Build executable version of CLI and upload artifact. On dispatch event build the latest tag and upload to release assets #246
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build executable version of CLI and upload artifact. On dispatch event build the latest tag and upload to release assets | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: write | |
| jobs: | |
| build: | |
| name: Build on ${{ matrix.os }} (${{ matrix.mode }} mode) | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ ubuntu-20.04, macos-12, macos-14, windows-2019 ] | |
| mode: [ 'onefile', 'onedir' ] | |
| exclude: | |
| - os: ubuntu-20.04 | |
| mode: onedir | |
| - os: windows-2019 | |
| mode: onedir | |
| runs-on: ${{ matrix.os }} | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - name: Run Cimon | |
| if: matrix.os == 'ubuntu-20.04' | |
| uses: cycodelabs/cimon-action@v0 | |
| with: | |
| client-id: ${{ secrets.CIMON_CLIENT_ID }} | |
| secret: ${{ secrets.CIMON_SECRET }} | |
| prevent: true | |
| allowed-hosts: > | |
| files.pythonhosted.org | |
| install.python-poetry.org | |
| pypi.org | |
| uploads.github.com | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Checkout latest release tag | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| run: | | |
| LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`) | |
| git checkout $LATEST_TAG | |
| echo "LATEST_TAG=$LATEST_TAG" >> $GITHUB_ENV | |
| - name: Set up Python 3.12 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.12' | |
| - name: Load cached Poetry setup | |
| id: cached-poetry | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.local | |
| key: poetry-${{ matrix.os }}-1 # increment to reset cache | |
| - name: Setup Poetry | |
| if: steps.cached-poetry.outputs.cache-hit != 'true' | |
| uses: snok/install-poetry@v1 | |
| with: | |
| version: 1.8.3 | |
| - name: Add Poetry to PATH | |
| run: echo "$HOME/.local/bin" >> $GITHUB_PATH | |
| - name: Install dependencies | |
| run: poetry install --without dev,test | |
| - name: Import macOS signing certificate | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_CERT: ${{ secrets.APPLE_CERT }} | |
| APPLE_CERT_PWD: ${{ secrets.APPLE_CERT_PWD }} | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} | |
| run: | | |
| # import certificate | |
| CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 | |
| echo -n "$APPLE_CERT" | base64 --decode -o $CERTIFICATE_PATH | |
| # create temporary keychain | |
| KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
| security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
| security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| # import certificate to keychain | |
| security import $CERTIFICATE_PATH -P "$APPLE_CERT_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
| security list-keychain -d user -s $KEYCHAIN_PATH | |
| - name: Build executable (onefile) | |
| if: matrix.mode == 'onefile' | |
| env: | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| run: | | |
| poetry run pyinstaller pyinstaller.spec | |
| echo "PATH_TO_CYCODE_CLI_EXECUTABLE=dist/cycode-cli" >> $GITHUB_ENV | |
| - name: Build executable (onedir) | |
| if: matrix.mode == 'onedir' | |
| env: | |
| CYCODE_ONEDIR_MODE: 1 | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| run: | | |
| poetry run pyinstaller pyinstaller.spec | |
| echo "PATH_TO_CYCODE_CLI_EXECUTABLE=dist/cycode-cli/cycode-cli" >> $GITHUB_ENV | |
| - name: Test executable | |
| run: time $PATH_TO_CYCODE_CLI_EXECUTABLE version | |
| - name: Notarize macOS executable | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_NOTARIZATION_EMAIL: ${{ secrets.APPLE_NOTARIZATION_EMAIL }} | |
| APPLE_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARIZATION_PWD }} | |
| APPLE_NOTARIZATION_TEAM_ID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }} | |
| run: | | |
| # create keychain profile | |
| xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_NOTARIZATION_EMAIL" --team-id "$APPLE_NOTARIZATION_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD" | |
| # create zip file (notarization does not support binaries) | |
| ditto -c -k --keepParent dist/cycode-cli notarization.zip | |
| # notarize app (this will take a while) | |
| xcrun notarytool submit notarization.zip --keychain-profile "notarytool-profile" --wait | |
| # we can't staple the app because it's executable | |
| - name: Test macOS signed executable | |
| if: runner.os == 'macOS' | |
| run: | | |
| file -b $PATH_TO_CYCODE_CLI_EXECUTABLE | |
| time $PATH_TO_CYCODE_CLI_EXECUTABLE version | |
| # verify signature | |
| codesign -dv --verbose=4 $PATH_TO_CYCODE_CLI_EXECUTABLE | |
| - name: Import cert for Windows and setup envs | |
| if: runner.os == 'Windows' | |
| env: | |
| SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }} | |
| run: | | |
| # import certificate | |
| echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/Certificate_pkcs12.p12 | |
| echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" | |
| # add required soft to the path | |
| echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH | |
| echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH | |
| - name: Sign Windows executable | |
| if: runner.os == 'Windows' | |
| shell: cmd | |
| env: | |
| SM_HOST: ${{ secrets.SM_HOST }} | |
| SM_API_KEY: ${{ secrets.SM_API_KEY }} | |
| SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} | |
| SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} | |
| run: | | |
| :: setup SSM KSP | |
| curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi | |
| msiexec /i smtools-windows-x64.msi /quiet /qn | |
| C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user | |
| smksp_cert_sync.exe | |
| :: sign executable | |
| signtool.exe sign /sha1 %SM_CODE_SIGNING_CERT_SHA1_HASH% /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ".\dist\cycode-cli.exe" | |
| - name: Test Windows signed executable | |
| if: runner.os == 'Windows' | |
| shell: cmd | |
| run: | | |
| :: call executable and expect correct output | |
| .\dist\cycode-cli.exe version | |
| :: verify signature | |
| signtool.exe verify /v /pa ".\dist\cycode-cli.exe" | |
| - name: Prepare files for artifact and release (rename and calculate sha256) | |
| run: echo "ARTIFACT_NAME=$(./process_executable_file.py dist/cycode-cli)" >> $GITHUB_ENV | |
| - name: Upload files as artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ${{ env.ARTIFACT_NAME }} | |
| path: dist | |
| - name: Upload files to release | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| file: dist/* | |
| tag: ${{ env.LATEST_TAG }} | |
| overwrite: true | |
| file_glob: true |