Update GHA workflows for juce8

anjaldoshi · anjaldoshi · commit 0bf00800fe57 · 2024-10-15T11:44:40.000-07:00
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -13,10 +13,20 @@ jobs:
         os: [ubuntu-20.04]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
-      - uses: conda-incubator/setup-miniconda@v2
+      - name: set env vars
+        run: |
+          if [ ${{github.ref_name}} == 'juce8' ]; then
+            echo "GUI_BRANCH=development-juce8" >> "$GITHUB_ENV"
+          elif [ ${{github.ref_name}} == 'testing-juce8' ]; then
+            echo "GUI_BRANCH=testing-juce8" >> "$GITHUB_ENV"
+          else
+            echo "Invalid branch : ${{github.ref_name}}"
+            exit 1
+          fi
+      - uses: conda-incubator/setup-miniconda@v3
         with:
           activate-environment: oe-python-plugin
           python-version: "3.10"
@@ -25,7 +35,7 @@ jobs:
         run: |
           sudo apt update
           cd ../..
-          git clone https://github.com/open-ephys/plugin-GUI.git --branch main
+          git clone https://github.com/open-ephys/plugin-GUI.git --branch $GUI_BRANCH
           sudo ./plugin-GUI/Resources/Scripts/install_linux_dependencies.sh
           cd plugin-GUI/Build && cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release ..
       - name: build
@@ -55,7 +65,7 @@ jobs:
           name: ${{ env.zipfile }}
           path: ${{ env.zipfile }}
       - name: deploy
-        if: github.ref == 'refs/heads/main'
+        if: github.ref == 'refs/heads/testing-juce8'
         env:
           artifactoryApiKey: ${{ secrets.artifactoryApiKey }}
         run: |
diff --git a/.github/workflows/mac.yml b/.github/workflows/mac.yml
@@ -13,18 +13,31 @@ jobs:
         os: [macos-latest]
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
           submodules: true
-    - uses: conda-incubator/setup-miniconda@v2
+    - name: set env vars
+      run: |
+        if [ ${{github.ref_name}} == 'juce8' ]; then
+          echo "GUI_BRANCH=development-juce8" >> "$GITHUB_ENV"
+        elif [ ${{github.ref_name}} == 'testing-juce8' ]; then
+          echo "GUI_BRANCH=testing-juce8" >> "$GITHUB_ENV"
+        else
+          echo "Invalid branch : ${{github.ref_name}}"
+          exit 1
+        fi
+    - uses: maxim-lobanov/setup-xcode@v1
+      with:
+        xcode-version: latest-stable
+    - uses: conda-incubator/setup-miniconda@v3
       with:
         activate-environment: oe-python-plugin
         python-version: "3.10"
         auto-activate-base: false
     - name: setup
       run: |
         cd ../..
-        git clone https://github.com/open-ephys/plugin-GUI.git --branch main
+        git clone https://github.com/open-ephys/plugin-GUI.git --branch $GUI_BRANCH
         cd plugin-GUI/Build && cmake -G "Xcode" ..
     - name: build
       run: |
@@ -35,6 +48,13 @@ jobs:
 #      run: cd build && ctest
     - name: package
       env:
+        MACOS_CERTIFICATE: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+        MACOS_CERTIFICATE_PWD: ${{ secrets.BUILD_CERTIFICATE_PWD }}
+        MACOS_CERTIFICATE_NAME: ${{ secrets.BUILD_CERTIFICATE_NAME }}
+        MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
+        PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
+        PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
+        PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
         build_dir: "Build/Release"
         package: PythonProcessor-mac
       run: |
@@ -44,6 +64,50 @@ jobs:
         mkdir plugins 
         cp -r $build_dir/*.bundle plugins
         mv $build_dir/shared .
+
+        # Turn our base64-encoded certificate back to a regular .p12 file
+        echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+
+        # We need to create a new keychain, otherwise using the certificate will prompt
+        # with a UI dialog asking for the certificate password, which we can't
+        # use in a headless CI environment
+        security create-keychain -p $MACOS_CI_KEYCHAIN_PWD build.keychain
+        security default-keychain -s build.keychain
+        security unlock-keychain -p $MACOS_CI_KEYCHAIN_PWD build.keychain
+        security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CI_KEYCHAIN_PWD build.keychain
+        /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" -v plugins/python-processor.bundle --deep --strict --timestamp --options=runtime
+        /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" -v shared/libpython3.10.dylib --deep --strict --timestamp --options=runtime
+
+        /usr/bin/codesign -dv --verbose=4 plugins/python-processor.bundle
+
+        # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
+
+        echo "Create keychain profile"
+        xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
+
+        # We can't notarize an app bundle directly, but we need to compress it as an archive.
+        # Therefore, we create a zip file containing our app bundle, so that we can send it to the
+        # notarization service
+
+        echo "Creating temp notarization archive"
+        /usr/bin/ditto -c -k --sequesterRsrc --keepParent  plugins/python-processor.bundle python-processor.zip
+
+        # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
+        # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
+        # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
+        # you're curious
+
+        echo "Notarize app"
+        xcrun notarytool submit "python-processor.zip" --keychain-profile "notarytool-profile" --wait
+
+        # Finally, we need to "attach the staple" to our executable, which will allow our app to be
+        # validated by macOS even when an internet connection is not available.
+        echo "Attach staple"
+        rm -r plugins/*
+        /usr/bin/ditto -x -k python-processor.zip plugins
+        xcrun stapler staple plugins/python-processor.bundle
+
         zipfile=${package}_${new_plugin_ver}.zip
         echo "zipfile=${zipfile}" >> $GITHUB_ENV
         zip -r -X $zipfile plugins shared
@@ -52,7 +116,7 @@ jobs:
         name: ${{ env.zipfile }}
         path: ${{ env.zipfile }}
     - name: deploy
-      if: github.ref == 'refs/heads/main'
+      if: github.ref == 'refs/heads/testing-juce8'
       env:
         artifactoryApiKey: ${{ secrets.artifactoryApiKey }}
       run: |
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -10,34 +10,44 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [windows-2019]
+        os: [windows-latest]
     
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
           submodules: true
-    - uses: conda-incubator/setup-miniconda@v2
+    - name: set env vars
+      run: |
+        if [ ${{github.ref_name}} == 'juce8' ]; then
+          echo "GUI_BRANCH=development-juce8" >> "$GITHUB_ENV"
+          echo "GUI_LIB_VERSION=v1.0.0-dev" >> "$GITHUB_ENV"
+        elif [ ${{github.ref_name}} == 'testing-juce8' ]; then
+          echo "GUI_BRANCH=testing-juce8" >> "$GITHUB_ENV"
+          echo "GUI_LIB_VERSION=v1.0.0-alpha" >> "$GITHUB_ENV"
+        else
+          echo "Invalid branch : ${{github.ref_name}}"
+          exit 1
+        fi
+      shell: bash
+    - uses: conda-incubator/setup-miniconda@v3
       with:
         activate-environment: oe-python-plugin
         python-version: "3.10"
         auto-activate-base: false
     - name: setup
-      env: 
-        repo: open-ephys-gui
-        package: "open-ephys-lib"
       run: |
         cd ../..
-        git clone https://github.com/open-ephys/plugin-GUI.git --branch main
+        git clone https://github.com/open-ephys/plugin-GUI.git --branch $GUI_BRANCH
         cd plugin-GUI/Build
-        cmake -G "Visual Studio 16 2019" -A x64 .. 
+        cmake -G "Visual Studio 17 2022" -A x64 .. 
         mkdir Release && cd Release
-        curl -L https://openephysgui.jfrog.io/artifactory/Libraries/open-ephys-lib-v0.6.0.zip --output open-ephys-lib.zip 
+        curl -L https://openephysgui.jfrog.io/artifactory/Libraries/open-ephys-lib-$GUI_LIB_VERSION.zip --output open-ephys-lib.zip 
         unzip open-ephys-lib.zip
       shell: bash
     - name: configure
       run: |
         cd Build
-        cmake -G "Visual Studio 16 2019" -A x64 -DPython_ROOT_DIR="$CONDA/envs/oe-python-plugin" -DCOPY_PYTHON_DL=ON .. 
+        cmake -G "Visual Studio 17 2022" -A x64 -DPython_ROOT_DIR="$CONDA/envs/oe-python-plugin" -DCOPY_PYTHON_DL=ON .. 
       shell: bash
     - name: Add msbuild to PATH
       uses: microsoft/setup-msbuild@v1.1
@@ -70,7 +80,7 @@ jobs:
         name: ${{ env.zipfile }}
         path: ${{ env.zipfile }}
     - name: deploy
-      if: github.ref == 'refs/heads/main'
+      if: github.ref == 'refs/heads/testing-juce8'
       env:
         artifactoryApiKey: ${{ secrets.artifactoryApiKey }}
       run: |
