build_stable.yml
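# Builds the glue application with PyInstaller on macOS and Windows, signs and
# notarizes the macOS bundle, and uploads the results to S3 on every event
# except pull_request.
name: Build stable and nightly bundles

on:
  push:
    branches:
      - '*'
    tags:
      - '*'
  schedule:
    # Daily at 03:00 (GitHub evaluates cron expressions in UTC).
    - cron: '0 3 * * *'
  workflow_dispatch:
  pull_request:

# Least privilege for GITHUB_TOKEN: the job only reads the repository; the
# upload goes to S3 with separate AWS credentials.
permissions:
  contents: read

jobs:
  build_applications:
    name: ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [macos-14, windows-2019]
    # NOTE(review): this job also runs on pull_request. Secrets are not passed
    # to workflows triggered from forks, so the import/sign steps presumably
    # fail there; for same-repository PRs the signing identities are imported
    # before branch code (requirements.txt, glue_app.spec) is executed.
    # Consider gating the certificate import, signing and notarization steps
    # on github.event_name != 'pull_request'.
    #
    # NOTE(review): every `uses:` below references a mutable tag. Pinning each
    # one to a full commit SHA (e.g. `@<FULL_COMMIT_SHA>  # v1`) keeps a moved
    # tag from running different code in a job that holds signing secrets.
    steps:
      - name: Check glue version to build
        shell: bash
        # Quoted so a ref name containing spaces or glob characters is
        # printed verbatim.
        run: echo "${GITHUB_REF_NAME}"

      # osx signing based on https://melatonin.dev/blog/how-to-code-sign-and-notarize-macos-audio-plugins-in-ci/
      - name: Import Developer ID Application Certificate
        if: ${{ matrix.os == 'macos-14' }}
        uses: apple-actions/import-codesign-certs@v1
        with:
          p12-file-base64: ${{ secrets.DEV_ID_APP_CERT }}
          p12-password: ${{ secrets.DEV_ID_APP_PASSWORD }}
          keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }}

      - name: Import Mac Installer Distribution Certificate
        if: ${{ matrix.os == 'macos-14' }}
        uses: apple-actions/import-codesign-certs@v1
        with:
          p12-file-base64: ${{ secrets.MAC_INST_DIST_CERT }}
          p12-password: ${{ secrets.MAC_INST_DIST_PASSWORD }}
          # Reuse the keychain created by the previous import step.
          create-keychain: false
          keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }}

      - name: Checkout code
        uses: actions/checkout@v2
        with:
          # No later step pushes or fetches, so do not leave GITHUB_TOKEN in
          # .git/config while third-party build code runs.
          persist-credentials: false

      - name: Set up Python 3.11
        uses: actions/setup-python@v2
        with:
          # Quoted: an unquoted version is parsed as a float (3.10 -> 3.1).
          python-version: '3.11'

      - name: Install Python dependencies
        run: pip install -r requirements.txt --no-cache-dir

      - name: Uninstall debugpy
        run: pip uninstall -y debugpy

      - name: Uninstall joblib
        run: pip uninstall -y joblib

      - name: Run pyinstaller
        run: pyinstaller glue_app.spec

      # Don't do the following for now since it actually breaks the WWT plugin
      # - name: Remove nested app
      #   if: ${{ matrix.os == 'macos-14' }}
      #   run: rm -rf dist/glue.app/Contents/Frameworks/PyQt5/Qt/lib/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app

      - name: Simple test of MacOS X application
        if: ${{ matrix.os == 'macos-14' }}
        run: dist/glue.app/Contents/MacOS/start_glue --test

      - name: Rename MacOS X application
        if: ${{ matrix.os == 'macos-14' }}
        run: mv dist/glue.app dist/"glue ${GITHUB_REF_NAME}.app"

      - name: Rename Windows application
        if: ${{ matrix.os == 'windows-2019' }}
        shell: bash
        run: mv dist/glue.exe dist/"glue ${GITHUB_REF_NAME}.exe"

      # Build signed DMG for direct distribution
      - name: Remove start_glue
        if: ${{ matrix.os == 'macos-14' }}
        run: rm -rf dist/start_glue

      - name: Codesign MacOS X application
        if: ${{ matrix.os == 'macos-14' }}
        # The secret is handed over as an environment variable and expanded by
        # the shell inside quotes, instead of being templated into the script
        # text where its content would be parsed as shell syntax.
        env:
          DEVELOPER_ID_APPLICATION: ${{ secrets.DEVELOPER_ID_APPLICATION }}
        run: >-
          codesign --entitlements entitlements.plist --force
          -s "${DEVELOPER_ID_APPLICATION}" -v
          dist/"glue ${GITHUB_REF_NAME}.app"
          --deep --strict --options=runtime --timestamp

      - name: Make DMG
        if: ${{ matrix.os == 'macos-14' }}
        run: hdiutil create -volname "Glue" -srcfolder dist -ov -format UDZO dist/"glue ${GITHUB_REF_NAME}.dmg"

      - name: Notarize app
        if: ${{ matrix.os == 'macos-14' }}
        # Credentials come in through env and are quoted, so characters such
        # as spaces, `$` or `;` in a password cannot split or alter the command.
        env:
          NOTARIZATION_USERNAME: ${{ secrets.NOTARIZATION_USERNAME }}
          NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
          TEAM_ID: ${{ secrets.TEAM_ID }}
        run: >-
          xcrun notarytool submit dist/"glue ${GITHUB_REF_NAME}.dmg"
          --apple-id "${NOTARIZATION_USERNAME}"
          --team-id "${TEAM_ID}"
          --password "${NOTARIZATION_PASSWORD}"
          --wait

      - name: Staple notarization to dmg
        if: ${{ matrix.os == 'macos-14' }}
        run: xcrun stapler staple dist/"glue ${GITHUB_REF_NAME}.dmg"

      # Build signed pkg for potential Mac App Store distribution
      - name: Rename MacOS X application
        if: ${{ matrix.os == 'macos-14' }}
        run: mv dist/"glue ${GITHUB_REF_NAME}.app" dist/glueviz.app

      - name: Build MacOS X installer for distribution
        if: ${{ matrix.os == 'macos-14' }}
        run: productbuild --component dist/glueviz.app /Applications/ dist/"glue ${GITHUB_REF_NAME}_unsigned.pkg"

      - name: Sign MacOS X installer for distribution
        if: ${{ matrix.os == 'macos-14' }}
        # Signing identity passed via env and quoted, as in the codesign step.
        env:
          MAC_INSTALLER_DISTRIBUTION: ${{ secrets.MAC_INSTALLER_DISTRIBUTION }}
        run: >-
          productsign --sign "${MAC_INSTALLER_DISTRIBUTION}"
          dist/"glue ${GITHUB_REF_NAME}_unsigned.pkg"
          dist/"glue ${GITHUB_REF_NAME}.pkg"

      - name: Remove unsigned pkg
        if: ${{ matrix.os == 'macos-14' }}
        run: rm -rf dist/"glue ${GITHUB_REF_NAME}_unsigned.pkg"

      # For now validation fails because the entitlements file is missing the sandbox option - but we are leaving
      # it out for now as WWT does not work correctly with it.
      # - name: Validate pkg
      #   if: ${{ matrix.os == 'macos-14' }}
      #   run: xcrun altool --validate-app -f dist/"glue ${GITHUB_REF_NAME}.pkg" --type osx --username ${{ secrets.NOTARIZATION_USERNAME }} --password ${{ secrets.NOTARIZATION_PASSWORD }} --team-id ${{ secrets.TEAM_ID }}

      - name: Remove .app
        if: ${{ matrix.os == 'macos-14' }}
        run: rm -rf dist/"glueviz.app"

      - name: Output list of included packages
        if: matrix.os == 'macos-14'
        run: pip freeze > included-packages.txt

      # NOTE(review): awscli is installed unpinned, so the upload below runs
      # whatever version is current on PyPI. Pinning an exact version keeps
      # the tool that handles the AWS credentials reproducible.
      - name: Install awscli
        run: pip install awscli

      # NOTE(review): the uploads use long-lived access keys stored as
      # repository secrets. Short-lived credentials obtained through GitHub's
      # OIDC provider, limited to the installers/ prefix, would narrow the
      # impact of a leaked key.
      - name: Upload glue to S3
        shell: bash
        if: github.event_name != 'pull_request'
        # Destination quoted so the ref name cannot be word-split or globbed.
        run: aws s3 cp dist/ "s3://glueviz/installers/${GITHUB_REF_NAME}/" --recursive
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: Upload package list to S3
        if: github.event_name != 'pull_request' && matrix.os == 'macos-14'
        run: aws s3 cp included-packages.txt "s3://glueviz/installers/${GITHUB_REF_NAME}/"
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}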