Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and upload to PyPI | |
on: | |
release: | |
types: | |
- published | |
env: | |
LIBZIM_DL_VERSION: "9.1.0" | |
MACOSX_DEPLOYMENT_TARGET: "12.0" | |
CIBW_ENVIRONMENT_PASS_LINUX: "LIBZIM_DL_VERSION" | |
# APPLE_SIGNING_KEYCHAIN_PATH set in prepare keychain step | |
APPLE_SIGNING_KEYCHAIN_PROFILE: "build-profile" | |
APPLE_SIGNING_IDENTITY: "${{ secrets.APPLE_SIGNING_IDENTITY }}" | |
SIGN_APPLE: "yes" | |
jobs: | |
build_wheels: | |
environment: release | |
name: Build wheels on ${{ matrix.os }} | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: [ubuntu-20.04, macos-13] # windows-2019 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up QEMU | |
if: runner.os == 'Linux' | |
uses: docker/setup-qemu-action@v3 | |
with: | |
platforms: all | |
- name: Prepare Apple Keychain for Signing | |
if: matrix.os == 'macos-13' | |
shell: bash | |
run: | | |
# store certificate on filesystem | |
export CERTIFICATE="$(mktemp -d)/wmch-devid.p12" | |
echo "${{ secrets.APPLE_SIGNING_CERTIFICATE }}" | base64 --decode -o $CERTIFICATE | |
# create a dedicated keychain | |
export APPLE_SIGNING_KEYCHAIN_PATH="$(mktemp -d)/build.keychain" | |
echo "APPLE_SIGNING_KEYCHAIN_PATH=${APPLE_SIGNING_KEYCHAIN_PATH}" >> "$GITHUB_ENV" | |
security create-keychain -p mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH} | |
security default-keychain -s ${APPLE_SIGNING_KEYCHAIN_PATH} | |
security unlock-keychain -p mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH} | |
# import certificate into keychain then remove from filesystem | |
security import ${CERTIFICATE} -k ${APPLE_SIGNING_KEYCHAIN_PATH} -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A | |
rm $CERTIFICATE | |
# store signing credentials into the keychain | |
security set-key-partition-list -S "apple-tool:,apple:" -s -k mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH} | |
security find-identity -v | |
xcrun notarytool store-credentials \ | |
--apple-id "${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}" \ | |
--password "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}" \ | |
--team-id "${{ secrets.APPLE_SIGNING_TEAM }}" \ | |
--validate \ | |
--keychain ${APPLE_SIGNING_KEYCHAIN_PATH} \ | |
${APPLE_SIGNING_KEYCHAIN_PROFILE} | |
# disable auto-locking of keychain | |
security set-keychain-settings ${APPLE_SIGNING_KEYCHAIN_PATH} | |
security unlock-keychain -p mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH} | |
- name: Build wheels | |
uses: pypa/[email protected] | |
- name: Cleanup Apple Keychain | |
if: matrix.os == 'macos-13' | |
shell: bash | |
run: | | |
security lock-keychain ${APPLE_SIGNING_KEYCHAIN_PATH} | |
security delete-keychain ${APPLE_SIGNING_KEYCHAIN_PATH} | |
rm -f ${APPLE_SIGNING_KEYCHAIN_PATH} | |
- uses: actions/upload-artifact@v3 | |
with: | |
path: ./wheelhouse/*.whl | |
build_sdist: | |
name: Build source distribution | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Build sdist | |
run: pipx run build --sdist | |
- uses: actions/upload-artifact@v3 | |
with: | |
path: dist/*.tar.gz | |
upload_pypi: | |
needs: [build_wheels, build_sdist] | |
runs-on: ubuntu-latest | |
environment: release | |
steps: | |
- uses: actions/download-artifact@v3 | |
with: | |
# unpacks default artifact into dist/ | |
# if `name: artifact` is omitted, the action will create extra parent dir | |
name: artifact | |
path: dist | |
- uses: pypa/[email protected] | |
with: | |
user: __token__ | |
# password: ${{ secrets.PYPI_TEST_API_TOKEN }} | |
password: ${{ secrets.PYPI_API_TOKEN }} | |
# uncomment for test | |
# repository_url: https://test.pypi.org/legacy/ |