Add a guarded "Sign & notarize macOS app" step to build.yml that signs dist/DataTools.app with the Developer ID (hardened runtime + entitlements + secure timestamp), notarizes via notarytool, and staples the ticket — running before DMG packaging. The step exits 0 with a warning when the MACOS_* secrets are absent, so dry-run dispatches still produce an (unsigned) build. Add build/macos/entitlements.plist with the hardened-runtime entitlements a frozen PyInstaller/CPython app needs (JIT memory, library-validation disabled for bundled .so/.dylib + Tesseract). Update build/README.md to reflect that macOS signing is now wired and only needs the secrets. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
242 lines
9.6 KiB
YAML
242 lines
9.6 KiB
YAML
name: Build installers
|
|
|
|
# Triggers:
|
|
# * Tag push (v*) → produces installers, attaches them to a GitHub Release.
|
|
# * Manual dispatch → uploads the installers as workflow artifacts only.
|
|
#
|
|
# Outputs per platform (downloadable by buyers):
|
|
# * macOS: .dmg installer
|
|
# * Windows: .exe installer
|
|
# * Linux: .AppImage (already portable; no separate installer step)
|
|
#
|
|
# Self-contained: every artifact ships its own Python interpreter + every
|
|
# runtime dep (including bundled Tesseract OCR) through PyInstaller. No
|
|
# pre/post install steps on the buyer's machine.
|
|
#
|
|
# What this workflow doesn't do (yet):
|
|
# * Code signing (Mac Developer ID, Windows code-signing cert).
|
|
# Those need GitHub Secrets the owner sets up first. See
|
|
# build/README.md "Signing" for the secret names this workflow
|
|
# will read once they exist.
|
|
# * Auto-update endpoint generation. v1 distributes via Gumroad;
|
|
# buyers re-download for updates.
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
|
|
permissions:
|
|
contents: write # needed to create the release on tag push
|
|
|
|
jobs:
|
|
build:
|
|
name: Build (${{ matrix.os }})
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- os: macos-latest
|
|
platform: mac
|
|
artifact_name: DataTools-mac.dmg
|
|
artifact_path: dist/DataTools-*-mac.dmg
|
|
- os: windows-latest
|
|
platform: win
|
|
artifact_name: DataTools-win.exe
|
|
artifact_path: dist/DataTools-*-win-setup.exe
|
|
- os: ubuntu-latest
|
|
platform: linux
|
|
artifact_name: DataTools-linux.AppImage
|
|
artifact_path: dist/DataTools-*-linux-x86_64.AppImage
|
|
runs-on: ${{ matrix.os }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: '3.12'
|
|
cache: pip
|
|
|
|
- name: Install build deps
|
|
run: |
|
|
pip install --upgrade pip
|
|
pip install -r requirements.txt
|
|
pip install pyinstaller pillow
|
|
|
|
# ---- Tesseract bundling cache --------------------------------
|
|
# The fetch logic inside build/tesseract.py downloads:
|
|
# * build/vendor/tessdata/eng.traineddata (~16 MB, shared)
|
|
# * build/_tesseract/<platform>/ (binary + libs, 30-120 MB)
|
|
# Cache both so iterative CI runs don't re-download. The
|
|
# cache key bakes in the pinned Tesseract version + tessdata
|
|
# URL so a version bump invalidates automatically.
|
|
- name: Cache Tesseract bundle inputs
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
build/_tesseract
|
|
build/vendor/tessdata
|
|
key: tesseract-${{ runner.os }}-5.5.0-tessdata_best-v1
|
|
|
|
# ---- Linux: install patchelf so tesseract.py can rewrite
|
|
# RPATH on the bundled tesseract binary. apt-get install
|
|
# tesseract-ocr is handled inside tesseract.py itself. --------
|
|
- name: Install Linux build prereqs for Tesseract bundling
|
|
if: matrix.os == 'ubuntu-latest'
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y patchelf
|
|
|
|
- name: Read version
|
|
id: version
|
|
shell: bash
|
|
run: |
|
|
VER=$(python -c "import re; print(re.search(r'__version__\s*=\s*\"([^\"]+)\"', open('src/__init__.py').read()).group(1))")
|
|
echo "version=$VER" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Generate platform icons
|
|
run: python build/generate_icons.py
|
|
|
|
# Stage Tesseract before PyInstaller. The tesseract.py helpers
|
|
# handle the per-platform fetch (UB-Mannheim on Win, brew on
|
|
# Mac, apt on Linux) and stage the binary + libs into
|
|
# build/_tesseract/<platform>/ where the spec picks them up.
|
|
# We invoke a tiny inline Python so the workflow doesn't have
|
|
# to know the per-platform target string.
|
|
- name: Stage Tesseract binary + tessdata
|
|
shell: bash
|
|
env:
|
|
DATATOOLS_PLATFORM: ${{ matrix.platform }}
|
|
run: |
|
|
python - <<'PY'
|
|
import os, sys
|
|
sys.path.insert(0, "build")
|
|
from tesseract import fetch_tessdata, fetch_tesseract_for_platform
|
|
target = os.environ["DATATOOLS_PLATFORM"]
|
|
fetch_tessdata()
|
|
fetch_tesseract_for_platform(target)
|
|
PY
|
|
|
|
- name: Build PyInstaller bundle
|
|
shell: bash
|
|
env:
|
|
# The spec reads this to find the per-platform staging dir;
|
|
# see build/datatools.spec for the contract.
|
|
DATATOOLS_TESS_STAGING: build/_tesseract/${{ matrix.platform }}
|
|
run: pyinstaller build/datatools.spec --clean --noconfirm
|
|
|
|
# ---- macOS code signing + notarization (before DMG packaging) -
|
|
# Signs dist/DataTools.app with the Developer ID, notarizes it,
|
|
# and staples the ticket so Gatekeeper passes offline. Wrapped in
|
|
# a guard: if the cert secret is absent the step prints a warning
|
|
# and exits 0, so dry-run dispatches still produce an (unsigned)
|
|
# build. Secret names match build/README.md "Signing".
|
|
- name: Sign & notarize macOS app
|
|
if: matrix.os == 'macos-latest'
|
|
env:
|
|
CERT_P12_BASE64: ${{ secrets.MACOS_DEVELOPER_ID_CERT_P12_BASE64 }}
|
|
CERT_PASSWORD: ${{ secrets.MACOS_DEVELOPER_ID_CERT_PASSWORD }}
|
|
NOTARY_APPLE_ID: ${{ secrets.MACOS_NOTARY_APPLE_ID }}
|
|
NOTARY_TEAM_ID: ${{ secrets.MACOS_NOTARY_TEAM_ID }}
|
|
NOTARY_PASSWORD: ${{ secrets.MACOS_NOTARY_PASSWORD }}
|
|
run: |
|
|
set -euo pipefail
|
|
if [ -z "${CERT_P12_BASE64:-}" ]; then
|
|
echo "::warning::MACOS_DEVELOPER_ID_CERT_P12_BASE64 not set — shipping an UNSIGNED build (Gatekeeper will warn buyers)."
|
|
exit 0
|
|
fi
|
|
|
|
APP="dist/DataTools.app"
|
|
|
|
# 1. Import the Developer ID cert into an ephemeral keychain.
|
|
KEYCHAIN="$RUNNER_TEMP/build.keychain-db"
|
|
KEYCHAIN_PW="$(uuidgen)"
|
|
security create-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
|
|
security set-keychain-settings -lut 3600 "$KEYCHAIN"
|
|
security unlock-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
|
|
echo "$CERT_P12_BASE64" | base64 --decode > "$RUNNER_TEMP/cert.p12"
|
|
security import "$RUNNER_TEMP/cert.p12" -k "$KEYCHAIN" -P "$CERT_PASSWORD" \
|
|
-T /usr/bin/codesign
|
|
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PW" "$KEYCHAIN" >/dev/null
|
|
# Make the ephemeral keychain searchable (preserve the login keychain).
|
|
security list-keychains -d user -s "$KEYCHAIN" \
|
|
$(security list-keychains -d user | sed 's/"//g')
|
|
|
|
IDENTITY="$(security find-identity -v -p codesigning "$KEYCHAIN" \
|
|
| grep 'Developer ID Application' | head -1 | awk -F'"' '{print $2}')"
|
|
if [ -z "$IDENTITY" ]; then
|
|
echo "::error::No 'Developer ID Application' identity found in the imported cert."
|
|
exit 1
|
|
fi
|
|
echo "Signing with: $IDENTITY"
|
|
|
|
# 2. Sign the bundle (hardened runtime + secure timestamp + entitlements).
|
|
# --deep signs the nested dylibs/.so the PyInstaller bundle carries.
|
|
codesign --deep --force --options runtime --timestamp \
|
|
--entitlements build/macos/entitlements.plist \
|
|
--sign "$IDENTITY" "$APP"
|
|
codesign --verify --strict --verbose=2 "$APP"
|
|
|
|
# 3. Notarize the .app (notarytool needs a zip/dmg/pkg, not a bare .app),
|
|
# then staple so Gatekeeper validates offline.
|
|
if [ -n "${NOTARY_APPLE_ID:-}" ]; then
|
|
ditto -c -k --keepParent "$APP" "$RUNNER_TEMP/DataTools.zip"
|
|
xcrun notarytool submit "$RUNNER_TEMP/DataTools.zip" \
|
|
--apple-id "$NOTARY_APPLE_ID" \
|
|
--team-id "$NOTARY_TEAM_ID" \
|
|
--password "$NOTARY_PASSWORD" \
|
|
--wait
|
|
xcrun stapler staple "$APP"
|
|
xcrun stapler validate "$APP"
|
|
else
|
|
echo "::warning::Notary credentials not set — app is signed but NOT notarized (Gatekeeper will still warn)."
|
|
fi
|
|
|
|
rm -f "$RUNNER_TEMP/cert.p12"
|
|
|
|
# ---- Per-platform installer packaging ------------------------
|
|
|
|
- name: Package macOS DMG (installer)
|
|
if: matrix.os == 'macos-latest'
|
|
run: bash build/macos/build_dmg.sh "${{ steps.version.outputs.version }}"
|
|
|
|
- name: Install Inno Setup (Windows)
|
|
if: matrix.os == 'windows-latest'
|
|
run: choco install innosetup --no-progress -y
|
|
|
|
- name: Package Windows installer
|
|
if: matrix.os == 'windows-latest'
|
|
shell: cmd
|
|
run: |
|
|
iscc /DAppVersion=${{ steps.version.outputs.version }} build\installer.iss
|
|
|
|
- name: Install AppImage tooling (Linux)
|
|
if: matrix.os == 'ubuntu-latest'
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y libfuse2 wget
|
|
wget -q https://github.com/AppImage/AppImageKit/releases/download/continuous/appimagetool-x86_64.AppImage -O /usr/local/bin/appimagetool
|
|
sudo chmod +x /usr/local/bin/appimagetool
|
|
|
|
- name: Package Linux AppImage
|
|
if: matrix.os == 'ubuntu-latest'
|
|
run: bash build/appimage/build.sh "${{ steps.version.outputs.version }}"
|
|
|
|
# ---- Upload + release ----------------------------------------
|
|
|
|
- name: Upload installer artifact
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: ${{ matrix.artifact_name }}
|
|
path: ${{ matrix.artifact_path }}
|
|
if-no-files-found: error
|
|
|
|
- name: Attach to Release (tag push only)
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
uses: softprops/action-gh-release@v2
|
|
with:
|
|
files: ${{ matrix.artifact_path }}
|
|
fail_on_unmatched_files: true
|
|
generate_release_notes: true
|