build pkg with Python 3.12 #479
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build package | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| id-token: write | |
| jobs: | |
| binary: | |
| runs-on: macos-13 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python 3.12 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| - name: Install app certificates | |
| env: | |
| ITERATIVE_APPLICATION_CERT: ${{ secrets.ITERATIVE_APPLICATION_CERT }} | |
| ITERATIVE_APPLICATION_CERT_PASS: ${{ secrets.ITERATIVE_APPLICATION_CERT_PASS }} | |
| run: | | |
| echo $ITERATIVE_APPLICATION_CERT | base64 -d > application_cert.p12 | |
| security create-keychain -p 123456 build.keychain | |
| # NOTE: signing and steps before it might take longer than default 300 seconds, so we extend the | |
| # timeout until the keychain automatically locks again. | |
| security set-keychain-settings -lut 3600 build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p 123456 build.keychain | |
| security import application_cert.p12 -k build.keychain -P $ITERATIVE_APPLICATION_CERT_PASS -T /usr/bin/codesign | |
| security set-key-partition-list -S 'apple-tool:,apple:,codesign:,productsign:' -s -k 123456 build.keychain | |
| security find-identity -v | |
| - name: Install requirements | |
| run: | | |
| pip install wheel | |
| pip install -r requirements.txt | |
| - name: Download dvc pkg | |
| run: python download.py | |
| - name: Set pkg type | |
| run: echo 'PKG = "osxpkg"' > dvc/dvc/_build.py | |
| - name: Install dvc requirements | |
| run: | | |
| # available lxml (webdav dependency) wheels are built with an old | |
| # SDK, which breaks osxpkg notarization. Building from scratch | |
| # instead. | |
| pip install ./dvc[all] --no-binary lxml | |
| # https://github.com/iterative/dvc/issues/7949 | |
| pip install PyInstaller==6.9.0 | |
| # https://github.com/iterative/dvc/issues/9654 | |
| pip install flufl-lock==7.1.1 | |
| dvc doctor | |
| - name: Build binary | |
| run: python build_bin.py | |
| - run: brew install tree | |
| - run: tree dist/ | |
| - name: Sign binary | |
| run: python sign_bin.py --application-id 62687162A75C39558A9EA17B57E8C65306BABE92 --keychain build.keychain | |
| - name: Create tar with binary files | |
| run: tar cvf dist.tar.gz dist | |
| - name: Upload binary to artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: binary | |
| path: dist.tar.gz | |
| retention-days: 1 | |
| installer: | |
| needs: binary | |
| runs-on: macos-13 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python 3.12 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| - name: Set up Ruby 2.6 | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: 2.6 | |
| - name: Install installer certificates | |
| env: | |
| ITERATIVE_INSTALLER_CERT: ${{ secrets.ITERATIVE_INSTALLER_CERT }} | |
| ITERATIVE_INSTALLER_CERT_PASS: ${{ secrets.ITERATIVE_INSTALLER_CERT_PASS }} | |
| run: | | |
| echo $ITERATIVE_INSTALLER_CERT | base64 -d > installer_cert.p12 | |
| security create-keychain -p 123456 build.keychain | |
| # NOTE: signing and steps before it might take longer than default 300 seconds, so we extend the | |
| # timeout until the keychain automatically locks again. | |
| security set-keychain-settings -lut 3600 build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p 123456 build.keychain | |
| security import installer_cert.p12 -k build.keychain -P $ITERATIVE_INSTALLER_CERT_PASS -T /usr/bin/productsign | |
| security set-key-partition-list -S 'apple-tool:,apple:,codesign:,productsign:' -s -k 123456 build.keychain | |
| - name: Check certificates | |
| run: security find-identity -v | |
| - name: Install requirements | |
| run: | | |
| pip install wheel | |
| pip install -r requirements.txt | |
| gem install --no-document dotenv -v 2.8.1 | |
| gem install --no-document fpm | |
| - name: Download signed binary | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: binary | |
| - name: Unpack tar with binary files | |
| run: tar -xvf dist.tar.gz | |
| - run: brew install tree | |
| - run: tree dist/ | |
| - name: Build installer | |
| run: python build_installer.py | |
| - name: Sign installer | |
| run: python sign_installer.py --installer-id 374191642324A98B1D9835CCD256EDEE2C710051 --keychain build.keychain | |
| - name: Upload installer to artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: installer | |
| path: dvc*.pkg | |
| retention-days: 1 | |
| notarize: | |
| needs: installer | |
| runs-on: macos-13 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python 3.12 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| - name: Install requirements | |
| run: | | |
| brew install Bearer/tap/gon | |
| - name: Download signed installer | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: installer | |
| - name: Notarize and staple installer | |
| env: | |
| APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} | |
| APPLE_ID_PROVIDER: ${{ secrets.APPLE_ID_PROVIDER }} | |
| run: python notarize_installer.py --apple-id-username [email protected] --apple-id-password $APPLE_ID_PASSWORD --apple-id-provider $APPLE_ID_PROVIDER | |
| - name: Upload stapled installer to artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: stapled_installer | |
| path: dvc*.pkg | |
| retention-days: 1 | |
| upload: | |
| needs: notarize | |
| runs-on: ubuntu-latest | |
| environment: aws | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python 3.12 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| - name: Install requirements | |
| run: pip install awscli | |
| - name: Download signed, notarized and stapled installer | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: stapled_installer | |
| - uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: us-east-2 | |
| role-to-assume: arn:aws:iam::260760892802:role/dvc-public-osxpkg-deployer | |
| - name: Upload to aws | |
| if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
| run: python upload.py dvc-*.pkg | |
| notify: | |
| if: github.ref == 'refs/heads/main' && failure() | |
| needs: [binary, installer, notarize, upload] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Slack Notification | |
| uses: rtCamp/[email protected] | |
| env: | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
| SLACK_COLOR: ${{ job.status }} | |
| SLACK_MESSAGE: 'Package build failed for ${{ github.repository }}' | |
| SLACK_TITLE: CI Status | |
| SLACK_USERNAME: dvc-pkg-build |