build: wire desktop-bundle pipeline (CI matrix + per-platform installers)
Stand up the seamless-download path for non-technical buyers:
* .github/workflows/build.yml — matrix CI (mac/win/linux) that builds
PyInstaller bundles and packages them per platform on tag push,
attaching the resulting installers to a GitHub Release.
* build/installer.iss — Inno Setup script for the Windows installer
(per-user install, optional desktop shortcut, runs on finish).
* build/macos/build_dmg.sh — wraps DataTools.app into a .dmg with a
drag-to-/Applications layout.
* build/appimage/{AppRun,datatools.desktop,build.sh} — AppImage recipe.
* src/__init__.py — single source of truth for __version__; the spec
reads it (was hardcoded), CI passes it through to all packagers.
Buyer download path now lives in the top-level README. Per-build
README documents the Phase 2 step (signing/notarization) that needs
the owner's Apple Developer + Windows code-signing credentials —
those are intentionally not in CI yet because they require setup
outside this repo.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -16,15 +16,75 @@ build/
|
||||
│ Streamlit server, opens browser, locks server
|
||||
│ to 127.0.0.1 so the privacy claim holds.
|
||||
├── datatools.spec PyInstaller spec — hidden imports, data files,
|
||||
│ Mac .app bundle config.
|
||||
│ Mac .app bundle config. Reads the version
|
||||
│ from src/__init__.py.
|
||||
├── installer.iss Inno Setup script — Windows .exe installer.
|
||||
├── macos/
|
||||
│ └── build_dmg.sh Wraps dist/DataTools.app into a .dmg with a
|
||||
│ drag-to-/Applications layout.
|
||||
├── appimage/
|
||||
│ ├── AppRun Entry point invoked when the AppImage runs.
|
||||
│ ├── datatools.desktop Linux desktop-entry metadata.
|
||||
│ └── build.sh Wraps dist/DataTools/ into an .AppImage.
|
||||
├── hooks/ PyInstaller hooks for libs the static analyser
|
||||
│ └── hook-streamlit.py misses (Streamlit's dynamic imports).
|
||||
├── icon.icns macOS app icon (TODO: produce from a 1024×1024
|
||||
│ PNG. Optional — bundle still builds without).
|
||||
├── icon.ico Windows app icon (TODO).
|
||||
├── icon.png Linux AppImage icon (TODO — build.sh generates
|
||||
│ a placeholder if missing).
|
||||
└── README.md this file
|
||||
```
|
||||
|
||||
CI: `.github/workflows/build.yml` runs the full pipeline on tag push
|
||||
(matrix: macos-latest, windows-latest, ubuntu-latest) and attaches
|
||||
the resulting installers to a GitHub Release. Manual
|
||||
`workflow_dispatch` runs upload them as workflow artifacts only.
|
||||
|
||||
## Releasing
|
||||
|
||||
1. Bump `__version__` in `src/__init__.py`.
|
||||
2. `git commit -am "release: vX.Y.Z" && git tag vX.Y.Z`.
|
||||
3. `git push && git push --tags`.
|
||||
4. CI builds all three platforms and creates a GitHub Release with
|
||||
the installers attached.
|
||||
5. Mirror the GitHub Release assets to Gumroad (manual until v2).
|
||||
|
||||
## Signing (Phase 2 — needs accounts/credentials)
|
||||
|
||||
Both code-signing steps are intentionally not in CI yet because they
|
||||
require credentials the owner sets up first.
|
||||
|
||||
**macOS** — Apple Developer Program enrollment ($99/yr). Once enrolled,
|
||||
add these GitHub Secrets and uncomment the `codesign` + `notarytool`
|
||||
steps in `build.yml`:
|
||||
|
||||
| Secret | Value |
|
||||
|---|---|
|
||||
| `MACOS_DEVELOPER_ID_CERT_P12_BASE64` | base64-encoded `.p12` cert |
|
||||
| `MACOS_DEVELOPER_ID_CERT_PASSWORD` | password for the .p12 |
|
||||
| `MACOS_NOTARY_APPLE_ID` | Apple ID email |
|
||||
| `MACOS_NOTARY_TEAM_ID` | 10-char team ID |
|
||||
| `MACOS_NOTARY_PASSWORD` | app-specific password |
|
||||
|
||||
**Windows** — Code-signing cert from Sectigo / DigiCert (~$200-400/yr,
|
||||
or ~$300-500 for an EV cert that bypasses SmartScreen). Add:
|
||||
|
||||
| Secret | Value |
|
||||
|---|---|
|
||||
| `WINDOWS_CERT_PFX_BASE64` | base64-encoded `.pfx` cert |
|
||||
| `WINDOWS_CERT_PASSWORD` | password for the .pfx |
|
||||
|
||||
Until those are wired, buyers will see:
|
||||
- macOS: "DataTools is damaged and can't be opened" — fix by removing
|
||||
the quarantine attribute (`xattr -cr /Applications/DataTools.app`).
|
||||
Acceptable for the technical buyer; **blocking** for the
|
||||
non-technical buyer. Don't ship to non-technical without notarization.
|
||||
- Windows: SmartScreen "Windows protected your PC" — buyer clicks
|
||||
"More info → Run anyway". Friction but not blocking.
|
||||
- Linux: AppImage runs without complaint (Linux has no equivalent
|
||||
trust-store).
|
||||
|
||||
## Per-platform recipe
|
||||
|
||||
Each platform builds on its own machine — PyInstaller does **not**
|
||||
|
||||
Reference in New Issue
Block a user