.github/workflows/macos-build.yml

name: MacOS Build

env:
  OPENBB_LOG_COLLECT: false
  OPENBB_USE_PROMPT_TOOLKIT: false
  OPENBB_FILE_OVERWRITE: true
  PIP_DEFAULT_TIMEOUT: 100
  PYTHONNOUSERSITE: 1

on: workflow_dispatch

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  M1-MacOs-Build:
    name: M1 MacOS Build
    runs-on: [self-hosted, macos, ARM64]
    steps:
      # Checkout repository main branch. this allows for the commit hashes to line up
      - name: Checkout
        uses: actions/checkout@v3
      - name: Git Log
        run: git log
      # The following commands to clear previous PATHS and restore to defaults since we have to maintain the instance ourselves
      - name: Clean Previous Path
        run: |
          export PATH=""
          export PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
          echo $PATH
      # Set up caching for conda env so that the workflow runs quickly after the first time
      - name: Setup Conda Caching
        uses: actions/cache@v3
        with:
          path: ~/conda_pkgs_dir
          key: conda-macos-3-10-${{ hashFiles('build/conda/environments/constructor.yml') }}
      # Set up miniconda using the environment yaml file within the repo
      - name: Setup Miniconda
        uses: conda-incubator/setup-miniconda@v3.0.4
        with:
          miniconda-version: "latest"
          auto-update-conda: true
          channels: conda-forge,defaults
          show-channel-urls: true
          channel-priority: flexible
          environment-file: build/conda/environments/constructor.yml
          activate-environment: constructor
          auto-activate-base: false

      - name: Creating Application Keychain
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
          MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
          MACOS_CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
        run:
          | # when pushing to main, make to generate new cert, and utilize secrets to store new password, and identity
          echo "Ensuring Keychain with same name does not exist"
          rm -rf /Users/openbb/Library/Keychains/build.keychain-db
          echo "Decoding certificate"
          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
          echo "Creating Keychain"
          security create-keychain -p $MACOS_KEYCHAIN_PWD build.keychain
          echo "Setting Default Keychain"
          security default-keychain -s build.keychain
          echo "Unlocking Keychain"
          security unlock-keychain -p $MACOS_KEYCHAIN_PWD build.keychain
          echo "Importing Keychain"
          security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
          echo "Setting Partition List"
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_KEYCHAIN_PWD build.keychain

      - name: Create Signed Package
        env:
          MACOS_INSTALLER_KEYCHAIN_PWD: ${{ secrets.MACOS_INSTALLER_KEYCHAIN_PWD }}
          MACOS_INSTALLER_SIGNING_IDENTITY_NAME: ${{ secrets.MACOS_CODESIGN_INSTALLER_IDENTITY_NAME }}
          MACOS_APPLICATION_SIGNING_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
        run: |
          security unlock-keychain -p $MACOS_INSTALLER_KEYCHAIN_PWD install.keychain
          echo "signing_identity_name: $MACOS_INSTALLER_SIGNING_IDENTITY_NAME" >> build/conda/installer/construct.yaml
          echo "notarization_identity_name: $MACOS_APPLICATION_SIGNING_IDENTITY" >> build/conda/installer/construct.yaml
          cd build/conda && constructor installer/. && cd ../../
          mv build/conda/OpenBB-Platform-MacOSX-arm64.pkg OpenBB-Platform-MacOSX-arm64.pkg
        shell: bash -l {0}

      - name: Deleting Previous Keychain
        run: |
          echo "Deleting Previous Keychain to Clean Instance"
          rm -rf /Users/openbb/Library/Keychains/build.keychain-db

      - name: Clean up Build Artifacts
        run: |
          rm -rf build/conda/tmp

      - name: Notarize DMG
        env:
          NOTARIZE_APPLE_ID: ${{ secrets.NOTARIZE_APPLE_ID }}
          NOTARIZE_APPLE_PWD: ${{ secrets.NOTARIZE_APPLE_PWD }}
          NOTARIZE_APPLE_TEAM_ID: ${{ secrets.NOTARIZE_APPLE_TEAM_ID }}
        run: |
          xcrun notarytool submit OpenBB-Platform-MacOSX-arm64.pkg --apple-id "$NOTARIZE_APPLE_ID" --password "$NOTARIZE_APPLE_PWD" --team-id "$NOTARIZE_APPLE_TEAM_ID" --wait

      - name: Staple
        run: |
          xcrun stapler staple OpenBB-Platform-MacOSX-arm64.pkg

      - name: Save Build Artifact PKG
        uses: actions/upload-artifact@v4
        with:
          name: OpenBBM1.pkg
          path: OpenBB-Platform-MacOSX-arm64.pkg

      - name: Clean up Build Artifacts
        run: |
          rm OpenBB-Platform-MacOSX-arm64.pkg

  # Job to build the MacOS Intel version of the Terminal===================================
  Intel-MacOs-Build:
    name: Intel MacOS Build
    runs-on: [self-hosted, macos, x64]
    steps:
      # Checkout repository main branch. this allows for the commit hashes to line up
      - name: Checkout
        uses: actions/checkout@v3
      - name: Git Log
        run: git log
      # The following commands to clear previous PATHS and restore to defaults since we have to maintain the instance ourselves
      - name: Clean Previous Path
        run: |
          export PATH=""
          export PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
          echo $PATH
      # Set up caching for conda env so that the workflow runs quickly after the first time
      - name: Setup Conda Caching
        uses: actions/cache@v3
        with:
          path: ~/conda_pkgs_dir
          key: conda-macos-3-10-${{ hashFiles('build/conda/environments/constructor.yml') }}
      # Set up miniconda using the environment yaml file within the repo
      - name: Setup Miniconda
        uses: conda-incubator/setup-miniconda@v3.0.4
        with:
          miniconda-version: "latest"
          auto-update-conda: true
          channels: conda-forge,defaults
          show-channel-urls: true
          channel-priority: flexible
          environment-file: build/conda/environments/constructor.yml
          activate-environment: constructor
          auto-activate-base: false

      - name: Creating Application Keychain
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
          MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
          MACOS_CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
        run:
          | # when pushing to main, make to generate new cert, and utilize secrets to store new password, and identity
          echo "Ensuring Keychain with same name does not exist"
          rm -rf /Users/openbb/Library/Keychains/build.keychain-db
          echo "Decoding certificate"
          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
          echo "Creating Keychain"
          security create-keychain -p $MACOS_KEYCHAIN_PWD build.keychain
          echo "Setting Default Keychain"
          security default-keychain -s build.keychain
          echo "Unlocking Keychain"
          security unlock-keychain -p $MACOS_KEYCHAIN_PWD build.keychain
          echo "Importing Keychain"
          security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
          echo "Setting Partition List"
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_KEYCHAIN_PWD build.keychain

      - name: Create Signed Package
        env:
          MACOS_INSTALLER_KEYCHAIN_PWD: ${{ secrets.MACOS_INSTALLER_KEYCHAIN_PWD }}
          MACOS_INSTALLER_SIGNING_IDENTITY_NAME: ${{ secrets.MACOS_CODESIGN_INSTALLER_IDENTITY_NAME }}
          MACOS_APPLICATION_SIGNING_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
        run: |
          security unlock-keychain -p $MACOS_INSTALLER_KEYCHAIN_PWD install.keychain
          echo "signing_identity_name: $MACOS_INSTALLER_SIGNING_IDENTITY_NAME" >> build/conda/installer/construct.yaml
          echo "notarization_identity_name: $MACOS_APPLICATION_SIGNING_IDENTITY" >> build/conda/installer/construct.yaml
          cd build/conda && constructor installer/. && cd ../../
          mv build/conda/OpenBB-Platform-MacOSX-x86_64.pkg OpenBB-Platform-MacOSX-x86_64.pkg
        shell: bash -l {0}

      - name: Deleting Previous Keychain
        run: |
          echo "Deleting Previous Keychain to Clean Instance"
          rm -rf /Users/openbb/Library/Keychains/build.keychain-db

      - name: Clean up Build Artifacts
        run: |
          rm -rf build/conda/tmp

      - name: Notarize DMG
        env:
          NOTARIZE_APPLE_ID: ${{ secrets.NOTARIZE_APPLE_ID }}
          NOTARIZE_APPLE_PWD: ${{ secrets.NOTARIZE_APPLE_PWD }}
          NOTARIZE_APPLE_TEAM_ID: ${{ secrets.NOTARIZE_APPLE_TEAM_ID }}
        run: |
          xcrun notarytool submit OpenBB-Platform-MacOSX-x86_64.pkg --apple-id "$NOTARIZE_APPLE_ID" --password "$NOTARIZE_APPLE_PWD" --team-id "$NOTARIZE_APPLE_TEAM_ID" --wait

      - name: Staple
        run: |
          xcrun stapler staple OpenBB-Platform-MacOSX-x86_64.pkg

      - name: Save Build Artifact PKG
        uses: actions/upload-artifact@v4
        with:
          name: OpenBBIntel.pkg
          path: OpenBB-Platform-MacOSX-x86_64.pkg

      - name: Clean up Build Artifacts
        run: |
          rm OpenBB-Platform-MacOSX-x86_64.pkg