build_executable.yml

name: Build executable version of CLI and upload artifact. On dispatch event build the latest tag and upload to release assets

on:
  workflow_dispatch:
  push:
    branches:
      - main

permissions:
  contents: write

jobs:
  build:
    name: Build on ${{ matrix.os }} (${{ matrix.mode }} mode)
    strategy:
      fail-fast: false
      matrix:
        os: [ ubuntu-20.04, macos-13, macos-14, windows-2019 ]
        mode: [ 'onefile', 'onedir' ]
        exclude:
          - os: ubuntu-20.04
            mode: onedir
          - os: windows-2019
            mode: onedir

    runs-on: ${{ matrix.os }}

    defaults:
      run:
        shell: bash

    steps:
      - name: Run Cimon
        if: matrix.os == 'ubuntu-20.04'
        uses: cycodelabs/cimon-action@v0
        with:
          client-id: ${{ secrets.CIMON_CLIENT_ID }}
          secret: ${{ secrets.CIMON_SECRET }}
          prevent: true
          allowed-hosts: >
            files.pythonhosted.org
            install.python-poetry.org
            pypi.org
            uploads.github.com

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Checkout latest release tag
        if: ${{ github.event_name == 'workflow_dispatch' }}
        run: |
          LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`)
          git checkout $LATEST_TAG
          echo "LATEST_TAG=$LATEST_TAG" >> $GITHUB_ENV

      - name: Set up Python 3.12
        uses: actions/setup-python@v4
        with:
          python-version: '3.12'

      - name: Load cached Poetry setup
        id: cached-poetry
        uses: actions/cache@v3
        with:
          path: ~/.local
          key: poetry-${{ matrix.os }}-1  # increment to reset cache

      - name: Setup Poetry
        if: steps.cached-poetry.outputs.cache-hit != 'true'
        uses: snok/install-poetry@v1
        with:
          version: 1.8.3

      - name: Add Poetry to PATH
        run: echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Install dependencies
        run: poetry install --without dev,test

      - name: Import macOS signing certificate
        if: runner.os == 'macOS'
        env:
          APPLE_CERT: ${{ secrets.APPLE_CERT }}
          APPLE_CERT_PWD: ${{ secrets.APPLE_CERT_PWD }}
          APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
          APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
        run: |
          # import certificate
          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
          echo -n "$APPLE_CERT" | base64 --decode -o $CERTIFICATE_PATH

          # create temporary keychain
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
          security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

          # import certificate to keychain
          security import $CERTIFICATE_PATH -P "$APPLE_CERT_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security list-keychain -d user -s $KEYCHAIN_PATH

      - name: Build executable (onefile)
        if: matrix.mode == 'onefile'
        env:
          APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
        run: |
          poetry run pyinstaller pyinstaller.spec
          echo "PATH_TO_CYCODE_CLI_EXECUTABLE=dist/cycode-cli" >> $GITHUB_ENV

      - name: Build executable (onedir)
        if: matrix.mode == 'onedir'
        env:
          CYCODE_ONEDIR_MODE: 1
          APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
        run: |
          poetry run pyinstaller pyinstaller.spec
          echo "PATH_TO_CYCODE_CLI_EXECUTABLE=dist/cycode-cli/cycode-cli" >> $GITHUB_ENV

      - name: Test executable
        run: time $PATH_TO_CYCODE_CLI_EXECUTABLE version

      - name: Notarize macOS executable
        if: runner.os == 'macOS'
        env:
          APPLE_NOTARIZATION_EMAIL: ${{ secrets.APPLE_NOTARIZATION_EMAIL }}
          APPLE_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARIZATION_PWD }}
          APPLE_NOTARIZATION_TEAM_ID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }}
        run: |
          # create keychain profile
          xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_NOTARIZATION_EMAIL" --team-id "$APPLE_NOTARIZATION_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD"

          # create zip file (notarization does not support binaries)
          ditto -c -k --keepParent dist/cycode-cli notarization.zip

          # notarize app (this will take a while)
          xcrun notarytool submit notarization.zip --keychain-profile "notarytool-profile" --wait

          # we can't staple the app because it's executable

      - name: Test macOS signed executable
        if: runner.os == 'macOS'
        run: |
          file -b $PATH_TO_CYCODE_CLI_EXECUTABLE
          time $PATH_TO_CYCODE_CLI_EXECUTABLE version

          # verify signature
          codesign -dv --verbose=4 $PATH_TO_CYCODE_CLI_EXECUTABLE

      - name: Import cert for Windows and setup envs
        if: runner.os == 'Windows'
        env:
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
        run: |
          # import certificate
          echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/Certificate_pkcs12.p12 
          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"

          # add required soft to the path
          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH  
          echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH 

      - name: Sign Windows executable
        if: runner.os == 'Windows'
        shell: cmd
        env:
          SM_HOST: ${{ secrets.SM_HOST }}
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
          SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}
        run: |
          :: setup SSM KSP
          curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi 
          msiexec /i smtools-windows-x64.msi /quiet /qn
          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
          smksp_cert_sync.exe

          :: sign executable
          signtool.exe sign /sha1 %SM_CODE_SIGNING_CERT_SHA1_HASH% /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ".\dist\cycode-cli.exe" 

      - name: Test Windows signed executable
        if: runner.os == 'Windows'
        shell: cmd
        run: |
          :: call executable and expect correct output
          .\dist\cycode-cli.exe version

          :: verify signature
          signtool.exe verify /v /pa ".\dist\cycode-cli.exe"

      - name: Prepare files for artifact and release (rename and calculate sha256)
        run: echo "ARTIFACT_NAME=$(./process_executable_file.py dist/cycode-cli)" >> $GITHUB_ENV

      - name: Upload files as artifact
        uses: actions/upload-artifact@v3
        with:
          name: ${{ env.ARTIFACT_NAME }}
          path: dist

      - name: Upload files to release
        if: ${{ github.event_name == 'workflow_dispatch' }}
        uses: svenstaro/upload-release-action@v2
        with:
          file: dist/*
          tag: ${{ env.LATEST_TAG }}
          overwrite: true
          file_glob: true