de8d02e0bb
GitHub is deprecating macOS 13 runners -- the only remaining Intel runner is now macOS 15, and it is scheduled for retirement in 2027, at which point we will no longer be able to provide Intel weeklies.
171 lines
6.8 KiB
YAML
171 lines
6.8 KiB
YAML
name: Weekly Build
|
|
on:
|
|
schedule:
|
|
- cron: "0 0 * * 3"
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
tag_build:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
build_tag: ${{ steps.tag_build.outputs.build_tag }}
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout Source
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
fetch-depth: 2
|
|
fetch-tags: true
|
|
submodules: 'recursive'
|
|
|
|
- name: Tag Build
|
|
id: tag_build
|
|
shell: bash -l {0}
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
run: |
|
|
export BUILD_TAG=weekly-$(date "+%Y.%m.%d")
|
|
echo "BUILD_TAG=${BUILD_TAG}" >> "$GITHUB_ENV"
|
|
echo "build_tag=${BUILD_TAG}" >> "$GITHUB_OUTPUT"
|
|
gh release create ${BUILD_TAG} --title "Development Build ${BUILD_TAG}" -F .github/workflows/weekly-build-notes.md --prerelease || true
|
|
|
|
- name: Upload Source
|
|
id: upload_source
|
|
shell: bash -l {0}
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
run: |
|
|
python3 package/rattler-build/scripts/make_version_file.py ../freecad_version.txt
|
|
git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
|
|
git config user.name 'github-actions[bot]'
|
|
git apply package/rattler-build/scripts/disable_git_info.patch
|
|
git commit -a -m "Disable git info write to Version.h"
|
|
git archive HEAD -o freecad_source_${BUILD_TAG}.tar
|
|
git submodule foreach --recursive \
|
|
"git archive HEAD --prefix=\$path/ -o \$sha1.tar && \
|
|
tar -A -f \$toplevel/freecad_source_${BUILD_TAG}.tar \$sha1.tar && \
|
|
rm \$sha1.tar"
|
|
gzip freecad_source_${BUILD_TAG}.tar
|
|
sha256sum freecad_source_${BUILD_TAG}.tar.gz > freecad_source_${BUILD_TAG}.tar.gz-SHA256.txt
|
|
gh release upload --clobber ${BUILD_TAG} "freecad_source_${BUILD_TAG}.tar.gz" "freecad_source_${BUILD_TAG}.tar.gz-SHA256.txt"
|
|
|
|
build:
|
|
needs: tag_build
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- { target: linux-64, os: ubuntu-22.04 }
|
|
- { target: linux-arm64, os: ubuntu-22.04-arm }
|
|
- { target: osx-64, os: macos-15-intel }
|
|
- { target: osx-arm64, os: macos-latest }
|
|
- { target: win-64, os: windows-latest }
|
|
fail-fast: false
|
|
|
|
runs-on: ${{ matrix.os }}
|
|
environment: weekly-build
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
|
|
with:
|
|
egress-policy: audit
|
|
|
|
# prevent running out of disk space on Ubuntu runners.
|
|
- name: Maximize build space
|
|
if: runner.os == 'Linux'
|
|
uses: AdityaGarg8/remove-unwanted-software@90e01b21170618765a73370fcc3abbd1684a7793 # v5
|
|
with:
|
|
verbose: 'true'
|
|
remove-android: 'true' # (frees ~9 GB)
|
|
remove-cached-tools: 'true' # (frees ~8.3 GB)
|
|
|
|
- name: Set Platform Environment Variables
|
|
shell: bash -l {0}
|
|
env:
|
|
BUILD_TAG: ${{ needs.tag_build.outputs.build_tag }}
|
|
OPERATING_SYSTEM: ${{ runner.os }}
|
|
run: |
|
|
echo "BUILD_TAG=${BUILD_TAG}" >> "$GITHUB_ENV"
|
|
if [[ $OPERATING_SYSTEM == 'Windows' ]]; then
|
|
echo 'PIXI_CACHE_DIR=D:\rattler' >> "$GITHUB_ENV"
|
|
echo 'RATTLER_CACHE_DIR=D:\rattler' >> "$GITHUB_ENV"
|
|
fi
|
|
|
|
- name: Checkout Source
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
fetch-depth: 2
|
|
fetch-tags: true
|
|
submodules: 'recursive'
|
|
|
|
- uses: prefix-dev/setup-pixi@82d477f15f3a381dbcc8adc1206ce643fe110fb7 # v0.9.3
|
|
with:
|
|
pixi-version: v0.59.0
|
|
cache: false
|
|
|
|
- name: Install the Apple certificate and provisioning profile
|
|
if: runner.os == 'macOS'
|
|
env:
|
|
APP_SPECIFIC_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
|
|
APPLE_ID: ${{ secrets.APPLE_ID }}
|
|
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
|
|
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
|
|
DEVELOPER_TEAM_ID: ${{ secrets.DEVELOPER_TEAM_ID }}
|
|
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
|
|
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
|
|
run: |
|
|
# create variables
|
|
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
|
|
PP_PATH=$RUNNER_TEMP/FreeCAD_Weekly.provisionprofile
|
|
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
|
|
|
|
export KEYCHAIN_PASSWORD=$(openssl rand -base64 8)
|
|
|
|
# import certificate and provisioning profile from secrets
|
|
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
|
|
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
|
|
|
|
# create temporary keychain
|
|
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
|
|
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
|
|
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
|
|
|
|
# import certificate to keychain
|
|
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
|
|
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
|
|
security list-keychain -d user -s $KEYCHAIN_PATH
|
|
|
|
# apply provisioning profile
|
|
mkdir -p ~/Library/Provisioning\ Profiles
|
|
cp $PP_PATH ~/Library/Provisioning\ Profiles
|
|
|
|
xcrun notarytool store-credentials "FreeCAD" --keychain "$KEYCHAIN_PATH" --apple-id "${APPLE_ID}" --password "${APP_SPECIFIC_PASSWORD}" --team-id "${DEVELOPER_TEAM_ID}"
|
|
|
|
- name: Build and Release Packages
|
|
shell: bash
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
|
|
SIGN_RELEASE: "true"
|
|
TARGET_PLATFORM: ${{ matrix.target }}
|
|
UPLOAD_RELEASE: "true"
|
|
run: |
|
|
python3 package/rattler-build/scripts/make_version_file.py ../freecad_version.txt
|
|
git apply package/rattler-build/scripts/disable_git_info.patch
|
|
cd package/rattler-build
|
|
pixi install
|
|
pixi run -e package create_bundle
|
|
|
|
## Needed if running on a self-hosted runner:
|
|
# - name: Clean up keychain and provisioning profile
|
|
# if: ${{ always() }}
|
|
# run: |
|
|
# security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
|
|
# rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision
|