aladac/tensors
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
53a7adfa0ed4116522a1fce7d0bb71abc06b0850
tensors/.github/workflows/publish.yml
T
Adam Ladachowski 53a7adfa0e Add macOS code signing and notarization (requires secrets)
2026-02-03 21:53:59 +01:00

165 lines
4.8 KiB
YAML
Raw Blame History

name: Publish Package
on:
push:
tags:
- 'v*'
permissions:
contents: write
id-token: write
jobs:
build-binaries:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
arch: x64
artifact: tsr-linux-x64
- os: ubuntu-24.04-arm
arch: arm64
artifact: tsr-linux-arm64
- os: macos-latest
arch: arm64
artifact: tsr-macos-arm64
- os: macos-15-large
arch: x64
artifact: tsr-macos-x64
- os: windows-latest
arch: x64
artifact: tsr-windows-x64.exe
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install dependencies
run: |
pip install nuitka
pip install -e .
- name: Build binary (Unix)
if: runner.os != 'Windows'
run: |
python -m nuitka \
--standalone \
--onefile \
--output-dir=dist \
--output-filename=${{ matrix.artifact }} \
--assume-yes-for-downloads \
--remove-output \
tensors.py
- name: Sign and notarize (macOS)
if: runner.os == 'macOS' && env.APPLE_CERTIFICATE_BASE64 != ''
env:
APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
# Import certificate
echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > certificate.p12
security create-keychain -p "" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "" build.keychain
security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" build.keychain
# Sign the binary
codesign --force --options runtime --sign "Developer ID Application" dist/${{ matrix.artifact }}
# Create zip for notarization
ditto -c -k --keepParent dist/${{ matrix.artifact }} dist/${{ matrix.artifact }}.zip
# Submit for notarization
xcrun notarytool submit dist/${{ matrix.artifact }}.zip \
--apple-id "$APPLE_ID" \
--password "$APPLE_ID_PASSWORD" \
--team-id "$APPLE_TEAM_ID" \
--wait
# Staple the notarization ticket
xcrun stapler staple dist/${{ matrix.artifact }}
# Cleanup
rm certificate.p12 dist/${{ matrix.artifact }}.zip
- name: Build binary (Windows)
if: runner.os == 'Windows'
run: |
python -m nuitka `
--standalone `
--onefile `
--output-dir=dist `
--output-filename=${{ matrix.artifact }} `
--assume-yes-for-downloads `
--remove-output `
tensors.py
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.artifact }}
path: dist/${{ matrix.artifact }}
publish:
runs-on: ubuntu-latest
needs: build-binaries
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install build tools
run: pip install build
- name: Extract version from tag
id: version
run: |
TAG=${GITHUB_REF#refs/tags/v}
echo "version=$TAG" >> $GITHUB_OUTPUT
if [[ "$TAG" =~ -pre[0-9]*$ ]] || [[ "$TAG" =~ -alpha[0-9]*$ ]] || [[ "$TAG" =~ -beta[0-9]*$ ]] || [[ "$TAG" =~ -rc[0-9]*$ ]] || [[ "$TAG" =~ -a[0-9]*$ ]]; then
echo "prerelease=true" >> $GITHUB_OUTPUT
else
echo "prerelease=false" >> $GITHUB_OUTPUT
fi
- name: Build package
run: python -m build
- name: Download all artifacts
uses: actions/download-artifact@v4
with:
path: binaries
- name: Prepare release assets
run: |
mkdir -p release
cp dist/* release/
find binaries -type f -exec cp {} release/ \;
ls -la release/
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
files: release/*
prerelease: ${{ steps.version.outputs.prerelease }}
generate_release_notes: true
Reference in New Issue View Git Blame Copy Permalink