create/.github/workflows/build_release.yml

name: Build Release
on:
  release:
    types: [created]
  schedule:
   - cron: "0 0 * * 3"
  workflow_dispatch:

permissions:
  contents: write

jobs:
  upload_src:
    runs-on: ubuntu-latest
    outputs:
      build_tag: ${{ steps.get_tag.outputs.build_tag }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          egress-policy: audit

      - name: Checkout Source
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          ref: ${{ github.sha }}
          fetch-depth: 2
          fetch-tags: true
          submodules: 'recursive'

      - name: get tag and create release if weekly
        id: get_tag
        shell: bash -l {0}
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          if [ "${{ github.event_name }}" = "release" ]; then
            export BUILD_TAG="${{ github.event.release.tag_name }}"
          else
            export BUILD_TAG=weekly-$(date "+%Y.%m.%d")
            gh release create ${BUILD_TAG} --title "Development Build ${BUILD_TAG}" -F .github/workflows/weekly-build-notes.md --prerelease || true
          fi
          echo "BUILD_TAG=${BUILD_TAG}" >> "$GITHUB_ENV"
          echo "build_tag=${BUILD_TAG}" >> "$GITHUB_OUTPUT"

      - name: Upload Source
        id: upload_source
        shell: bash -l {0}
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          python3 package/scripts/write_version_info.py ../freecad_version.txt
          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
          git config user.name 'github-actions[bot]'
          git apply package/disable_git_info.patch
          git commit -a -m "Disable git info write to Version.h"
          git archive HEAD -o freecad_source_${BUILD_TAG}.tar
          git submodule foreach --recursive \
            "git archive HEAD --prefix=\$path/ -o \$sha1.tar && \
             tar -A -f \$toplevel/freecad_source_${BUILD_TAG}.tar \$sha1.tar && \
             rm \$sha1.tar"
          gzip freecad_source_${BUILD_TAG}.tar
          sha256sum freecad_source_${BUILD_TAG}.tar.gz > freecad_source_${BUILD_TAG}.tar.gz-SHA256.txt
          gh release upload --clobber ${BUILD_TAG} "freecad_source_${BUILD_TAG}.tar.gz" "freecad_source_${BUILD_TAG}.tar.gz-SHA256.txt"

  build:
    needs: upload_src
    strategy:
      matrix:
        include:
          - { target: linux-64, os: ubuntu-22.04 }
          - { target: linux-arm64, os: ubuntu-22.04-arm }
          - { target: osx-64, os: macos-15-intel }
          - { target: osx-arm64, os: macos-latest }
          - { target: win-64, os: windows-latest }
      fail-fast: false

    runs-on: ${{ matrix.os }}
    environment: weekly-build
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          egress-policy: audit

      # prevent running out of disk space on Ubuntu runners.
      - name: Maximize build space
        if: runner.os == 'Linux'
        uses: AdityaGarg8/remove-unwanted-software@90e01b21170618765a73370fcc3abbd1684a7793 # v5
        with:
          verbose: 'true'
          remove-android: 'true'      # (frees ~9 GB)
          remove-cached-tools: 'true' # (frees ~8.3 GB)

      - name: Set Platform Environment Variables
        shell: bash -l {0}
        env:
          OPERATING_SYSTEM: ${{ runner.os }}
        run: |
          if [[ $OPERATING_SYSTEM == 'Windows' ]]; then
            echo 'PIXI_CACHE_DIR=D:\rattler' >> "$GITHUB_ENV"
            echo 'RATTLER_CACHE_DIR=D:\rattler' >> "$GITHUB_ENV"
          fi

      - name: Checkout Source
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          ref: ${{ github.sha }}
          fetch-depth: 2
          fetch-tags: true
          submodules: 'recursive'

      - uses: prefix-dev/setup-pixi@82d477f15f3a381dbcc8adc1206ce643fe110fb7 # v0.9.3
        with:
          pixi-version: v0.59.0
          cache: false

      - name: Install the Apple certificate and provisioning profile
        id: get_cert
        if: runner.os == 'macOS'
        env:
          APP_SPECIFIC_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
          BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
          DEVELOPER_TEAM_ID: ${{ secrets.DEVELOPER_TEAM_ID }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
        run: |
          if [ -z "$BUILD_CERTIFICATE_BASE64" ]; then
            echo "has_cert=false" >> $GITHUB_OUTPUT
            echo "No certificate avalable... skipping" && exit 0
          else
            echo "has_cert=true" >> $GITHUB_OUTPUT
          fi
          # create variables
          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
          PP_PATH=$RUNNER_TEMP/FreeCAD_bundle.provisionprofile
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

          export KEYCHAIN_PASSWORD=$(openssl rand -base64 8)

          # import certificate and provisioning profile from secrets
          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
          echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH

          # create temporary keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

          # import certificate to keychain
          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security list-keychain -d user -s $KEYCHAIN_PATH

          # apply provisioning profile
          mkdir -p ~/Library/Provisioning\ Profiles
          cp $PP_PATH ~/Library/Provisioning\ Profiles

          xcrun notarytool store-credentials "FreeCAD" --keychain "$KEYCHAIN_PATH" --apple-id "${APPLE_ID}" --password "${APP_SPECIFIC_PASSWORD}" --team-id "${DEVELOPER_TEAM_ID}"

      - name: Build and Release Packages
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
          SIGN_RELEASE: ${{ steps.get_cert.outputs.has_cert }}
          TARGET_PLATFORM: ${{ matrix.target }}
          MAKE_INSTALLER: "true"
          UPLOAD_RELEASE: "true"
          BUILD_TAG: ${{ needs.upload_src.outputs.build_tag }}
        run: |
          python3 package/scripts/write_version_info.py ../freecad_version.txt
          cd package/rattler-build
          pixi install
          pixi run -e package create_bundle

      ## Needed if running on a self-hosted runner:
      # - name: Clean up keychain and provisioning profile
      #   if: ${{ always() }}
      #   run: |
      #     security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
      #     rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision