mac_release.yml
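# Release workflow for macOS: builds the EnergyPlus package on an x86_64 and an
# arm64 runner, code-signs and notarizes it through CPack, uploads the tarball and
# DMG to the release for the pushed tag, then re-tests the artifacts in a second job.
name: Mac Releases

on:
  push:
    tags:
      - '*'
  workflow_dispatch:

env:
  # NOTE(review): set at workflow level, the token is in the environment of every
  # step of every job, including third-party actions and downloaded tools. Confirm
  # which steps actually read it and scope it to those steps if possible.
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  BUILD_TYPE: Release
  FC: gfortran-13
  SDKROOT: /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk
  Python_REQUIRED_VERSION: 3.12.2
  BUILD_DOCS: true  # Installing MacTex takes like 15min, so you can speed things up by disabling it

jobs:
  build_installer_artifact:
    runs-on: ${{ matrix.os }}
    continue-on-error: ${{ matrix.allow_failure }}
    strategy:
      # fail-fast: Default is true, switch to false to allow one platform to fail and still run others
      fail-fast: false
      matrix:
        # Quoted so the deployment targets stay strings: an unquoted 13.0 is a YAML
        # float and may be rendered without its trailing ".0" when interpolated.
        macos_dev_target: ['12.1', '13.0']
        include:
          - macos_dev_target: '12.1'
            os: macos-12
            allow_failure: false
            arch: x86_64
            python-arch: x64
          - macos_dev_target: '13.0'
            os: macos-14
            allow_failure: false
            arch: arm64
            python-arch: arm64
    permissions:
      # Needed permission to upload the release asset
      contents: write
    steps:
      - uses: actions/checkout@v4

      # - name: Setup QtIFW 4.x
      #   uses: jmarrec/setup-qtifw@v1
      #   with:
      #     qtifw-version: '4.6.1'

      - name: "Configure for codesigning"
        # Secrets reach the script as environment variables rather than being
        # interpolated into the script text, so a quote, `$` or backtick inside a
        # secret value cannot change the commands that run.
        env:
          MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_BASE64: ${{ secrets.MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_BASE64 }}
          MACOS_DEVELOPER_ID_INSTALLER_CERTIFICATE_P12_BASE64: ${{ secrets.MACOS_DEVELOPER_ID_INSTALLER_CERTIFICATE_P12_BASE64 }}
          MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_PASSWORD: ${{ secrets.MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_PASSWORD }}
          MACOS_DEVELOPER_ID_INSTALLER_CERTIFICATE_P12_PASSWORD: ${{ secrets.MACOS_DEVELOPER_ID_INSTALLER_CERTIFICATE_P12_PASSWORD }}
          MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
          NOTARIZATION_API_KEY: ${{ secrets.NOTARIZATION_API_KEY }}
          NOTARIZATION_API_TEAM_ID: ${{ secrets.NOTARIZATION_API_TEAM_ID }}
          NOTARIZATION_API_ISSUER_ID: ${{ secrets.NOTARIZATION_API_ISSUER_ID }}
        run: |
          # No `set -x` in this step: command tracing would print every secret-bearing
          # command line to the job log, relying entirely on log masking to hide them.
          cd "$RUNNER_TEMP"
          mkdir codesigning && cd codesigning
          # Remove the decoded key material even if a later command in this step fails.
          trap 'rm -Rf "$RUNNER_TEMP/codesigning"' EXIT

          # ----- Create certificate files from secrets base64 -----
          echo "$MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_BASE64" | base64 --decode > certificate_application.p12
          echo "$MACOS_DEVELOPER_ID_INSTALLER_CERTIFICATE_P12_BASE64" | base64 --decode > certificate_installer.p12

          # ----- Configure Keychain -----
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          security create-keychain -p "$MACOS_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Unlock it for 6 hours
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$MACOS_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # ----- Import certificates on Keychain -----
          # NOTE(review): `-A` lets any application use the imported keys without a
          # prompt, so every later step in this job can sign with them. Restricting
          # access with `-T <signing tool path>` would be tighter; confirm that the
          # CPack signing and notarization steps still work before changing it.
          security import certificate_application.p12 -P "$MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security import certificate_installer.p12 -P "$MACOS_DEVELOPER_ID_INSTALLER_CERTIFICATE_P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security list-keychain -d user -s "$KEYCHAIN_PATH"
          security find-identity -vvvv "$KEYCHAIN_PATH"

          # Add needed intermediary certificates
          aria2c https://www.apple.com/certificateauthority/AppleWWDRCAG2.cer
          aria2c https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer
          security import AppleWWDRCAG2.cer -k "$KEYCHAIN_PATH"
          security import DeveloperIDG2CA.cer -k "$KEYCHAIN_PATH"
          security find-identity -vvvv "$KEYCHAIN_PATH"
          security find-identity -v -p codesigning

          # Store AppConnect credentials
          echo "$NOTARIZATION_API_KEY" > AppConnect_Developer_API_Key.p8
          xcrun notarytool store-credentials EnergyPlus \
            --key AppConnect_Developer_API_Key.p8 \
            --key-id "$NOTARIZATION_API_TEAM_ID" \
            --issuer "$NOTARIZATION_API_ISSUER_ID" \
            --keychain "$KEYCHAIN_PATH"

          cd .. && rm -Rf codesigning

      - name: Download patched QtIFW
        # Its own step, so the downloaded binaries never run with the signing secrets
        # in their environment. The signing keychain is still unlocked at this point.
        run: |
          cd "$RUNNER_TEMP"
          # Download my patched QtIFW
          # NOTE(review): the archive is fetched from a release URL, has its quarantine
          # attribute removed and is then executed and added to PATH, with no integrity
          # check. Consider verifying a pinned digest before unzip, for example:
          #   echo "<EXPECTED_SHA256_PLACEHOLDER>  QtIFW-5.0.0-${{ matrix.arch }}.zip" | shasum -a 256 -c -
          mkdir QtIFW && cd QtIFW
          aria2c https://github.com/jmarrec/QtIFW-fixup/releases/download/v5.0.0-dev-with-fixup/QtIFW-5.0.0-${{ matrix.arch }}.zip
          xattr -r -d com.apple.quarantine ./QtIFW-5.0.0-${{ matrix.arch }}.zip
          unzip QtIFW-5.0.0-${{ matrix.arch }}.zip
          rm -Rf ./*.zip
          chmod +x *
          ./installerbase --version
          echo "$(pwd)" >> $GITHUB_PATH

      - name: Remove python ${{ env.Python_REQUIRED_VERSION }} from the toolcache
        run: |
          ls $RUNNER_TOOL_CACHE/Python || true
          rm -Rf "$RUNNER_TOOL_CACHE/Python/${{ env.Python_REQUIRED_VERSION }}"
          # The glob has to sit outside the quotes; quoted, `*/` is a literal path
          # component and this command removed nothing.
          rm -Rf "$RUNNER_TOOL_CACHE/Python/${{ env.Python_REQUIRED_VERSION }}"*/

      - name: Set up Python ${{ env.Python_REQUIRED_VERSION }}
        id: setup-python
        # NOTE(review): third-party action referenced by a mutable tag in a job that
        # holds the signing identity and a write-scoped token. Pin it to a full commit
        # SHA: jmarrec/setup-python@<FULL_COMMIT_SHA_PLACEHOLDER>
        uses: jmarrec/setup-python@v5
        with:
          python-version: ${{ env.Python_REQUIRED_VERSION }}
          # check-latest: true  # Force pick up the python I built instead of the (potential) toolcache one. I could also do `rm -Rf $RUNNER_TOOL_CACHE/Python/3.12.2` before this action

      - name: Install Python dependencies
        # NOTE(review): aqtinstall is installed unpinned; consider an exact version
        # (optionally with hashes) so the release build is reproducible.
        run: |
          python -m pip install --upgrade pip
          pip install aqtinstall

      - name: Install System dependencies and LaTeX
        shell: bash
        run: |
          set -x
          brew update
          if [[ "$BUILD_DOCS" != "false" ]]; then
            echo "Using brew to install mactex and adding it to PATH"
            brew install --cask mactex-no-gui
            echo "/Library/TeX/texbin" >> $GITHUB_PATH
            echo "DOCUMENTATION_BUILD=BuildWithAll" >> $GITHUB_ENV
          else
            echo "DOCUMENTATION_BUILD=DoNotBuild" >> $GITHUB_ENV
          fi
          # The MACOSX_DEPLOYMENT_TARGET environment variable sets the default value for the CMAKE_OSX_DEPLOYMENT_TARGET variable.
          # We use cmake commands to build some subprojects, so setting it globally
          echo MACOSX_DEPLOYMENT_TARGET=${{ matrix.macos_dev_target }} >> $GITHUB_ENV
          echo "Installing gcc@13 for gfortran support of -static-libquadmath"
          brew list gcc@13 || brew install gcc@13
          which gfortran-13 || echo "FC=$(brew --prefix gcc@13)/bin/gfortran-13" >> $GITHUB_ENV
          brew install ninja

      - name: Create Build Directory
        run: cmake -E make_directory ./build/

      # should we pin to a specific version of CMake here like we did on Windows?
      - name: Configure CMake
        working-directory: ./build
        shell: bash
        run: |
          cmake -G Ninja -DCMAKE_BUILD_TYPE:STRING=$BUILD_TYPE \
                -DCMAKE_OSX_DEPLOYMENT_TARGET:STRING=${{ matrix.macos_dev_target }} \
                -DLINK_WITH_PYTHON:BOOL=ON -DPython_REQUIRED_VERSION:STRING=${{ steps.setup-python.outputs.python-version }} \
                -DPython_ROOT_DIR:PATH=$RUNNER_TOOL_CACHE/Python/${{ steps.setup-python.outputs.python-version }}/${{ matrix.python-arch }}/ \
                -DBUILD_FORTRAN:BOOL=ON -DBUILD_PACKAGE:BOOL=ON \
                -DDOCUMENTATION_BUILD:STRING=$DOCUMENTATION_BUILD -DTEX_INTERACTION:STRING="batchmode" \
                -DENABLE_OPENMP:BOOL=OFF -DUSE_OpenMP:BOOL=OFF \
                -DCPACK_CODESIGNING_DEVELOPPER_ID_APPLICATION:STRING="Developer ID Application: National Renewable Energy Laboratory (K7JYVQJL7R)" \
                -DCPACK_CODESIGNING_NOTARY_PROFILE_NAME:STRING=EnergyPlus \
                ../

      - name: Build Package
        working-directory: ./build
        shell: bash
        run: |
          ninja package

      - name: Upload Tarball as artifact for testing
        uses: actions/upload-artifact@v4
        with:
          name: energyplus-${{ matrix.os }}.tar.gz
          path: build/EnergyPlus-*-${{ matrix.arch }}.tar.gz
          if-no-files-found: error
          retention-days: 7
          overwrite: false

      - name: Upload DMG as artifact for testing
        uses: actions/upload-artifact@v4
        with:
          name: energyplus-${{ matrix.os }}.dmg
          path: build/EnergyPlus-*-${{ matrix.arch }}.dmg
          if-no-files-found: error
          retention-days: 7
          overwrite: false

      - name: Quick Test Package Signing and otool exes and libs
        shell: bash
        working-directory: ./build
        # NOTE(review): this check is advisory. `codesign --display` only prints the
        # signing information and the loop never exits non-zero, so a missing or
        # invalid signature is annotated but does not stop the job here. Verifying
        # with `codesign --verify --strict` and failing the step would make it a gate;
        # confirm whether the full check in the next step is meant to be the gate.
        run: |
          begin_group() { echo -e "::group::\033[93m$1\033[0m"; }
          subheader() { echo -e "\033[95m---- $1\033[0m"; }

          exes=(
            "energyplus" "libenergyplusapi.dylib"
            "ExpandObjects" "ConvertInputFormat"
            "PreProcess/IDFVersionUpdater/Transition-V23-1-0-to-V23-2-0"
            "PostProcess/ReadVarsESO" "PostProcess/HVAC-Diagram"
          )

          TGZ_DIR=$(find _CPack_Packages/Darwin/TGZ -name "EnergyPlus*" -type d -maxdepth 1)
          echo "TGZ_DIR=$TGZ_DIR" >> $GITHUB_ENV
          echo "Checking TGZ dir at $TGZ_DIR"

          for rel_exe in "${exes[@]}"; do
            exe="$TGZ_DIR/$rel_exe"
            begin_group "Checking $exe"
            subheader "otool"
            otool -L "${exe}" || true
            subheader "codesign"
            siginfo=$(codesign --display -vv "${exe}" 2>&1)
            if [[ $siginfo == *"K7JYVQJL7R"* ]]; then
              echo -e "\033[92mSIGNATURE OK\033[0m"
              echo "$siginfo" | grep Authority
            else
              echo -e "\033[91mSignature not ok for ${exe}\033[0m"
              # Workflow-command form is `::error title=...::message`; with `::error::title=`
              # the title text ended up inside the message instead.
              echo "::error title=Signature not ok for ${exe}::$siginfo"
            fi
            echo "::endgroup::"
          done

      - name: Full Test Package signing and otool for IFW and TGZ
        working-directory: ./build
        shell: bash
        run: |
          begin_group() { echo -e "::group::\033[93m$1\033[0m"; }

          begin_group "Full Check signature of _CPack_Packages for both IFW and TGZ and resolve otool libraries"
          python ../scripts/dev/verify_signature.py --verbose --otool --otool-out-file otool_infos_cpack.json .
          echo "::endgroup::"

          begin_group "Running a simulation with python"
          ./$TGZ_DIR/energyplus --help
          ./$TGZ_DIR/energyplus -w ./$TGZ_DIR/WeatherData/USA_IL_Chicago-OHare.Intl.AP.725300_TMY3.epw -d out ./$TGZ_DIR/ExampleFiles/PythonPluginCustomSchedule.idf
          echo "::endgroup::"

      - name: Upload otool info as artifact
        uses: actions/upload-artifact@v4
        with:
          name: otool_infos_cpack_${{ matrix.os }}_${{ matrix.arch }}
          path: build/otool*json
          if-no-files-found: error

      # NOTE(review): both release uploads run before the test_package job, pass the
      # write-scoped token to a third-party action referenced by a mutable tag, and
      # use github.ref as the tag even when the run was started by workflow_dispatch
      # from a branch. Pin the action to a full commit SHA
      # (svenstaro/upload-release-action@<FULL_COMMIT_SHA_PLACEHOLDER>) and consider
      # guarding the steps with `if: startsWith(github.ref, 'refs/tags/')`.
      - name: Upload Tarball to release
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: build/EnergyPlus-*-${{ matrix.arch }}.tar.gz
          tag: ${{ github.ref }}
          overwrite: true
          file_glob: true

      - name: Upload DMG to release
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: build/EnergyPlus-*-${{ matrix.arch }}.dmg
          tag: ${{ github.ref }}
          overwrite: true
          file_glob: true

  test_package:
    name: Test Built Package
    needs: build_installer_artifact
    runs-on: ${{ matrix.os }}
    # This job only checks out the repository and downloads artifacts from the same
    # run, so it does not need the write scope the build job has.
    permissions:
      contents: read
    strategy:
      # fail-fast: Default is true, switch to false to allow one platform to fail and still run others
      fail-fast: false
      matrix:
        # Quoted for the same reason as in the build job: keep "13.0" a string.
        macos_dev_target: ['12.1', '13.0']
        include:
          - macos_dev_target: '12.1'
            os: macos-12
            arch: x86_64
            python-arch: x64
            test_key: mac12
          - macos_dev_target: '13.0'
            os: macos-14
            arch: arm64
            python-arch: arm64
            test_key: mac13-arm64
    steps:
      - uses: actions/checkout@v4  # Still need E+ checked out to get testing scripts
        with:
          path: checkout

      - name: Set up Python ${{ env.Python_REQUIRED_VERSION }}
        uses: actions/setup-python@v5
        id: setup-python
        with:
          python-version: ${{ env.Python_REQUIRED_VERSION }}
          architecture: ${{ matrix.python-arch }}

      - name: Gather Test Package from Artifacts
        uses: actions/download-artifact@v4
        with:
          name: energyplus-${{ matrix.os }}.tar.gz
          path: package

      - name: Check Contents
        shell: bash
        run: ls

      - name: Check Package contents
        shell: bash
        working-directory: package
        run: ls

      - name: Run Package Tests
        run: python checkout/scripts/package_tests/runner.py --verbose ${{ matrix.test_key }} package/

      - name: Gather Dmg Package from Artifacts
        uses: actions/download-artifact@v4
        with:
          name: energyplus-${{ matrix.os }}.dmg
          path: dmg

      - name: Test Dmg Install and Package signing
        working-directory: ./dmg
        shell: bash
        run: |
          begin_group() { echo -e "::group::\033[93m$1\033[0m"; }

          set -x

          dmg=$(ls EnergyPlus-*.dmg)
          begin_group "Checking Signature of .dmg"
          # Gatekeeper assessment; a rejected image fails the step here, before
          # anything from it is mounted or run with sudo below.
          spctl --assess --type open --context context:primary-signature -vvvv "$dmg"
          echo "::endgroup::"

          begin_group "Mounting Dmg, and checking signature of installer app"
          mkdir temp_mount
          hdiutil attach -mountpoint ./temp_mount/ "$dmg"
          filename="${dmg%.*}"
          spctl --assess --type open --context context:primary-signature -vvvv "./temp_mount/$filename.app"
          echo "::endgroup::"

          begin_group "Installing"
          sudo "./temp_mount/$filename.app/Contents/MacOS/$filename" --accept-licenses --default-answer --confirm-command --root "$(pwd)/test_install" install
          hdiutil detach ./temp_mount/
          echo "::endgroup::"

          begin_group "Quick Check signature of inner executables and binaries"
          # `codesign -d` displays signing information; it exits non-zero for an
          # unsigned file but does not by itself validate the signature.
          codesign -dvvv ./test_install/energyplus
          codesign -dvvv ./test_install/libenergyplusapi.dylib
          codesign -dvvv ./test_install/libpython*.dylib
          codesign -dvvv ./test_install/ConvertInputFormat
          codesign -dvvv ./test_install/PostProcess/ReadVarsESO
          echo "::endgroup::"

          begin_group "Full Check signature of installed DMG for all executables and resolve otool libraries"
          python ../checkout/scripts/dev/verify_signature.py --otool --otool-out-file otool_info_dmg.json --verbose --install test_install
          echo "::endgroup::"

          begin_group "Running a simulation with python"
          ./test_install/energyplus --help
          ./test_install/energyplus -w ./test_install/WeatherData/USA_IL_Chicago-OHare.Intl.AP.725300_TMY3.epw -d out ./test_install/ExampleFiles/PythonPluginCustomSchedule.idf
          echo "::endgroup::"

      - name: Upload otool info as artifact
        uses: actions/upload-artifact@v4
        with:
          name: otool_info_dmg_${{ matrix.os }}_${{ matrix.arch }}
          path: dmg/otool*json
          if-no-files-found: error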