Conversation
Phases 1 and 2: refactor build script to drop universal2 enforcement and run natively on Apple Silicon, bump upstream SHAs and Python versions, add 3.14, final-release 3.9 and 3.10. CI/CD overhaul deferred to Phase 3. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
12 tasks covering Phase 1 (script rewrite, --no-binary removal, flavor deletion, README, local validation on 3.13.13 and 3.14.5) and Phase 2 (patch bumps, 3.14 enablement, 3.9/3.10 final-release notes, pip pin sweep, Dependabot, manual release dispatches). Phase 3 (CI consolidation, runner migration, action bumps) is out of scope; Task 7 includes a stopgap so existing workflows keep calling the refactored script. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Drop universal2 enforcement; arm64 wheels used directly
- Single 'recommended' flavor; remove minimal/no_customization branches
- Long-flag arguments; derive major version from full version
- Functions: parse_args, prepare_build_dirs, download_tool, build_framework, codesign_framework, build_pkg, notarize_and_staple, zip_framework, cleanup
- Collapse signed/ad-hoc codesign duplication; fixes latent path bug
- Bump relocatable-python and munki-pkg SHAs
- Gate CI-only steps (brew remove, xcode-select) on $CI
Fixes regression where a signed-but-unnotarized .pkg was built into the staging dir and then deleted by cleanup() without ever reaching outputs/. The pre-refactor script moved the .pkg unconditionally after munkipkg succeeded; the refactor lost that mv when it was consolidated into notarize_and_staple().
The refactor baked 'macos11' into the URL as a literal, leaving only two %s slots. relocatable-python's locallibs/get.py expects three: (version, version, os-version). The mismatch raised 'TypeError: not all arguments converted during string formatting' during framework download. Restore the third %s; --os-version 11 is already passed to the make_relocatable_python_framework.py invocation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
All 37 packages in requirements_recommended.txt updated to their latest versions confirmed to ship cp313-compatible macOS wheels (arm64 direct or universal2) or pure-Python wheels for Python 3.13. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
mkdir -m 777 only applies the mode to newly created directories. If /Library/ManagedFrameworks/Python already exists from a prior install with stricter perms, the un-sudo'd relocatable-python tool fails with 'Permission denied' when writing the framework. Add an explicit chmod after mkdir. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The newer relocatable-python commit 8ee72fe (Oct 2024, adds symlink path handling) causes ensurepip to die with SIGKILL on Apple Silicon during the framework build: install_name_tool invalidates the binary's code signature, and ensurepip runs before any re-sign step, so Gatekeeper kills the process. A prior bump attempt was already reverted in this repo (commit d8db8a2, PR #67) — sticking with fb4dd9b until upstream addresses the ad-hoc-resign-before-ensurepip flow. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The --no-unsign flag was disabling relocatable-python's own
fix_broken_signatures step (locallibs/fix.py), which ad-hoc re-signs
every binary modified by install_name_tool before ensurepip runs.
That's the exact code path needed to satisfy Apple Silicon Gatekeeper.
The flag's stated purpose ('don't touch the python.org signature') was
never achievable — install_name_tool invalidates the signature whether
you tell relocatable-python to handle it or not. Keeping --no-unsign
just left the binary in a broken signed state, which Gatekeeper SIGKILLs.
Bumping RP_SHA to 8ee72fe simultaneously, since the prior pin
(fb4dd9b) had the same code path and was only kept while investigating.
The newer SHA additionally sets CPPFLAGS for pip, useful for packages
with native extensions.
Closes the local equivalent of gregneagle/relocatable-python#32 for our
build pipeline.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Five things we learned during local validation that the original docs didn't anticipate:
- PYTHON_BASEURL needs three %s slots (relocatable-python passes version, version, os-version)
- mkdir -m 777 doesn't apply mode to existing dirs; need explicit chmod
- --no-unsign disabled relocatable-python's own re-sign step and caused Apple Silicon Gatekeeper SIGKILLs at ensurepip time
- Signed pkg must move to outputs/ before cleanup() runs
- pyobjc 12.1 requires Python >= 3.10; 3.9 needs holdback to 11.1

Also confirmed all upstream SHAs (relocatable-python, munki-pkg) and all 37 Python package pins are at latest available as of 2026-05-11.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
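Three of the validation findings above (the three-slot PYTHON_BASEURL template, the mkdir -m limitation, and the pkg move before cleanup) as stand-alone POSIX sh functions. This is an added illustration, not the project's build script; the staging/outputs layout and the package file name are assumed.

```shell
#!/bin/sh
# Added example reconstructing three build-script fixes from this PR as
# independent functions. Not the project's own script; paths and names
# used here are hypothetical.
set -eu

# Finding 1: relocatable-python formats PYTHON_BASEURL with three
# arguments (version, version, os-version). A template with any other
# number of %s slots makes Python raise TypeError during framework
# download, so reject it before the build starts.
check_baseurl_slots() {
    slots=$(printf '%s' "$1" | grep -o '%s' | wc -l | tr -d ' ')
    [ "$slots" -eq 3 ]
}

# Finding 2: mkdir -m only sets the mode on a directory it creates. A
# pre-existing directory with stricter permissions keeps them, so apply
# chmod explicitly so the un-sudo'd relocatable-python tool can write.
ensure_world_writable_dir() {
    mkdir -p -m 777 "$1"
    chmod 777 "$1"
}

# Finding 3: move the signed .pkg out of the staging dir as soon as
# munkipkg has produced it, before any optional notarization and before
# cleanup() removes staging, so a signed-but-unnotarized package still
# reaches outputs/.
notarize_and_staple() {
    staging="$1"; outputs="$2"; pkg_name="$3"; notarize="${4:-no}"
    mkdir -p "$outputs"
    mv "$staging/$pkg_name" "$outputs/$pkg_name"   # unconditional move
    if [ "$notarize" = yes ]; then
        # The real script submits to notarytool and staples here; this
        # stand-in only reports what would happen.
        echo "would notarize and staple: $outputs/$pkg_name"
    fi
}

cleanup() {
    rm -rf "$1"
}
```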
24 files of stale, pre-pinned versions (pyobjc 9.0.1, requests 2.31.0, urllib3 1.26.18, etc.) that no active script or workflow referenced. The flat top-level requirements_recommended.txt has been the only source of truth for pip during the build; the aggregator file (requirement_files/requirements_recommended.txt) and its 23 per-package source files were leftovers from an abandoned "compose flat requirements" workflow. Several files (arrow.txt, boto.txt, Sphinx.txt, funcsigs.txt, atomicwrites.txt, etc.) were only used by the 'opinionated' flavor list already removed earlier in this branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
A broader requires_python sweep against PyPI showed that the latest versions of black, cfgv, click, filelock, flake8-bugbear, identify, isort, platformdirs, pre-commit, pycparser, requests, and urllib3 all declare requires_python >= 3.10. Pip on Python 3.9 refused to resolve the requirements file partway through; the build halted at black. For each affected package, pin the latest 3.9-compatible release for the < 3.10 branch and keep the current latest for >= 3.10. Verified that 3.10, 3.11, 3.12, 3.13, 3.14 are unaffected — no packages exclude those versions at their latest pins. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
All six Python versions (3.9.13, 3.10.11, 3.11.9, 3.12.10, 3.13.13, 3.14.5) now build, install, and smoke-test cleanly on Apple Silicon. Update spec acceptance criteria from ⏳ to ✅ and reference the test record. Add note about the 13-package 3.9 holdback set in the Validation Findings section. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- runs-on: macos-13 → macos-26 (current Apple Silicon runner image)
- Drop --xcode-path arg from build invocation; script defaults to xcode-select -p, which on macos-26 resolves to the runner's default Xcode (no longer Xcode 15.2)
- actions/checkout v3.4.0 → v4.1.7
- apple-actions/import-codesign-certs v2.0.0 → v3.0.0
- actions/upload-artifact v4.6.2 → v4.3.4 (matches Nudge for cross-tool consistency)
- metcalfc/changelog-generator and softprops/action-gh-release already matched Nudge; left untouched

Pins mirror macadmins/nudge's Manual build workflow for consistency across the maintainer's macOS toolchain.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Mirroring Nudge's pins left us multiple majors behind. Bump to current:
- actions/checkout v4.1.7 → v6.0.2 (2 majors)
- actions/upload-artifact v4.3.4 → v7.0.1 (3 majors)
- apple-actions/import-codesign-certs v3.0.0 → v7.0.0 (4 majors)
- softprops/action-gh-release v0.1.15 → v3.0.0
- metcalfc/changelog-generator v4.1 → v4.7.0

apple-actions/import-codesign-certs v5.0.0 removed the -A flag during cert import; v5.0.1 restored pkgbuild access. v7.0.0 has both fixes, so this is safe for our two-cert + munkipkg flow. All other v5/v6/v7 upgrades are runtime / Node version bumps with no behavioral changes affecting our usage.