actions/package-obs

.github/workflows/dispatch.yaml

@@ -117,6 +117,8 @@ jobs:
     defaults:
       run:
         shell: bash
+    environment:
+      name: cf-pages-deploy
     steps:
       - name: Get Commit Information 🆔
         id: setup

.github/workflows/publish.yaml

@@ -61,7 +61,7 @@ jobs:
         with:
           submodules: recursive
           fetch-depth: 0
-          set-safe-directory: ${{ github.workspace }}
+          set-safe-directory: ${{ env.GITHUB_WORKSPACE }}
 
       - name: Set Up Environment 🔧
         id: setup
@@ -88,7 +88,7 @@ jobs:
           fi
 
           echo "cacheKey=${cache_key}" >> $GITHUB_OUTPUT
-          echo "commitHash=$(git rev-parse --short=9 HEAD)" >> $GITHUB_OUTPUT
+          echo "commitHash=${GITHUB_SHA:0:9}" >> $GITHUB_OUTPUT
 
       - name: Build Flatpak Manifest
         uses: flatpak/flatpak-github-actions/[email protected]

.github/workflows/push.yaml

@@ -13,7 +13,7 @@ permissions:
   contents: write
 concurrency:
   group: '${{ github.workflow }} @ ${{ github.ref }}'
-  cancel-in-progress: ${{ github.ref_type == 'tag' }}
+  cancel-in-progress: ${{ fromJSON(github.ref_type == 'tag') }}
 jobs:
   check-format:
     name: Check Formatting 🔍
@@ -133,6 +133,8 @@ jobs:
     defaults:
       run:
         shell: bash
+    environment:
+      name: cf-pages-deploy
     steps:
       - name: Get Commit Information 🆔
         id: setup
@@ -216,7 +218,7 @@ jobs:
       - name: Upload Artifacts 📡
         uses: actions/upload-artifact@v3
         with:
-          name: macos-sparkle-update-${{ matrix.target }}
+          name: macos-sparkle-update
           path: ${{ github.workspace }}/output
 
   create-release: