Skip to content

[pre-commit.ci] pre-commit autoupdate (#241) #490

[pre-commit.ci] pre-commit autoupdate (#241)

[pre-commit.ci] pre-commit autoupdate (#241) #490

Workflow file for this run

name: Build package
on:
pull_request:
push:
branches:
- main
workflow_dispatch:
permissions:
contents: read
id-token: write
jobs:
binary:
runs-on: macos-13
steps:
- uses: actions/checkout@v4
- name: Set up Python 3.10
uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Install app certificates
env:
ITERATIVE_APPLICATION_CERT: ${{ secrets.ITERATIVE_APPLICATION_CERT }}
ITERATIVE_APPLICATION_CERT_PASS: ${{ secrets.ITERATIVE_APPLICATION_CERT_PASS }}
run: |
echo $ITERATIVE_APPLICATION_CERT | base64 -d > application_cert.p12
security create-keychain -p 123456 build.keychain
# NOTE: signing and steps before it might take longer than default 300 seconds, so we extend the
# timeout until the keychain automatically locks again.
security set-keychain-settings -lut 3600 build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p 123456 build.keychain
security import application_cert.p12 -k build.keychain -P $ITERATIVE_APPLICATION_CERT_PASS -T /usr/bin/codesign
security set-key-partition-list -S 'apple-tool:,apple:,codesign:,productsign:' -s -k 123456 build.keychain
security find-identity -v
- name: Install requirements
run: |
pip install wheel
pip install -r requirements.txt
- name: Download dvc pkg
run: python download.py
- name: Set pkg type
run: echo 'PKG = "osxpkg"' > dvc/dvc/_build.py
- name: Install dvc requirements
run: |
# available lxml (webdav dependency) wheels are built with an old
# SDK, which breaks osxpkg notarization. Building from scratch
# instead.
pip install ./dvc[all] --no-binary lxml
# https://github.com/iterative/dvc/issues/7949
pip install PyInstaller==6.9.0
# https://github.com/iterative/dvc/issues/9654
pip install flufl-lock==7.1.1
dvc doctor
- name: Build binary
run: python build_bin.py
- name: Sign binary
run: python sign_bin.py --application-id 62687162A75C39558A9EA17B57E8C65306BABE92 --keychain build.keychain
- name: Create tar with binary files
run: tar cvf dist.tar.gz dist
- name: Upload binary to artifacts
uses: actions/upload-artifact@v4
with:
name: binary
path: dist.tar.gz
retention-days: 1
installer:
needs: binary
runs-on: macos-13
steps:
- uses: actions/checkout@v4
- name: Set up Python 3.10
uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Set up Ruby 2.6
uses: ruby/setup-ruby@v1
with:
ruby-version: 2.6
- name: Install installer certificates
env:
ITERATIVE_INSTALLER_CERT: ${{ secrets.ITERATIVE_INSTALLER_CERT }}
ITERATIVE_INSTALLER_CERT_PASS: ${{ secrets.ITERATIVE_INSTALLER_CERT_PASS }}
run: |
echo $ITERATIVE_INSTALLER_CERT | base64 -d > installer_cert.p12
security create-keychain -p 123456 build.keychain
# NOTE: signing and steps before it might take longer than default 300 seconds, so we extend the
# timeout until the keychain automatically locks again.
security set-keychain-settings -lut 3600 build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p 123456 build.keychain
security import installer_cert.p12 -k build.keychain -P $ITERATIVE_INSTALLER_CERT_PASS -T /usr/bin/productsign
security set-key-partition-list -S 'apple-tool:,apple:,codesign:,productsign:' -s -k 123456 build.keychain
- name: Check certificates
run: security find-identity -v
- name: Install requirements
run: |
pip install wheel
pip install -r requirements.txt
gem install --no-document dotenv -v 2.8.1
gem install --no-document fpm
- name: Download signed binary
uses: actions/download-artifact@v4
with:
name: binary
- name: Unpack tar with binary files
run: tar -xvf dist.tar.gz
- name: Build installer
run: python build_installer.py
- name: Sign installer
run: python sign_installer.py --installer-id 374191642324A98B1D9835CCD256EDEE2C710051 --keychain build.keychain
- name: Upload installer to artifacts
uses: actions/upload-artifact@v4
with:
name: installer
path: dvc*.pkg
retention-days: 1
notarize:
needs: installer
runs-on: macos-13
steps:
- uses: actions/checkout@v4
- name: Set up Python 3.10
uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Install requirements
run: |
brew install Bearer/tap/gon
- name: Download signed installer
uses: actions/download-artifact@v4
with:
name: installer
- name: Notarize and staple installer
env:
APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
APPLE_ID_PROVIDER: ${{ secrets.APPLE_ID_PROVIDER }}
run: python notarize_installer.py --apple-id-username [email protected] --apple-id-password $APPLE_ID_PASSWORD --apple-id-provider $APPLE_ID_PROVIDER
- name: Upload stapled installer to artifacts
uses: actions/upload-artifact@v4
with:
name: stapled_installer
path: dvc*.pkg
retention-days: 1
upload:
needs: notarize
runs-on: ubuntu-latest
environment: aws
steps:
- uses: actions/checkout@v4
- name: Set up Python 3.10
uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Install requirements
run: pip install awscli
- name: Download signed, notarized and stapled installer
uses: actions/download-artifact@v4
with:
name: stapled_installer
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-east-2
role-to-assume: arn:aws:iam::260760892802:role/dvc-public-osxpkg-deployer
- name: Upload to aws
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
run: python upload.py dvc-*.pkg
notify:
if: github.ref == 'refs/heads/main' && failure()
needs: [binary, installer, notarize, upload]
runs-on: ubuntu-latest
steps:
- name: Slack Notification
uses: rtCamp/[email protected]
env:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
SLACK_COLOR: ${{ job.status }}
SLACK_MESSAGE: 'Package build failed for ${{ github.repository }}'
SLACK_TITLE: CI Status
SLACK_USERNAME: dvc-pkg-build