name: Weekly Build on: schedule: - cron: "42 18 * * 1" workflow_dispatch: permissions: contents: write jobs: tag_build: runs-on: ubuntu-latest outputs: build_tag: ${{ steps.tag_build.outputs.build_tag }} steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit - name: Checkout Source uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 2 fetch-tags: true submodules: 'recursive' - name: Tag Build id: tag_build shell: bash -l {0} env: GH_TOKEN: ${{ github.token }} run: | export BUILD_TAG=weekly-$(date "+%Y.%m.%d") echo "BUILD_TAG=${BUILD_TAG}" >> "$GITHUB_ENV" echo "build_tag=${BUILD_TAG}" >> "$GITHUB_OUTPUT" gh release create ${BUILD_TAG} --title "Development Build ${BUILD_TAG}" -F .github/workflows/weekly-build-notes.md --prerelease || true - name: Upload Source id: upload_source shell: bash -l {0} env: GH_TOKEN: ${{ github.token }} run: | python3 package/rattler-build/scripts/make_version_file.py ../freecad_version.txt git config user.email '41898282+github-actions[bot]@users.noreply.github.com' git config user.name 'github-actions[bot]' git apply package/rattler-build/scripts/disable_git_info.patch git commit -a -m "Disable git info write to Version.h" git archive HEAD -o freecad_source_${BUILD_TAG}.tar git submodule foreach --recursive \ "git archive HEAD --prefix=\$path/ -o \$sha1.tar && \ tar -A -f \$toplevel/freecad_source_${BUILD_TAG}.tar \$sha1.tar && \ rm \$sha1.tar" gzip freecad_source_${BUILD_TAG}.tar sha256sum freecad_source_${BUILD_TAG}.tar.gz > freecad_source_${BUILD_TAG}.tar.gz-SHA256.txt gh release upload --clobber ${BUILD_TAG} "freecad_source_${BUILD_TAG}.tar.gz" "freecad_source_${BUILD_TAG}.tar.gz-SHA256.txt" build: needs: tag_build strategy: matrix: include: - { target: linux-64, os: ubuntu-22.04 } - { target: linux-arm64, os: ubuntu-22.04-arm } - { target: osx-64, os: macos-13 } - { target: osx-arm64, os: macos-latest } - { target: win-64, os: windows-latest } fail-fast: false runs-on: ${{ matrix.os }} environment: weekly-build steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit # prevent running out of disk space on Ubuntu runners. - name: Maximize build space if: runner.os == 'Linux' uses: AdityaGarg8/remove-unwanted-software@90e01b21170618765a73370fcc3abbd1684a7793 # v5 with: verbose: 'true' remove-android: 'true' # (frees ~9 GB) remove-cached-tools: 'true' # (frees ~8.3 GB) - name: Set Platform Environment Variables shell: bash -l {0} env: BUILD_TAG: ${{ needs.tag_build.outputs.build_tag }} OPERATING_SYSTEM: ${{ runner.os }} run: | echo "BUILD_TAG=${BUILD_TAG}" >> "$GITHUB_ENV" if [[ $OPERATING_SYSTEM == 'Windows' ]]; then echo 'PIXI_CACHE_DIR=D:\rattler' >> "$GITHUB_ENV" echo 'RATTLER_CACHE_DIR=D:\rattler' >> "$GITHUB_ENV" fi - name: Checkout Source uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 2 fetch-tags: true submodules: 'recursive' - uses: prefix-dev/setup-pixi@14c8aabd75893f83f4ab30c03e7cf853c8208961 # v0.8.10 with: pixi-version: v0.48.1 cache: false - name: Install the Apple certificate and provisioning profile if: runner.os == 'macOS' env: APP_SPECIFIC_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }} APPLE_ID: ${{ secrets.APPLE_ID }} BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }} BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }} DEVELOPER_TEAM_ID: ${{ secrets.DEVELOPER_TEAM_ID }} KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} P12_PASSWORD: ${{ secrets.P12_PASSWORD }} run: | # create variables CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 PP_PATH=$RUNNER_TEMP/FreeCAD_Weekly.provisionprofile KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db export KEYCHAIN_PASSWORD=$(openssl rand -base64 8) # import certificate and provisioning profile from secrets echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH # create temporary keychain security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security set-keychain-settings -lut 21600 $KEYCHAIN_PATH security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH # import certificate to keychain security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security list-keychain -d user -s $KEYCHAIN_PATH # apply provisioning profile mkdir -p ~/Library/Provisioning\ Profiles cp $PP_PATH ~/Library/Provisioning\ Profiles xcrun notarytool store-credentials "FreeCAD" --keychain "$KEYCHAIN_PATH" --apple-id "${APPLE_ID}" --password "${APP_SPECIFIC_PASSWORD}" --team-id "${DEVELOPER_TEAM_ID}" - name: Build and Release Packages shell: bash env: GH_TOKEN: ${{ github.token }} SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }} SIGN_RELEASE: "true" TARGET_PLATFORM: ${{ matrix.target }} UPLOAD_RELEASE: "true" run: | python3 package/rattler-build/scripts/make_version_file.py ../freecad_version.txt git apply package/rattler-build/scripts/disable_git_info.patch cd package/rattler-build pixi install pixi run -e package create_bundle ## Needed if running on a self-hosted runner: # - name: Clean up keychain and provisioning profile # if: ${{ always() }} # run: | # security delete-keychain $RUNNER_TEMP/app-signing.keychain-db # rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision