Build executable version of CLI and optionally upload artifact #405
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build executable version of CLI and optionally upload artifact | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| publish: | |
| description: 'Upload artifacts to release' | |
| required: false | |
| default: false | |
| type: boolean | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: write | |
| jobs: | |
| build: | |
| name: Build on ${{ matrix.os }} (${{ matrix.mode }} mode) | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ ubuntu-22.04, macos-15-intel, macos-15, windows-2022 ] | |
| mode: [ 'onefile', 'onedir' ] | |
| exclude: | |
| - os: ubuntu-22.04 | |
| mode: onedir | |
| - os: windows-2022 | |
| mode: onedir | |
| runs-on: ${{ matrix.os }} | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - name: Run Cimon | |
| if: matrix.os == 'ubuntu-22.04' | |
| uses: cycodelabs/cimon-action@v0 | |
| with: | |
| client-id: ${{ secrets.CIMON_CLIENT_ID }} | |
| secret: ${{ secrets.CIMON_SECRET }} | |
| prevent: true | |
| allowed-hosts: > | |
| files.pythonhosted.org | |
| install.python-poetry.org | |
| pypi.org | |
| uploads.github.com | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Checkout latest release tag | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| run: | | |
| LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`) | |
| git checkout $LATEST_TAG | |
| echo "LATEST_TAG=$LATEST_TAG" >> $GITHUB_ENV | |
| - name: Set up Python 3.13 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.13' | |
| - name: Load cached Poetry setup | |
| id: cached-poetry | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.local | |
| key: poetry-${{ matrix.os }}-2 # increment to reset cache | |
| - name: Setup Poetry | |
| if: steps.cached-poetry.outputs.cache-hit != 'true' | |
| uses: snok/install-poetry@v1 | |
| with: | |
| version: 2.2.1 | |
| - name: Add Poetry to PATH | |
| run: echo "$HOME/.local/bin" >> $GITHUB_PATH | |
| - name: Install dependencies | |
| run: poetry install --without dev,test | |
| - name: Import macOS signing certificate | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_CERT: ${{ secrets.APPLE_CERT }} | |
| APPLE_CERT_PWD: ${{ secrets.APPLE_CERT_PWD }} | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} | |
| run: | | |
| # import certificate | |
| CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 | |
| echo -n "$APPLE_CERT" | base64 --decode -o $CERTIFICATE_PATH | |
| # create temporary keychain | |
| KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
| security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
| security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| # import certificate to keychain | |
| security import $CERTIFICATE_PATH -P "$APPLE_CERT_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
| security list-keychain -d user -s $KEYCHAIN_PATH | |
| - name: Build executable (onefile) | |
| if: matrix.mode == 'onefile' | |
| env: | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| run: | | |
| poetry run pyinstaller pyinstaller.spec | |
| echo "PATH_TO_CYCODE_CLI_EXECUTABLE=dist/cycode-cli" >> $GITHUB_ENV | |
| - name: Build executable (onedir) | |
| if: matrix.mode == 'onedir' | |
| env: | |
| CYCODE_ONEDIR_MODE: 1 | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| run: | | |
| poetry run pyinstaller pyinstaller.spec | |
| echo "PATH_TO_CYCODE_CLI_EXECUTABLE=dist/cycode-cli/cycode-cli" >> $GITHUB_ENV | |
| - name: Test executable | |
| run: time $PATH_TO_CYCODE_CLI_EXECUTABLE version | |
| - name: Codesign onedir binaries | |
| if: runner.os == 'macOS' && matrix.mode == 'onedir' | |
| env: | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| run: | | |
| # 1. Sign framework bundles (preserves Info.plist binding for --strict verification) | |
| while IFS= read -r framework; do | |
| echo "Signing framework: $framework" | |
| codesign --force --sign "$APPLE_CERT_NAME" --timestamp --options runtime "$framework" | |
| done < <(find dist/cycode-cli -name "*.framework" -type d -maxdepth 3) | |
| # 2. Replace standalone Python binary with symlink to the framework version. | |
| # The standalone copy fails codesign --verify --strict because it lacks the | |
| # framework's Info.plist context. The framework version passes. | |
| if [ -f dist/cycode-cli/_internal/Python ] && [ -d dist/cycode-cli/_internal/Python.framework ]; then | |
| FRAMEWORK_PYTHON=$(find dist/cycode-cli/_internal/Python.framework/Versions -name "Python" -type f | head -1) | |
| if [ -n "$FRAMEWORK_PYTHON" ]; then | |
| RELATIVE_PATH=${FRAMEWORK_PYTHON#dist/cycode-cli/_internal/} | |
| echo "Replacing _internal/Python with symlink to $RELATIVE_PATH" | |
| rm dist/cycode-cli/_internal/Python | |
| ln -s "$RELATIVE_PATH" dist/cycode-cli/_internal/Python | |
| fi | |
| fi | |
| # 3. Sign remaining Mach-O files (dylibs, .so files) outside of framework bundles | |
| find dist/cycode-cli -type f ! -name "cycode-cli" ! -path "*.framework/*" | while read -r file; do | |
| if file -b "$file" | grep -q "Mach-O"; then | |
| echo "Signing: $file" | |
| codesign --force --sign "$APPLE_CERT_NAME" --timestamp --options runtime "$file" | |
| fi | |
| done | |
| # 4. Re-sign the main executable with entitlements (must be last) | |
| codesign --force --sign "$APPLE_CERT_NAME" --timestamp --options runtime --entitlements entitlements.plist dist/cycode-cli/cycode-cli | |
| - name: Notarize macOS executable | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_NOTARIZATION_EMAIL: ${{ secrets.APPLE_NOTARIZATION_EMAIL }} | |
| APPLE_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARIZATION_PWD }} | |
| APPLE_NOTARIZATION_TEAM_ID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }} | |
| run: | | |
| # create keychain profile | |
| xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_NOTARIZATION_EMAIL" --team-id "$APPLE_NOTARIZATION_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD" | |
| # create zip file (notarization does not support bare binaries) | |
| ditto -c -k --keepParent dist/cycode-cli notarization.zip | |
| # notarize app (this will take a while) | |
| NOTARIZE_OUTPUT=$(xcrun notarytool submit notarization.zip --keychain-profile "notarytool-profile" --wait 2>&1) || true | |
| echo "$NOTARIZE_OUTPUT" | |
| # extract submission ID for log retrieval | |
| SUBMISSION_ID=$(echo "$NOTARIZE_OUTPUT" | grep " id:" | head -1 | awk '{print $2}') | |
| # check notarization status explicitly | |
| if echo "$NOTARIZE_OUTPUT" | grep -q "status: Accepted"; then | |
| echo "Notarization succeeded!" | |
| else | |
| echo "Notarization failed! Fetching log for details..." | |
| if [ -n "$SUBMISSION_ID" ]; then | |
| xcrun notarytool log "$SUBMISSION_ID" --keychain-profile "notarytool-profile" || true | |
| fi | |
| exit 1 | |
| fi | |
| # we can't staple the app because it's executable | |
| - name: Verify macOS code signatures | |
| if: runner.os == 'macOS' | |
| run: | | |
| # verify all Mach-O binaries are properly signed | |
| # use -L to follow symlinks (e.g. _internal/Python -> Python.framework/...) | |
| FAILED=false | |
| while IFS= read -r file; do | |
| if file -b "$file" | grep -q "Mach-O"; then | |
| if ! codesign --verify --strict "$file" 2>&1; then | |
| echo "INVALID: $file" | |
| codesign -dv "$file" 2>&1 || true | |
| FAILED=true | |
| else | |
| echo "OK: $file" | |
| fi | |
| fi | |
| done < <(find -L dist/cycode-cli -type f) | |
| if [ "$FAILED" = true ]; then | |
| echo "Found binaries with invalid signatures!" | |
| exit 1 | |
| fi | |
| codesign -dv --verbose=4 $PATH_TO_CYCODE_CLI_EXECUTABLE | |
| - name: Test macOS signed executable | |
| if: runner.os == 'macOS' | |
| run: | | |
| file -b $PATH_TO_CYCODE_CLI_EXECUTABLE | |
| time $PATH_TO_CYCODE_CLI_EXECUTABLE version | |
| - name: Import cert for Windows and setup envs | |
| if: runner.os == 'Windows' | |
| env: | |
| SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }} | |
| run: | | |
| # import certificate | |
| echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/Certificate_pkcs12.p12 | |
| echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" | |
| # add required soft to the path | |
| echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH | |
| echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH | |
| - name: Sign Windows executable | |
| if: runner.os == 'Windows' | |
| shell: cmd | |
| env: | |
| SM_HOST: ${{ secrets.SM_HOST }} | |
| SM_KEYPAIR_ALIAS: ${{ secrets.SM_KEYPAIR_ALIAS }} | |
| SM_API_KEY: ${{ secrets.SM_API_KEY }} | |
| SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} | |
| SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} | |
| run: | | |
| :: setup SSM KSP | |
| curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi | |
| msiexec /i smtools-windows-x64.msi /quiet /qn | |
| C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user | |
| smctl windows certsync --keypair-alias=%SM_KEYPAIR_ALIAS% | |
| :: sign executable | |
| signtool.exe sign /sha1 %SM_CODE_SIGNING_CERT_SHA1_HASH% /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ".\dist\cycode-cli.exe" | |
| - name: Test Windows signed executable | |
| if: runner.os == 'Windows' | |
| shell: cmd | |
| run: | | |
| :: call executable and expect correct output | |
| .\dist\cycode-cli.exe version | |
| :: verify signature | |
| signtool.exe verify /v /pa ".\dist\cycode-cli.exe" | |
| - name: Prepare files for artifact and release (rename and calculate sha256) | |
| run: echo "ARTIFACT_NAME=$(./process_executable_file.py dist/cycode-cli)" >> $GITHUB_ENV | |
| - name: Upload files as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.ARTIFACT_NAME }} | |
| path: dist | |
| - name: Verify macOS artifact end-to-end | |
| if: runner.os == 'macOS' && matrix.mode == 'onedir' | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.ARTIFACT_NAME }} | |
| path: /tmp/artifact-verify | |
| - name: Verify macOS artifact signatures and run with quarantine | |
| if: runner.os == 'macOS' && matrix.mode == 'onedir' | |
| run: | | |
| # extract the onedir zip exactly as an end user would | |
| ARCHIVE=$(find /tmp/artifact-verify -name "*.zip" | head -1) | |
| echo "Verifying archive: $ARCHIVE" | |
| unzip "$ARCHIVE" -d /tmp/artifact-extracted | |
| # verify all Mach-O code signatures (strict mode) | |
| FAILED=false | |
| while IFS= read -r file; do | |
| if file -b "$file" | grep -q "Mach-O"; then | |
| if ! codesign --verify --strict "$file" 2>&1; then | |
| echo "INVALID: $file" | |
| codesign -dv "$file" 2>&1 || true | |
| FAILED=true | |
| else | |
| echo "OK: $file" | |
| fi | |
| fi | |
| done < <(find -L /tmp/artifact-extracted -type f) | |
| if [ "$FAILED" = true ]; then | |
| echo "Artifact contains binaries with invalid signatures!" | |
| exit 1 | |
| fi | |
| # simulate download quarantine and test execution | |
| find -L /tmp/artifact-extracted -type f -exec xattr -w com.apple.quarantine "0081;$(printf '%x' $(date +%s));CI;$(uuidgen)" {} \; | |
| EXECUTABLE=$(find -L /tmp/artifact-extracted -name "cycode-cli" -type f | head -1) | |
| echo "Testing quarantined executable: $EXECUTABLE" | |
| time "$EXECUTABLE" version | |
| - name: Upload files to release | |
| if: ${{ github.event_name == 'workflow_dispatch' && inputs.publish }} | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| file: dist/* | |
| tag: ${{ env.LATEST_TAG }} | |
| overwrite: true | |
| file_glob: true |