Add more logging output to Apple certificate workflow and ensure OpenSSL can handle our Developer certificates #1182

Workflow file for this run

# Workflow header: display name, run de-duplication and trigger events.
name: Construct

# At most one active run per workflow + PR number + ref; starting a newer
# run cancels the one still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.number }}-${{ github.event.ref }}
  cancel-in-progress: true

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
    tags: ['*']
  # `pull_request` (not `pull_request_target`): runs started from forks do
  # not receive repository secrets.
  pull_request:
    branches: [main]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
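# Jobs: build one installer per platform, install and check each one on
# several runner images, then publish a draft pre-release for tag pushes.
# Every job declares the minimum GITHUB_TOKEN scope it needs instead of
# inheriting the repository default.
jobs:
  # Build installers
  build_macos:
    name: Build (macOS ${{ matrix.arch }})
    strategy:
      fail-fast: false
      matrix:
        include:
          - arch: x86_64
          - arch: arm64
    runs-on: macos-11
    # Least privilege: the build only needs to read the repository.
    permissions:
      contents: read
    env:
      MNE_CROSSCOMPILE_ARCH: ${{ matrix.arch }}
      GITHUB_EVENT_NAME: ${{ github.event_name }}
    defaults:
      run:
        shell: bash -el {0}
    steps:
      - uses: actions/checkout@v3
      - uses: mamba-org/setup-micromamba@v1
        with:
          condarc: |
            channels:
              - conda-forge
            channel_priority: strict
          environment-file: environment.yml
      - run: ./tools/extract_version.sh
      # NOTE(review): the event guard below is commented out, so this step
      # also runs for pull_request events and hands the signing-certificate
      # secrets to a script taken from the PR's own checkout. Fork PRs get
      # empty secrets, but branches inside this repository get the real
      # values. Restore the guard once certificate debugging is finished.
      # Extra logging in the script must not print decoded certificate or
      # key material: log masking matches only the exact secret strings,
      # not their base64-decoded form.
      - run: ./tools/macos_install_certificates.sh
        # if: ${{ github.event_name != 'pull_request' }}
        env:
          APPLICATION_CERT_BASE64: ${{ secrets.APPLE_APPLICATION_CERT_BASE64 }}
          APPLICATION_CERT_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERT_PASSWORD }}
          INSTALLER_CERT_BASE64: ${{ secrets.APPLE_INSTALLER_CERT_BASE64 }}
          INSTALLER_CERT_PASSWORD: ${{ secrets.APPLE_INSTALLER_CERT_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
      # Fills in the signing identity in the recipe; skipped for PR builds.
      - name: Patch config (non-PR)
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          sed -i "" "s/_name: *# \[osx\]/_name: 9779L28NP8 # \[osx\]/" "${RECIPE_DIR}/construct.yaml"
      - run: ./tools/run_constructor.sh
        timeout-minutes: 20
      - run: ./tools/macos_check_installer_signature.sh
      # Notarization uses Apple ID credentials, so it is limited to non-PR
      # events.
      - run: ./tools/macos_notarize_installer.sh
        if: ${{ github.event_name != 'pull_request' }}
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
      - run: ./tools/calculate_installer_hash.sh
      # Print package, domain and volume information for the built .pkg.
      - run: |
          installer -verbose -pkginfo -pkg "./${MNE_INSTALLER_NAME}"
          installer -verbose -dominfo -pkg "./${MNE_INSTALLER_NAME}"
          installer -verbose -volinfo -pkg "./${MNE_INSTALLER_NAME}"
      - uses: actions/upload-artifact@v3
        with:
          name: ${{ env.MNE_INSTALLER_ARTIFACT_ID }}
          path: MNE-Python-*.*

  build_linux:
    name: Build (Linux)
    runs-on: ubuntu-20.04
    # Least privilege: the build only needs to read the repository.
    permissions:
      contents: read
    defaults:
      run:
        shell: bash -el {0}
    steps:
      - uses: actions/checkout@v3
      - uses: mamba-org/setup-micromamba@v1
        with:
          condarc: |
            channels:
              - conda-forge
            channel_priority: strict
          environment-file: environment.yml
      - run: ./tools/extract_version.sh
      - run: ./tools/run_constructor.sh
        timeout-minutes: 20
      - run: ./tools/calculate_installer_hash.sh
      - uses: actions/upload-artifact@v3
        with:
          name: ${{ env.MNE_INSTALLER_ARTIFACT_ID }}
          path: MNE-Python-*.*

  build_windows:
    name: Build (Windows)
    strategy:
      fail-fast: false
    runs-on: windows-2019
    # Least privilege: the build only needs to read the repository.
    permissions:
      contents: read
    defaults:
      run:
        shell: bash -el {0}
    steps:
      - uses: actions/checkout@v3
      - uses: mamba-org/setup-micromamba@v1
        with:
          condarc: |
            channels:
              - conda-forge
            channel_priority: strict
          environment-file: environment.yml
      - run: ./tools/extract_version.sh
      - run: ./tools/run_constructor.sh
        timeout-minutes: 20
      - run: ./tools/calculate_installer_hash.sh
      - uses: actions/upload-artifact@v3
        with:
          name: ${{ env.MNE_INSTALLER_ARTIFACT_ID }}
          path: MNE-Python-*.*

  # Test
  test_macos:
    name: Test (${{ matrix.os }} ${{ matrix.arch }})
    needs: [build_macos]
    strategy:
      fail-fast: false
      matrix:
        os: [macos-11, macos-12]
        arch: [x86_64]
        # We currently can't/don't test anything about the arm64 build
        # include:
        #   - os: macos-11
        #     arch: arm64
    runs-on: ${{ matrix.os }}
    # Least privilege: the test only needs to read the repository.
    permissions:
      contents: read
    defaults:
      run:
        shell: bash -el {0}
    steps:
      - uses: actions/checkout@v3
      - run: ./tools/extract_version.sh
      - uses: actions/download-artifact@v3
        with:
          name: ${{ env.MNE_INSTALLER_ARTIFACT_ID }}
      - name: Run installer
        run: |
          sudo installer -verbose -pkg "${MNE_INSTALLER_NAME}" -target / \
            || ( tail -n 30 /var/log/install.log && exit 1 ) # display last log messages on error
      - run: ./tools/export_frozen_env_def.sh
      - uses: actions/upload-artifact@v3
        with:
          name: ${{ env.MNE_INSTALLER_ARTIFACT_ID }}-json
          path: MNE-Python-*.env.json
      # NOTE(review): `@main` is a mutable branch reference, so the code
      # that runs here can change without any change to this file; pin the
      # action to a release tag or a full commit SHA.
      - uses: pyvista/setup-headless-display-action@main
        with:
          qt: true
          pyvista: false
      - run: ./tools/check_installation.sh

  test_linux:
    name: Test (${{ matrix.os }})
    needs: [build_linux]
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-20.04, ubuntu-22.04]
    runs-on: ${{ matrix.os }}
    # Least privilege: the test only needs to read the repository.
    permissions:
      contents: read
    defaults:
      run:
        shell: bash -el {0}
    steps:
      - uses: actions/checkout@v3
      - run: ./tools/extract_version.sh
      - uses: actions/download-artifact@v3
        with:
          name: ${{ env.MNE_INSTALLER_ARTIFACT_ID }}
      - run: sh "./${MNE_INSTALLER_NAME}" -b
      - run: ./tools/export_frozen_env_def.sh
      - uses: actions/upload-artifact@v3
        with:
          name: ${{ env.MNE_INSTALLER_ARTIFACT_ID }}-json
          path: MNE-Python-*.env.json
      # NOTE(review): `@main` is a mutable branch reference; pin the action
      # to a release tag or a full commit SHA.
      - uses: pyvista/setup-headless-display-action@main
        with:
          qt: true
          pyvista: false
      - run: ./tools/check_installation.sh

  test_windows:
    needs: [build_windows]
    name: Test (${{ matrix.os }})
    strategy:
      fail-fast: false
      matrix:
        os: [windows-2019, windows-2022]
    runs-on: ${{ matrix.os }}
    # Least privilege: the test only needs to read the repository.
    permissions:
      contents: read
    defaults:
      run:
        shell: bash -el {0}
    steps:
      - uses: actions/checkout@v3
      - run: ./tools/extract_version.sh
      - uses: actions/download-artifact@v3
        with:
          name: ${{ env.MNE_INSTALLER_ARTIFACT_ID }}
      # https://docs.anaconda.com/anaconda/install/silent-mode.html#windows
      - run: .\%MNE_INSTALLER_NAME% /S /InstallationType=JustMe /AddToPath=1
        timeout-minutes: 30
        shell: cmd
      - run: ./tools/export_frozen_env_def.sh
      - uses: actions/upload-artifact@v3
        with:
          name: ${{ env.MNE_INSTALLER_ARTIFACT_ID }}-json
          path: MNE-Python-*.env.json
      # NOTE(review): `@main` is a mutable branch reference; pin the action
      # to a release tag or a full commit SHA.
      - uses: pyvista/setup-headless-display-action@main
        with:
          qt: true
          pyvista: false
      - run: ./tools/check_installation.sh

  # Release
  release:
    name: Release
    needs: [build_macos, build_linux, build_windows, test_macos, test_linux, test_windows]
    if: github.ref_type == 'tag'
    runs-on: ubuntu-latest
    # The only job that writes to the repository: creating or updating the
    # draft release requires `contents: write`.
    permissions:
      contents: write
    defaults:
      run:
        shell: bash -el {0}
    steps:
      # These names should correspond to MNE_INSTALLER_ARTIFACT_ID in tools/extract_version.sh
      - uses: actions/download-artifact@v3
        with:
          name: MNE-Python-Linux-x86_64
      - uses: actions/download-artifact@v3
        with:
          name: MNE-Python-Linux-x86_64-json
      - uses: actions/download-artifact@v3
        with:
          name: MNE-Python-Windows-x86_64
      - uses: actions/download-artifact@v3
        with:
          name: MNE-Python-Windows-x86_64-json
      - uses: actions/download-artifact@v3
        with:
          name: MNE-Python-macOS-x86_64
      - uses: actions/download-artifact@v3
        with:
          name: MNE-Python-macOS-x86_64-json
      - uses: actions/download-artifact@v3
        with:
          name: MNE-Python-macOS-arm64
      # We don't have a JSON, as this is only produced upon successful
      # installation. Since we don't have an Apple Silicon runner on GHA,
      # disable this for now.
      # - uses: actions/download-artifact@v3
      #   with:
      #     name: MNE-Python-macOS-arm64-json
      - run: ls -al ./
      # NOTE(review): this third-party action receives the write-scoped
      # token and is referenced by a movable tag; consider pinning it to a
      # full commit SHA.
      - uses: ncipollo/release-action@v1
        with:
          artifacts: "MNE-Python-*.*"
          token: ${{ secrets.GITHUB_TOKEN }}
          draft: true
          prerelease: true
          allowUpdates: true
          generateReleaseNotes: true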