Cycode

name: Build executable version of CLI and optionally upload artifact on: workflow_dispatch: inputs: publish: description: 'Upload artifacts to release' required: false default: false type: boolean push: branches: - main permissions: contents: write jobs: build: name: Build on ${{ matrix.os }} (${{ matrix.mode }} mode) strategy: fail-fast: false matrix: os: [ ubuntu-22.04, macos-15-intel, macos-15, windows-2022 ] mode: [ 'onefile', 'onedir' ] exclude: - os: ubuntu-22.04 mode: onedir - os: windows-2022 mode: onedir runs-on: ${{ matrix.os }} defaults: run: shell: bash steps: - name: Run Cimon if: matrix.os == 'ubuntu-22.04' uses: cycodelabs/cimon-action@v0 with: client-id: ${{ secrets.CIMON_CLIENT_ID }} secret: ${{ secrets.CIMON_SECRET }} prevent: true allowed-hosts: > files.pythonhosted.org install.python-poetry.org pypi.org uploads.github.com - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 0 - name: Checkout latest release tag if: ${{ github.event_name == 'workflow_dispatch' }} run: | LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`) git checkout $LATEST_TAG echo "LATEST_TAG=$LATEST_TAG" >> $GITHUB_ENV - name: Set up Python 3.12 uses: actions/setup-python@v4 with: python-version: '3.12' - name: Load cached Poetry setup id: cached-poetry uses: actions/cache@v3 with: path: ~/.local key: poetry-${{ matrix.os }}-2 # increment to reset cache - name: Setup Poetry if: steps.cached-poetry.outputs.cache-hit != 'true' uses: snok/install-poetry@v1 with: version: 2.2.1 - name: Add Poetry to PATH run: echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Install dependencies run: poetry install --without dev,test - name: Import macOS signing certificate if: runner.os == 'macOS' env: APPLE_CERT: ${{ secrets.APPLE_CERT }} APPLE_CERT_PWD: ${{ secrets.APPLE_CERT_PWD }} APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} run: | # import certificate CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 echo -n "$APPLE_CERT" | base64 --decode -o $CERTIFICATE_PATH # create temporary keychain KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security set-keychain-settings -lut 21600 $KEYCHAIN_PATH security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH # import certificate to keychain security import $CERTIFICATE_PATH -P "$APPLE_CERT_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH security list-keychain -d user -s $KEYCHAIN_PATH - name: Build executable (onefile) if: matrix.mode == 'onefile' env: APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} run: | poetry run pyinstaller pyinstaller.spec echo "PATH_TO_CYCODE_CLI_EXECUTABLE=dist/cycode-cli" >> $GITHUB_ENV - name: Build executable (onedir) if: matrix.mode == 'onedir' env: CYCODE_ONEDIR_MODE: 1 APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} run: | poetry run pyinstaller pyinstaller.spec echo "PATH_TO_CYCODE_CLI_EXECUTABLE=dist/cycode-cli/cycode-cli" >> $GITHUB_ENV - name: Test executable run: time $PATH_TO_CYCODE_CLI_EXECUTABLE version - name: Notarize macOS executable if: runner.os == 'macOS' env: APPLE_NOTARIZATION_EMAIL: ${{ secrets.APPLE_NOTARIZATION_EMAIL }} APPLE_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARIZATION_PWD }} APPLE_NOTARIZATION_TEAM_ID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }} run: | # create keychain profile xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_NOTARIZATION_EMAIL" --team-id "$APPLE_NOTARIZATION_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD" # create zip file (notarization does not support binaries) ditto -c -k --keepParent dist/cycode-cli notarization.zip # notarize app (this will take a while) xcrun notarytool submit notarization.zip --keychain-profile "notarytool-profile" --wait # we can't staple the app because it's executable - name: Test macOS signed executable if: runner.os == 'macOS' run: | file -b $PATH_TO_CYCODE_CLI_EXECUTABLE time $PATH_TO_CYCODE_CLI_EXECUTABLE version # verify signature codesign -dv --verbose=4 $PATH_TO_CYCODE_CLI_EXECUTABLE - name: Import cert for Windows and setup envs if: runner.os == 'Windows' env: SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }} run: | # import certificate echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/Certificate_pkcs12.p12 echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" # add required soft to the path echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH - name: Sign Windows executable if: runner.os == 'Windows' shell: cmd env: SM_HOST: ${{ secrets.SM_HOST }} SM_KEYPAIR_ALIAS: ${{ secrets.SM_KEYPAIR_ALIAS }} SM_API_KEY: ${{ secrets.SM_API_KEY }} SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} run: | :: setup SSM KSP curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi msiexec /i smtools-windows-x64.msi /quiet /qn C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user smctl windows certsync --keypair-alias=%SM_KEYPAIR_ALIAS% :: sign executable signtool.exe sign /sha1 %SM_CODE_SIGNING_CERT_SHA1_HASH% /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ".\dist\cycode-cli.exe" - name: Test Windows signed executable if: runner.os == 'Windows' shell: cmd run: | :: call executable and expect correct output .\dist\cycode-cli.exe version :: verify signature signtool.exe verify /v /pa ".\dist\cycode-cli.exe" - name: Prepare files for artifact and release (rename and calculate sha256) run: echo "ARTIFACT_NAME=$(./process_executable_file.py dist/cycode-cli)" >> $GITHUB_ENV - name: Upload files as artifact uses: actions/upload-artifact@v4 with: name: ${{ env.ARTIFACT_NAME }} path: dist - name: Upload files to release if: ${{ github.event_name == 'workflow_dispatch' && inputs.publish }} uses: svenstaro/upload-release-action@v2 with: file: dist/* tag: ${{ env.LATEST_TAG }} overwrite: true file_glob: true