Skip to content

Fix codesign macos for application and installer #142

Fix codesign macos for application and installer

Fix codesign macos for application and installer #142

Workflow file for this run

name: CI Cortex Release
on:
push:
tags: ["v[0-9]+.[0-9]+.[0-9]+", "v[0-9]+.[0-9]+.[0-9]+-*", "!v[0-9]+.[0-9]+.[0-9]+-cortex-js"]
paths: ["cortex-cpp/**", "cortex-js/**"]
workflow_dispatch:
jobs:
create-draft-release:
runs-on: ubuntu-latest
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
outputs:
upload_url: ${{ steps.create_release.outputs.upload_url }}
version: ${{ steps.get_version.outputs.version }}
permissions:
contents: write
steps:
- name: Extract tag name without v prefix
id: get_version
run: |
echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV && echo "::set-output name=version::${GITHUB_REF#refs/tags/v}"
env:
GITHUB_REF: ${{ github.ref }}
- name: Create Draft Release
id: create_release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.ref_name }}
token: ${{ secrets.GITHUB_TOKEN }}
name: "${{ env.VERSION }}"
draft: true
prerelease: false
build-and-test:
runs-on: ${{ matrix.runs-on }}
needs: [create-draft-release]
timeout-minutes: 40
strategy:
fail-fast: false
matrix:
include:
- os: "linux"
name: "amd64"
runs-on: "ubuntu-20-04"
cmake-flags: "-DCORTEX_CPP_VERSION=${{needs.create-draft-release.outputs.version}}"
build-deps-cmake-flags: ""
arch: "x64"
platform: "linux"
- os: "mac"
name: "amd64"
runs-on: "macos-13"
cmake-flags: "-DCORTEX_CPP_VERSION=${{needs.create-draft-release.outputs.version}}"
build-deps-cmake-flags: ""
arch: "x64"
platform: "darwin"
- os: "mac"
name: "arm64"
runs-on: "macos-latest"
cmake-flags: "-DCORTEX_CPP_VERSION=${{needs.create-draft-release.outputs.version}} -DMAC_ARM64=ON"
build-deps-cmake-flags: ""
arch: "arm64"
platform: "darwin"
- os: "windows"
name: "amd64"
runs-on: "windows-cuda-12-0"
cmake-flags: "-DCORTEX_CPP_VERSION=${{needs.create-draft-release.outputs.version}} -DBUILD_SHARED_LIBS=OFF -DCMAKE_BUILD_TYPE=RELEASE -DCMAKE_CXX_COMPILER_LAUNCHER=ccache -DCMAKE_C_COMPILER_LAUNCHER=ccache -DCMAKE_CUDA_COMPILER_LAUNCHER=ccache -GNinja"
build-deps-cmake-flags: "-DCMAKE_BUILD_TYPE=RELEASE -DCMAKE_CXX_COMPILER_LAUNCHER=ccache -DCMAKE_C_COMPILER_LAUNCHER=ccache -DCMAKE_CUDA_COMPILER_LAUNCHER=ccache -GNinja"
arch: "x64"
platform: "win32"
steps:
- name: Clone
id: checkout
uses: actions/checkout@v3
with:
submodules: recursive
- uses: actions/setup-dotnet@v3
if: runner.os == 'Windows'
with:
dotnet-version: "8.0.x"
- uses: actions/setup-node@v3
with:
node-version: "20.x"
registry-url: "https://registry.npmjs.org"
- name: Install choco on Windows
if: runner.os == 'Windows'
run: |
choco install make pkgconfiglite ccache awscli 7zip ninja -y
- name: Download ccache from s3
if: runner.os == 'Windows'
continue-on-error: true
run: |
Import-Module "$env:ChocolateyInstall\helpers\chocolateyProfile.psm1"
refreshenv
aws s3 cp s3://${{ secrets.MINIO_BUCKET_NAME }}/cortex-cpp-${{ matrix.os }}-${{ matrix.name }} ${{ matrix.ccache-dir }} --recursive --endpoint ${{ secrets.MINIO_ENDPOINT }}
env:
AWS_ACCESS_KEY_ID: "${{ secrets.MINIO_ACCESS_KEY_ID }}"
AWS_SECRET_ACCESS_KEY: "${{ secrets.MINIO_SECRET_ACCESS_KEY }}"
AWS_DEFAULT_REGION: "${{ secrets.MINIO_REGION }}"
- name: Get Cer for code signing
if: runner.os == 'macOS'
run: base64 -d <<< "$CODE_SIGN_P12_BASE64" > /tmp/codesign.p12
shell: bash
env:
CODE_SIGN_P12_BASE64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
- name: Install the Apple certificate and provisioning profile
if: runner.os == 'macOS'
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
P12_PASSWORD: ${{ secrets.CODE_SIGN_P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: Build
run: |
cd cortex-cpp
make build CMAKE_EXTRA_FLAGS="${{ matrix.cmake-flags }}" BUILD_DEPS_CMAKE_EXTRA_FLAGS="${{ matrix.build-deps-cmake-flags }}"
- name: Pre-package
run: |
cd cortex-cpp
make pre-package
- name: Code Signing macOS
if: runner.os == 'macOS'
run: |
cd cortex-cpp
make codesign CODE_SIGN=true DEVELOPER_ID="${{ secrets.DEVELOPER_ID }}"
- uses: nick-fields/retry@v3
with:
continue_on_error: true
retry_wait_seconds: 10
timeout_minutes: 10
max_attempts: 3
shell: cmd
command: |
cd cortex-cpp
set PATH=%PATH%;%USERPROFILE%\.dotnet\tools
make codesign CODE_SIGN=true AZURE_KEY_VAULT_URI="${{ secrets.AZURE_KEY_VAULT_URI }}" AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" AZURE_CLIENT_SECRET="${{ secrets.AZURE_CLIENT_SECRET }}" AZURE_CERT_NAME="${{ secrets.AZURE_CERT_NAME }}"
name: Code Signing Windows
if: runner.os == 'Windows'
- name: Package
run: |
cd cortex-cpp
make package
- uses: actions/[email protected]
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-draft-release.outputs.upload_url }}
asset_path: ./cortex-cpp/cortex-cpp.tar.gz
asset_name: cortex-cpp-${{ needs.create-draft-release.outputs.version }}-${{ matrix.os }}-${{ matrix.name }}.tar.gz
asset_content_type: application/gzip
- name: Upload ccache to s3
continue-on-error: true
if: always() && runner.os == 'Windows'
run: |
Import-Module "$env:ChocolateyInstall\helpers\chocolateyProfile.psm1"
refreshenv
aws s3 cp ${{ matrix.ccache-dir }} s3://${{ secrets.MINIO_BUCKET_NAME }}/cortex-cpp-${{ matrix.os }}-${{ matrix.name }} --recursive --endpoint ${{ secrets.MINIO_ENDPOINT }}
env:
AWS_ACCESS_KEY_ID: "${{ secrets.MINIO_ACCESS_KEY_ID }}"
AWS_SECRET_ACCESS_KEY: "${{ secrets.MINIO_SECRET_ACCESS_KEY }}"
AWS_DEFAULT_REGION: "${{ secrets.MINIO_REGION }}"
## cortex-cpp node binding
# update version in package.json
- name: Install jq
uses: dcarbone/[email protected]
- name: "Update version by tag"
working-directory: cortex-cpp
run: |
echo "Version: ${{ needs.create-draft-release.outputs.version }}"
# Update the version in package.json
jq --arg version "${{ needs.create-draft-release.outputs.version }}" '.version = $version' package.json > package-tmp.json
rm package.json
mv package-tmp.json package.json
# build prebuilds
- name: Build Prebuilds
working-directory: cortex-cpp
run: |
npm install -g yarn
yarn && yarn prebuild
# upload prebuilds
- name: Upload Prebuilds Darwin
uses: actions/[email protected]
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-draft-release.outputs.upload_url }}
asset_path: ./cortex-cpp/prebuilds/cortex-cpp-v${{ needs.create-draft-release.outputs.version }}-napi-v8-${{matrix.platform}}-${{ matrix.arch }}.tar.gz
asset_name: cortex-cpp-v${{ needs.create-draft-release.outputs.version }}-napi-v8-${{matrix.platform}}-${{ matrix.arch }}.tar.gz
asset_content_type: application/gzip
# Setup .npmrc file to publish to npm - upload only once
- run: npm publish --access public
continue-on-error: true
if: runner.os == 'linux'
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
working-directory: ./cortex-cpp
- name: Clean up keychain
if: ${{ always() && runner.os == 'macOS' }}
run: |
security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
build-cortex-single-binary:
runs-on: ${{ matrix.runs-on }}
needs: [create-draft-release, build-and-test]
timeout-minutes: 20
strategy:
fail-fast: false
matrix:
include:
- os: "linux"
name: "amd64"
runs-on: "ubuntu-latest"
- os: "windows"
name: "amd64"
runs-on: "windows-2019"
- os: "mac"
name: "amd64"
runs-on: "macos-desktop"
- os: "mac"
name: "arm64"
runs-on: "macos-silicon"
steps:
- name: Clone
id: checkout
uses: actions/checkout@v3
with:
submodules: recursive
- uses: actions/setup-dotnet@v3
if: runner.os == 'Windows'
with:
dotnet-version: "8.0.x"
- name: Install jq
uses: dcarbone/[email protected]
- uses: actions/setup-node@v3
with:
node-version: "20.x"
registry-url: "https://registry.npmjs.org"
- name: "Update version by tag"
working-directory: cortex-js
shell: bash
run: |
echo "Version: ${{ needs.create-draft-release.outputs.version }}"
# Update the version in package.json
jq --arg version "${{ needs.create-draft-release.outputs.version }}" '.version = $version' package.json > /tmp/package.json
mv /tmp/package.json package.json
- name: Install choco on Windows
if: runner.os == 'Windows'
run: |
choco install make -y
- uses: actions/setup-node@v3
with:
node-version: "20.x"
registry-url: "https://registry.npmjs.org"
- uses: actions/setup-python@v3
if: runner.os != 'macOS'
with:
python-version: "3.10"
- run: pip3 install --upgrade setuptools
if: runner.os == 'macOS'
- run: yarn install && yarn build:binary
working-directory: ./cortex-js
- name: Get Cer for code signing
if: runner.os == 'macOS'
run: base64 -d <<< "$CODE_SIGN_P12_BASE64" > /tmp/codesign.p12
shell: bash
env:
CODE_SIGN_P12_BASE64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
- name: Install the Apple certificate and provisioning profile
if: runner.os == 'macOS'
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
P12_PASSWORD: ${{ secrets.CODE_SIGN_P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: update app info
run: |
cd cortex-js
make update-app-info
- name: copy bin file macos
if: runner.os == 'macOS'
run: |
cd cortex-js
mkdir -p installer
which cp
which mv
npm install -g cpx
npx cpx ./dist/cortexso-macos ./
mv cortexso-macos cortex
- name: Code Signing macOS
if: runner.os == 'macOS'
env:
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
KEYCHAIN_PATH: $RUNNER_TEMP/app-signing.keychain-db
run: |
cd cortex-js
./dist/cortexso-macos --help
echo "--------"
./cortex --help
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
make codesign-binary CODE_SIGN=true DEVELOPER_ID="${{ secrets.DEVELOPER_ID }}"
- name: Create MacOS PKG Installer
env:
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
KEYCHAIN_PATH: $RUNNER_TEMP/app-signing.keychain-db
if: runner.os == 'macOS'
run: |
cd cortex-js
echo "--------"
npx cpx ./cortex ./installer
./installer/cortex --help
pkgbuild --identifier ai.cortex.pkg --install-location ./usr/local/bin/ --root ./installer cortex-installer.pkg
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
make codesign-installer CODE_SIGN=true DEVELOPER_ID="${{ secrets.DEVELOPER_ID }}"
- name: Create MacOS PKG Installer
if: runner.os == 'Linux'
run: |
cd cortex-js
mkdir -p cortexso/DEBIAN
mkdir -p cortexso/usr/local/bin
sed "s/Version:/Version: ${{ needs.create-draft-release.outputs.version }}/g" control.template > cortexso/DEBIAN/control
cp cortex cortexso/usr/local/bin/cortex
dpkg-deb --build cortexso
- run: |
cd cortex-js
set PATH=%PATH%;%USERPROFILE%\.dotnet\tools
make codesign-binary CODE_SIGN=true CORTEX_VERSION="0.${{ needs.create-draft-release.outputs.version }}" AZURE_KEY_VAULT_URI="${{ secrets.AZURE_KEY_VAULT_URI }}" AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" AZURE_CLIENT_SECRET="${{ secrets.AZURE_CLIENT_SECRET }}" AZURE_CERT_NAME="${{ secrets.AZURE_CERT_NAME }}"
name: Code Signing Windows
shell: cmd
if: runner.os == 'Windows'
- name: Update version in installer.iss using sed
if: runner.os == 'Windows'
shell: bash
run: |
cd cortex-js
sed -i "s/AppVersion=1.0/AppVersion=${{ needs.create-draft-release.outputs.version }}/g" installer.iss
cat installer.iss
- name: Compile .ISS to .EXE Installer
uses: Minionguyjpro/[email protected]
if: runner.os == 'Windows'
with:
path: cortex-js/installer.iss
options: /O+
- run: |
cd cortex-js
set PATH=%PATH%;%USERPROFILE%\.dotnet\tools
make codesign-installer CODE_SIGN=true CORTEX_VERSION="0.${{ needs.create-draft-release.outputs.version }}" AZURE_KEY_VAULT_URI="${{ secrets.AZURE_KEY_VAULT_URI }}" AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" AZURE_CLIENT_SECRET="${{ secrets.AZURE_CLIENT_SECRET }}" AZURE_CERT_NAME="${{ secrets.AZURE_CERT_NAME }}"
name: Code Signing Windows
shell: cmd
if: runner.os == 'Windows'
- name: Post-Bundle
run: |
cd cortex-js
make postbundle
- name: Upload Cortex Installer
uses: actions/[email protected]
if: runner.os != 'Linux'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-draft-release.outputs.upload_url }}
asset_path: ./cortex-js/cortex-installer.tar.gz
asset_name: cortex-installer-${{ needs.create-draft-release.outputs.version }}-${{ matrix.name }}-${{ matrix.os }}.tar.gz
asset_content_type: application/gzip
- name: Upload Cortex Installer
uses: actions/[email protected]
if: runner.os == 'Windows'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-draft-release.outputs.upload_url }}
asset_path: ./cortex-js/setup.exe
asset_name: cortex-installer-${{ needs.create-draft-release.outputs.version }}-${{ matrix.name }}-${{ matrix.os }}.exe
asset_content_type: application/octet-stream
- uses: actions/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-draft-release.outputs.upload_url }}
asset_path: ./cortex-js/cortex.tar.gz
asset_name: cortex-${{ needs.create-draft-release.outputs.version }}-${{ matrix.name }}-${{ matrix.os }}.tar.gz
asset_content_type: application/gzip
- uses: actions/[email protected]
if: runner.os == 'Linux'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-draft-release.outputs.upload_url }}
asset_path: ./cortex-js/cortexso.deb
asset_name: cortex-installer-${{ needs.create-draft-release.outputs.version }}-${{ matrix.name }}-${{ matrix.os }}.deb
asset_content_type: application/gzip
# Upload artifact for package manager
- name: Upload Artifact
if: runner.os == 'Linux'
uses: actions/upload-artifact@v2
with:
name: cortex-linux
path: ./cortex-js/cortex
- name: Clean up keychain
if: ${{ always() && runner.os == 'macOS' }}
run: |
security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
update_release_draft:
needs: [build-and-test, build-cortex-single-binary]
permissions:
# write permission is required to create a github release
contents: write
# write permission is required for autolabeler
# otherwise, read permission is required at least
pull-requests: write
runs-on: ubuntu-latest
steps:
# (Optional) GitHub Enterprise requires GHE_HOST variable set
#- name: Set GHE_HOST
# run: |
# echo "GHE_HOST=${GITHUB_SERVER_URL##https:\/\/}" >> $GITHUB_ENV
# Drafts your next Release notes as Pull Requests are merged into "master"
- uses: release-drafter/release-drafter@v5
# (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
# with:
# config-name: my-config.yml
# disable-autolabeler: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Add jobs with approval
public_package_manager:
needs: [create-draft-release, update_release_draft]
runs-on: ubuntu-latest
environment: package-manager
permissions:
contents: read
steps:
- name: checkout
uses: actions/checkout@v4
- name: Download artifact
uses: actions/download-artifact@v2
with:
name: cortex-linux
path: ./cortex-linux
- name: install dependencies
run: |
ls -al ./cortex-linux
sudo apt-get install dput devscripts build-essential debhelper-compat pbuilder debootstrap devscripts -y
- name: import gpg key with subkey
uses: crazy-max/ghaction-import-gpg@v4
with:
gpg_private_key: ${{ secrets.HOMEBREW_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.HOMEBREW_GPG_PASSPHRASE }}
fingerprint: ${{ secrets.HOMEBREW_GPG_FINGERPRINT }}
- run: |
mkdir -p package-managers-template/launchpad/cortexso-${{ needs.create-draft-release.outputs.version }}/debian
cp package-managers-template/launchpad/cortexso/debian/* package-managers-template/launchpad/cortexso-${{ needs.create-draft-release.outputs.version }}/debian/
cp ./cortex-linux/cortex package-managers-template/launchpad/cortexso-${{ needs.create-draft-release.outputs.version }}/
- name: Get release notes
id: release_notes
run: |
RELEASE_NOTES="cortex update to version ${{ needs.create-draft-release.outputs.version }}"
echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
- name: Update change log
run: |
sed -i "s/VERSION/${{ needs.create-draft-release.outputs.version }}/g" package-managers-template/launchpad/cortexso-${{ needs.create-draft-release.outputs.version }}/debian/changelog
sed -i "s/CHANGELOG_HERE/${{ env.RELEASE_NOTES }}/g" package-managers-template/launchpad/cortexso-${{ needs.create-draft-release.outputs.version }}/debian/changelog
timestamp=$(date -u +"%a, %d %b %Y %H:%M:%S +0000")
sed -i "s/TIME_HERE/${timestamp}/g" package-managers-template/launchpad/cortexso-${{ needs.create-draft-release.outputs.version }}/debian/changelog
- name: Build package
run: |
cd package-managers-template/launchpad/cortexso-${{ needs.create-draft-release.outputs.version }}
echo "y" | debuild -S -sa -k${{ secrets.HOMEBREW_GPG_FINGERPRINT }}
sudo pbuilder create --distribution jammy --debootstrapopts --variant=buildd
sudo pbuilder build ../cortexso_${{ needs.create-draft-release.outputs.version }}.dsc
dput ppa:homebrew-computer/main ../cortexso_${{ needs.create-draft-release.outputs.version }}_source.changes