Build executable version of CLI and upload artifact. On dispatch event build the latest tag and upload to release assets #108
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build executable version of CLI and upload artifact. On dispatch event build the latest tag and upload to release assets | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: write | |
| jobs: | |
| build: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ ubuntu-20.04, macos-11, windows-2019 ] | |
| runs-on: ${{ matrix.os }} | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - name: Run Cimon | |
| if: matrix.os == 'ubuntu-20.04' | |
| uses: cycodelabs/cimon-action@v0 | |
| with: | |
| client-id: ${{ secrets.CIMON_CLIENT_ID }} | |
| secret: ${{ secrets.CIMON_SECRET }} | |
| prevent: true | |
| allowed-hosts: > | |
| files.pythonhosted.org | |
| install.python-poetry.org | |
| pypi.org | |
| uploads.github.com | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Checkout latest release tag | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| run: | | |
| LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`) | |
| git checkout $LATEST_TAG | |
| echo "LATEST_TAG=$LATEST_TAG" >> $GITHUB_ENV | |
| - name: Set up Python 3.7 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.7' | |
| - name: Load cached Poetry setup | |
| id: cached-poetry | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.local | |
| key: poetry-${{ matrix.os }}-0 # increment to reset cache | |
| - name: Setup Poetry | |
| if: steps.cached-poetry.outputs.cache-hit != 'true' | |
| uses: snok/install-poetry@v1 | |
| with: | |
| version: 1.5.1 | |
| - name: Add Poetry to PATH | |
| run: echo "$HOME/.local/bin" >> $GITHUB_PATH | |
| - name: Install dependencies | |
| run: poetry install | |
| - name: Build executable | |
| run: poetry run pyinstaller pyinstaller.spec | |
| - name: Test executable | |
| run: ./dist/cycode version | |
| - name: Sign macOS executable | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_CERT: ${{ secrets.APPLE_CERT }} | |
| APPLE_CERT_PWD: ${{ secrets.APPLE_CERT_PWD }} | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} | |
| run: | | |
| # import certificate | |
| CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 | |
| echo -n "$APPLE_CERT" | base64 --decode -o $CERTIFICATE_PATH | |
| # create temporary keychain | |
| KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
| security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
| security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| # import certificate to keychain | |
| security import $CERTIFICATE_PATH -P "$APPLE_CERT_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
| security list-keychain -d user -s $KEYCHAIN_PATH | |
| # sign executable | |
| codesign --deep --force --options=runtime --entitlements entitlements.plist --sign "$APPLE_CERT_NAME" --timestamp dist/cycode | |
| - name: Notarize macOS executable | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_NOTARIZATION_EMAIL: ${{ secrets.APPLE_NOTARIZATION_EMAIL }} | |
| APPLE_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARIZATION_PWD }} | |
| APPLE_NOTARIZATION_TEAM_ID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }} | |
| run: | | |
| # create keychain profile | |
| xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_NOTARIZATION_EMAIL" --team-id "$APPLE_NOTARIZATION_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD" | |
| # create zip file (notarization does not support binaries) | |
| ditto -c -k --keepParent dist/cycode notarization.zip | |
| # notarize app (this will take a while) | |
| xcrun notarytool submit notarization.zip --keychain-profile "notarytool-profile" --wait | |
| # we can't staple the app because it's executable. we should only staple app bundles like .dmg | |
| # xcrun stapler staple dist/cycode | |
| - name: Test macOS signed executable | |
| if: runner.os == 'macOS' | |
| run: ./dist/cycode version | |
| - name: Import cert for Windows and setup envs | |
| if: runner.os == 'Windows' | |
| env: | |
| SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }} | |
| run: | | |
| # import certificate | |
| echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/Certificate_pkcs12.p12 | |
| echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" | |
| # add required soft to the path | |
| echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH | |
| echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH | |
| - name: Sign Windows executable | |
| if: runner.os == 'Windows' | |
| shell: cmd | |
| env: | |
| SM_HOST: ${{ secrets.SM_HOST }} | |
| SM_API_KEY: ${{ secrets.SM_API_KEY }} | |
| SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} | |
| SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} | |
| run: | | |
| :: setup SSM KSP | |
| curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi | |
| msiexec /i smtools-windows-x64.msi /quiet /qn | |
| C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user | |
| smksp_cert_sync.exe | |
| :: sign executable | |
| signtool.exe sign /sha1 %SM_CODE_SIGNING_CERT_SHA1_HASH% /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ".\dist\cycode.exe" | |
| - name: Test Windows signed executable | |
| if: runner.os == 'Windows' | |
| shell: cmd | |
| run: | | |
| :: call executable and expect correct output | |
| .\dist\cycode.exe version | |
| :: verify signature | |
| signtool.exe verify /v /pa ".\dist\cycode.exe" | |
| - name: Prepare files on Windows | |
| if: runner.os == 'Windows' | |
| run: | | |
| echo "ARTIFACT_NAME=cycode-win" >> $GITHUB_ENV | |
| mv dist/cycode.exe dist/cycode-win.exe | |
| powershell -Command "(Get-FileHash -Algorithm SHA256 dist/cycode-win.exe).Hash" > sha256 | |
| head -c 64 sha256 > dist/cycode-win.exe.sha256 | |
| - name: Prepare files on macOS | |
| if: runner.os == 'macOS' | |
| run: | | |
| echo "ARTIFACT_NAME=cycode-mac" >> $GITHUB_ENV | |
| mv dist/cycode dist/cycode-mac | |
| shasum -a 256 dist/cycode-mac > sha256 | |
| head -c 64 sha256 > dist/cycode-mac.sha256 | |
| - name: Prepare files on Linux | |
| if: runner.os == 'Linux' | |
| run: | | |
| echo "ARTIFACT_NAME=cycode-linux" >> $GITHUB_ENV | |
| mv dist/cycode dist/cycode-linux | |
| sha256sum dist/cycode-linux > sha256 | |
| head -c 64 sha256 > dist/cycode-linux.sha256 | |
| - name: Upload files as artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ${{ env.ARTIFACT_NAME }} | |
| path: dist | |
| - name: Upload files to release | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| file: dist/* | |
| tag: ${{ env.LATEST_TAG }} | |
| overwrite: true | |
| file_glob: true |