build.yml
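# Builds the PyPI package and the per-OS app binaries. Runs on pushes to
# main, on every pull request, and when a release is published.
name: Build App

on:
  push:
    branches: [main]
  pull_request:
  release:
    types: [published]

# Least privilege for GITHUB_TOKEN: the steps visible in this workflow only
# read the repository, and artifact upload/download does not rely on these
# scopes.
# NOTE(review): a caller's permissions also cap what a called reusable
# workflow may use - confirm notifications.yml needs nothing beyond read
# access to contents, and widen per job if it does.
permissions:
  contents: read

env:
  # Quoted so the value stays a string regardless of the YAML parser.
  PYTHONUNBUFFERED: "1"
  PYTHON_VERSION: "3.11"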
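# NOTE(review): actions/checkout, actions/setup-python, actions/upload-artifact
# and actions/download-artifact are referenced below by major-version tag,
# which the action's owner can move. Pinning each to a full commit SHA (with
# the tag kept as a trailing comment) keeps the code that runs next to the
# signing secrets from changing underneath this workflow.
jobs:
  # Builds the macOS and Windows notification apps in a reusable workflow; its
  # outputs (artifact names and build paths) are consumed by the jobs below.
  notifications-build:
    uses: ./.github/workflows/notifications.yml
    # NOTE(review): `inherit` passes every secret available to this workflow
    # to the called one. If notifications.yml needs only a few, pass those by
    # name under `secrets:` instead.
    secrets: inherit

  # Builds the sdist and wheel with the notification apps unpacked into the
  # source tree, then uploads ./dist as an artifact.
  package-build:
    name: Build PyPI Package
    needs: notifications-build
    runs-on: ubuntu-22.04
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # No later step visible in this file fetches or pushes, so do not
          # leave the token in .git/config where build tooling could read it.
          persist-credentials: false
      - name: Setup Python
        id: python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Set pipx default python
        env:
          PIPX_DEFAULT_PYTHON: ${{ steps.python.outputs.python-path }}
        run: echo "PIPX_DEFAULT_PYTHON=$PIPX_DEFAULT_PYTHON" >> "$GITHUB_ENV"
      - name: Setup Poetry
        uses: ./.github/actions/setup-poetry
      # No `name` is given, so every artifact of this run is downloaded and
      # merged into a single directory.
      - name: Get notification apps
        id: download-notifications
        uses: actions/download-artifact@v4
        with:
          path: ${{ runner.temp }}/notifications-artifacts
          merge-multiple: true
      # Expression values are handed to the script through `env` rather than
      # being expanded inside the script text.
      - name: Unzip & move notifications apps
        env:
          ARTIFACTS_PATH: ${{ steps.download-notifications.outputs.download-path }}
          MACOS_ARTIFACT_NAME: ${{ needs.notifications-build.outputs.macos-artifact-name }}
          MACOS_BUILD_PATH: ${{ needs.notifications-build.outputs.macos-build-path }}
          WINDOWS_ARTIFACT_NAME: ${{ needs.notifications-build.outputs.windows-artifact-name }}
          WINDOWS_BUILD_PATH: ${{ needs.notifications-build.outputs.windows-posix-build-path }}
        run: |
          # macOS Notifications App
          # -p: the build path may be nested or already present in the checkout
          mkdir -p "$GITHUB_WORKSPACE/$MACOS_BUILD_PATH"
          unzip "$ARTIFACTS_PATH/$MACOS_ARTIFACT_NAME.zip" -d "$GITHUB_WORKSPACE/$MACOS_BUILD_PATH"
          # Windows Notifications App
          mkdir -p "$GITHUB_WORKSPACE/$WINDOWS_BUILD_PATH"
          unzip "$ARTIFACTS_PATH/$WINDOWS_ARTIFACT_NAME.zip" -d "$GITHUB_WORKSPACE/$WINDOWS_BUILD_PATH"
      - name: Build package sdist & wheel
        run: poetry build
      - name: Upload package sdist & wheel
        uses: actions/upload-artifact@v4
        with:
          name: pypi-package-build
          path: ./dist

  # Builds, signs/notarizes (macOS only) and archives the app binary once per
  # OS in the matrix.
  binary-build:
    name: Build ${{ matrix.build.os }} App Binary
    needs: notifications-build
    runs-on: ${{ matrix.build.os }}
    defaults:
      run:
        shell: bash
    strategy:
      fail-fast: false
      matrix:
        build:
          - os: macos-14
            notifications:
              artifact-name: ${{ needs.notifications-build.outputs.macos-artifact-name }}
              build-path: ./${{ needs.notifications-build.outputs.macos-build-path }}
          - os: windows-2022
            notifications:
              artifact-name: ${{ needs.notifications-build.outputs.windows-artifact-name }}
              build-path: .\${{ needs.notifications-build.outputs.windows-build-path }}
          # No notification app on Linux: the notification steps below are
          # gated on runner.os and are skipped for this entry.
          - os: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # The only git use visible below is a local `git rev-parse`, which
          # needs no credentials, so the token is not kept in .git/config.
          persist-credentials: false
      - name: Setup Python
        id: python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Set pipx default python
        env:
          PIPX_DEFAULT_PYTHON: ${{ steps.python.outputs.python-path }}
        run: echo "PIPX_DEFAULT_PYTHON=$PIPX_DEFAULT_PYTHON" >> "$GITHUB_ENV"
      - name: Setup Poetry
        uses: ./.github/actions/setup-poetry
      # NOTE(review): this workflow also runs on pull_request. Pull requests
      # from forks receive no secrets, so the signing inputs are empty there;
      # pull requests from branches of this repository do receive the
      # production certificate and notarization credentials, and the steps
      # that follow execute code from that branch. Consider restricting the
      # signing steps to push/release events or to a protected environment.
      - name: Setup Keychain (macOS)
        if: runner.os == 'macOS'
        uses: ./.github/actions/setup-keychain
        with:
          macos-certificate: ${{ secrets.PROD_MACOS_CERTIFICATE }}
          macos-certificate-pwd: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
          macos-ci-keychain-pwd: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
      - name: Install Drive Backup package & dependencies
        run: poetry install
      - name: Get notification app (macOS & Windows)
        if: runner.os == 'macOS' || runner.os == 'Windows'
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.build.notifications.artifact-name }}
          path: ${{ matrix.build.notifications.build-path }}
      - name: Unzip notification app (macOS & Windows)
        if: runner.os == 'macOS' || runner.os == 'Windows'
        env:
          NOTIFICATION_NAME: ${{ matrix.build.notifications.artifact-name }}
          NOTIFICATION_BUILD: ${{ matrix.build.notifications.build-path }}
        run: |
          # The values are read from the environment inside Python instead of
          # being spliced into the source text by the shell, so a quote or
          # backslash in a path cannot change the code that runs. The heredoc
          # delimiter is quoted to switch off shell expansion in the script.
          python - <<'PY'
          import os
          import shutil
          from pathlib import Path

          build_dir = Path(os.environ["NOTIFICATION_BUILD"])
          zip_path = build_dir / (os.environ["NOTIFICATION_NAME"] + ".zip")
          shutil.unpack_archive(zip_path, build_dir)
          PY
      - name: Build app binary
        env:
          MACOS_CODESIGN_IDENTITY: ${{ secrets.PROD_MACOS_CERTIFICATE_IDENTITY }}
        run: poetry run python app_build.py build
      - name: Notarize app (macOS)
        if: runner.os == 'macOS'
        env:
          MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
          MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
        run: |
          echo "Create Zip Archive"
          ZIP_PATH="$(poetry run python app_build.py archive --format zip)"
          # Here we send the notarization request to Apple's Notarization service, waiting for the result.
          # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
          # characteristics. We pass in all the credentials, including the password so that we can prevent a
          # UI password dialog from blocking the CI
          #
          # NOTE(review): the password is passed as a command-line argument, so it is visible to other
          # processes on the runner while notarytool runs. `xcrun notarytool store-credentials` together
          # with `--keychain-profile` keeps it out of the argument list.
          echo "Notarize app"
          xcrun notarytool submit "$ZIP_PATH" \
            --apple-id "$MACOS_NOTARIZATION_APPLE_ID" \
            --team-id "$MACOS_NOTARIZATION_TEAM_ID" \
            --password "$MACOS_NOTARIZATION_PWD" \
            --wait
          # Remove the zip, we don't need it anymore
          rm "$ZIP_PATH"
          # This is where we would normally "attach the staple" to our executable. Unfortunately that can't be done at
          # this time:
          #
          # "Although tickets are created for standalone binaries, it’s not currently possible to staple tickets to them."
          # (Source: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087720)
          #
          # This isn't a huge problem because our binary can still be verified on a user's machine as long as there is an
          # internet connection.
      - name: Move notification app into binary directory (macOS & Windows)
        if: runner.os == 'macOS' || runner.os == 'Windows'
        run: poetry run python app_build.py add-notifications
      - name: Get Archive Name
        run: |
          # Get the project's version
          VERSION=$(poetry version -s)
          # Non-release builds get the short commit hash as a local version suffix
          if [ "$GITHUB_EVENT_NAME" != "release" ]; then
            VERSION="$VERSION+$(git rev-parse --short "$GITHUB_SHA")"
          fi
          # Create the archive name and store as an environment variable.
          # $VERSION is quoted so it always reaches the script as one argument.
          ARCHIVE_NAME=$(poetry run python app_build.py archive-name --version "$VERSION")
          echo "ARCHIVE_NAME=$ARCHIVE_NAME" >> "$GITHUB_ENV"
      - name: Archive app
        run: |
          # Build the archive and store the path to it
          ARCHIVE_PATH="$(poetry run python app_build.py archive --archive-name "$ARCHIVE_NAME")"
          # Store the archive path as an environment variable
          echo "ARCHIVE_PATH=$ARCHIVE_PATH" >> "$GITHUB_ENV"
      - name: Upload binary archive
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.ARCHIVE_NAME }}
          path: ${{ env.ARCHIVE_PATH }}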