Skip to content

Commit 5c3b144

Browse files
sophatvathanasophatvathana
committed
chore(ci): simplify macOS build workflows by removing Python installation and notarization steps
1 parent 5c60f7d commit 5c3b144

4 files changed

Lines changed: 406 additions & 163 deletions

File tree

.github/workflows/build.yml

Lines changed: 1 addition & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ jobs:
1818
- os: macos-latest
1919
target: aarch64-apple-darwin
2020
artifact_name: rohas-macos-arm64
21-
- os: macos-13
21+
- os: macos-latest
2222
target: x86_64-apple-darwin
2323
artifact_name: rohas-macos-x86_64
2424
- os: windows-latest
@@ -45,16 +45,6 @@ jobs:
4545
with:
4646
python-version: '3.12'
4747

48-
- name: Install Homebrew Python (macOS)
49-
if: runner.os == 'macOS'
50-
shell: bash
51-
run: |
52-
brew update
53-
brew install python@3.12 || brew upgrade python@3.12
54-
PY_PREFIX="$(brew --prefix python@3.12)"
55-
echo "PYO3_PYTHON=${PY_PREFIX}/bin/python3.12" >> $GITHUB_ENV
56-
echo "MACOS_PYTHON_FRAMEWORK=${PY_PREFIX}/Frameworks/Python.framework/Versions/3.12/Python" >> $GITHUB_ENV
57-
5848
- name: Install cross-compilation dependencies (Linux ARM64)
5949
if: matrix.target == 'aarch64-unknown-linux-gnu' && matrix.os != 'ubuntu-24.04-arm'
6050
run: |
@@ -124,24 +114,6 @@ jobs:
124114
OPENSSL_VENDORED: 1
125115
run: cargo build --release --target ${{ matrix.target }}
126116

127-
- name: Align macOS Python framework path
128-
if: runner.os == 'macOS'
129-
run: |
130-
BINARY="target/${{ matrix.target }}/release/rohas"
131-
if [ -f "$BINARY" ]; then
132-
OLD_PATH="/Library/Frameworks/Python.framework/Versions/3.12/Python"
133-
NEW_PATH="${MACOS_PYTHON_FRAMEWORK:-}"
134-
if [ -z "$NEW_PATH" ] || [ ! -f "$NEW_PATH" ]; then
135-
echo "macOS Python framework not found at $NEW_PATH"
136-
exit 1
137-
fi
138-
install_name_tool -change "$OLD_PATH" "$NEW_PATH" "$BINARY"
139-
install_name_tool -add_rpath "$(dirname "$(dirname "$NEW_PATH")")" "$BINARY" || true
140-
else
141-
echo "Binary not found at $BINARY"
142-
exit 1
143-
fi
144-
145117
- name: Import Apple Code Signing Certificate
146118
if: runner.os == 'macOS'
147119
uses: apple-actions/import-codesign-certs@v2

.github/workflows/release.yml

Lines changed: 119 additions & 133 deletions
Original file line numberDiff line numberDiff line change
@@ -18,12 +18,13 @@ jobs:
1818
fail-fast: false
1919
matrix:
2020
include:
21-
- os: macos-latest
22-
target: aarch64-apple-darwin
23-
artifact_name: rohas-macos-arm64
24-
- os: macos-13
25-
target: x86_64-apple-darwin
26-
artifact_name: rohas-macos-x86_64
21+
# macOS builds are commented out - users can build from source using build.sh
22+
# - os: macos-latest
23+
# target: aarch64-apple-darwin
24+
# artifact_name: rohas-macos-arm64
25+
# - os: macos-latest
26+
# target: x86_64-apple-darwin
27+
# artifact_name: rohas-macos-x86_64
2728
- os: windows-latest
2829
target: x86_64-pc-windows-msvc
2930
artifact_name: rohas-windows-x86_64
@@ -48,16 +49,6 @@ jobs:
4849
with:
4950
python-version: '3.12'
5051

51-
- name: Install Homebrew Python (macOS)
52-
if: runner.os == 'macOS'
53-
shell: bash
54-
run: |
55-
brew update
56-
brew install python@3.12 || brew upgrade python@3.12
57-
PY_PREFIX="$(brew --prefix python@3.12)"
58-
echo "PYO3_PYTHON=${PY_PREFIX}/bin/python3.12" >> $GITHUB_ENV
59-
echo "MACOS_PYTHON_FRAMEWORK=${PY_PREFIX}/Frameworks/Python.framework/Versions/3.12/Python" >> $GITHUB_ENV
60-
6152
- name: Install cross-compilation dependencies (Linux ARM64)
6253
if: matrix.target == 'aarch64-unknown-linux-gnu' && matrix.os != 'ubuntu-24.04-arm'
6354
run: |
@@ -127,120 +118,103 @@ jobs:
127118
OPENSSL_VENDORED: 1
128119
run: cargo build --release --target ${{ matrix.target }}
129120

130-
- name: Align macOS Python framework path
131-
if: runner.os == 'macOS'
132-
run: |
133-
BINARY="target/${{ matrix.target }}/release/rohas"
134-
if [ -f "$BINARY" ]; then
135-
OLD_PATH="/Library/Frameworks/Python.framework/Versions/3.12/Python"
136-
NEW_PATH="${MACOS_PYTHON_FRAMEWORK:-}"
137-
if [ -z "$NEW_PATH" ] || [ ! -f "$NEW_PATH" ]; then
138-
echo "macOS Python framework not found at $NEW_PATH"
139-
exit 1
140-
fi
141-
install_name_tool -change "$OLD_PATH" "$NEW_PATH" "$BINARY"
142-
install_name_tool -add_rpath "$(dirname "$(dirname "$NEW_PATH")")" "$BINARY" || true
143-
else
144-
echo "Binary not found at $BINARY"
145-
exit 1
146-
fi
147-
148-
- name: Import Apple Code Signing Certificate
149-
if: runner.os == 'macOS'
150-
uses: apple-actions/import-codesign-certs@v2
151-
with:
152-
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
153-
p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
154-
155-
- name: Code Sign macOS Binary
156-
if: runner.os == 'macOS'
157-
shell: bash
158-
run: |
159-
BINARY="target/${{ matrix.target }}/release/rohas"
160-
if [ -f "$BINARY" ]; then
161-
SIGNING_IDENTITY="${{ secrets.APPLE_SIGNING_IDENTITY }}"
162-
if [ -z "$SIGNING_IDENTITY" ]; then
163-
echo "Warning: APPLE_SIGNING_IDENTITY not set, skipping code signing"
164-
else
165-
codesign --force --timestamp --options runtime --sign "$SIGNING_IDENTITY" "$BINARY"
166-
codesign --verify --verbose "$BINARY"
167-
fi
168-
else
169-
echo "Binary not found at $BINARY"
170-
exit 1
171-
fi
172-
173-
- name: Notarize macOS Binary
174-
if: runner.os == 'macOS'
175-
shell: bash
176-
run: |
177-
BINARY="$GITHUB_WORKSPACE/target/${{ matrix.target }}/release/rohas"
178-
if [ -f "$BINARY" ]; then
179-
APPLE_ID="${{ secrets.APPLE_ID }}"
180-
APPLE_TEAM_ID="${{ secrets.APPLE_TEAM_ID }}"
181-
APPLE_APP_PASSWORD="${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}"
182-
183-
if [ -z "$APPLE_ID" ] || [ -z "$APPLE_TEAM_ID" ] || [ -z "$APPLE_APP_PASSWORD" ]; then
184-
echo "Warning: Notarization credentials not set, skipping notarization"
185-
else
186-
# Create a zip file for notarization (required format)
187-
# Use absolute path to avoid any path resolution issues
188-
NOTARIZE_ZIP="$GITHUB_WORKSPACE/target/${{ matrix.target }}/release/rohas-notarize.zip"
189-
cd "$GITHUB_WORKSPACE/target/${{ matrix.target }}/release"
190-
zip -j "rohas-notarize.zip" rohas
191-
192-
# Submit for notarization
193-
xcrun notarytool submit "$NOTARIZE_ZIP" \
194-
--apple-id "$APPLE_ID" \
195-
--team-id "$APPLE_TEAM_ID" \
196-
--password "$APPLE_APP_PASSWORD" \
197-
--wait
198-
199-
# Wait a few seconds for the ticket to propagate to Apple's CDN
200-
echo "Waiting for notarization ticket to propagate..."
201-
sleep 10
202-
203-
# Staple the notarization ticket to the binary
204-
# Retry stapling a few times as the ticket may take time to propagate
205-
MAX_RETRIES=5
206-
RETRY_COUNT=0
207-
STAPLE_SUCCESS=false
208-
209-
while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
210-
if xcrun stapler staple "$BINARY" 2>&1; then
211-
STAPLE_SUCCESS=true
212-
echo "Successfully stapled notarization ticket"
213-
break
214-
else
215-
RETRY_COUNT=$((RETRY_COUNT + 1))
216-
if [ $RETRY_COUNT -lt $MAX_RETRIES ]; then
217-
echo "Stapling failed, retrying in 5 seconds... (attempt $RETRY_COUNT/$MAX_RETRIES)"
218-
sleep 5
219-
fi
220-
fi
221-
done
222-
223-
if [ "$STAPLE_SUCCESS" = false ]; then
224-
echo "Warning: Failed to staple notarization ticket after $MAX_RETRIES attempts"
225-
echo "The binary is notarized but not stapled. This may cause Gatekeeper warnings on first run."
226-
echo "This is non-fatal - the binary will still work, but users may see a warning on first launch."
227-
fi
228-
229-
# Verify the binary is signed
230-
codesign --verify --verbose "$BINARY"
231-
232-
# Verify stapling if it succeeded
233-
if [ "$STAPLE_SUCCESS" = true ]; then
234-
xcrun stapler validate "$BINARY" || echo "Warning: Stapler validation failed, but binary is notarized"
235-
fi
236-
237-
# Clean up the temporary zip file
238-
rm -f "$NOTARIZE_ZIP"
239-
fi
240-
else
241-
echo "Binary not found at $BINARY"
242-
exit 1
243-
fi
121+
# macOS builds are commented out - users can build from source using build.sh
122+
# - name: Import Apple Code Signing Certificate
123+
# if: runner.os == 'macOS'
124+
# uses: apple-actions/import-codesign-certs@v2
125+
# with:
126+
# p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
127+
# p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
128+
#
129+
# - name: Code Sign macOS Binary
130+
# if: runner.os == 'macOS'
131+
# shell: bash
132+
# run: |
133+
# BINARY="target/${{ matrix.target }}/release/rohas"
134+
# if [ -f "$BINARY" ]; then
135+
# SIGNING_IDENTITY="${{ secrets.APPLE_SIGNING_IDENTITY }}"
136+
# if [ -z "$SIGNING_IDENTITY" ]; then
137+
# echo "Warning: APPLE_SIGNING_IDENTITY not set, skipping code signing"
138+
# else
139+
# codesign --force --timestamp --options runtime --sign "$SIGNING_IDENTITY" "$BINARY"
140+
# codesign --verify --verbose "$BINARY"
141+
# fi
142+
# else
143+
# echo "Binary not found at $BINARY"
144+
# exit 1
145+
# fi
146+
#
147+
# - name: Notarize macOS Binary
148+
# if: runner.os == 'macOS'
149+
# shell: bash
150+
# run: |
151+
# BINARY="$GITHUB_WORKSPACE/target/${{ matrix.target }}/release/rohas"
152+
# if [ -f "$BINARY" ]; then
153+
# APPLE_ID="${{ secrets.APPLE_ID }}"
154+
# APPLE_TEAM_ID="${{ secrets.APPLE_TEAM_ID }}"
155+
# APPLE_APP_PASSWORD="${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}"
156+
#
157+
# if [ -z "$APPLE_ID" ] || [ -z "$APPLE_TEAM_ID" ] || [ -z "$APPLE_APP_PASSWORD" ]; then
158+
# echo "Warning: Notarization credentials not set, skipping notarization"
159+
# else
160+
# # Create a zip file for notarization (required format)
161+
# # Use absolute path to avoid any path resolution issues
162+
# NOTARIZE_ZIP="$GITHUB_WORKSPACE/target/${{ matrix.target }}/release/rohas-notarize.zip"
163+
# cd "$GITHUB_WORKSPACE/target/${{ matrix.target }}/release"
164+
# zip -j "rohas-notarize.zip" rohas
165+
#
166+
# # Submit for notarization
167+
# xcrun notarytool submit "$NOTARIZE_ZIP" \
168+
# --apple-id "$APPLE_ID" \
169+
# --team-id "$APPLE_TEAM_ID" \
170+
# --password "$APPLE_APP_PASSWORD" \
171+
# --wait
172+
#
173+
# # Wait a few seconds for the ticket to propagate to Apple's CDN
174+
# echo "Waiting for notarization ticket to propagate..."
175+
# sleep 10
176+
#
177+
# # Staple the notarization ticket to the binary
178+
# # Retry stapling a few times as the ticket may take time to propagate
179+
# MAX_RETRIES=5
180+
# RETRY_COUNT=0
181+
# STAPLE_SUCCESS=false
182+
#
183+
# while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
184+
# if xcrun stapler staple "$BINARY" 2>&1; then
185+
# STAPLE_SUCCESS=true
186+
# echo "Successfully stapled notarization ticket"
187+
# break
188+
# else
189+
# RETRY_COUNT=$((RETRY_COUNT + 1))
190+
# if [ $RETRY_COUNT -lt $MAX_RETRIES ]; then
191+
# echo "Stapling failed, retrying in 5 seconds... (attempt $RETRY_COUNT/$MAX_RETRIES)"
192+
# sleep 5
193+
# fi
194+
# fi
195+
# done
196+
#
197+
# if [ "$STAPLE_SUCCESS" = false ]; then
198+
# echo "Warning: Failed to staple notarization ticket after $MAX_RETRIES attempts"
199+
# echo "The binary is notarized but not stapled. This may cause Gatekeeper warnings on first run."
200+
# echo "This is non-fatal - the binary will still work, but users may see a warning on first launch."
201+
# fi
202+
#
203+
# # Verify the binary is signed
204+
# codesign --verify --verbose "$BINARY"
205+
#
206+
# # Verify stapling if it succeeded
207+
# if [ "$STAPLE_SUCCESS" = true ]; then
208+
# xcrun stapler validate "$BINARY" || echo "Warning: Stapler validation failed, but binary is notarized"
209+
# fi
210+
#
211+
# # Clean up the temporary zip file
212+
# rm -f "$NOTARIZE_ZIP"
213+
# fi
214+
# else
215+
# echo "Binary not found at $BINARY"
216+
# exit 1
217+
# fi
244218

245219
- name: Prepare artifact (Windows)
246220
if: runner.os == 'Windows'
@@ -325,15 +299,27 @@ jobs:
325299
326300
### Downloads
327301
328-
- **macOS ARM64 (M1)**: `rohas-macos-arm64.tar.gz`
329-
- **macOS x86_64**: `rohas-macos-x86_64.tar.gz`
330302
- **Windows x86_64**: `rohas-windows-x86_64.zip`
331303
- **Linux x86_64**: `rohas-linux-x86_64.tar.gz`
332304
- **Linux ARM64**: `rohas-linux-arm64.tar.gz`
333305
306+
### Building from Source
307+
308+
**macOS and other platforms** can build from source using our build script:
309+
```bash
310+
curl -fsSL https://raw.githubusercontent.com/rohas-dev/rohas/main/scripts/build.sh | bash
311+
```
312+
313+
Or clone the repository and build manually:
314+
```bash
315+
git clone https://github.com/rohas-dev/rohas.git
316+
cd rohas
317+
cargo build --release
318+
```
319+
334320
### Installation
335321
336-
**macOS/Linux:**
322+
**Linux:**
337323
```bash
338324
tar -xzf rohas-<platform>.tar.gz
339325
sudo mv rohas /usr/local/bin/

crates/rohas-runtime/Cargo.toml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,4 +25,3 @@ once_cell = "1.21.3"
2525
[dev-dependencies]
2626
tokio-test = "0.4"
2727
tracing-subscriber = { workspace = true }
28-

0 commit comments

Comments
 (0)