Build stable and nightly bundles #327
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build stable and nightly bundles | |
on: | |
push: | |
branches: | |
- '*' | |
tags: | |
- '*' | |
schedule: | |
- cron: '0 3 * * *' | |
workflow_dispatch: | |
pull_request: | |
jobs: | |
build_applications: | |
name: ${{ matrix.os }} | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [macos-14, windows-2019] | |
steps: | |
- name: Check glue version to build | |
shell: bash | |
run: echo ${GITHUB_REF_NAME} | |
# osx signing based on https://melatonin.dev/blog/how-to-code-sign-and-notarize-macos-audio-plugins-in-ci/ | |
- name: Import Developer ID Application Certificate | |
if: ${{ matrix.os == 'macos-14' }} | |
uses: apple-actions/import-codesign-certs@v1 | |
with: | |
p12-file-base64: ${{ secrets.DEV_ID_APP_CERT }} | |
p12-password: ${{ secrets.DEV_ID_APP_PASSWORD }} | |
keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }} | |
- name: Import Mac Installer Distribution Certificate | |
if: ${{ matrix.os == 'macos-14' }} | |
uses: apple-actions/import-codesign-certs@v1 | |
with: | |
p12-file-base64: ${{ secrets.MAC_INST_DIST_CERT }} | |
p12-password: ${{ secrets.MAC_INST_DIST_PASSWORD }} | |
create-keychain: false | |
keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }} | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Python 3.11 | |
uses: actions/setup-python@v2 | |
with: | |
python-version: 3.11 | |
- name: Install Python dependencies | |
run: pip install -r requirements.txt --no-cache-dir | |
- name: Uninstall debugpy | |
run: pip uninstall -y debugpy | |
- name: Uninstall joblib | |
run: pip uninstall -y joblib | |
- name: Run pyinstaller | |
run: pyinstaller glue_app.spec | |
# Don't do the following for now since it actually breaks the WWT plugin | |
# - name: Remove nested app | |
# if: ${{ matrix.os == 'macos-14' }} | |
# run: rm -rf dist/glue.app/Contents/Frameworks/PyQt5/Qt/lib/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app | |
- name: Simple test of MacOS X application | |
if: ${{ matrix.os == 'macos-14' }} | |
run: dist/glue.app/Contents/MacOS/start_glue --test | |
- name: Rename MacOS X application | |
if: ${{ matrix.os == 'macos-14' }} | |
run: mv dist/glue.app dist/"glue ${GITHUB_REF_NAME}.app" | |
- name: Rename Windows application | |
if: ${{ matrix.os == 'windows-2019' }} | |
shell: bash | |
run: mv dist/glue.exe dist/"glue ${GITHUB_REF_NAME}.exe" | |
# Build signed DMG for direct distribution | |
- name: Remove start_glue | |
if: ${{ matrix.os == 'macos-14' }} | |
run: rm -rf dist/start_glue | |
- name: Codesign MacOS X application | |
if: ${{ matrix.os == 'macos-14' }} | |
run: codesign --entitlements entitlements.plist --force -s "${{ secrets.DEVELOPER_ID_APPLICATION}}" -v dist/"glue ${GITHUB_REF_NAME}.app" --deep --strict --options=runtime --timestamp | |
- name: Make DMG | |
if: ${{ matrix.os == 'macos-14' }} | |
run: hdiutil create -volname "Glue" -srcfolder dist -ov -format UDZO dist/"glue ${GITHUB_REF_NAME}.dmg" | |
- name: Notarize app | |
if: ${{ matrix.os == 'macos-14' }} | |
run: xcrun notarytool submit dist/"glue ${GITHUB_REF_NAME}.dmg" --apple-id ${{ secrets.NOTARIZATION_USERNAME }} --team-id ${{ secrets.TEAM_ID }} --password ${{ secrets.NOTARIZATION_PASSWORD }} --wait | |
- name: Staple notarization to dmg | |
if: ${{ matrix.os == 'macos-14' }} | |
run: xcrun stapler staple dist/"glue ${GITHUB_REF_NAME}.dmg" | |
# Build signed pkg for potential Mac App Store distribution | |
- name: Rename MacOS X application | |
if: ${{ matrix.os == 'macos-14' }} | |
run: mv dist/"glue ${GITHUB_REF_NAME}.app" dist/glueviz.app | |
- name: Build MacOS X installer for distribution | |
if: ${{ matrix.os == 'macos-14' }} | |
run: productbuild --component dist/glueviz.app /Applications/ dist/"glue ${GITHUB_REF_NAME}_unsigned.pkg" | |
- name: Sign MacOS X installer for distribution | |
if: ${{ matrix.os == 'macos-14' }} | |
run: productsign --sign "${{ secrets.MAC_INSTALLER_DISTRIBUTION}}" dist/"glue ${GITHUB_REF_NAME}_unsigned.pkg" dist/"glue ${GITHUB_REF_NAME}.pkg" | |
- name: Remove unsigned pkg | |
if: ${{ matrix.os == 'macos-14' }} | |
run: rm -rf dist/"glue ${GITHUB_REF_NAME}_unsigned.pkg" | |
# For now validation fails because the entitlements file is missing the sandbox option - but we are leaving | |
# it out for now as WWT does not work correctly with it. | |
#- name: Validate pkg | |
# if: ${{ matrix.os == 'macos-14' }} | |
# run: xcrun altool --validate-app -f dist/"glue ${GITHUB_REF_NAME}.pkg" --type osx --username ${{ secrets.NOTARIZATION_USERNAME }} --password ${{ secrets.NOTARIZATION_PASSWORD }} --team-id ${{ secrets.TEAM_ID }} | |
- name: Remove .app | |
if: ${{ matrix.os == 'macos-14' }} | |
run: rm -rf dist/"glueviz.app" | |
- name: Output list of included packages | |
if: matrix.os == 'macos-14' | |
run: pip freeze > included-packages.txt | |
- name: Install awscli | |
run: pip install awscli | |
- name: Upload glue to S3 | |
shell: bash | |
if: github.event_name != 'pull_request' | |
run: aws s3 cp dist/ s3://glueviz/installers/${GITHUB_REF_NAME}/ --recursive | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
- name: Upload package list to S3 | |
if: github.event_name != 'pull_request' && matrix.os == 'macos-14' | |
run: aws s3 cp included-packages.txt s3://glueviz/installers/${GITHUB_REF_NAME}/ | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} |