feat: add codesign for macos #61
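---
# Builds a conda-based Python environment for one model, code-signs and
# notarizes the interpreter on macOS, and uploads the environment as an
# artifact. Linux and Windows matrix entries exist but are commented out.
name: Build and Package Python Library

on:
  push:
    branches: [feat/python-codesign]
  workflow_dispatch:
    inputs:
      model_dir:
        description: "Path to model directory in janhq/models repo"
        required: true
      model_name:
        description: "name of model to be release"
        required: true
      repo_name:
        description: "name of repo to be checked out"
        required: true
      branch_name:
        description: "name of branch to be checked out"
        required: true
        default: main

# On workflow_dispatch the inputs are used; on push the `inputs` context is
# empty, so the literal on the right of `||` applies (the previous
# hard-coded values).
env:
  MODEL_DIR: ${{ inputs.model_dir || 'models/whispervq' }}
  MODEL_NAME: ${{ inputs.model_name || 'whispervq' }}
  REPO_NAME: ${{ inputs.repo_name || 'janhq/models' }}
  BRANCH_NAME: ${{ inputs.branch_name || 'feat/ci-python-models' }}

jobs:
  build-and-test:
    runs-on: ${{ matrix.runs-on }}
    timeout-minutes: 60
    strategy:
      fail-fast: false
      matrix:
        include:
          # - os: "linux"
          #   name: "amd64"
          #   runs-on: "ubuntu-20-04-cuda-12-0"
          - os: "mac"
            name: "amd64"
            runs-on: "macos-selfhosted-12"
          - os: "mac"
            name: "arm64"
            runs-on: "macos-silicon"
          # - os: "windows"
          #   name: "amd64"
          #   runs-on: "windows-cuda-12-0"
    steps:
      - name: Clone
        id: checkout
        uses: actions/checkout@v3
        with:
          submodules: recursive
          repository: ${{ env.REPO_NAME }}
          ref: ${{ env.BRANCH_NAME }}

      # runner.os values are "Linux", "Windows" and "macOS"; comparisons are
      # case-insensitive, but the canonical spelling is used throughout.
      - uses: conda-incubator/setup-miniconda@v3
        if: runner.os != 'Windows'
        with:
          auto-update-conda: true
          # Quoted so YAML does not read the version as a float.
          python-version: "3.11"

      - name: use python
        if: runner.os == 'Windows'
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      # The signing certificate is passed to the import action as base64;
      # it is never written to disk by this workflow.
      - uses: apple-actions/import-codesign-certs@v2
        # NOTE: with continue-on-error a failed import only surfaces later,
        # when `codesign` cannot find the identity in the keychain.
        continue-on-error: true
        if: runner.os == 'macOS'
        with:
          p12-file-base64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
          p12-password: ${{ secrets.CODE_SIGN_P12_PASSWORD }}

      # quill reads the notarization key from a file, so it has to be
      # written to disk. It is removed again in the always() cleanup step
      # at the end of the job (these runners are self-hosted, so /tmp is
      # not guaranteed to be wiped between jobs).
      - name: Get key for notarization
        if: runner.os == 'macOS'
        shell: bash
        run: |
          # Restrictive umask so the private key is not readable by other
          # users of the runner.
          umask 077
          base64 -d <<< "$NOTARIZE_P8_BASE64" > /tmp/notary-key.p8
        env:
          NOTARIZE_P8_BASE64: ${{ secrets.NOTARIZE_P8_BASE64 }}

      # Workflow-level env is exposed to the shell as ordinary environment
      # variables; using them instead of expression interpolation keeps
      # input values out of the script text.
      - name: Install dependencies Windows
        if: runner.os == 'Windows'
        shell: pwsh
        run: |
          python3 -m pip install --upgrade pip
          python3 -m pip install -r "$env:MODEL_DIR/requirements.cuda.txt"

      - name: Install dependencies Linux
        if: runner.os == 'Linux'
        run: |
          conda create -y -n "$MODEL_NAME" python=3.11
          source "$HOME/miniconda/bin/activate" base
          conda init
          conda activate "$MODEL_NAME"
          python -m pip install --upgrade pip
          python -m pip install -r "$MODEL_DIR/requirements.cuda.txt"

      - name: Install dependencies Mac
        if: runner.os == 'macOS'
        run: |
          conda create -y -n "$MODEL_NAME" python=3.11
          source "$HOME/miniconda/bin/activate" base
          conda init
          conda activate "$MODEL_NAME"
          python -m pip install --upgrade pip
          python -m pip install -r "$MODEL_DIR/requirements.txt"

      - name: prepare python package windows
        if: runner.os == 'Windows'
        shell: pwsh
        run: |
          $pythonPath = where.exe python
          echo "Python path (where.exe): $pythonPath"
          $pythonFolder = Split-Path -Path "$pythonPath" -Parent
          echo "PYTHON_FOLDER=$pythonFolder" >> $env:GITHUB_ENV
          copy "$pythonFolder\python*.*" "$pythonFolder\Scripts\"

      # PYTHON_FOLDER is the conda environment root (two levels above
      # bin/python). Values appended to GITHUB_ENV are only visible to
      # later steps, so the shell variable is echoed here instead of the
      # env context.
      - name: prepare python package macos
        if: runner.os == 'macOS'
        run: |
          source "$HOME/miniconda/bin/activate" base
          conda init
          conda activate "$MODEL_NAME"
          PYTHON_PATH=$(which python)
          echo "$PYTHON_PATH"
          PYTHON_FOLDER=$(dirname "$(dirname "$PYTHON_PATH")")
          echo "PYTHON_FOLDER=$PYTHON_FOLDER" >> "$GITHUB_ENV"
          echo "PYTHON_FOLDER=$PYTHON_FOLDER"

      - name: prepare python package linux
        if: runner.os == 'Linux'
        run: |
          source "$HOME/miniconda/bin/activate" base
          conda init
          conda activate "$MODEL_NAME"
          PYTHON_PATH=$(which python)
          echo "$PYTHON_PATH"
          PYTHON_FOLDER=$(dirname "$(dirname "$PYTHON_PATH")")
          rm -rf "$PYTHON_FOLDER/lib/python3.1"
          echo "PYTHON_FOLDER=$PYTHON_FOLDER" >> "$GITHUB_ENV"
          echo "PYTHON_FOLDER=$PYTHON_FOLDER"

      # Signs both interpreter entry points with the hardened runtime and
      # submits them for notarization. The signing identity is passed
      # through the step env rather than interpolated into the script.
      - name: Notary macOS Binary
        if: runner.os == 'macOS'
        run: |
          ENTITLEMENTS="./engine/templates/macos/entitlements.plist"
          codesign --force --entitlements="$ENTITLEMENTS" -s "$DEVELOPER_ID" --options=runtime "$PYTHON_FOLDER/bin/python"
          codesign --force --entitlements="$ENTITLEMENTS" -s "$DEVELOPER_ID" --options=runtime "$PYTHON_FOLDER/bin/python3"
          # TODO: pin quill to a release tag; installing from `main` means
          # the tool's contents can change between runs.
          curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /usr/local/bin
          # NOTE(review): the paths below are absolute, so this cd looks
          # unnecessary; confirm engine/cortex exists in the checked-out repo.
          cd engine/cortex
          # Notarize the binary
          quill notarize "$PYTHON_FOLDER/bin/python"
          quill notarize "$PYTHON_FOLDER/bin/python3"
        env:
          DEVELOPER_ID: ${{ secrets.DEVELOPER_ID }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.NOTARY_KEY_ID }}
          QUILL_NOTARY_ISSUER: ${{ secrets.NOTARY_ISSUER }}
          QUILL_NOTARY_KEY: "/tmp/notary-key.p8"

      # Uploads the whole environment root as the artifact.
      - name: Upload Artifact
        # if: runner.os == 'Windows' || runner.os == 'Linux'
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.MODEL_NAME }}-${{ matrix.os }}-${{ matrix.name }}
          path: ${{ env.PYTHON_FOLDER }}
          include-hidden-files: true
          compression-level: 9

      - name: Post Upload windows
        if: runner.os == 'Windows'
        shell: pwsh
        run: |
          rm "$env:PYTHON_FOLDER/Scripts/python*.*"

      # Runs even when an earlier step failed. The key file is removed
      # first so a failing keychain deletion cannot leave it behind.
      - name: Clean up signing material
        continue-on-error: true
        if: always() && runner.os == 'macOS'
        run: |
          rm -f /tmp/notary-key.p8
          security delete-keychain signing_temp.keychain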