Skip to content

Commit

Permalink
ci(fix): macOS add workflow steps for universal pkg (#6333)
Browse files Browse the repository at this point in the history 
Description
ci(fix): macOS add workflow steps for universal pkg
which notarizes universal binaries
Add a libffi download target (less downloads)

Motivation and Context
Work toward a single download with binaries for either x86 or arm64
macOS.

How Has This Been Tested?
Built in local fork. Tested binary locally.

What process can a PR reviewer use to test or verify this change?
---

<!-- Checklist -->
<!-- 1. Is the title of your PR in the form that would make nice release
notes? The title, excluding the conventional commit
tag, will be included exactly as is in the CHANGELOG, so please think
about it carefully. -->


Breaking Changes
---

- [x] None
- [ ] Requires data directory on base node to be deleted
- [ ] Requires hard fork
- [ ] Other - Please specify

<!-- Does this include a breaking change? If so, include this line as a
footer -->
<!-- BREAKING CHANGE: Description what the user should do, e.g. delete a
database, resync the chain -->
  • Loading branch information
@leet4tari
leet4tari committed May 14, 2024
1 parent 3c58600 commit 808dcfb
Show file tree
Hide file tree
Showing 2 changed files with 103 additions and 4 deletions.
104 changes: 102 additions & 2 deletions .github/workflows/build_binaries.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -591,6 +591,9 @@ jobs:
runs-on: macos-14

steps:
- name: Checkout source code
uses: actions/checkout@v4

- name: Download macOS binaries
uses: actions/download-artifact@v4
with:
Expand All @@ -605,6 +608,11 @@ jobs:
BINFN="${TS_FILENAME}-${TARI_VERSION}-${VSHA_SHORT}"
echo "BINFN=${BINFN}" >> $GITHUB_ENV
- name: Install macOS dependencies
shell: bash
run: |
brew install coreutils
- name: Verify checksums and extract
shell: bash
working-directory: osxuni
Expand Down Expand Up @@ -642,11 +650,103 @@ jobs:
done
ls -alhtR macos-universal
- name: Archive and Checksum Binaries
- name: Build the macOS universal pkg
continue-on-error: true
env:
MACOS_KEYCHAIN_PASS: ${{ secrets.MACOS_KEYCHAIN_PASS }}
MACOS_APPLICATION_ID: ${{ secrets.MACOS_APPLICATION_ID }}
MACOS_APPLICATION_CERT: ${{ secrets.MACOS_APPLICATION_CERT }}
MACOS_APPLICATION_PASS: ${{ secrets.MACOS_APPLICATION_PASS }}
MACOS_INSTALLER_ID: ${{ secrets.MACOS_INSTALLER_ID }}
MACOS_INSTALLER_CERT: ${{ secrets.MACOS_INSTALLER_CERT }}
MACOS_INSTALLER_PASS: ${{ secrets.MACOS_INSTALLER_PASS }}
MACOS_NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZE_USERNAME }}
MACOS_NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZE_PASSWORD }}
MACOS_ASC_PROVIDER: ${{ secrets.MACOS_ASC_PROVIDER }}
run: |
echo $MACOS_APPLICATION_CERT | base64 --decode > application.p12
echo $MACOS_INSTALLER_CERT | base64 --decode > installer.p12
security create-keychain -p $MACOS_KEYCHAIN_PASS build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p $MACOS_KEYCHAIN_PASS build.keychain
security import application.p12 -k build.keychain -P $MACOS_APPLICATION_PASS -T /usr/bin/codesign
security import installer.p12 -k build.keychain -P $MACOS_INSTALLER_PASS -T /usr/bin/pkgbuild
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_KEYCHAIN_PASS build.keychain
OSX_CODESIGN_EXTRAS="--entitlements ${GITHUB_WORKSPACE}/applications/minotari_node/osx-pkg/entitlements.xml"
cd buildtools
# export target_release="target/${{ matrix.builds.target }}/release"
# matrix.builds.target=macos-universal
# matrix.builds.name=macos-universal
export target_release="osxuni/macos-universal"
mkdir -p "${{ runner.temp }}/osxpkg"
export tarball_parent="${{ runner.temp }}/osxpkg"
export tarball_source="${{ env.TARI_NETWORK_DIR }}"
./create_osx_install_zip.sh unused nozip
ARRAY_FILES=( $(echo ${TS_FILES} | jq --raw-output '.[]' | awk '{ print $1 }') )
for FILE in "${ARRAY_FILES[@]}"; do
codesign --options runtime --force --verify --verbose --timestamp ${OSX_CODESIGN_EXTRAS} \
--prefix "${{ env.TS_BUNDLE_ID_BASE }}.${{ env.TS_FILENAME }}." \
--sign "Developer ID Application: $MACOS_APPLICATION_ID" \
"${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/$FILE"
codesign --verify --deep --display --verbose=4 \
"${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/$FILE"
cp -vf "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/$FILE" \
"${{ github.workspace }}/osxuni/macos-universal/"
done
distDirPKG=$(mktemp -d -t ${{ env.TS_FILENAME }})
echo "${distDirPKG}"
echo "distDirPKG=${distDirPKG}" >> $GITHUB_ENV
TS_Temp=${{ env.TS_FILENAME }}
TS_BUNDLE_ID_VALID_NAME=$(echo "${TS_Temp//_/-}")
TS_ARCH=universal
pkgbuild --root "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}" \
--identifier "${{ env.TS_BUNDLE_ID_BASE }}.pkg.${TS_BUNDLE_ID_VALID_NAME}" \
--version "${TARI_VERSION}" \
--install-location "/tmp/tari" \
--scripts "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/scripts" \
--sign "Developer ID Installer: ${MACOS_INSTALLER_ID}" \
"${distDirPKG}/${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg"
echo -e "Submitting to Apple...\n\n"
xcrun notarytool submit \
"${distDirPKG}/${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg" \
--apple-id "${MACOS_NOTARIZE_USERNAME}" \
--password ${MACOS_NOTARIZE_PASSWORD} \
--team-id ${MACOS_ASC_PROVIDER} \
--verbose --wait 2>&1 | tee -a notarisation.result
# Maybe use line from with "Processing complete"?
requestUUID=$(tail -n5 notarisation.result | grep "id:" | cut -d" " -f 4)
requestSTATUS=$(tail -n5 notarisation.result | grep "\ \ status:" | cut -d" " -f 4)
if [[ ${requestUUID} == "" ]] || [[ ${requestSTATUS} != "Accepted" ]]; then
echo "## status: ${requestSTATUS} - could not notarize - ${requestUUID} - ${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg"
exit 1
else
echo "Notarization RequestUUID: ${requestUUID}"
echo -e "\nStapling package...\
${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg\n"
xcrun stapler staple -v \
"${distDirPKG}/${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg"
fi
cd ${distDirPKG}
echo "Compute pkg shasum"
${SHARUN} "${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg" \
>> "${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg.sha256"
cat "${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg.sha256"
echo "Checksum verification for pkg is "
${SHARUN} --check "${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg.sha256"
- name: Artifact upload for macOS universal pkg
if: startsWith(runner.os,'macOS')
continue-on-error: true
uses: actions/upload-artifact@v4
with:
name: ${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg
path: "${{ env.distDirPKG }}/${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}*.pkg*"

- name: Archive and Checksum macOS universal Binaries
shell: bash
working-directory: osxuni/macos-universal
run: |
set -xo pipefail
# set -xo pipefail
BINFILE="${BINFN}-macos-universal"
echo "BINFILE=${BINFILE}" >> $GITHUB_ENV
echo "Archive ${BINFILE} into ${BINFILE}.zip"
Expand Down
3 changes: 1 addition & 2 deletions .github/workflows/build_libffis.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -247,9 +247,8 @@ jobs:
- name: Download iOS libffiss for ${{ matrix.libffis }}
uses: actions/download-artifact@v4
with:
# wildcard downloads not supported yet ( minotari_*_ffi-ios-* )
# name: ${{ matrix.libffis }}-ios
path: libffiss
pattern: lib${{ matrix.libffis }}-ios-*

- name: Verify checksums
shell: bash
Expand Down

0 comments on commit 808dcfb

Please sign in to comment.