test nuitka #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Nuitka test | |
| on: | |
| push: | |
| branches: | |
| - CM-29700-improve-executable-files | |
| permissions: | |
| contents: write | |
| jobs: | |
| build: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ macos-11 ] | |
| runs-on: ${{ matrix.os }} | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Python 3.12 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.12' | |
| - name: Install dependencies | |
| run: pip install cycode nuitka | |
| - name: Build executable | |
| run: python -m nuitka --standalone --follow-imports --output-dir=dist cycode/cli/main.py | |
| - name: Test executable | |
| run: time ./dist/cycode version | |
| - name: Sign macOS executable | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_CERT: ${{ secrets.APPLE_CERT }} | |
| APPLE_CERT_PWD: ${{ secrets.APPLE_CERT_PWD }} | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} | |
| run: | | |
| # import certificate | |
| CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 | |
| echo -n "$APPLE_CERT" | base64 --decode -o $CERTIFICATE_PATH | |
| # create temporary keychain | |
| KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
| security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
| security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| # import certificate to keychain | |
| security import $CERTIFICATE_PATH -P "$APPLE_CERT_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
| security list-keychain -d user -s $KEYCHAIN_PATH | |
| # sign executable | |
| codesign --deep --force --options=runtime --entitlements entitlements.plist --sign "$APPLE_CERT_NAME" --timestamp dist/cycode | |
| - name: Notarize macOS executable | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_NOTARIZATION_EMAIL: ${{ secrets.APPLE_NOTARIZATION_EMAIL }} | |
| APPLE_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARIZATION_PWD }} | |
| APPLE_NOTARIZATION_TEAM_ID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }} | |
| run: | | |
| # create keychain profile | |
| xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_NOTARIZATION_EMAIL" --team-id "$APPLE_NOTARIZATION_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD" | |
| # create zip file (notarization does not support binaries) | |
| ditto -c -k --keepParent dist/cycode notarization.zip | |
| # notarize app (this will take a while) | |
| xcrun notarytool submit notarization.zip --keychain-profile "notarytool-profile" --wait | |
| # we can't staple the app because it's executable. we should only staple app bundles like .dmg | |
| # xcrun stapler staple dist/cycode | |
| - name: Test macOS signed executable | |
| if: runner.os == 'macOS' | |
| run: time ./dist/cycode version | |
| - name: Prepare files on macOS | |
| if: runner.os == 'macOS' | |
| run: | | |
| echo "ARTIFACT_NAME=cycode-mac" >> $GITHUB_ENV | |
| mv dist/cycode dist/cycode-mac | |
| shasum -a 256 dist/cycode-mac > sha256 | |
| head -c 64 sha256 > dist/cycode-mac.sha256 | |
| - name: Upload files as artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ${{ env.ARTIFACT_NAME }} | |
| path: dist |