# Release pipeline: publishes a source archive and per-platform packages.
name: Build Release

# Triggers: a newly created release, a weekly schedule (Wednesday 00:00 UTC),
# or a manual run from the Actions tab.
on:
  release:
    types:
      - created
  schedule:
    - cron: "0 0 * * 3"
  workflow_dispatch:

# Workflow-wide scope of the default GITHUB_TOKEN. Listing a permission here
# sets every scope that is not listed to "none". `contents: write` is what the
# `gh release create` / `gh release upload` calls in the jobs below rely on;
# it applies to every job in this workflow.
permissions:
  contents: write
|
|
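jobs:
  # Resolves the build tag (the release tag for release events, otherwise a
  # dated weekly tag whose pre-release is created here), then uploads a source
  # tarball covering the repository and its submodules, plus a SHA-256 file.
  upload_src:
    runs-on: ubuntu-latest
    outputs:
      build_tag: ${{ steps.get_tag.outputs.build_tag }}
    steps:
      # Third-party actions in this workflow are pinned to full commit SHAs.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2
        with:
          # `audit` only records outbound connections; nothing is blocked.
          # Once the recorded endpoints are known, `egress-policy: block`
          # together with `allowed-endpoints` would enforce them.
          egress-policy: audit

      - name: Checkout Source
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          ref: ${{ github.sha }}
          fetch-depth: 2
          fetch-tags: true
          submodules: 'recursive'

      - name: get tag and create release if weekly
        id: get_tag
        shell: bash -l {0}
        env:
          GH_TOKEN: ${{ github.token }}
          # Event data reaches the script through environment variables
          # instead of being expanded into the script text by the runner, so
          # a tag name containing shell metacharacters stays data.
          EVENT_NAME: ${{ github.event_name }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          if [ "${EVENT_NAME}" = "release" ]; then
            export BUILD_TAG="${RELEASE_TAG}"
          else
            export BUILD_TAG=weekly-$(date "+%Y.%m.%d")
            # Best effort: a failure here is ignored (presumably so a second
            # run on the same date does not fail on an existing release).
            gh release create "${BUILD_TAG}" --title "Development Build ${BUILD_TAG}" -F .github/workflows/weekly-build-notes.md --prerelease || true
          fi
          # GITHUB_ENV exposes the tag to later steps of this job,
          # GITHUB_OUTPUT to the jobs that depend on this one.
          echo "BUILD_TAG=${BUILD_TAG}" >> "$GITHUB_ENV"
          echo "build_tag=${BUILD_TAG}" >> "$GITHUB_OUTPUT"

      - name: Upload Source
        id: upload_source
        shell: bash -l {0}
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          python3 package/scripts/write_version_info.py ../freecad_version.txt
          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
          git config user.name 'github-actions[bot]'
          # The patch is committed only in the runner's working copy so that
          # `git archive HEAD` picks it up; this job never pushes.
          git apply package/disable_git_info.patch
          git commit -a -m "Disable git info write to Version.h"
          git archive HEAD -o "freecad_source_${BUILD_TAG}.tar"
          # Append each submodule's archive to the top-level tarball.
          # BUILD_TAG is escaped so the shell started by `git submodule
          # foreach` expands it inside quotes, rather than having its value
          # pasted into the command string that shell evaluates.
          git submodule foreach --recursive \
            "git archive HEAD --prefix=\$path/ -o \$sha1.tar && \
            tar -A -f \"\$toplevel/freecad_source_\${BUILD_TAG}.tar\" \$sha1.tar && \
            rm \$sha1.tar"
          gzip "freecad_source_${BUILD_TAG}.tar"
          # The checksum is published next to the archive in the same release,
          # so it detects corrupted downloads; it is not a signature.
          sha256sum "freecad_source_${BUILD_TAG}.tar.gz" > "freecad_source_${BUILD_TAG}.tar.gz-SHA256.txt"
          gh release upload --clobber "${BUILD_TAG}" "freecad_source_${BUILD_TAG}.tar.gz" "freecad_source_${BUILD_TAG}.tar.gz-SHA256.txt"

  # Builds the packages for every target platform once the build tag is known.
  build:
    needs: upload_src
    strategy:
      matrix:
        include:
          - { target: linux-64, os: ubuntu-22.04 }
          - { target: linux-arm64, os: ubuntu-22.04-arm }
          - { target: osx-64, os: macos-15-intel }
          - { target: osx-arm64, os: macos-latest }
          - { target: win-64, os: windows-latest }
      # One failing platform does not cancel the others.
      fail-fast: false

    runs-on: ${{ matrix.os }}
    # Secrets and protection rules configured on this environment apply to
    # every matrix leg of the job.
    environment: weekly-build
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2
        with:
          # `audit` only records outbound connections; nothing is blocked.
          egress-policy: audit

      - name: Maximize build space
        if: runner.os == 'Linux'
        uses: AdityaGarg8/remove-unwanted-software@90e01b21170618765a73370fcc3abbd1684a7793
        with:
          verbose: 'true'
          remove-android: 'true'
          remove-cached-tools: 'true'

      - name: Set Platform Environment Variables
        shell: bash -l {0}
        env:
          OPERATING_SYSTEM: ${{ runner.os }}
        run: |
          # On Windows, point the pixi and rattler caches at D:\rattler.
          if [[ $OPERATING_SYSTEM == 'Windows' ]]; then
            echo 'PIXI_CACHE_DIR=D:\rattler' >> "$GITHUB_ENV"
            echo 'RATTLER_CACHE_DIR=D:\rattler' >> "$GITHUB_ENV"
          fi

      - name: Checkout Source
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          ref: ${{ github.sha }}
          fetch-depth: 2
          fetch-tags: true
          submodules: 'recursive'

      - uses: prefix-dev/setup-pixi@82d477f15f3a381dbcc8adc1206ce643fe110fb7
        with:
          pixi-version: v0.59.0
          cache: false

      - name: Install the Apple certificate and provisioning profile
        id: get_cert
        if: runner.os == 'macOS'
        # Only this step receives the Apple signing secrets. The
        # KEYCHAIN_PASSWORD secret is deliberately not passed in: the script
        # generates its own random keychain password before first use, so the
        # stored secret was never read here.
        env:
          APP_SPECIFIC_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
          BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
          DEVELOPER_TEAM_ID: ${{ secrets.DEVELOPER_TEAM_ID }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
        run: |
          # Without a certificate secret, report has_cert=false and stop
          # successfully, so the build continues unsigned.
          if [ -z "$BUILD_CERTIFICATE_BASE64" ]; then
            echo "has_cert=false" >> "$GITHUB_OUTPUT"
            echo "No certificate avalable... skipping" && exit 0
          else
            echo "has_cert=true" >> "$GITHUB_OUTPUT"
          fi
          # create variables
          CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
          PP_PATH="$RUNNER_TEMP/FreeCAD_bundle.provisionprofile"
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"

          # Per-run random password for the temporary keychain.
          export KEYCHAIN_PASSWORD=$(openssl rand -base64 8)

          # Decode the certificate and provisioning profile from the secrets.
          # The decoded files stay in RUNNER_TEMP for the rest of the job; on a
          # runner that is reused between jobs they, and the keychain, would
          # need an explicit cleanup step.
          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o "$CERTIFICATE_PATH"
          echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o "$PP_PATH"

          # Create and unlock the temporary keychain (21600 s lock timeout).
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Import the signing identity. `-A` lets any application use the
          # imported key without a prompt, which is only reasonable for a
          # throwaway keychain like this one.
          security import "$CERTIFICATE_PATH" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security list-keychain -d user -s "$KEYCHAIN_PATH"

          # Install the provisioning profile.
          mkdir -p ~/Library/Provisioning\ Profiles
          cp "$PP_PATH" ~/Library/Provisioning\ Profiles

          # Store the notarization credentials under the profile name "FreeCAD"
          # in the temporary keychain.
          xcrun notarytool store-credentials "FreeCAD" --keychain "$KEYCHAIN_PATH" --apple-id "${APPLE_ID}" --password "${APP_SPECIFIC_PASSWORD}" --team-id "${DEVELOPER_TEAM_ID}"

      - name: Build and Release Packages
        shell: bash
        # Everything this step runs (the version script, `pixi install`, the
        # `create_bundle` task and whatever they pull in) executes with a
        # contents:write token and the signing key id in its environment.
        env:
          GH_TOKEN: ${{ github.token }}
          SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
          # Empty on non-macOS runners, where the get_cert step is skipped.
          SIGN_RELEASE: ${{ steps.get_cert.outputs.has_cert }}
          TARGET_PLATFORM: ${{ matrix.target }}
          MAKE_INSTALLER: "true"
          UPLOAD_RELEASE: "true"
          BUILD_TAG: ${{ needs.upload_src.outputs.build_tag }}
        run: |
          python3 package/scripts/write_version_info.py ../freecad_version.txt
          cd package/rattler-build
          pixi install
          pixi run -e package create_bundle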
| |
| |
| |
| |
| |
| |
| |
|
|