[TEST] macos env codesign #820
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish | |
on: | |
push: | |
branches: [ master ] | |
pull_request: | |
branches: [ master ] | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
jobs: | |
publish: | |
strategy: | |
matrix: | |
cfg: | |
# - { platform: linux, platform_name: Linux, os: ubuntu-latest, conda_platform: linux-64 } | |
- { platform: mac, platform_name: macOS, os: macos-latest, conda_platform: osx-64 } | |
# - { platform: win, platform_name: Windows, os: windows-latest, conda_platform: win-64 } | |
name: '${{ matrix.cfg.platform_name }} installer' | |
runs-on: ${{ matrix.cfg.os }} | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: s-weigand/setup-conda@v1 | |
- run: conda install --file ./workflow_env/conda-${{ matrix.cfg.conda_platform }}.lock -y | |
- name: Install node | |
uses: actions/setup-node@v3 | |
with: | |
node-version: '14.x' | |
cache: 'yarn' | |
- name: Install dependencies | |
run: | | |
npm install --global yarn --prefer-offline | |
yarn install | |
- name: Check JupyterLab version match | |
run: | | |
yarn check_version_match | |
- name: Check Lint & Prettier | |
run: | | |
yarn lint:check | |
- name: Get package info | |
shell: bash | |
id: package-info | |
run: echo "version=$(python scripts/get_package_version.py)" >> $GITHUB_OUTPUT | |
- name: 'Find Release with tag v${{ steps.package-info.outputs.version}}' | |
uses: actions/github-script@v6 | |
id: release-exists | |
env: | |
APP_VERSION: ${{ steps.package-info.outputs.version}} | |
with: | |
script: | | |
const releases = await github.rest.repos.listReleases({ | |
owner: context.repo.owner, | |
repo: context.repo.repo | |
}) | |
const tagName = `v${process.env.APP_VERSION}` | |
const releaseWithTag = releases.data.find(release => release.tag_name === tagName && (release.draft || release.prerelease)) | |
return releaseWithTag ? 'true' : 'false' | |
result-encoding: string | |
- name: Create Application Server Installer | |
run: | | |
yarn create_env_installer:${{ matrix.cfg.platform }} | |
- name: Codesign Application Server | |
env: | |
CSC_IDENTITY_AUTO_DISCOVERY: true | |
CSC_FOR_PULL_REQUEST: true | |
CSC_LINK: ${{ secrets.CSC_LINK }} | |
CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} | |
APPLEID: ${{ secrets.APPLEID }} | |
APPLEIDPASS: ${{ secrets.APPLEIDPASS }} | |
TEST_CERT_PASS: ${{ secrets.TEST_CERT_PASS }} | |
run: | | |
echo $CSC_LINK | base64 -d -o certificate.p12 | |
security create-keychain -p $TEST_CERT_PASS build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p $TEST_CERT_PASS build.keychain | |
echo "importing certificate" | |
security import certificate.p12 -k build.keychain -P $CSC_KEY_PASSWORD -T /usr/bin/codesign | |
echo "imported certificate" | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $TEST_CERT_PASS build.keychain | |
echo "listing identities" | |
security find-identity -v | |
echo "signing file $APPLEID" | |
/usr/bin/codesign --force -s "Developer ID Application" ./env_installer/jlab_server/bin/bzip2recover -v | |
rm certificate.p12 | |
rm build.keychain | |
- name: Compress Application Server Installer | |
run: | | |
yarn compress_env_installer:${{ matrix.cfg.platform }} | |
- name: Create Application Installer for Test | |
env: | |
CSC_IDENTITY_AUTO_DISCOVERY: false # disable code signing if not release asset | |
run: | | |
yarn dist:${{ matrix.cfg.platform }} | |
if: steps.release-exists.outputs.result == 'false' | |
- name: Create Application Installer for Release | |
env: | |
CSC_IDENTITY_AUTO_DISCOVERY: true | |
CSC_FOR_PULL_REQUEST: true | |
APPLEID: ${{ secrets.APPLEID }} | |
APPLEIDPASS: ${{ secrets.APPLEIDPASS }} | |
CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} | |
CSC_LINK: ${{ secrets.CSC_LINK }} | |
run: | | |
yarn dist:${{ matrix.cfg.platform }} | |
if: steps.release-exists.outputs.result == 'true' | |
- name: Upload Debian Installer | |
if: matrix.cfg.platform == 'linux' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: debian-installer | |
path: | | |
dist/JupyterLab.deb | |
- name: Upload Fedora Installer | |
if: matrix.cfg.platform == 'linux' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: fedora-installer | |
path: | | |
dist/JupyterLab.rpm | |
- name: Upload macOS x64 Installer | |
if: matrix.cfg.platform == 'mac' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: mac-installer-x64 | |
path: | | |
dist/JupyterLab-x64.dmg | |
- name: Upload macOS arm64 Installer | |
if: matrix.cfg.platform == 'mac' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: mac-installer-arm64 | |
path: | | |
dist/JupyterLab-arm64.dmg | |
- name: Upload Windows Installer | |
if: matrix.cfg.platform == 'win' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: windows-installer | |
path: | | |
dist/JupyterLab-Setup.exe | |
- name: Upload Debian Installer as Release asset | |
if: matrix.cfg.platform == 'linux' && steps.release-exists.outputs.result == 'true' | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.JLAB_APP_TOKEN }} | |
file: dist/JupyterLab.deb | |
asset_name: JupyterLab-Setup-Debian.deb | |
tag: v${{ steps.package-info.outputs.version}} | |
overwrite: true | |
- name: Upload Fedora Installer as Release asset | |
if: matrix.cfg.platform == 'linux' && steps.release-exists.outputs.result == 'true' | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.JLAB_APP_TOKEN }} | |
file: dist/JupyterLab.rpm | |
asset_name: JupyterLab-Setup-Fedora.rpm | |
tag: v${{ steps.package-info.outputs.version}} | |
overwrite: true | |
- name: Upload macOS x64 Installer as Release asset | |
if: matrix.cfg.platform == 'mac' && steps.release-exists.outputs.result == 'true' | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.JLAB_APP_TOKEN }} | |
file: dist/JupyterLab-x64.dmg | |
asset_name: JupyterLab-Setup-macOS-x64.dmg | |
tag: v${{ steps.package-info.outputs.version}} | |
overwrite: true | |
- name: Upload macOS arm64 Installer as Release asset | |
if: matrix.cfg.platform == 'mac' && steps.release-exists.outputs.result == 'true' | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.JLAB_APP_TOKEN }} | |
file: dist/JupyterLab-arm64.dmg | |
asset_name: JupyterLab-Setup-macOS-arm64.dmg | |
tag: v${{ steps.package-info.outputs.version}} | |
overwrite: true | |
- name: Upload macOS x64 App as Release asset | |
if: matrix.cfg.platform == 'mac' && steps.release-exists.outputs.result == 'true' | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.JLAB_APP_TOKEN }} | |
file: dist/JupyterLab-x64.zip | |
asset_name: JupyterLab-macOS-x64.zip | |
tag: v${{ steps.package-info.outputs.version}} | |
overwrite: true | |
- name: Upload macOS arm64 App as Release asset | |
if: matrix.cfg.platform == 'mac' && steps.release-exists.outputs.result == 'true' | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.JLAB_APP_TOKEN }} | |
file: dist/JupyterLab-arm64.zip | |
asset_name: JupyterLab-macOS-arm64.zip | |
tag: v${{ steps.package-info.outputs.version}} | |
overwrite: true | |
- name: Upload Windows Installer as Release asset | |
if: matrix.cfg.platform == 'win' && steps.release-exists.outputs.result == 'true' | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.JLAB_APP_TOKEN }} | |
file: dist/JupyterLab-Setup.exe | |
asset_name: JupyterLab-Setup-Windows.exe | |
tag: v${{ steps.package-info.outputs.version}} | |
overwrite: true | |
- name: Upload latest.yml Release asset | |
if: matrix.cfg.platform == 'win' && steps.release-exists.outputs.result == 'true' | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.JLAB_APP_TOKEN }} | |
file: dist/latest.yml | |
asset_name: latest.yml | |
tag: v${{ steps.package-info.outputs.version}} | |
overwrite: true |