Restrict default permissions of Github Actions #4040
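# Package and release workflow: builds the macOS and Windows packages, runs the
# PyPI release workflow, and (on tag pushes only) publishes a GitHub release.
#
# GITHUB_TOKEN scopes: the workflow-level `permissions: {}` removes every
# default scope, so each job must declare exactly the scopes it needs.
name: Package and release

on:
  push:
    paths:
      - '.github/workflows/package.yml'
      - '.github/workflows/pypi-release.yml'
      - 'installer/**'
      - 'picard/**'
      - 'po/**.po'
      - 'resources/win10/**'
      - 'scripts/package/*'
      - 'scripts/pyinstaller/*'
      - 'test/**'
      - 'appxmanifest.xml.in'
      - 'picard.icns'
      - 'picard.ico'
      - 'picard.spec'
      - 'requirements*.txt'
      - 'setup.py'
      - 'tagger.py.in'
      - 'win.version-info.txt.in'
  pull_request:

# Least privilege: no default GITHUB_TOKEN scopes for any job. A job that needs
# a scope requests it with its own `permissions:` block (see github-release).
permissions: {}

jobs:
  package-macos:
    runs-on: macos-11
    strategy:
      matrix:
        setup:
          # Deployment targets are quoted so a value like 10.10 is never
          # parsed as the float 10.1; they are used verbatim in artifact names.
          - macos-deployment-version: '10.12'
            python-version: 3.9.12-macosx10.9
            python-sha256sum: 7888174c6fe441b00448c7ab3e9cbf0e6c3c7dea0750577baf09e1383fc44656
          - macos-deployment-version: '10.14'
            python-version: 3.11.1-macos11
            python-sha256sum: f4de33ad3ef09c3e31196b296aec761eabab4564fc8c25e50ea99edd01969819
    env:
      # Pinned versions and SHA-256 sums of the downloaded build dependencies;
      # the setup script is expected to verify the checksums.
      DISCID_VERSION: 0.6.3
      DISCID_SHA256SUM: 8bca27e2f621c7813a6a9951fd573b31754a6fb51551a373c1acea1aa188adeb
      FPCALC_VERSION: 1.5.1
      FPCALC_SHA256SUM: d4d8faff4b5f7c558d9be053da47804f9501eaa6c2f87906a9f040f38d61c860
      PYTHON_VERSION: ${{ matrix.setup.python-version }}
      PYTHON_SHA256SUM: ${{ matrix.setup.python-sha256sum }}
      MACOSX_DEPLOYMENT_TARGET: ${{ matrix.setup.macos-deployment-version }}
      # Compared as a string in expressions, so keep it a quoted string.
      CODESIGN: '0'
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # Fetch entire history, needed for setting the build number
      - run: git fetch --depth=1 origin +refs/tags/release-*:refs/tags/release-*
      - name: Setup macOS build environment
        run: |
          ./scripts/package/macos-setup.sh
          PYTHON_BASE_VERSION=$(echo $PYTHON_VERSION | sed -e "s/\.[0-9]\{1,\}$//")
          echo "/Library/Frameworks/Python.framework/Versions/$PYTHON_BASE_VERSION/bin" >> $GITHUB_PATH
          echo "/usr/local/opt/gettext/bin" >> $GITHUB_PATH
          RELEASE_TAG=$(git describe --match "release-*" --abbrev=0 --always HEAD)
          BUILD_NUMBER=$(git rev-list --count $RELEASE_TAG..HEAD)
          echo "BUILD_NUMBER=$BUILD_NUMBER" >> $GITHUB_ENV
          mkdir artifacts
          python3 -m pip install --upgrade pip setuptools wheel
      - name: Patch build version
        # Tagged builds keep the released version string unchanged.
        if: startsWith(github.ref, 'refs/tags/') != true
        run: |
          python3 setup.py patch_version --platform=$BUILD_NUMBER.$(git rev-parse --short HEAD)
      - name: Compile and install PyInstaller
        # The bootloader is rebuilt from a pinned upstream tag so it targets the
        # same minimum macOS version as the rest of the build.
        run: |
          git clone --depth 1 --branch "$PYINSTALLER_VERSION" https://github.com/pyinstaller/pyinstaller.git pyinstaller
          cd pyinstaller/bootloader
          python3 ./waf --verbose all
          cd ..
          pip3 install .
        env:
          PYINSTALLER_VERSION: v5.12.0
          CFLAGS: -mmacosx-version-min=${{ matrix.setup.macos-deployment-version }}
          CPPFLAGS: -mmacosx-version-min=${{ matrix.setup.macos-deployment-version }}
          LDFLAGS: -mmacosx-version-min=${{ matrix.setup.macos-deployment-version }}
          LINKFLAGS: -mmacosx-version-min=${{ matrix.setup.macos-deployment-version }}
      - name: Install dependencies
        run: |
          pip3 install -r requirements-build.txt
          pip3 install -r requirements-macos-${MACOSX_DEPLOYMENT_TARGET}.txt
      - name: Run tests
        timeout-minutes: 30
        run: |
          python3 setup.py test
      - name: Prepare code signing certificate
        # Secrets are unavailable to pull requests from forks, so this step
        # degrades to a warning instead of failing the build there.
        run: |
          if [ -n "$CODESIGN_MACOS_P12_URL" ] && [ -n "$AWS_ACCESS_KEY_ID" ]; then
            pip3 install awscli
            aws s3 cp "$CODESIGN_MACOS_P12_URL" ./scripts/package/appledev.p12
          else
            echo "::warning::No code signing certificate available, skipping code signing."
          fi
        env:
          AWS_DEFAULT_REGION: eu-central-1
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          CODESIGN_MACOS_P12_URL: ${{ secrets.CODESIGN_MACOS_P12_URL }}
      - name: Build macOS app
        # The signing certificate is removed before anything is archived so it
        # can never end up inside an uploaded artifact.
        run: |
          ./scripts/package/macos-package-app.sh
          rm -f ./scripts/package/appledev.p12
          mv dist/*.dmg artifacts/
        env:
          APPLE_ID_USER: ${{ secrets.APPLE_ID_USER }}
          APPLE_ID_TEAM: ${{ secrets.APPLE_ID_TEAM }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
          CODESIGN_MACOS_P12_PASSWORD: ${{ secrets.CODESIGN_MACOS_P12_PASSWORD }}
      - name: Archive production artifacts
        uses: actions/upload-artifact@v3
        with:
          name: macos-app-${{ matrix.setup.macos-deployment-version }}
          path: artifacts/

  package-windows:
    runs-on: windows-2019
    strategy:
      matrix:
        type:
          - store-app
          - signed-app
          - installer
          - portable
      fail-fast: false
    env:
      # Flipped to '1' by the certificate step when signing is possible.
      CODESIGN: '0'
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # Fetch entire history, needed for setting the build number
      - run: git fetch --depth=1 origin +refs/tags/release-*:refs/tags/release-*
      - name: Set up Python 3.8
        uses: actions/setup-python@v4
        with:
          python-version: '3.8'
      - name: Setup Windows build environment
        run: |
          & .\scripts\package\win-setup.ps1 `
            -DiscidVersion $Env:DISCID_VERSION -DiscidSha256Sum $Env:DISCID_SHA256SUM `
            -FpcalcVersion $Env:FPCALC_VERSION -FpcalcSha256Sum $Env:FPCALC_SHA256SUM
          Write-Output "C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8
          $ReleaseTag = $(git describe --match "release-*" --abbrev=0 --always HEAD)
          $BuildNumber = $(git rev-list --count "$ReleaseTag..HEAD")
          Write-Output "BUILD_NUMBER=$BuildNumber" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8
          New-Item -Name .\artifacts -ItemType Directory
        env:
          # Pinned versions and SHA-256 sums of the Windows build dependencies.
          DISCID_VERSION: 0.6.3
          DISCID_SHA256SUM: c9486ece9796584a5ce5cf49efe88ada4454c24fa6f028c8bde1aaef28e99853
          FPCALC_VERSION: 1.5.1
          FPCALC_SHA256SUM: 36b478e16aa69f757f376645db0d436073a42c0097b6bb2677109e7835b59bbc
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements-build.txt
          pip install -r requirements-win.txt
      - name: Patch build version
        if: startsWith(github.ref, 'refs/tags/') != true
        run: |
          python setup.py patch_version --platform=$Env:BUILD_NUMBER.$(git rev-parse --short HEAD)
      - name: Run tests
        timeout-minutes: 30
        run: python setup.py test
      - name: Prepare code signing certificate
        # The store package is signed by the store, so it never needs the
        # certificate. Without secrets (fork PRs) signing is skipped with a warning.
        if: matrix.type != 'store-app'
        run: |
          If ($Env:CODESIGN_P12_URL -And $Env:AWS_ACCESS_KEY_ID) {
            pip install awscli
            aws s3 cp "$Env:CODESIGN_P12_URL" .\codesign.pfx
            Write-Output "CODESIGN=1" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8
          } Else {
            Write-Output "::warning::No code signing certificate available, skipping code signing."
          }
        env:
          AWS_DEFAULT_REGION: eu-central-1
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          CODESIGN_P12_URL: ${{ secrets.CODESIGN_P12_URL }}
      - name: Build Windows 10 store app package
        if: matrix.type == 'store-app'
        run: |
          & .\scripts\package\win-package-appx.ps1 -BuildNumber $Env:BUILD_NUMBER
          Move-Item .\dist\*.msix .\artifacts
        env:
          PICARD_APPX_PUBLISHER: CN=0A9169B7-05A3-4ED9-8876-830F17846709
      - name: Build Windows 10 signed app package
        # Only built when a certificate was actually fetched.
        if: matrix.type == 'signed-app' && env.CODESIGN == '1'
        run: |
          $CertPassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
          & .\scripts\package\win-package-appx.ps1 -BuildNumber $Env:BUILD_NUMBER -CertificateFile .\codesign.pfx -CertificatePassword $CertPassword
          Move-Item .\dist\*.msix .\artifacts
        env:
          CODESIGN_P12_PASSWORD: ${{ secrets.CODESIGN_P12_PASSWORD }}
      - name: Build Windows installer
        if: matrix.type == 'installer'
        run: |
          # choco install nsis
          If ($Env:CODESIGN -eq "1") {
            $CertPassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
            $Certificate = Get-PfxCertificate -FilePath .\codesign.pfx -Password $CertPassword
          } Else {
            $Certificate = $null
          }
          & .\scripts\package\win-package-installer.ps1 -BuildNumber $Env:BUILD_NUMBER -Certificate $Certificate
          Move-Item .\installer\*.exe .\artifacts
          dist\picard\fpcalc -version
        env:
          CODESIGN_P12_PASSWORD: ${{ secrets.CODESIGN_P12_PASSWORD }}
      - name: Build Windows portable app
        if: matrix.type == 'portable'
        run: |
          If ($Env:CODESIGN -eq "1") {
            $CertPassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
            $Certificate = Get-PfxCertificate -FilePath .\codesign.pfx -Password $CertPassword
          } Else {
            $Certificate = $null
          }
          & .\scripts\package\win-package-portable.ps1 -BuildNumber $Env:BUILD_NUMBER -Certificate $Certificate
          Move-Item .\dist\*.exe .\artifacts
        env:
          CODESIGN_P12_PASSWORD: ${{ secrets.CODESIGN_P12_PASSWORD }}
      - name: Cleanup
        # Removes the fetched certificate before the artifact upload. Note that
        # this step is skipped when an earlier step fails; the runner is
        # discarded afterwards, and only artifacts/ is ever uploaded.
        if: env.CODESIGN == '1'
        run: Remove-Item .\codesign.pfx
      - name: Archive production artifacts
        uses: actions/upload-artifact@v3
        # An unsigned signed-app build is not a usable artifact, so skip it.
        if: matrix.type != 'signed-app' || env.CODESIGN == '1'
        with:
          name: windows-${{ matrix.type }}
          path: artifacts/

  package-pypi:
    uses: ./.github/workflows/pypi-release.yml
    # The called workflow can only use scopes granted here; with the top-level
    # `permissions: {}` it gets none. If pypi-release.yml needs a scope (for
    # example id-token: write for trusted publishing), add a `permissions:`
    # block to this job — verify against that file.
    secrets: inherit

  github-release:
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    needs:
      - package-macos
      - package-windows
      - package-pypi
    # Creating the release and uploading its assets through GITHUB_TOKEN needs
    # contents: write; with the workflow-level `permissions: {}` and no job
    # grant, the release step would be rejected.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: '3.9'
      - uses: actions/download-artifact@v3
        with:
          name: macos-app-10.12
          path: artifacts/
      - uses: actions/download-artifact@v3
        with:
          name: macos-app-10.14
          path: artifacts/
      - uses: actions/download-artifact@v3
        with:
          name: windows-signed-app
          path: artifacts/
      - uses: actions/download-artifact@v3
        with:
          name: windows-store-app
          path: artifacts/
      - uses: actions/download-artifact@v3
        with:
          name: windows-installer
          path: artifacts/
      - uses: actions/download-artifact@v3
        with:
          name: windows-portable
          path: artifacts/
      - uses: actions/download-artifact@v3
        with:
          # Produced by pypi-release.yml; the name must stay in sync with it.
          name: picard-sdist
          path: artifacts/
      - name: Generate checksums
        # SHA256SUMS is published alongside the assets so users can verify
        # downloads; it covers every file in artifacts/.
        run: |
          cd artifacts
          sha256sum * > SHA256SUMS
      - name: Prepare changelog
        id: changelog
        continue-on-error: true
        run: |
          PICARD_VERSION=$(python -c "import picard; print(picard.__version__)")
          echo "version=$PICARD_VERSION" >> $GITHUB_OUTPUT
          ./scripts/tools/changelog-for-version.py $PICARD_VERSION > changes-$PICARD_VERSION.txt
      - name: Create release
        # Third-party action referenced by a mutable major tag; pinning it to a
        # full commit SHA would protect against the tag being retargeted.
        uses: softprops/action-gh-release@v1
        with:
          name: MusicBrainz Picard ${{ steps.changelog.outputs.version }}
          body_path: changes-${{ steps.changelog.outputs.version }}.txt
          files: artifacts/*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}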