obs-studio/.github/workflows/main.yml

name: 'BUILD'

on:
  push:
    paths-ignore: ['**.md']
    branches:
      - master
      - 'release/**'
    tags: ['*']
  pull_request:
    paths-ignore: ['**.md']
    branches: [master]
  merge_group:
    branches: [master]

env:
  CACHE_REVISION: '006'
  CEF_BUILD_VERSION_LINUX: '5060'
  CEF_BUILD_VERSION_WIN: '5060'
  QT_VERSION_MAC: '6.4.3'
  QT_VERSION_WIN: '6.4.3'
  DEPS_VERSION_WIN: '2023-06-01'
  VLC_VERSION_WIN: '3.0.0-git'
  TWITCH_CLIENTID: ${{ secrets.TWITCH_CLIENT_ID }}
  TWITCH_HASH: ${{ secrets.TWITCH_HASH }}
  RESTREAM_CLIENTID: ${{ secrets.RESTREAM_CLIENTID }}
  RESTREAM_HASH: ${{ secrets.RESTREAM_HASH }}
  YOUTUBE_CLIENTID: ${{ secrets.YOUTUBE_CLIENTID }}
  YOUTUBE_CLIENTID_HASH: ${{ secrets.YOUTUBE_CLIENTID_HASH }}
  YOUTUBE_SECRET: ${{ secrets.YOUTUBE_SECRET }}
  YOUTUBE_SECRET_HASH: ${{ secrets.YOUTUBE_SECRET_HASH }}
  GPU_PRIORITY_VAL: ${{ secrets.GPU_PRIORITY_VAL }}

concurrency:
  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
  cancel-in-progress: true

jobs:
  clang_check:
    name: '01 - Code Format Check'
    runs-on: [ubuntu-22.04]
    steps:
      - name: 'Checkout'
        uses: actions/checkout@v3
        with:
          submodules: 'recursive'

      - name: 'Install clang-format'
        run: sudo apt-get install -y clang-format-13

      - name: 'Run clang-format'
        run: |
          ./CI/check-format.sh
          ./CI/check-changes.sh

      - name: 'Install cmake-format'
        run: sudo pip install cmakelang

      - name: 'Run cmake-format'
        run: |
          ./CI/check-cmake.sh

      - name: 'Run format-manifest.py'
        run: |
          python3 ./build-aux/format-manifest.py
          ./CI/check-changes.sh

  config:
    name: '01 - Configure Build Jobs'
    runs-on: [ubuntu-22.04]
    outputs:
      create_artifacts: ${{ steps.config.outputs.create_artifacts }}
      cache_date: ${{ steps.config.outputs.cache_date }}
    steps:
      - name: 'Configure Build Jobs'
        id: config
        run: |
          if [[ "${{ github.event_name == 'pull_request' }}" == "true" ]]; then
            if test -n "$(curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" -s "${{ github.event.pull_request.url }}" | jq -e '.labels[] | select(.name == "Seeking Testers")')"; then
              echo 'create_artifacts=true' >> $GITHUB_OUTPUT
            else
              echo 'create_artifacts=false' >> $GITHUB_OUTPUT
            fi
          else
            echo 'create_artifacts=true' >> $GITHUB_OUTPUT
          fi
          echo "cache_date=$(date +"%Y-%m-%d")" >> $GITHUB_OUTPUT

  macos_build:
    name: '02 - macOS'
    runs-on: [macos-12]
    strategy:
      matrix:
        arch: ['x86_64', 'arm64']
    if: always()
    needs: [config, clang_check]
    env:
      BLOCKED_FORMULAS: 'speexdsp curl php composer'
    defaults:
      run:
        shell: bash
        working-directory: 'obs-studio'
    steps:
      - name: 'Checkout'
        uses: actions/checkout@v3
        with:
          submodules: 'recursive'
          path: 'obs-studio'
          fetch-depth: 0

      - name: 'Check for GitHub Labels'
        id: github-check
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == 'pull_request' ]]; then
            if test -n "$(curl -H "Authorization: Bearer ${{ github.token }}" -s "${{ github.event.pull_request.url }}" | jq -e '.labels[] | select(.name == "Seeking Testers")')"; then
              echo "generator=Xcode" >> $GITHUB_OUTPUT
            else
              echo "generator=Ninja" >> $GITHUB_OUTPUT
            fi
          elif [[ "${GITHUB_EVENT_NAME}" == 'push' ]]; then
            if [[ ${GITHUB_REF_NAME} =~ [0-9]+.[0-9]+.[0-9]+(-(rc|beta).+)? ]]; then
              echo "generator=Xcode" >> $GITHUB_OUTPUT
            else
              echo "generator=Ninja" >> $GITHUB_OUTPUT
            fi
          else
            echo "generator=Ninja" >> $GITHUB_OUTPUT
          fi

      - name: 'Restore ccache from cache'
        id: ccache-cache
        uses: actions/cache@v3
        with:
          path: ${{ github.workspace }}/.ccache
          key: ${{ runner.os }}-ccache-${{ steps.github-check.outputs.generator }}-${{ matrix.arch }}-${{ github.event_name }}-${{ github.head_ref }}
          restore-keys: |
            ${{ runner.os }}-ccache-${{ steps.github-check.outputs.generator }}-${{ matrix.arch }}-push-

      - name: 'Setup build environment'
        id: setup
        run: |
          REMOVE_FORMULAS=""
          for FORMULA in ${{ env.BLOCKED_FORMULAS }}; do
            if [ -d "/usr/local/opt/${FORMULA}" ]; then
              REMOVE_FORMULAS="${REMOVE_FORMULAS}${FORMULA} "
            fi
          done

          if [ -n "${REMOVE_FORMULAS}" ]; then
            brew uninstall ${REMOVE_FORMULAS}
          fi

          echo "commitHash=$(git rev-parse --short=9 HEAD)" >> $GITHUB_OUTPUT

      - name: 'Install dependencies'
        run: CI/macos/01_install_dependencies.sh --architecture "${{ matrix.arch }}"

      - name: 'Install Apple Developer Certificate'
        id: macos-codesign
        env:
          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
          MACOS_SIGNING_CERT: ${{ secrets.MACOS_SIGNING_CERT }}
          MACOS_SIGNING_CERT_PASSWORD: ${{ secrets.MACOS_SIGNING_CERT_PASSWORD }}
          MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
          MACOS_PROVISIONING_PROFILE: ${{ secrets.MACOS_SIGNING_PROVISIONING_PROFILE }}
        run: |
          if [[ "${MACOS_SIGNING_IDENTITY}" && "${MACOS_SIGNING_CERT}" ]]; then
            CERTIFICATE_PATH="${RUNNER_TEMP}/build_certificate.p12"
            KEYCHAIN_PATH="${RUNNER_TEMP}/app-signing.keychain-db"

            echo -n "${MACOS_SIGNING_CERT}" | base64 --decode --output "${CERTIFICATE_PATH}"

            : "${MACOS_KEYCHAIN_PASSWORD:="$(echo ${RANDOM} | sha1sum | head -c 32)"}"

            security create-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
            security set-keychain-settings -lut 21600 "${KEYCHAIN_PATH}"
            security unlock-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"

            security import "${CERTIFICATE_PATH}" -P "${MACOS_SIGNING_CERT_PASSWORD}" -A \
              -t cert -f pkcs12 -k "${KEYCHAIN_PATH}" \
              -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/xcrun

            security set-key-partition-list -S 'apple-tool:,apple:' -k "${MACOS_KEYCHAIN_PASSWORD}" \
              "${KEYCHAIN_PATH}" &> /dev/null
            security list-keychain -d user -s "${KEYCHAIN_PATH}" 'login-keychain'

            echo "CODESIGN_IDENT=${MACOS_SIGNING_IDENTITY}" >> $GITHUB_ENV
            echo "MACOS_KEYCHAIN_PASSWORD=${MACOS_KEYCHAIN_PASSWORD}" >> $GITHUB_ENV
            echo "haveCodesignIdent=true" >> $GITHUB_OUTPUT
          else
            echo "CODESIGN_IDENT=-" >> $GITHUB_ENV
            echo "haveCodesignIdent=false" >> $GITHUB_OUTPUT
          fi

          if [[ "${MACOS_PROVISIONING_PROFILE}" ]]; then
            PROFILE_PATH="${RUNNER_TEMP}/build_profile.provisionprofile"
            echo -n "${MACOS_PROVISIONING_PROFILE}" | base64 --decode --output "${PROFILE_PATH}"

            mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
            security cms -D -i "${PROFILE_PATH}" -o "${RUNNER_TEMP}/build_profile.plist"
            UUID="$(plutil -extract UUID raw "${RUNNER_TEMP}/build_profile.plist")"
            TEAM_ID="$(plutil -extract TeamIdentifier.0 raw -expect string "${RUNNER_TEMP}/build_profile.plist")"

            cp "${PROFILE_PATH}" ~/Library/MobileDevice/Provisioning\ Profiles/${UUID}.provisionprofile
            echo "provisionprofileUUID=${UUID}" >> $GITHUB_OUTPUT
            echo "haveProvisioningProfile=true" >> $GITHUB_OUTPUT
            echo "CODESIGN_TEAM=${TEAM_ID}" >> $GITHUB_ENV
          else
           echo "haveProvisioningProfile=false" >> $GITHUB_OUTPUT
          fi

          if [[ "${MACOS_NOTARIZATION_USERNAME}" && "${MACOS_NOTARIZATION_PASSWORD}" ]]; then
            echo "haveNotarizationUser=true" >> $GITHUB_OUTPUT
          else
            echo "haveNotarizationUser=false" >> $GITHUB_OUTPUT
          fi

      - name: 'Build OBS'
        env:
          PROVISIONING_PROFILE: ${{ steps.macos-codesign.outputs.provisionprofileUUID }}
        run: |
          if [[ '${{ steps.github-check.outputs.generator }}' == 'Xcode' ]]; then
            SEEKING_TESTERS=1 CI/macos/02_build_obs.sh --codesign --architecture "${{ matrix.arch }}"
          else
            CI/macos/02_build_obs.sh --codesign --architecture "${{ matrix.arch }}"
          fi

      - name: 'Create build artifact'
        if: ${{ fromJSON(needs.config.outputs.create_artifacts) }}
        run: |
          : ${PACKAGE:=}
          case "${GITHUB_EVENT_NAME}" in
              push) if [[ ${GITHUB_REF_NAME} =~ [0-9]+.[0-9]+.[0-9]+(-(rc|beta).+)? ]]; then PACKAGE=1; fi ;;
              pull_request) PACKAGE=1 ;;
          esac

          if [[ "${PACKAGE}" ]]; then
            CI/macos/03_package_obs.sh --codesign --architecture "${{ matrix.arch }}"
            ARTIFACT_NAME=$(basename $(/usr/bin/find build_${{ matrix.arch }} -type f -name "obs-studio-*.dmg" -depth 1 | head -1))
            echo "FILE_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV
          fi

      - name: 'Upload build Artifact'
        if: ${{ fromJSON(needs.config.outputs.create_artifacts) && env.FILE_NAME != '' }}
        uses: actions/upload-artifact@v3
        with:
          name: 'obs-studio-macos-${{ matrix.arch }}-${{ steps.setup.outputs.commitHash }}'
          path: '${{ github.workspace }}/obs-studio/build_${{ matrix.arch }}/${{ env.FILE_NAME }}'

  linux_build:
    name: '02 - Linux'
    runs-on: ${{ matrix.ubuntu }}
    strategy:
      matrix:
        ubuntu: ['ubuntu-20.04', 'ubuntu-22.04']
        include:
          - ubuntu: 'ubuntu-20.04'
            script_options: '--disable-pipewire'
    if: always()
    needs: [config, clang_check]
    defaults:
      run:
        shell: bash
        working-directory: 'obs-studio'
    env:
      BUILD_FOR_DISTRIBUTION: ${{ startsWith(github.ref, 'refs/tags/') && github.event_name != 'pull_request' }}
    steps:
      - name: 'Checkout'
        uses: actions/checkout@v3
        with:
          submodules: 'recursive'
          path: 'obs-studio'
          fetch-depth: 0

      - name: 'Restore ccache from cache'
        id: ccache-cache
        uses: actions/cache@v3
        env:
          CACHE_NAME: 'ccache-cache'
        with:
          path: ${{ github.workspace }}/.ccache
          key: ${{ runner.os }}-ccache-${{ matrix.ubuntu }}-${{ github.event_name }}-${{ github.head_ref }}
          restore-keys: |
            ${{ runner.os }}-ccache-${{ matrix.ubuntu }}-push-

      - name: 'Restore Chromium Embedded Framework from cache'
        id: cef-cache
        uses: actions/cache@v3
        env:
          CACHE_NAME: 'cef-cache'
        with:
          path: ${{ github.workspace }}/obs-build-dependencies/cef_binary_${{ env.CEF_BUILD_VERSION_LINUX }}_linux64
          key: ${{ runner.os }}-pr-${{ env.CACHE_NAME }}-${{ env.CEF_BUILD_VERSION_LINUX }}-${{ env.CACHE_REVISION }}

      - name: 'Setup build environment'
        id: setup
        run: |
          echo "commitHash=$(git rev-parse --short=9 HEAD)" >> $GITHUB_OUTPUT

      - name: 'Install dependencies'
        env:
          RESTORED_CEF: ${{ steps.cef-cache.outputs.cache-hit }}
        run: CI/linux/01_install_dependencies.sh ${{ matrix.script_options }}

      - name: 'Build OBS'
        run: CI/linux/02_build_obs.sh ${{ matrix.script_options }}

      - name: 'Run tests'
        if: success()
        run: cmake --build build -t test

      - name: 'Create build artifact'
        if: ${{ success() && fromJSON(needs.config.outputs.create_artifacts) }}
        run: |
          CI/linux/03_package_obs.sh
          ARTIFACT_NAME=$(basename $(/usr/bin/find build  -maxdepth 1 -type f -name "obs-studio-*.deb" | sort -rn | head -1))
          echo "FILE_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV
          echo "DEBUG_FILE_NAME=${ARTIFACT_NAME//.deb/-dbgsym.ddeb}" >> $GITHUB_ENV

      - name: 'Upload build Artifact'
        if: ${{ success() && fromJSON(needs.config.outputs.create_artifacts) }}
        uses: actions/upload-artifact@v3
        with:
          name: 'obs-studio-${{ matrix.ubuntu }}-${{ steps.setup.outputs.commitHash }}'
          path: '${{ github.workspace }}/obs-studio/build/${{ env.FILE_NAME }}'

      - name: 'Upload debug symbol Artifact'
        if: ${{ success() && fromJSON(needs.config.outputs.create_artifacts) }}
        uses: actions/upload-artifact@v3
        with:
          name: 'obs-studio-${{ matrix.ubuntu }}-${{ steps.setup.outputs.commitHash }}-dbgsym'
          path: '${{ github.workspace }}/obs-studio/build/${{ env.DEBUG_FILE_NAME }}'

  windows_build:
    name: '02 - Windows'
    runs-on: [windows-2022]
    needs: [config, clang_check]
    if: always()
    strategy:
      matrix:
        arch: [x64, x86]
    env:
      CMAKE_GENERATOR: 'Visual Studio 17 2022'
      CMAKE_SYSTEM_VERSION: '10.0.18363.657'
      VIRTUALCAM-GUID: 'A3FCE0F5-3493-419F-958A-ABA1250EC20B'
      BUILD_FOR_DISTRIBUTION: ${{ startsWith(github.ref, 'refs/tags/') && github.event_name != 'pull_request' }}
    defaults:
      run:
        working-directory: 'obs-studio'
    steps:
      - name: 'Checkout'
        uses: actions/checkout@v3
        with:
          submodules: 'recursive'
          path: 'obs-studio'
          fetch-depth: 0

      - name: 'Add msbuild to PATH'
        uses: microsoft/[email protected]

      - name: 'Restore VLC dependency from cache'
        id: vlc-cache
        uses: actions/cache@v3
        env:
          CACHE_NAME: 'vlc-cache'
        with:
          path: ${{ github.workspace }}/obs-build-dependencies/vlc-${{ env.VLC_VERSION_WIN }}
          key: ${{ runner.os }}-pr-${{ env.CACHE_NAME }}-${{ env.VLC_VERSION_WIN }}-${{ env.CACHE_REVISION }}

      - name: 'Restore Chromium Embedded Framework from cache'
        id: cef-cache
        uses: actions/cache@v3
        env:
          CACHE_NAME: 'cef-cache'
        with:
          path: ${{ github.workspace }}/obs-build-dependencies/cef_binary_${{ env.CEF_BUILD_VERSION_WIN }}_windows_${{ matrix.arch }}
          key: ${{ runner.os }}-pr-${{ env.CACHE_NAME }}-${{ env.CEF_BUILD_VERSION_WIN }}-${{ matrix.arch }}-${{ env.CACHE_REVISION }}

      - name: Setup Environment
        id: setup
        run: |
          $CommitHash = git rev-parse --short=9 HEAD
          "commitHash=${CommitHash}" >> $env:GITHUB_OUTPUT

      - name: 'Install dependencies'
        env:
          RESTORED_VLC: ${{ steps.vlc-cache.outputs.cache-hit }}
          RESTORED_CEF: ${{ steps.cef-cache.outputs.cache-hit }}
        run: CI/windows/01_install_dependencies.ps1 -BuildArch ${{ matrix.arch }}

      - name: 'Build OBS'
        run: CI/windows/02_build_obs.ps1 -BuildArch ${{ matrix.arch }}

      - name: 'Create build artifact'
        if: ${{ success() && fromJSON(needs.config.outputs.create_artifacts) }}
        run: |
          CI/windows/03_package_obs.ps1 -BuildArch ${{ matrix.arch }} -Package
          $ArtifactName = Get-ChildItem -filter "obs-studio-*-windows-${{ matrix.arch }}.zip" -File
          Write-Output "FILE_NAME=${ArtifactName}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append

      - name: 'Upload build artifact'
        if: ${{ success() && fromJSON(needs.config.outputs.create_artifacts) }}
        uses: actions/upload-artifact@v3
        with:
          name: 'obs-studio-windows-${{ matrix.arch }}-${{ steps.setup.outputs.commitHash }}'
          path: '${{ env.FILE_NAME }}'

  linux_package:
    name: '02 - Flatpak'
    runs-on: [ubuntu-latest]
    needs: [config, clang_check]
    defaults:
      run:
        shell: bash
    container:
      image: bilelmoussaoui/flatpak-github-actions:kde-6.4
      options: --privileged
    steps:

      - name: 'Checkout'
        uses: actions/checkout@v3
        with:
          submodules: 'recursive'
          fetch-depth: 0

      - name: 'Setup build environment'
        id: setup
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CACHE_KEY: flatpak-builder-${{ hashFiles('build-aux/**/*.json') }}
        run: |
          dnf install -y -q gh
          gh extension install actions/gh-actions-cache

          git config --global --add safe.directory $GITHUB_WORKSPACE

          KEY="$CACHE_KEY-x86_64"
          CACHE_HIT=$(gh actions-cache list -B master --key $KEY | grep -q $KEY && echo 'true' || echo 'false')

          echo "git_hash=$(git rev-parse --short=9 HEAD)" >> $GITHUB_OUTPUT
          echo "cache_key=$CACHE_KEY" >> $GITHUB_OUTPUT
          echo "cache_hit=$CACHE_HIT" >> $GITHUB_OUTPUT

      - name: Build Flatpak Manifest
        uses: flatpak/flatpak-github-actions/[email protected]
        with:
          build-bundle: ${{ fromJSON(needs.config.outputs.create_artifacts) }}
          bundle: obs-studio-flatpak-${{ steps.setup.outputs.git_hash }}.flatpak
          manifest-path: build-aux/com.obsproject.Studio.json
          cache: ${{ fromJSON(steps.setup.outputs.cache_hit) || (github.event_name == 'push' && github.ref == 'refs/heads/master') }}
          restore-cache: ${{ fromJSON(steps.setup.outputs.cache_hit) }}
          cache-key: ${{ steps.setup.outputs.cache_key }}

  windows_package:
    name: '03 - Windows Installer'
    runs-on: [windows-latest]
    needs: [windows_build]
    if: ${{ startsWith(github.ref, 'refs/tags/') && github.event_name != 'pull_request' }}
    env:
      BUILD_FOR_DISTRIBUTION: 'ON'
    steps:
      - name: 'Checkout'
        uses: actions/checkout@v3

      - name: Setup Environment
        id: setup
        run: |
          $CommitHash = git rev-parse --short=9 HEAD
          "commitHash=${CommitHash}" >> $env:GITHUB_OUTPUT

      - name: 'Add msbuild to PATH'
        uses: microsoft/[email protected]

      - name: 'Download 64-bit artifact'
        uses: actions/download-artifact@v3
        with:
          name: 'obs-studio-windows-x64-${{ steps.setup.outputs.commitHash }}'

      - name: 'Download 32-bit artifact'
        uses: actions/download-artifact@v3
        with:
          name: 'obs-studio-windows-x86-${{ steps.setup.outputs.commitHash }}'

      - name: 'Unpack Windows build artifacts'
        id: unpack
        run: |
          if (!(Test-Path install_temp)) {
            $null = New-Item -ItemType Directory -Force -Path install_temp
          }

          Expand-Archive -Path "$(Get-ChildItem -filter "obs-studio-*-windows-x86.zip" -File)" -DestinationPath install_temp
          Expand-Archive -Path "$(Get-ChildItem -filter "obs-studio-*-windows-x64.zip" -File)" -Force -DestinationPath install_temp

          CI/windows/03_package_obs.ps1 -CombinedArchs -Package

          $ArtifactName = (Get-ChildItem -filter "obs-studio-*-windows-x86+x64.zip" -File).Name
          "filename=${ArtifactName}" >> $env:GITHUB_OUTPUT

      - name: 'Upload build artifact'
        uses: actions/upload-artifact@v3
        with:
          name: 'obs-studio-windows-installer'
          path: '${{ steps.unpack.outputs.filename }}'

  macos_release:
    name: '03 - macOS notarized image'
    runs-on: [macos-12]
    needs: [macos_build]
    env:
      BUILD_FOR_DISTRIBUTION: 'ON'
      HAVE_SPARKLE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY != '' }}
    outputs:
      run_sparkle: ${{ steps.sparkle_check.outputs.run_sparkle }}
    if: ${{ startsWith(github.ref, 'refs/tags/') && github.event_name != 'pull_request' }}
    strategy:
      matrix:
        arch: ['x86_64', 'arm64']
    defaults:
      run:
        shell: bash
    steps:
      - name: 'Install Apple Developer Certificate'
        id: macos-codesign
        env:
          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
          MACOS_SIGNING_CERT: ${{ secrets.MACOS_SIGNING_CERT }}
          MACOS_SIGNING_CERT_PASSWORD: ${{ secrets.MACOS_SIGNING_CERT_PASSWORD }}
          MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
          MACOS_PROVISIONING_PROFILE: ${{ secrets.MACOS_SIGNING_PROVISIONING_PROFILE }}
          MACOS_NOTARIZATION_USERNAME: ${{ secrets.MACOS_NOTARIZATION_USERNAME }}
          MACOS_NOTARIZATION_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PASSWORD }}
        run: |
          if [[ "${MACOS_SIGNING_IDENTITY}" && "${MACOS_SIGNING_CERT}" ]]; then
            CERTIFICATE_PATH="${RUNNER_TEMP}/build_certificate.p12"
            KEYCHAIN_PATH="${RUNNER_TEMP}/app-signing.keychain-db"

            echo -n "${MACOS_SIGNING_CERT}" | base64 --decode --output "${CERTIFICATE_PATH}"

            : "${MACOS_KEYCHAIN_PASSWORD:="$(echo ${RANDOM} | sha1sum | head -c 32)"}"

            security create-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
            security set-keychain-settings -lut 21600 "${KEYCHAIN_PATH}"
            security unlock-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"

            security import "${CERTIFICATE_PATH}" -P "${MACOS_SIGNING_CERT_PASSWORD}" -A \
              -t cert -f pkcs12 -k "${KEYCHAIN_PATH}" \
              -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/xcrun

            security set-key-partition-list -S 'apple-tool:,apple:' -k "${MACOS_KEYCHAIN_PASSWORD}" \
              "${KEYCHAIN_PATH}" &> /dev/null
            security list-keychain -d user -s "${KEYCHAIN_PATH}" 'login-keychain'

            echo "CODESIGN_IDENT=${MACOS_SIGNING_IDENTITY}" >> $GITHUB_ENV
            echo "MACOS_KEYCHAIN_PASSWORD=${MACOS_KEYCHAIN_PASSWORD}" >> $GITHUB_ENV
            echo "haveCodesignIdent=true" >> $GITHUB_OUTPUT
          else
            echo "CODESIGN_IDENT=-" >> $GITHUB_ENV
            echo "haveCodesignIdent=false" >> $GITHUB_OUTPUT
          fi

          if [[ "${MACOS_PROVISIONING_PROFILE}" ]]; then
            PROFILE_PATH="${RUNNER_TEMP}/build_profile.provisionprofile"
            echo -n "${MACOS_PROVISIONING_PROFILE}" | base64 --decode --output "${PROFILE_PATH}"

            mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
            security cms -D -i "${PROFILE_PATH}" -o "${RUNNER_TEMP}/build_profile.plist"
            UUID="$(plutil -extract UUID raw "${RUNNER_TEMP}/build_profile.plist")"
            TEAM_ID="$(plutil -extract TeamIdentifier.0 raw -expect string "${RUNNER_TEMP}/build_profile.plist")"

            cp "${PROFILE_PATH}" ~/Library/MobileDevice/Provisioning\ Profiles/${UUID}.provisionprofile
            echo "provisionprofileUUID=${UUID}" >> $GITHUB_OUTPUT
            echo "haveProvisioningProfile=true" >> $GITHUB_OUTPUT
            echo "CODESIGN_TEAM=${TEAM_ID}" >> $GITHUB_ENV
          else
           echo "haveProvisioningProfile=false" >> $GITHUB_OUTPUT
          fi

          if [[ "${MACOS_NOTARIZATION_USERNAME}" && "${MACOS_NOTARIZATION_PASSWORD}" ]]; then
            echo "haveNotarizationUser=true" >> $GITHUB_OUTPUT
          else
            echo "haveNotarizationUser=false" >> $GITHUB_OUTPUT
          fi

      - name: 'Checkout'
        if: ${{ fromJSON(steps.macos-codesign.outputs.haveCodesignIdent) && fromJSON(steps.macos-codesign.outputs.haveNotarizationUser) }}
        uses: actions/checkout@v3

      - name: 'Setup build environment'
        if: ${{ fromJSON(steps.macos-codesign.outputs.haveCodesignIdent) && fromJSON(steps.macos-codesign.outputs.haveNotarizationUser) }}
        id: setup
        run: |
          echo "commitHash=$(git rev-parse --short=9 HEAD)" >> $GITHUB_OUTPUT

      - name: 'Determine if Sparkle should run'
        if: env.HAVE_CODESIGN_IDENTITY == 'true'
        id: sparkle_check
        run: |
          echo 'run_sparkle=${{ env.HAVE_SPARKLE_KEY }}' >> $GITHUB_OUTPUT

      - name: 'Download artifact'
        if: ${{ fromJSON(steps.macos-codesign.outputs.haveCodesignIdent) && fromJSON(steps.macos-codesign.outputs.haveNotarizationUser) }}
        uses: actions/download-artifact@v3
        with:
          name: 'obs-studio-macos-${{ matrix.arch }}-${{ steps.setup.outputs.commitHash }}'

      - name: 'Create disk image for distribution'
        if: ${{ fromJSON(steps.macos-codesign.outputs.haveCodesignIdent) && fromJSON(steps.macos-codesign.outputs.haveNotarizationUser) }}
        env:
          CODESIGN_IDENT_USER: ${{ secrets.MACOS_NOTARIZATION_USERNAME }}
          CODESIGN_IDENT_PASS: ${{ secrets.MACOS_NOTARIZATION_PASSWORD }}
        run: |
          ARTIFACT_NAME=$(/usr/bin/find . -type f -name "obs-studio-*.dmg" -depth 1 | head -1)
          CI/macos/03_package_obs.sh --notarize-image ${ARTIFACT_NAME}

          echo "FILE_NAME=$(basename ${ARTIFACT_NAME})" >> $GITHUB_ENV

      - name: 'Upload build Artifact'
        if: ${{ fromJSON(steps.macos-codesign.outputs.haveCodesignIdent) && fromJSON(steps.macos-codesign.outputs.haveNotarizationUser) }}
        uses: actions/upload-artifact@v3
        with:
          name: 'obs-studio-macos-${{ matrix.arch }}-notarized'
          path: '${{ github.workspace }}/${{ env.FILE_NAME }}'

  macos_sparkle:
    name: '04 - macOS Sparkle Updates'
    runs-on: [macos-12]
    needs: [macos_release]
    if: fromJSON(needs.macos_release.outputs.run_sparkle)
    strategy:
      matrix:
        arch: ['x86_64', 'arm64']
    env:
      SPARKLE_VERSION: '2.3.2'
      SPARKLE_HASH: '2b3fe6918ca20a83729aad34f8f693a678b714a17d33b5f13ca2d25edfa7eed3'
    defaults:
      run:
        shell: bash
    steps:
      - name: 'Checkout'
        uses: actions/checkout@v3
        with:
          path: 'repo'
          ref: ${{ github.ref }}

      - name: 'Download artifact'
        uses: actions/download-artifact@v3
        with:
          name: 'obs-studio-macos-${{ matrix.arch }}-notarized'
          path: 'artifacts'

      - name: 'Install Python requirements'
        run: pip3 install requests xmltodict

      - name: 'Install Brew requirements'
        run: brew install coreutils pandoc

      - name: 'Setup Sparkle'
        run: |
          curl -L "https://github.com/sparkle-project/Sparkle/releases/download/${{ env.SPARKLE_VERSION }}/Sparkle-${{ env.SPARKLE_VERSION }}.tar.xz" -o Sparkle.tar.xz

          if [[ '${{ env.SPARKLE_HASH }}' != "$(sha256sum Sparkle.tar.xz | cut -d " " -f 1)" ]]; then
              echo "Sparkle download hash does not match!"
              exit 1
          fi

          mkdir sparkle && cd sparkle
          tar -xf ../Sparkle.tar.xz

      - name: 'Setup folder structure'
        run: |
          mkdir builds
          mkdir -p output/appcasts/stable
          mkdir -p output/sparkle_deltas/${{ matrix.arch }}

      - name: 'Determine branch and tag'
        id: branch
        run: |
          pushd repo

          GIT_TAG="$(git describe --tags --abbrev=0)"
          if [[ ${GIT_TAG} == *'beta'* || ${GIT_TAG} == *'rc'* ]]; then
            echo "branch=beta" >> $GITHUB_OUTPUT
            echo "deltas=1" >> $GITHUB_OUTPUT
          else
            echo "branch=stable" >> $GITHUB_OUTPUT
            echo "deltas=1" >> $GITHUB_OUTPUT
          fi
          # Write tag description to file
          git tag -l --format='%(contents)' ${GIT_TAG} >> ../notes.rst

      - name: 'Download existing Appcast and builds'
        run: python3 repo/CI/macos/appcast_download.py --branch "${{ steps.branch.outputs.branch }}" --max-old-versions ${{ steps.branch.outputs.deltas }}

      - name: 'Prepare release notes'
        run: |
          # Insert underline at line 2 to turn first line into heading
          sed -i '' '2i\'$'\n''###################################################' notes.rst
          pandoc -f rst -t html notes.rst -o output/appcasts/notes_${{ steps.branch.outputs.branch }}.html

      - name: 'Setup Sparkle key'
        run: echo -n "${{ secrets.SPARKLE_PRIVATE_KEY }}" >> eddsa_private.key

      - name: 'Generate Appcast'
        run: |
          mv artifacts/*.dmg builds/
          ./sparkle/bin/generate_appcast \
              --verbose \
              --ed-key-file ./eddsa_private.key \
              --download-url-prefix "https://cdn-fastly.obsproject.com/downloads/" \
              --full-release-notes-url "https://obsproject.com/osx_update/notes_${{ steps.branch.outputs.branch }}.html" \
              --maximum-versions 0 \
              --maximum-deltas ${{ steps.branch.outputs.deltas }} \
              --channel "${{ steps.branch.outputs.branch }}" builds/
          # Move deltas, if any
          if compgen -G "builds/*.delta" > /dev/null; then
            mv builds/*.delta output/sparkle_deltas/${{ matrix.arch }}
          fi
          # Move appcasts
          mv builds/*.xml output/appcasts/

      - name: 'Create 1.x Appcast'
        run: python3 repo/CI/macos/appcast_convert.py

      - name: 'Upload Appcast and Deltas'
        uses: actions/upload-artifact@v3
        with:
          name: 'macos-sparkle-updates'
          path: '${{ github.workspace }}/output'