From fb598e5f40a187d0c0bc90bb941d4c64c16e1707 Mon Sep 17 00:00:00 2001 From: DeeDeeG Date: Tue, 26 Sep 2023 22:34:12 -0400 Subject: [PATCH] CI: Use Python 3.11 to fix macOS signing Background and context for this commit... Not sure why exactly, but our GitHub Actions workflow is producing *signed* macOS binaries that pass spctl "acceptance" on the CLI, and various other signing/notarization checks on the CLI, such as stapler, but nevertheless warn they can't be verified when opening the signed Pulsar.app in Finder or using `open` on the CLI, and so on. Through investigating what changes we can make to better-match the Cirrus environment, which has been producing signed binaries that open just fine without the warning for months now, we have tried many things. Eventually, disabling actions/setup-node and actions/setup-python was tried, which incidentally got us Python 3.11 instead of our manually pinned older Python 3.10. That worked, the signed binaries open as they should, sans verification warning. Further narrowing it down resulted in, any way we get Python other than 3.10 from actions/setup-python seems to be working. Given that, this commit starts using Python 3.11 in GitHub Actions, to fix the "macOS is signed but is still not making Gatekeeper happy" situation we have been having with GitHub Actions. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b106e3dda0..c5ded5a53d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -10,7 +10,7 @@ on: env: # Variables needed for build information GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PYTHON_VERSION: '3.10' + PYTHON_VERSION: '3.11' NODE_VERSION: 16 ROLLING_UPLOAD_TOKEN: ${{ secrets.ROLLING_RELEASE_UPLOAD_TOKEN }} # Below variables allow us to quickly control visual tests for each platform
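Review bot: The `PYTHON_VERSION: '3.11'` line in the `env:` block carries no comment recording why the pin moved, and the commit message says the root cause is unknown ("Not sure why exactly"), so nothing in build.yml stops a later edit from returning to 3.10 and reintroducing macOS binaries that are signed but still show the verification warning in Finder. Add a comment directly above the line, for example `# Not 3.10: with 3.10 from actions/setup-python the signed macOS app fails verification when opened`. The commit message also notes that spctl and stapler passed on the affected builds, so those CLI checks cannot act as a regression guard for this change; it would help to state in the PR how the 3.11 build was verified (opened in Finder or with `open`). Keeping the value quoted is correct, since an unquoted 3.10 in YAML would be read as the number 3.1.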