Bump docker/setup-buildx-action from 3 to 4 (#401) #417
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build executable version of CLI and optionally upload artifact | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| publish: | |
| description: 'Upload artifacts to release' | |
| required: false | |
| default: false | |
| type: boolean | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: write | |
| jobs: | |
| build: | |
| name: Build on ${{ matrix.os }} (${{ matrix.mode }} mode) | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ ubuntu-22.04, macos-15-intel, macos-15, windows-2022 ] | |
| mode: [ 'onefile', 'onedir' ] | |
| exclude: | |
| - os: ubuntu-22.04 | |
| mode: onedir | |
| - os: windows-2022 | |
| mode: onedir | |
| runs-on: ${{ matrix.os }} | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - name: Run Cimon | |
| if: matrix.os == 'ubuntu-22.04' | |
| uses: cycodelabs/cimon-action@v0 | |
| with: | |
| client-id: ${{ secrets.CIMON_CLIENT_ID }} | |
| secret: ${{ secrets.CIMON_SECRET }} | |
| prevent: true | |
| allowed-hosts: > | |
| files.pythonhosted.org | |
| install.python-poetry.org | |
| pypi.org | |
| uploads.github.com | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Checkout latest release tag | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| run: | | |
| LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`) | |
| git checkout $LATEST_TAG | |
| echo "LATEST_TAG=$LATEST_TAG" >> $GITHUB_ENV | |
| - name: Set up Python 3.13 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.13' | |
| - name: Load cached Poetry setup | |
| id: cached-poetry | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.local | |
| key: poetry-${{ matrix.os }}-2 # increment to reset cache | |
| - name: Setup Poetry | |
| if: steps.cached-poetry.outputs.cache-hit != 'true' | |
| uses: snok/install-poetry@v1 | |
| with: | |
| version: 2.2.1 | |
| - name: Add Poetry to PATH | |
| run: echo "$HOME/.local/bin" >> $GITHUB_PATH | |
| - name: Install dependencies | |
| run: poetry install --without dev,test | |
| - name: Import macOS signing certificate | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_CERT: ${{ secrets.APPLE_CERT }} | |
| APPLE_CERT_PWD: ${{ secrets.APPLE_CERT_PWD }} | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} | |
| run: | | |
| # import certificate | |
| CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 | |
| echo -n "$APPLE_CERT" | base64 --decode -o $CERTIFICATE_PATH | |
| # create temporary keychain | |
| KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
| security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
| security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| # import certificate to keychain | |
| security import $CERTIFICATE_PATH -P "$APPLE_CERT_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
| security list-keychain -d user -s $KEYCHAIN_PATH | |
| - name: Build executable (onefile) | |
| if: matrix.mode == 'onefile' | |
| env: | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| run: | | |
| poetry run pyinstaller pyinstaller.spec | |
| echo "PATH_TO_CYCODE_CLI_EXECUTABLE=dist/cycode-cli" >> $GITHUB_ENV | |
| - name: Build executable (onedir) | |
| if: matrix.mode == 'onedir' | |
| env: | |
| CYCODE_ONEDIR_MODE: 1 | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| run: | | |
| poetry run pyinstaller pyinstaller.spec | |
| echo "PATH_TO_CYCODE_CLI_EXECUTABLE=dist/cycode-cli/cycode-cli" >> $GITHUB_ENV | |
| - name: Test executable | |
| run: time $PATH_TO_CYCODE_CLI_EXECUTABLE status | |
| - name: Codesign onedir binaries | |
| if: runner.os == 'macOS' && matrix.mode == 'onedir' | |
| env: | |
| APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }} | |
| run: | | |
| # The standalone _internal/Python fails codesign --verify --strict because it was | |
| # extracted from Python.framework without Info.plist context. | |
| # Fix: remove the bare copy and replace with the framework version's binary, | |
| # then delete the framework directory (it's redundant). | |
| if [ -d dist/cycode-cli/_internal/Python.framework ]; then | |
| FRAMEWORK_PYTHON=$(find dist/cycode-cli/_internal/Python.framework/Versions -name "Python" -type f | head -1) | |
| if [ -n "$FRAMEWORK_PYTHON" ]; then | |
| echo "Replacing _internal/Python with framework binary" | |
| rm dist/cycode-cli/_internal/Python | |
| cp "$FRAMEWORK_PYTHON" dist/cycode-cli/_internal/Python | |
| fi | |
| rm -rf dist/cycode-cli/_internal/Python.framework | |
| fi | |
| # Sign all Mach-O binaries (excluding the main executable) | |
| while IFS= read -r file; do | |
| if file -b "$file" | grep -q "Mach-O"; then | |
| echo "Signing: $file" | |
| codesign --force --sign "$APPLE_CERT_NAME" --timestamp --options runtime "$file" | |
| fi | |
| done < <(find dist/cycode-cli -type f ! -name "cycode-cli") | |
| # Re-sign the main executable with entitlements (must be last) | |
| codesign --force --sign "$APPLE_CERT_NAME" --timestamp --options runtime --entitlements entitlements.plist dist/cycode-cli/cycode-cli | |
| - name: Notarize macOS executable | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_NOTARIZATION_EMAIL: ${{ secrets.APPLE_NOTARIZATION_EMAIL }} | |
| APPLE_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARIZATION_PWD }} | |
| APPLE_NOTARIZATION_TEAM_ID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }} | |
| run: | | |
| # create keychain profile | |
| xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_NOTARIZATION_EMAIL" --team-id "$APPLE_NOTARIZATION_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD" | |
| # create zip file (notarization does not support bare binaries) | |
| ditto -c -k --keepParent dist/cycode-cli notarization.zip | |
| # notarize app (this will take a while) | |
| NOTARIZE_OUTPUT=$(xcrun notarytool submit notarization.zip --keychain-profile "notarytool-profile" --wait 2>&1) || true | |
| echo "$NOTARIZE_OUTPUT" | |
| # extract submission ID for log retrieval | |
| SUBMISSION_ID=$(echo "$NOTARIZE_OUTPUT" | grep " id:" | head -1 | awk '{print $2}') | |
| # check notarization status explicitly | |
| if echo "$NOTARIZE_OUTPUT" | grep -q "status: Accepted"; then | |
| echo "Notarization succeeded!" | |
| else | |
| echo "Notarization failed! Fetching log for details..." | |
| if [ -n "$SUBMISSION_ID" ]; then | |
| xcrun notarytool log "$SUBMISSION_ID" --keychain-profile "notarytool-profile" || true | |
| fi | |
| exit 1 | |
| fi | |
| # we can't staple the app because it's executable | |
| - name: Verify macOS code signatures | |
| if: runner.os == 'macOS' | |
| run: | | |
| FAILED=false | |
| while IFS= read -r file; do | |
| if file -b "$file" | grep -q "Mach-O"; then | |
| if ! codesign --verify "$file" 2>&1; then | |
| echo "INVALID: $file" | |
| codesign -dv "$file" 2>&1 || true | |
| FAILED=true | |
| else | |
| echo "OK: $file" | |
| fi | |
| fi | |
| done < <(find dist/cycode-cli -type f) | |
| if [ "$FAILED" = true ]; then | |
| echo "Found binaries with invalid signatures!" | |
| exit 1 | |
| fi | |
| codesign -dv --verbose=4 $PATH_TO_CYCODE_CLI_EXECUTABLE | |
| - name: Test macOS signed executable | |
| if: runner.os == 'macOS' | |
| run: | | |
| file -b $PATH_TO_CYCODE_CLI_EXECUTABLE | |
| time $PATH_TO_CYCODE_CLI_EXECUTABLE status | |
| - name: Import cert for Windows and setup envs | |
| if: runner.os == 'Windows' | |
| env: | |
| SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }} | |
| run: | | |
| # import certificate | |
| echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/Certificate_pkcs12.p12 | |
| echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" | |
| # add required soft to the path | |
| echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH | |
| echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH | |
| - name: Sign Windows executable | |
| if: runner.os == 'Windows' | |
| shell: cmd | |
| env: | |
| SM_HOST: ${{ secrets.SM_HOST }} | |
| SM_KEYPAIR_ALIAS: ${{ secrets.SM_KEYPAIR_ALIAS }} | |
| SM_API_KEY: ${{ secrets.SM_API_KEY }} | |
| SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} | |
| SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} | |
| run: | | |
| :: setup SSM KSP | |
| curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi | |
| msiexec /i smtools-windows-x64.msi /quiet /qn | |
| C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user | |
| smctl windows certsync --keypair-alias=%SM_KEYPAIR_ALIAS% | |
| :: sign executable | |
| signtool.exe sign /sha1 %SM_CODE_SIGNING_CERT_SHA1_HASH% /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ".\dist\cycode-cli.exe" | |
| - name: Test Windows signed executable | |
| if: runner.os == 'Windows' | |
| shell: cmd | |
| run: | | |
| :: call executable and expect correct output | |
| .\dist\cycode-cli.exe status | |
| :: verify signature | |
| signtool.exe verify /v /pa ".\dist\cycode-cli.exe" | |
| - name: Prepare files for artifact and release (rename and calculate sha256) | |
| run: echo "ARTIFACT_NAME=$(./process_executable_file.py dist/cycode-cli)" >> $GITHUB_ENV | |
| - name: Upload files as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.ARTIFACT_NAME }} | |
| path: dist | |
| - name: Verify macOS artifact end-to-end | |
| if: runner.os == 'macOS' && matrix.mode == 'onedir' | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.ARTIFACT_NAME }} | |
| path: /tmp/artifact-verify | |
| - name: Verify macOS artifact signatures and run with quarantine | |
| if: runner.os == 'macOS' && matrix.mode == 'onedir' | |
| run: | | |
| # extract the onedir zip exactly as an end user would | |
| ARCHIVE=$(find /tmp/artifact-verify -name "*.zip" | head -1) | |
| echo "Verifying archive: $ARCHIVE" | |
| unzip "$ARCHIVE" -d /tmp/artifact-extracted | |
| # verify all Mach-O code signatures | |
| FAILED=false | |
| while IFS= read -r file; do | |
| if file -b "$file" | grep -q "Mach-O"; then | |
| if ! codesign --verify "$file" 2>&1; then | |
| echo "INVALID: $file" | |
| codesign -dv "$file" 2>&1 || true | |
| FAILED=true | |
| else | |
| echo "OK: $file" | |
| fi | |
| fi | |
| done < <(find /tmp/artifact-extracted -type f) | |
| if [ "$FAILED" = true ]; then | |
| echo "Artifact contains binaries with invalid signatures!" | |
| exit 1 | |
| fi | |
| # simulate download quarantine and test execution | |
| # this is the definitive test — it triggers the same dlopen checks end users experience | |
| find /tmp/artifact-extracted -type f -exec xattr -w com.apple.quarantine "0081;$(printf '%x' $(date +%s));CI;$(uuidgen)" {} \; | |
| EXECUTABLE=$(find /tmp/artifact-extracted -name "cycode-cli" -type f | head -1) | |
| echo "Testing quarantined executable: $EXECUTABLE" | |
| time "$EXECUTABLE" status | |
| - name: Upload files to release | |
| if: ${{ github.event_name == 'workflow_dispatch' && inputs.publish }} | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| file: dist/* | |
| tag: ${{ env.LATEST_TAG }} | |
| overwrite: true | |
| file_glob: true |