.github/workflows/build.yaml

name: Build package
on:
  pull_request:
  push:
    branches:
    - main
  workflow_dispatch:
permissions:
  contents: read
  id-token: write

jobs:
  binary:
    runs-on: macos-13
    steps:
    - uses: actions/checkout@v4

    - name: Set up Python 3.10
      uses: actions/setup-python@v5
      with:
        python-version: "3.10"

    - name: Install app certificates
      env:
        ITERATIVE_APPLICATION_CERT: ${{ secrets.ITERATIVE_APPLICATION_CERT }}
        ITERATIVE_APPLICATION_CERT_PASS: ${{ secrets.ITERATIVE_APPLICATION_CERT_PASS }}
      run: |
        echo $ITERATIVE_APPLICATION_CERT | base64 -d > application_cert.p12
        security create-keychain -p 123456 build.keychain
        # NOTE: signing and steps before it might take longer than default 300 seconds, so we extend the
        # timeout until the keychain automatically locks again.
        security set-keychain-settings -lut 3600 build.keychain
        security default-keychain -s build.keychain
        security unlock-keychain -p 123456 build.keychain
        security import application_cert.p12 -k build.keychain -P $ITERATIVE_APPLICATION_CERT_PASS -T /usr/bin/codesign
        security set-key-partition-list -S 'apple-tool:,apple:,codesign:,productsign:' -s -k 123456 build.keychain
        security find-identity -v

    - name: Install requirements
      run: |
        pip install wheel
        pip install -r requirements.txt

    - name: Download dvc pkg
      run: python download.py

    - name: Set pkg type
      run: echo 'PKG = "osxpkg"' > dvc/dvc/_build.py

    - name: Install dvc requirements
      run: |
        # available lxml (webdav dependency) wheels are built with an old
        # SDK, which breaks osxpkg notarization. Building from scratch
        # instead.
        pip install ./dvc[all] --no-binary lxml
        # https://github.com/iterative/dvc/issues/7949
        pip install PyInstaller==6.9.0
        # https://github.com/iterative/dvc/issues/9654
        pip install flufl-lock==7.1.1
        dvc doctor

    - name: Build binary
      run: python build_bin.py

    - name: Sign binary
      run: python sign_bin.py --application-id 62687162A75C39558A9EA17B57E8C65306BABE92 --keychain build.keychain

    - name: Create tar with binary files
      run: tar cvf dist.tar.gz dist

    - name: Upload binary to artifacts
      uses: actions/upload-artifact@v4
      with:
        name: binary
        path: dist.tar.gz
        retention-days: 1

  installer:
    needs: binary
    runs-on: macos-13
    steps:
    - uses: actions/checkout@v4

    - name: Set up Python 3.10
      uses: actions/setup-python@v5
      with:
        python-version: "3.10"

    - name: Set up Ruby 2.6
      uses: ruby/setup-ruby@v1
      with:
        ruby-version: 2.6

    - name: Install installer certificates
      env:
        ITERATIVE_INSTALLER_CERT: ${{ secrets.ITERATIVE_INSTALLER_CERT }}
        ITERATIVE_INSTALLER_CERT_PASS: ${{ secrets.ITERATIVE_INSTALLER_CERT_PASS }}
      run: |
        echo $ITERATIVE_INSTALLER_CERT | base64 -d > installer_cert.p12
        security create-keychain -p 123456 build.keychain
        # NOTE: signing and steps before it might take longer than default 300 seconds, so we extend the
        # timeout until the keychain automatically locks again.
        security set-keychain-settings -lut 3600 build.keychain
        security default-keychain -s build.keychain
        security unlock-keychain -p 123456 build.keychain
        security import installer_cert.p12 -k build.keychain -P $ITERATIVE_INSTALLER_CERT_PASS -T /usr/bin/productsign
        security set-key-partition-list -S 'apple-tool:,apple:,codesign:,productsign:' -s -k 123456 build.keychain

    - name: Check certificates
      run: security find-identity -v

    - name: Install requirements
      run: |
        pip install wheel
        pip install -r requirements.txt
        gem install --no-document dotenv -v 2.8.1
        gem install --no-document fpm

    - name: Download signed binary
      uses: actions/download-artifact@v4
      with:
        name: binary

    - name: Unpack tar with binary files
      run: tar -xvf dist.tar.gz

    - name: Build installer
      run: python build_installer.py

    - name: Sign installer
      run: python sign_installer.py --installer-id 374191642324A98B1D9835CCD256EDEE2C710051 --keychain build.keychain

    - name: Upload installer to artifacts
      uses: actions/upload-artifact@v4
      with:
        name: installer
        path: dvc*.pkg
        retention-days: 1

  notarize:
    needs: installer
    runs-on: macos-13
    steps:
    - uses: actions/checkout@v4

    - name: Set up Python 3.10
      uses: actions/setup-python@v5
      with:
        python-version: "3.10"

    - name: Install requirements
      run: |
        brew install Bearer/tap/gon

    - name: Download signed installer
      uses: actions/download-artifact@v4
      with:
        name: installer

    - name: Notarize and staple installer
      env:
        APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
        APPLE_ID_PROVIDER: ${{ secrets.APPLE_ID_PROVIDER }}
      run: python notarize_installer.py --apple-id-username ivan@iterative.ai --apple-id-password $APPLE_ID_PASSWORD --apple-id-provider $APPLE_ID_PROVIDER

    - name: Upload stapled installer to artifacts
      uses: actions/upload-artifact@v4
      with:
        name: stapled_installer
        path: dvc*.pkg
        retention-days: 1

  upload:
    needs: notarize
    runs-on: ubuntu-latest
    environment: aws
    steps:
    - uses: actions/checkout@v4

    - name: Set up Python 3.10
      uses: actions/setup-python@v5
      with:
        python-version: "3.10"

    - name: Install requirements
      run: pip install awscli

    - name: Download signed, notarized and stapled installer
      uses: actions/download-artifact@v4
      with:
        name: stapled_installer

    - uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: us-east-2
        role-to-assume: arn:aws:iam::260760892802:role/dvc-public-osxpkg-deployer

    - name: Upload to aws
      if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
      run: python upload.py dvc-*.pkg

  notify:
    if: github.ref == 'refs/heads/main' && failure()
    needs: [binary, installer, notarize, upload]
    runs-on: ubuntu-latest
    steps:
    - name: Slack Notification
      uses: rtCamp/action-slack-notify@v2.3.2
      env:
        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
        SLACK_COLOR: ${{ job.status }}
        SLACK_MESSAGE: 'Package build failed for ${{ github.repository }}'
        SLACK_TITLE: CI Status
        SLACK_USERNAME: dvc-pkg-build