build.yml
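# Builds the YNOT executables for macOS and Windows on every `v*` tag push and
# attaches the contents of dist/ to the matching GitHub release.
name: Build YNOT

on:
  push:
    tags:
      - 'v*'

# `contents: write` is required by the release step. Declared at workflow
# level, it also applies to the steps that install and run third-party build
# tooling.
# NOTE(review): consider moving the release into its own job so that the build
# steps run with a read-only token.
permissions:
  contents: write

jobs:
  build:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [macos-latest, windows-latest]
        python-version: ['3.11']
    steps:
      # NOTE(review): the actions in this workflow are referenced by mutable
      # tags. Pinning each `uses:` to a reviewed full commit SHA keeps a
      # retagged release from changing what runs next to the signing secrets.
      - uses: actions/checkout@v2
        with:
          # The build never pushes, so do not leave the token in .git/config
          # where later build steps could read it.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: ${{ matrix.python-version }}

      # NOTE(review): pyinstaller and yt-dlp are installed unpinned, so every
      # release build picks up whatever is newest on the index. Pin exact
      # versions (ideally with hashes) so the signed binary is reproducible.
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install pyinstaller yt-dlp

      - name: Build executable (Windows)
        if: matrix.os == 'windows-latest'
        run: pyinstaller --onefile --windowed --name ynot main.py

      - name: Build executable (macOS)
        if: matrix.os == 'macos-latest'
        # Secrets are handed to the script as environment variables and
        # expanded by the shell inside quotes. Interpolating `${{ secrets.* }}`
        # into the script text would paste the raw value into the command line,
        # where spaces or shell metacharacters change what is executed.
        env:
          CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
          CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          # Stop on the first failure, including a failure inside a pipeline
          # (e.g. a base64 decode error that would otherwise go unnoticed).
          set -euo pipefail

          # Keep the decoded certificate outside the workspace and delete it
          # when the step exits, so it cannot end up in a build output.
          CERT_PATH="$RUNNER_TEMP/certificate.p12"
          trap 'rm -f "$CERT_PATH"' EXIT

          # Per-run keychain password instead of a fixed literal.
          KEYCHAIN_PASSWORD="$(openssl rand -base64 24)"

          # Decode and import certificate
          echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security import "$CERT_PATH" -k build.keychain -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain

          # Build and sign
          pyinstaller --onefile --name ynot main.py
          codesign --force --options runtime --entitlements entitlements.plist --sign "Developer ID Application" dist/ynot
          ditto -c -k --keepParent dist/ynot dist/ynot.zip
          xcrun notarytool submit dist/ynot.zip \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --wait

          # Wait for notarization to propagate and retry stapling if needed.
          # Stapling stays best-effort (the step does not fail on it), but a
          # run where no attempt succeeded is surfaced as a warning.
          # NOTE(review): stapler may not accept a bare executable; confirm
          # that stapling dist/ynot is expected to succeed at all.
          sleep 30
          stapled=false
          for i in {1..3}; do
            if xcrun stapler staple dist/ynot; then
              stapled=true
              break
            fi
            echo "Stapling attempt $i failed, waiting before retry..."
            sleep 30
          done
          if [ "$stapled" != true ]; then
            echo "::warning::Stapling did not succeed after 3 attempts"
          fi

      # Runs in both matrix jobs; each uploads whatever matches dist/ynot*.
      - name: Create Release
        uses: softprops/action-gh-release@v1
        if: startsWith(github.ref, 'refs/tags/')
        with:
          files: |
            dist/ynot*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}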