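name: Build Mac installer

on:
  workflow_dispatch:
    # Inputs the workflow accepts.
    inputs:
      whl-url:
        description: 'URL for Kolibri whl file'
        required: true
      release:
        description: 'Is this a release asset?'
        required: false
        type: boolean
        default: false
  workflow_call:
    inputs:
      whl-file-name:
        required: false
        type: string
      whl-url:
        required: false
        type: string
      ref:
        description: 'A ref for this workflow to check out its own repo'
        required: false
        type: string
      release:
        description: 'Is this a release asset?'
        required: false
        type: boolean
        default: false
    secrets:
      KOLIBRI_MAC_APP_IDENTITY:
        required: false
      KOLIBRI_MAC_APP_CERTIFICATE:
        required: false
      KOLIBRI_MAC_APP_CERTIFICATE_PASSWORD:
        required: false
      KOLIBRI_MAC_APP_USERNAME:
        required: false
      KOLIBRI_MAC_APP_PASSWORD:
        required: false
      KOLIBRI_MAC_APP_TEAM_ID:
        required: false
    outputs:
      dmg-file-name:
        description: "DMG file name"
        value: ${{ jobs.build_dmg.outputs.dmg-file-name }}

# Least privilege for GITHUB_TOKEN: no step here writes to the repository or
# the GitHub API. Artifact upload/download within the same run needs nothing
# beyond this; a caller of workflow_call can only narrow it further.
permissions:
  contents: read

jobs:
  build_dmg:
    runs-on: macos-13
    outputs:
      dmg-file-name: ${{ steps.get-dmg-filename.outputs.dmg-file-name }}
    env:
      # We need the official Python, because the GA ones only support newer macOS versions
      # The deployment target is picked up by the Python build tools automatically
      PYTHON_VERSION: "3.10.10"
      MACOSX_DEPLOYMENT_TARGET: "10.9"
    steps:
      - name: Validate whl reference inputs
        if: ${{ (inputs.whl-file-name && inputs.whl-url) || (!inputs.whl-file-name && !inputs.whl-url) }}
        run: |
          echo "Must specify exactly one reference for the whl file to build the DMG with."
          exit 1
      # NOTE(review): third-party actions are pinned to major tags; pinning to a
      # full commit SHA gives a stronger supply-chain guarantee.
      - uses: actions/checkout@v4
        if: ${{ !inputs.ref }}
      - uses: actions/checkout@v4
        if: ${{ inputs.ref }}
        with:
          repository: learningequality/kolibri-app
          ref: ${{ inputs.ref }}
      - name: Cache Python download
        id: cache-python-download
        uses: actions/cache@v4
        with:
          path: ~/python.pkg
          key: macOS-Python-${{ env.PYTHON_VERSION }}
      - name: Download Python ${{ env.PYTHON_VERSION }}
        if: steps.cache-python-download.outputs.cache-hit != 'true'
        # --fail keeps an HTTP error page from being cached and then fed to
        # `sudo installer` below.
        # TODO(review): nothing here verifies the installer against a published
        # checksum before it is installed as root; consider adding one.
        run: curl --fail --silent --show-error --location "https://www.python.org/ftp/python/${PYTHON_VERSION}/python-${PYTHON_VERSION}-macos11.pkg" -o ~/python.pkg
      - name: Install Python 3.10
        run: |
          sudo installer -pkg ~/python.pkg -target /
          unlink /usr/local/bin/python || true
          ln -s /usr/local/bin/python3 /usr/local/bin/python
      - uses: actions/cache@v4
        with:
          path: ~/Library/Caches/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('setup.py', 'build_requires.txt', '.github/workflows/build_mac.yml') }}
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install dependencies
        run: make dependencies
      # Inputs and secrets are passed through `env:` rather than expanded with
      # `${{ }}` inside `run:`: an expression expanded into the script text is
      # interpreted by the shell (a workflow_dispatch input with shell
      # metacharacters would run as commands), whereas an environment variable
      # is only ever a value.
      - name: Download the whlfile from URL and install
        if: ${{ inputs.whl-url }}
        env:
          WHL_URL: ${{ inputs.whl-url }}
        run: make get-whl whl="$WHL_URL"
      - name: Download the whlfile from artifacts
        if: ${{ inputs.whl-file-name }}
        uses: actions/download-artifact@v4
        with:
          name: ${{ inputs.whl-file-name }}
          path: whl
      - name: Install WHL file from artifacts
        if: ${{ inputs.whl-file-name }}
        env:
          WHL_FILE_NAME: ${{ inputs.whl-file-name }}
        run: make install-whl whl="whl/$WHL_FILE_NAME"
      - name: Setup app signing certificate
        if: ${{ inputs.release }}
        env:
          KOLIBRI_MAC_APP_CERTIFICATE: ${{ secrets.KOLIBRI_MAC_APP_CERTIFICATE }}
          KOLIBRI_MAC_APP_CERTIFICATE_PASSWORD: ${{ secrets.KOLIBRI_MAC_APP_CERTIFICATE_PASSWORD }}
        run: |
          # The keychain password only needs to exist for this step: the
          # keychain is left unlocked (set-keychain-settings below) and the
          # partition list lets codesign use the key without a prompt, so a
          # throwaway random value is sufficient and nothing can derive it
          # from the (public) repository contents.
          KEYCHAIN_PASSWORD="$(uuidgen)"
          security create-keychain -p "$KEYCHAIN_PASSWORD" temp.keychain
          security set-keychain-settings -lut 21600 temp.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" temp.keychain
          printf '%s' "$KOLIBRI_MAC_APP_CERTIFICATE" | base64 --decode --output=certificate.p12
          # -A option allows any application to read keys.
          # This would be insecure if the keychain was retained but GitHub action
          # VMs are thrown away after use.
          security import certificate.p12 -k temp.keychain -f pkcs12 -A -T '/usr/bin/codesign' -T '/usr/bin/security' -P "$KOLIBRI_MAC_APP_CERTIFICATE_PASSWORD"
          # The decoded certificate is no longer needed once imported; do not
          # leave it in the workspace for later steps to pick up.
          rm -f certificate.p12
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" temp.keychain
          security list-keychains -d user -s temp.keychain login.keychain
      - name: Build the app
        run: make build-mac-app
      - name: Codesign the app
        if: ${{ inputs.release }}
        env:
          MAC_CODESIGN_IDENTITY: ${{ secrets.KOLIBRI_MAC_APP_IDENTITY }}
        run: make codesign-mac-app
      - name: Build the DMG
        run: make build-dmg
      - name: Codesign the DMG
        if: ${{ inputs.release }}
        env:
          MAC_CODESIGN_IDENTITY: ${{ secrets.KOLIBRI_MAC_APP_IDENTITY }}
        run: make codesign-dmg
      - name: Notarize the DMG
        if: ${{ inputs.release }}
        env:
          MAC_NOTARIZE_USERNAME: ${{ secrets.KOLIBRI_MAC_APP_USERNAME }}
          MAC_NOTARIZE_PASSWORD: ${{ secrets.KOLIBRI_MAC_APP_PASSWORD }}
          MAC_NOTARIZE_TEAM_ID: ${{ secrets.KOLIBRI_MAC_APP_TEAM_ID }}
        run: make notarize-dmg
      - name: Get DMG filename
        id: get-dmg-filename
        # Anchor the pattern so only a file ending in ".dmg" matches (the
        # unanchored `.dmg` would also match e.g. "foo-dmg-notes.txt").
        run: echo "dmg-file-name=$(ls dist | grep '\.dmg$' | cat)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ steps.get-dmg-filename.outputs.dmg-file-name }}
          path: dist/${{ steps.get-dmg-filename.outputs.dmg-file-name }}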