
Commit f45fe89

committed
Move Apple GHA to its own script
1 parent 0058c83 commit f45fe89


2 files changed

+219
-92
lines changed


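--- a/.github/workflows/apple.yml
+++ b/.github/workflows/apple.yml
@@ -0,0 +1,211 @@
+name: Apple CI
+
+on:
+push:
+branches:
+- main
+- dev
+tags: ['*']
+paths:
+- '**'
+- '!docs/**'
+- '!.github/**'
+- '.github/workflows/apple.yml'
+pull_request:
+release:
+types: ['created']
+workflow_dispatch:
+inputs:
+cmakeextra:
+description: 'Extra CMake options'
+required: false
+default: ''
+
+concurrency:
+group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+cancel-in-progress: true
+
+defaults:
+run:
+shell: bash
+
+jobs:
+build:
+name: ${{ matrix.config.name }}
+runs-on: ${{ matrix.config.os }}
+strategy:
+fail-fast: false
+matrix:
+config:
+- {name: "macOS-latest", os: "macOS-latest", cmake_extra: "-DCMAKE_OSX_DEPLOYMENT_TARGET=10.15 -DCMAKE_OSX_ARCHITECTURES=\"x86_64;arm64\" -DLSL_FRAMEWORK=ON" }
+- {name: "iOS", os: "macOS-latest", cmake_extra: "-DCMAKE_SYSTEM_NAME=iOS -DCMAKE_OSX_DEPLOYMENT_TARGET=12.0 -DCMAKE_OSX_ARCHITECTURES=\"arm64;x86_64\" -DCMAKE_TOOLCHAIN_FILE=cmake/ios.toolchain.cmake -DLSL_FRAMEWORK=ON" }
+
+steps:
+- uses: actions/checkout@v4
+
+- name: Install certificates and provisioning profiles
+env:
+MACOS_CERTIFICATE_APP: ${{ secrets.PROD_MACOS_CERTIFICATE }}
+MACOS_CERTIFICATE_INST: ${{ secrets.PROD_MACOS_CERTIFICATE_INST }}
+MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
+MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
+run: |
+# Create temporary keychain
+KEYCHAIN_PATH=$RUNNER_TEMP/build.keychain
+security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" $KEYCHAIN_PATH
+security default-keychain -s $KEYCHAIN_PATH
+security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" $KEYCHAIN_PATH
+
+# Import certificates from secrets ...
+CERTIFICATE_PATH_APP=$RUNNER_TEMP/build_certificate_app.p12
+CERTIFICATE_PATH_INST=$RUNNER_TEMP/build_certificate_inst.p12
+echo -n "$MACOS_CERTIFICATE_APP" | base64 --decode -o $CERTIFICATE_PATH_APP
+echo -n "$MACOS_CERTIFICATE_INST" | base64 --decode -o $CERTIFICATE_PATH_INST
+# ... to keychain
+security import $CERTIFICATE_PATH_APP -P "$MACOS_CERTIFICATE_PWD" -k $KEYCHAIN_PATH -A -t cert -f pkcs12
+security import $CERTIFICATE_PATH_INST -P "$MACOS_CERTIFICATE_PWD" -k $KEYCHAIN_PATH -A -t cert -f pkcs12
+
+# Set trusted partitions (groups of applications) that can access the keychain items
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" $KEYCHAIN_PATH
+security list-keychain -d user -s $KEYCHAIN_PATH
+
+# Get certificate identities into environment variables
+CERT_IDENTITY_APP=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | grep "Developer ID Application" | head -1 | awk -F'"' '{print $2}')
+echo "APPLE_CODE_SIGN_IDENTITY_APP=$CERT_IDENTITY_APP" >> $GITHUB_ENV
+CERT_IDENTITY_INST=$(security find-identity -v -p basic $KEYCHAIN_PATH | grep "Developer ID Installer" | head -1 | awk -F'"' '{print $2}')
+echo "APPLE_CODE_SIGN_IDENTITY_INST=$CERT_IDENTITY_INST" >> $GITHUB_ENV
+
+- name: Configure CMake
+env:
+APPLE_DEVELOPMENT_TEAM: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
+run: |
+cmake --version
+cmake -S . -B build \
+-DCMAKE_BUILD_TYPE=Release \
+-DCMAKE_INSTALL_PREFIX=${PWD}/install \
+-DLSL_UNITTESTS=ON \
+-DLSL_BENCHMARKS=ON \
+-DCPACK_PACKAGE_DIRECTORY=${PWD}/package \
+-Dlslgitrevision=${{ github.sha }} \
+-Dlslgitbranch=${{ github.ref }} \
+${{ matrix.config.cmake_extra }} \
+${{ github.event.inputs.cmakeextra }}
+echo ${PWD}
+
+- name: make
+run: cmake --build build --config Release -j
+
+- name: make install
+run: cmake --build build --config Release --target install
+
+- name: test install using examples
+run: |
+# Test that the in-tree install was successful by building the examples
+cmake -S examples -B examples/build \
+-DLSL_INSTALL_ROOT=${PWD}/install \
+-DCMAKE_INSTALL_PREFIX=examples/build/install \
+-DLSL_COMFY_DEFAULTS=ON \
+${{ matrix.config.cmake_extra }} \
+${{ github.event.inputs.cmakeextra }}
+cmake --build examples/build --target install --config Release -j
+./examples/build/install/bin/HandleMetaData
+
+- name: Codesign
+run: |
+codesign -vvv --force --deep --sign "$APPLE_CODE_SIGN_IDENTITY_APP" \
+--entitlements lsl.entitlements --options runtime \
+install/Frameworks/lsl.framework/Versions/A/lsl
+codesign -vvv --force --deep --sign "$APPLE_CODE_SIGN_IDENTITY_APP" \
+--entitlements lsl.entitlements --options runtime \
+install/Frameworks/lsl.framework
+echo "✅ Verifying binary signatures in install target..."
+codesign -vvv --verify --deep --strict install/Frameworks/lsl.framework/Versions/A/lsl
+codesign -vvv --verify --deep --strict install/Frameworks/lsl.framework
+
+- name: upload install dir
+uses: actions/upload-artifact@v4
+with:
+name: build-${{ matrix.config.name }}
+path: install
+
+# run internal tests
+- name: unit tests
+run: |
+mkdir -p dumps
+install/bin/lsl_test_internal --order rand --wait-for-keypress never --durations yes
+install/bin/lsl_test_exported --order rand --wait-for-keypress never --durations yes
+timeout-minutes: 10
+
+- name: upload dump
+if: failure()
+uses: actions/upload-artifact@v4
+with:
+name: dumps-${{ matrix.config.name }}
+path: dumps
+
+package_and_deploy:
+name: Package and Deploy
+needs: build
+runs-on: macOS-latest
+steps:
+- uses: actions/download-artifact@v4
+with:
+name: build-macOS-latest
+path: build-macOS-latest
+- uses: actions/download-artifact@v4
+with:
+name: build-iOS
+path: build-iOS
+
+- name: Create XCFramework
+run: |
+xcodebuild -create-xcframework \
+-framework build-macOS-latest/install/Frameworks/lsl.framework \
+-framework build-iOS/install/Frameworks/lsl.framework \
+-output lsl.xcframework
+xcodebuild -show-sdk-version
+
+- name: Codesign XCFramework
+env:
+APPLE_CODE_SIGN_IDENTITY_APP: ${{ secrets.PROD_MACOS_CERTIFICATE_IDENTITY_APP }}
+run: |
+codesign -vvv --force --deep --sign "$APPLE_CODE_SIGN_IDENTITY_APP" lsl.xcframework
+echo "✅ Verifying binary signatures in XCFramework..."
+codesign -vvv --verify --deep --strict lsl.xcframework
+
+- name: Create zip archive
+run: ditto -c -k --sequesterRsrc --keepParent lsl.xcframework lsl.xcframework.zip
+
+- name: Notarize XCFramework
+env:
+APPLE_DEVELOPMENT_TEAM: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
+APPLE_NOTARIZE_USERNAME: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
+APPLE_NOTARIZE_PASSWORD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
+run: |
+xcrun notarytool submit lsl.xcframework.zip \
+--apple-id "$APPLE_NOTARIZE_USERNAME" \
+--password "$APPLE_NOTARIZE_PASSWORD" \
+--team-id "$APPLE_DEVELOPMENT_TEAM" \
+--wait
+xcrun stapler staple lsl.xcframework
+
+- name: upload xcframework
+uses: actions/upload-artifact@v4
+with:
+name: xcframework
+path: lsl.xcframework.zip
+
+- name: upload to release page
+if: github.event_name == 'release'
+env:
+TOKEN: "token ${{ secrets.GITHUB_TOKEN }}"
+TAG: ${{ github.event.release.tag_name }}
+UPLOAD_URL: ${{ github.event.release.upload_url }}
+run: |
+UPLOAD_URL=${UPLOAD_URL%\{*} # remove "{name,label}" suffix
+for pkg in lsl.xcframework.zip; do
+NAME=$(basename $pkg)
+MIME=$(file --mime-type $pkg|cut -d ' ' -f2)
+curl -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: $TOKEN" -H "Content-Type: $MIME" --data-binary @$pkg $UPLOAD_URL?name=$NAME
+done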
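Review bot: The `Install certificates and provisioning profiles` step imports both Developer ID keys with `-A` into an unlocked default keychain before `Configure CMake`, `make`, the examples build and the unit tests, so every build script and test binary in the `build` job runs with the production signing keys usable, and the job also triggers on `pull_request`. Move the import to directly before `Codesign`, replace `-A` with `-T /usr/bin/codesign`, and skip the signing steps when `github.event_name == 'pull_request'`. Nothing removes `build.keychain` or the two decoded `.p12` files from `$RUNNER_TEMP`; add an `if: always()` cleanup step at the end of the job. `${{ github.event.inputs.cmakeextra }}` and `${{ github.ref }}` are pasted into the `run:` script before bash parses it, so pass them through `env:` and use the shell variables instead. The `package_and_deploy` job calls `codesign` with an identity name but imports no certificate, which presumably cannot work on a fresh runner.

```yaml
      - name: Configure CMake
        env:
          APPLE_DEVELOPMENT_TEAM: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
          LSL_GIT_BRANCH: ${{ github.ref }}
          CMAKE_EXTRA_INPUT: ${{ github.event.inputs.cmakeextra }}
        run: |
          # … unchanged: cmake --version and the fixed -D options …
            -Dlslgitbranch="$LSL_GIT_BRANCH" \
            ${{ matrix.config.cmake_extra }} \
            $CMAKE_EXTRA_INPUT  # left unquoted so several options still split into words

      # … unchanged: make, make install, test install, Codesign, uploads, unit tests …

      - name: Clean up keychain and certificate files
        if: always()
        run: |
          security delete-keychain "$RUNNER_TEMP/build.keychain" || true
          rm -f "$RUNNER_TEMP/build_certificate_app.p12" "$RUNNER_TEMP/build_certificate_inst.p12"
```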

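--- a/.github/workflows/cppcmake.yml
+++ b/.github/workflows/cppcmake.yml
@@ -2,7 +2,9 @@ name: C/C++ CI
 
 on:
 push:
-branches: ['*']
+branches:
+- main
+- dev
 tags: ['*']
 paths:
 - '**'
@@ -35,53 +37,15 @@ jobs:
 fail-fast: false
 matrix:
 config:
-# - {name: "ubuntu-22.04", os: "ubuntu-22.04", cmake_extra: "-DLSL_BUNDLED_PUGIXML=OFF" }
-# - {name: "ubuntu-24.04", os: "ubuntu-24.04", cmake_extra: "-DLSL_BUNDLED_PUGIXML=OFF" }
-# - {name: "windows-x64", os: "windows-latest", cmake_extra: "-T v142,host=x86"}
-# - {name: "windows-32", os: "windows-latest", cmake_extra: "-T v142,host=x86 -A Win32"}
-- {name: "macOS-latest", os: "macOS-latest", cmake_extra: "-DCMAKE_OSX_DEPLOYMENT_TARGET=10.15 -DCMAKE_OSX_ARCHITECTURES=\"x86_64;arm64\" -DLSL_FRAMEWORK=ON" }
-- {name: "iOS", os: "macOS-latest", cmake_extra: "-DCMAKE_IOS_DEPLOYMENT_TARGET=12.0 -DCMAKE_TOOLCHAIN_FILE=\"make/ios.toolchain.cmake\" -DLSL_FRAMEWORK=ON" }
+- {name: "ubuntu-22.04", os: "ubuntu-22.04", cmake_extra: "-DLSL_BUNDLED_PUGIXML=OFF" }
+- {name: "ubuntu-24.04", os: "ubuntu-24.04", cmake_extra: "-DLSL_BUNDLED_PUGIXML=OFF" }
+- {name: "windows-x64", os: "windows-latest", cmake_extra: "-T v142,host=x86"}
+- {name: "windows-32", os: "windows-latest", cmake_extra: "-T v142,host=x86 -A Win32"}
 
 steps:
 - uses: actions/checkout@v4
 
-- name: Install certificates and provisioning profiles
-if: matrix.config.os == 'macOS-latest'
-env:
-MACOS_CERTIFICATE_APP: ${{ secrets.PROD_MACOS_CERTIFICATE }}
-MACOS_CERTIFICATE_INST: ${{ secrets.PROD_MACOS_CERTIFICATE_INST }}
-MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
-MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
-run: |
-# Create temporary keychain
-KEYCHAIN_PATH=$RUNNER_TEMP/build.keychain
-security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" $KEYCHAIN_PATH
-security default-keychain -s $KEYCHAIN_PATH
-security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
-security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" $KEYCHAIN_PATH
-
-# Import certificates from secrets ...
-CERTIFICATE_PATH_APP=$RUNNER_TEMP/build_certificate_app.p12
-CERTIFICATE_PATH_INST=$RUNNER_TEMP/build_certificate_inst.p12
-echo -n "$MACOS_CERTIFICATE_APP" | base64 --decode -o $CERTIFICATE_PATH_APP
-echo -n "$MACOS_CERTIFICATE_INST" | base64 --decode -o $CERTIFICATE_PATH_INST
-# ... to keychain
-security import $CERTIFICATE_PATH_APP -P "$MACOS_CERTIFICATE_PWD" -k $KEYCHAIN_PATH -A -t cert -f pkcs12
-security import $CERTIFICATE_PATH_INST -P "$MACOS_CERTIFICATE_PWD" -k $KEYCHAIN_PATH -A -t cert -f pkcs12
-
-# Set trusted partitions (groups of applications) that can access the keychain items
-security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" $KEYCHAIN_PATH
-security list-keychain -d user -s $KEYCHAIN_PATH
-
-# Get certificate identities into environment variables
-CERT_IDENTITY_APP=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | grep "Developer ID Application" | head -1 | awk -F'"' '{print $2}')
-echo "APPLE_CODE_SIGN_IDENTITY_APP=$CERT_IDENTITY_APP" >> $GITHUB_ENV
-CERT_IDENTITY_INST=$(security find-identity -v -p basic $KEYCHAIN_PATH | grep "Developer ID Installer" | head -1 | awk -F'"' '{print $2}')
-echo "APPLE_CODE_SIGN_IDENTITY_INST=$CERT_IDENTITY_INST" >> $GITHUB_ENV
-
 - name: Configure CMake
-env:
-APPLE_DEVELOPMENT_TEAM: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
 run: |
 if [[ "${{ matrix.config.name }}" = ubuntu-2* ]]; then
 sudo apt-get install -y --no-install-recommends libpugixml-dev
@@ -117,8 +81,7 @@ jobs:
 cmake --build examples/build --target install --config Release -j
 ./examples/build/install/bin/HandleMetaData
 
-- name: package (!macOS)
-if: matrix.config.os != 'macOS-latest'
+- name: package
 run: |
 echo $GITHUB_REF
 cmake --build build --target package --config Release -j
@@ -137,48 +100,6 @@ jobs:
 cmake -E remove_directory package/_CPack_Packages
 cp testing/lslcfgs/default.cfg .
 
-- name: Codesign (macOS)
-if: matrix.config.os == 'macOS-latest'
-run: |
-codesign -vvv --force --deep --sign "$APPLE_CODE_SIGN_IDENTITY_APP" \
---entitlements lsl.entitlements --options runtime \
-install/Frameworks/lsl.framework/Versions/A/lsl
-codesign -vvv --force --deep --sign "$APPLE_CODE_SIGN_IDENTITY_APP" \
---entitlements lsl.entitlements --options runtime \
-install/Frameworks/lsl.framework
-echo "✅ Verifying binary signatures in install target..."
-codesign -vvv --verify --deep --strict install/Frameworks/lsl.framework/Versions/A/lsl
-codesign -vvv --verify --deep --strict install/Frameworks/lsl.framework
-
-# CMake does a lousy job of creating .pkg files for macOS, so we do it manually
-- name: package and notarize (macOS)
-if: matrix.config.os == 'macOS-latest'
-env:
-APPLE_DEVELOPMENT_TEAM: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
-APPLE_NOTARIZE_USERNAME: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
-APPLE_NOTARIZE_PASSWORD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
-run: |
-# Get the version number from the framework's Info.plist
-VERSION=$(plutil -extract CFBundleShortVersionString xml1 -o - install/Frameworks/lsl.framework/Versions/A/Resources/Info.plist | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p')
-echo "LSL_VERSION=$VERSION" >> $GITHUB_ENV
-
-mkdir -p package
-productbuild --sign "$APPLE_CODE_SIGN_IDENTITY_INST" \
---component install/Frameworks/lsl.framework \
-/Library/Frameworks package/liblsl-${LSL_VERSION}-Darwin-universal.pkg
-# Notarize the package
-xcrun notarytool submit package/liblsl-${LSL_VERSION}-Darwin-universal.pkg \
---apple-id "$APPLE_NOTARIZE_USERNAME" \
---password "$APPLE_NOTARIZE_PASSWORD" \
---team-id "$APPLE_DEVELOPMENT_TEAM" \
---wait
-# Staple the notarization ticket to the package
-xcrun stapler staple package/liblsl-${LSL_VERSION}-Darwin-universal.pkg
-# If notarization fails, you can get the history of notarization requests:
-# xcrun notarytool history --apple-id "$APPLE_NOTARIZE_USERNAME" --password "$APPLE_NOTARIZE_PASSWORD" --team-id "$APPLE_DEVELOPMENT_TEAM"
-# Then you can check the status of a specific request:
-# xcrun notarytool log <request-id> --apple-id "$APPLE_NOTARIZE_USERNAME" --password "$APPLE_NOTARIZE_PASSWORD" --team-id "$APPLE_DEVELOPMENT_TEAM"
-
 - name: upload install dir
 uses: actions/upload-artifact@master
 with:
@@ -239,8 +160,3 @@ jobs:
 MIME=$(file --mime-type $pkg|cut -d ' ' -f2)
 curl -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: $TOKEN" -H "Content-Type: $MIME" --data-binary @$pkg $UPLOAD_URL?name=$NAME
 done
-
-- name: Clean up keychain
-if: matrix.config.os == 'macOS-latest'
-run: |
-security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true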
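Review bot: `uses: actions/upload-artifact@master`, a context line in the `@@ -137,48 +100,6 @@` hunk, still follows a mutable branch, so whatever commit that branch points at runs inside this workflow. The apple.yml added in the same commit already uses `actions/upload-artifact@v4`; align this file with it, or better pin both to a full commit SHA, e.g. `uses: actions/upload-artifact@<full-commit-sha>  # v4`. The rest of the `upload install dir` step lies outside the hunk, so its `with:` inputs should be checked against v4 when making the change.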
