Skip to content

Commit

Permalink
Update workflows
Browse files Browse the repository at this point in the history
  • Loading branch information
@medengineer
medengineer committed Jan 7, 2025
1 parent 33a1b79 commit 016fc60
Show file tree
Hide file tree
Showing 2 changed files with 99 additions and 99 deletions.
196 changes: 98 additions & 98 deletions .github/workflows/mac.yml
View file
Original file line number Diff line number Diff line change
@@ -1,110 +1,110 @@
name: mac

on:
on:
push:

jobs:

build-mac:

runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [macos-latest]

steps:
- uses: actions/checkout@v4
- name: set env vars
run: |
if [ ${{github.ref_name}} == 'juce8' ]; then
echo "GUI_BRANCH=development-juce8" >> "$GITHUB_ENV"
elif [ ${{github.ref_name}} == 'testing-juce8' ]; then
echo "GUI_BRANCH=testing-juce8" >> "$GITHUB_ENV"
else
echo "Invalid branch : ${{github.ref_name}}"
exit 1
fi
- name: setup
run: |
cd ../..
git clone https://github.com/open-ephys/plugin-GUI.git --branch $GUI_BRANCH
cd plugin-GUI/Build && cmake -G "Xcode" ..
- uses: maxim-lobanov/setup-xcode@v1
with:
xcode-version: latest-stable
- name: build
run: |
cd Build
cmake -G "Xcode" ..
xcodebuild -configuration Release
# - name: test
# run: cd build && ctest
- name: codesign_deploy
if: github.ref == 'refs/heads/testing-juce8'
env:
ARTIFACTORY_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
MACOS_CERTIFICATE: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
MACOS_CERTIFICATE_PWD: ${{ secrets.BUILD_CERTIFICATE_PWD }}
MACOS_CERTIFICATE_NAME: ${{ secrets.BUILD_CERTIFICATE_NAME }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
build_dir: "Build/Release"
package: EventBroadcaster-mac
run: |
plugin_api=$(grep -rnw ../../plugin-GUI/Source -e '#define PLUGIN_API_VER' | grep -Eo "[0-9]" | tail -1)
tag=$(grep -w Source/OpenEphysLib.cpp -e 'info->libVersion' | grep -Eo "[0-9]+.[0-9]+.[0-9]+")
new_plugin_ver=$tag-API$plugin_api
mkdir plugins
cp -r $build_dir/*.bundle plugins
# Turn our base64-encoded certificate back to a regular .p12 file
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
# We need to create a new keychain, otherwise using the certificate will prompt
# with a UI dialog asking for the certificate password, which we can't
# use in a headless CI environment
security create-keychain -p $MACOS_CI_KEYCHAIN_PWD build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p $MACOS_CI_KEYCHAIN_PWD build.keychain
security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CI_KEYCHAIN_PWD build.keychain
/usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" -v plugins/event-broadcaster.bundle --deep --strict --timestamp --options=runtime
/usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" -v shared/libzmq.5.dylib --deep --strict --timestamp --options=runtime
/usr/bin/codesign -dv --verbose=4 plugins/event-broadcaster.bundle
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
echo "Creating temp notarization archive"
/usr/bin/ditto -c -k --sequesterRsrc --keepParent plugins/event-broadcaster.bundle event-broadcaster.zip
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
echo "Notarize app"
xcrun notarytool submit "event-broadcaster.zip" --keychain-profile "notarytool-profile" --wait
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
echo "Attach staple"
rm -r plugins/*
/usr/bin/ditto -x -k event-broadcaster.zip plugins
xcrun stapler staple plugins/event-broadcaster.bundle
spctl -vvv --assess --type exec plugins/event-broadcaster.bundle
zipfile=${package}_${new_plugin_ver}.zip
/usr/bin/ditto -c -k --sequesterRsrc --keepParent plugins $zipfile
curl -H "X-JFrog-Art-Api:$ARTIFACTORY_ACCESS_TOKEN" -T $zipfile "https://openephys.jfrog.io/artifactory/EventBroadcaster-plugin/mac/$zipfile"
- uses: actions/checkout@v4
- name: set env vars
run: |
if [ ${{github.ref_name}} == 'juce8' ]; then
echo "GUI_BRANCH=development-juce8" >> "$GITHUB_ENV"
elif [ ${{github.ref_name}} == 'testing-juce8' ]; then
echo "GUI_BRANCH=testing-juce8" >> "$GITHUB_ENV"
else
echo "Invalid branch : ${{github.ref_name}}"
exit 1
fi
- name: setup
run: |
cd ../..
git clone https://github.com/open-ephys/plugin-GUI.git --branch $GUI_BRANCH
cd plugin-GUI/Build && cmake -G "Xcode" ..
- uses: maxim-lobanov/setup-xcode@v1
with:
xcode-version: latest-stable
- name: build
run: |
cd Build
cmake -G "Xcode" ..
xcodebuild -configuration Release
# - name: test
# run: cd build && ctest
- name: codesign_deploy
if: github.ref == 'refs/heads/testing-juce8'
env:
ARTIFACTORY_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
MACOS_CERTIFICATE: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
MACOS_CERTIFICATE_PWD: ${{ secrets.BUILD_CERTIFICATE_PWD }}
MACOS_CERTIFICATE_NAME: ${{ secrets.BUILD_CERTIFICATE_NAME }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
build_dir: "Build/Release"
package: EventBroadcaster-mac
run: |
plugin_api=$(grep -rnw ../../plugin-GUI/Source -e '#define PLUGIN_API_VER' | grep -Eo "[0-9]*" | tail -1)
tag=$(grep -w Source/OpenEphysLib.cpp -e 'info->libVersion' | grep -Eo "[0-9]+.[0-9]+.[0-9]+")
new_plugin_ver=$tag-API$plugin_api
mkdir plugins
cp -r $build_dir/*.bundle plugins
mkdir shared
cp -r libs/macos/bin/* shared
# Turn our base64-encoded certificate back to a regular .p12 file
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
# We need to create a new keychain, otherwise using the certificate will prompt
# with a UI dialog asking for the certificate password, which we can't
# use in a headless CI environment
security create-keychain -p $MACOS_CI_KEYCHAIN_PWD build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p $MACOS_CI_KEYCHAIN_PWD build.keychain
security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CI_KEYCHAIN_PWD build.keychain
# Codesign the plugins and shared libraries
/usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" -v plugins/event-broadcaster.bundle --deep --strict --timestamp --options=runtime
/usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" -v shared/* --deep --strict --timestamp --options=runtime
/usr/bin/codesign -dv --verbose=4 plugins/event-broadcaster.bundle
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
# Create a zip file containing the plugin for notarization
echo "Creating temp notarization archive"
/usr/bin/ditto -c -k --sequesterRsrc --keepParent plugins/event-broadcaster.bundle event-broadcaster.zip
# Submit the notarization request and wait for the result
echo "Notarize app"
xcrun notarytool submit "event-broadcaster.zip" --keychain-profile "notarytool-profile" --wait
# Attach the staple to the notarized bundle
echo "Attach staple"
rm -r plugins/*
/usr/bin/ditto -x -k event-broadcaster.zip plugins
xcrun stapler staple plugins/event-broadcaster.bundle
# Verify the notarization and attach staple
spctl -vvv --assess --type exec plugins/event-broadcaster.bundle
# Create the final zip file containing plugins and shared
zipfile=${package}_${new_plugin_ver}.zip
mkdir temp_dir
cp -R plugins shared temp_dir
/usr/bin/ditto -c -k --sequesterRsrc temp_dir $zipfile
# Upload the zip file to Artifactory
curl -H "X-JFrog-Art-Api:$ARTIFACTORY_ACCESS_TOKEN" -T $zipfile "https://openephys.jfrog.io/artifactory/EventBroadcaster-plugin/mac/$zipfile"
2 changes: 1 addition & 1 deletion .github/workflows/windows.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -69,5 +69,5 @@ jobs:
zipfile=${package}_${new_plugin_ver}.zip
powershell Compress-Archive -Path "plugins" -DestinationPath ${zipfile}
powershell Compress-Archive -U -Path "shared" -DestinationPath ${zipfile}
curl -H "X-JFrog-Art-Api:$artifactoryApiKey" -T $zipfile "https://openephys.jfrog.io/artifactory/EventBroadcaster-plugin/windows/$zipfile"
curl -H "X-JFrog-Art-Api:$ARTIFACTORY_ACCESS_TOKEN" -T $zipfile "https://openephys.jfrog.io/artifactory/EventBroadcaster-plugin/windows/$zipfile"
shell: bash

0 comments on commit 016fc60

Please sign in to comment.