code sign in fix #28
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Release | |
| on: | |
| push: | |
| tags: | |
| - 'v*.*.*' # Triggers on version tags like v0.2.0 | |
| workflow_dispatch: # Allows manual triggering | |
| jobs: | |
| build: | |
| strategy: | |
| matrix: | |
| include: | |
| - os: ubuntu-latest | |
| os_name: linux | |
| arch: x64 | |
| arch_name: amd64 | |
| extension: tar.gz | |
| - os: ubuntu-latest | |
| os_name: linux | |
| arch: arm64 | |
| arch_name: arm64 | |
| extension: tar.gz | |
| - os: windows-latest | |
| os_name: windows | |
| arch: x64 | |
| arch_name: amd64 | |
| extension: zip | |
| - os: macos-latest | |
| os_name: darwin | |
| arch: x64 | |
| arch_name: amd64 | |
| extension: tar.gz | |
| - os: macos-latest | |
| os_name: darwin | |
| arch: arm64 | |
| arch_name: arm64 | |
| extension: tar.gz | |
| runs-on: ${{ matrix.os }} | |
| outputs: | |
| VERSION: ${{ steps.get_version.outputs.VERSION }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| # Step to extract the version number | |
| - name: Set Version | |
| id: get_version | |
| shell: bash | |
| run: | | |
| VERSION="${GITHUB_REF#refs/tags/}" | |
| VERSION="${VERSION#v}" | |
| echo "VERSION=$VERSION" >> $GITHUB_ENV | |
| echo "VERSION=$VERSION" >> $GITHUB_OUTPUT | |
| # Setup QEMU and Docker Buildx for Linux builds | |
| - name: Setup QEMU | |
| if: matrix.os_name == 'linux' | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Setup Docker Buildx | |
| if: matrix.os_name == 'linux' | |
| uses: docker/setup-buildx-action@v3 | |
| # Build Linux binaries using Docker | |
| - name: Build Linux Binary with Docker | |
| if: matrix.os_name == 'linux' | |
| run: | | |
| mkdir -p /tmp/output | |
| docker buildx build --platform linux/${{ matrix.arch_name }} \ | |
| --output type=local,dest=/tmp/output \ | |
| --build-arg ARCH=${{ matrix.arch_name }} \ | |
| --build-arg VERSION=${{ env.VERSION }} \ | |
| -t hf_to_cb_dataset_migrator:linux-${{ matrix.arch_name }} -f Dockerfile.linux . | |
| # Build Windows binary on Windows runner | |
| - name: Set up Python on Windows | |
| if: runner.os == 'Windows' | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| architecture: ${{ matrix.arch }} | |
| - name: Install dependencies on Windows | |
| if: runner.os == 'Windows' | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| pip install pyinstaller | |
| - name: Build with PyInstaller on Windows | |
| if: runner.os == 'Windows' | |
| run: | | |
| pyinstaller hf_to_cb_dataset_migrator/cli.py --name hf_to_cb_dataset_migrator | |
| - name: Compress Windows Binary | |
| if: runner.os == 'Windows' | |
| shell: powershell | |
| run: | | |
| $APP_NAME = "hf_to_cb_dataset_migrator_${{ env.VERSION }}_${{ matrix.os_name }}_${{ matrix.arch_name }}" | |
| Compress-Archive -Path dist\hf_to_cb_dataset_migrator\* -DestinationPath "$APP_NAME.${{ matrix.extension }}" | |
| # Build macOS binaries using macOS runners | |
| - name: Set up Python on macOS | |
| if: matrix.os_name == 'darwin' | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| architecture: ${{ matrix.arch }} | |
| - name: Install dependencies on macOS | |
| if: matrix.os_name == 'darwin' | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| pip install pyinstaller | |
| - name: Build with PyInstaller on macOS and Code-sign and notarise | |
| if: matrix.os_name == 'darwin' | |
| env: | |
| ARCHFLAGS: ${{ matrix.arch == 'arm64' && '-arch arm64' || '' }} | |
| CERTIFICATE: ${{ secrets.APPLE_DEV_CERT }} | |
| CERT_PASSWORD: ${{ secrets.APPLE_DEV_CERT_PASSPHRASE }} | |
| KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
| APPLE_ID: ${{ secrets.APPLE_ID }} | |
| APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }} | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| run: | | |
| echo "$CERTIFICATE" | base64 --decode > /tmp/certificate.p12 | |
| security create-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
| security import /tmp/certificate.p12 -k build.keychain -P "$CERT_PASSWORD" -T /usr/bin/codesign | |
| security set-key-partition-list -S apple-tool:,apple: -s -k $KEYCHAIN_PASSWORD build.keychain | |
| # build the binary and signin with certificate | |
| pyinstaller hf_to_cb_dataset_migrator/cli.py --name hf_to_cb_dataset_migrator --codesign-identity "Developer ID Application: Couchbase, Inc. ($APPLE_TEAM_ID)" | |
| # Verify the code-signing | |
| codesign --verify --deep --strict --verbose dist/hf_to_cb_dataset_migrator/hf_to_cb_dataset_migrator | |
| APP_NAME="hf_to_cb_dataset_migrator_${{ env.VERSION }}_${{ matrix.os_name }}_${{ matrix.arch_name }}" | |
| cd dist | |
| tar -czvf "../$APP_NAME.${{ matrix.extension }}" hf_to_cb_dataset_migrator | |
| zip -r "../$APP_NAME.zip" hf_to_cb_dataset_migrator/hf_to_cb_dataset_migrator | |
| cd .. | |
| xcrun notarytool submit "$APP_NAME.zip" --apple-id "$APPLE_ID" --password "$APPLE_APP_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait | |
| # Staple the notarization ticket | |
| #xcrun stapler staple "$APP_NAME.zip" | |
| rm -rf "$APP_NAME.zip" | |
| # Compress Linux Binary | |
| - name: Compress Linux Binary | |
| if: matrix.os_name == 'linux' | |
| run: | | |
| APP_NAME="hf_to_cb_dataset_migrator_${{ env.VERSION }}_${{ matrix.os_name }}_${{ matrix.arch_name }}" | |
| tar -czvf "$APP_NAME.${{ matrix.extension }}" -C /tmp/output/dist hf_to_cb_dataset_migrator | |
| # Upload artifact | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ${{ matrix.os_name }}_${{ matrix.arch_name }} | |
| path: | | |
| hf_to_cb_dataset_migrator_*_${{ matrix.os_name }}_${{ matrix.arch_name }}.* | |
| release: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }} | |
| steps: | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| path: ./artifacts | |
| - name: Create Release and Upload Assets | |
| uses: ncipollo/release-action@v1 | |
| with: | |
| tag: ${{ github.ref }} | |
| name: Release ${{ needs.build.outputs.VERSION }} | |
| body: | | |
| Release notes here | |
| artifacts: ./artifacts/** | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| draft: false | |
| prerelease: false |