Build native conda environments #54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build native conda environments | |
| on: | |
| release: | |
| types: [published] | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, macos-13, windows-latest] | |
| python-version: ["3.10"] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - uses: conda-incubator/setup-miniconda@v3 | |
| with: | |
| activate-environment: wake | |
| auto-update-conda: true | |
| python-version: ${{ matrix.python-version }} | |
| - name: Install dependencies | |
| shell: bash -el {0} | |
| run: | | |
| python -m pip install . | |
| echo "VERSION=$(wake --version)" >> $GITHUB_ENV | |
| conda install -c conda-forge conda-pack -y | |
| - name: Set up variables | |
| id: vars | |
| shell: bash -el {0} | |
| run: | | |
| OS=$(echo ${{ runner.os }} | tr '[:upper:]' '[:lower:]') | |
| ARCH=$(echo ${{ runner.arch }} | tr '[:upper:]' '[:lower:]') | |
| echo "FILENAME=wake-${{ env.VERSION }}-${OS}-${ARCH}.tar.gz" >> $GITHUB_ENV | |
| echo "OS=${OS}" >> $GITHUB_ENV | |
| echo "ARCH=${ARCH}" >> $GITHUB_ENV | |
| - name: Pack conda environment | |
| shell: bash -el {0} | |
| run: | | |
| conda-pack -n wake -o ${{ env.FILENAME }} | |
| - name: Sign Python binary on MacOS | |
| if: runner.os == 'macOS' | |
| run: | | |
| security create-keychain -p "temp" build.keychain | |
| curl -O https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer | |
| security import DeveloperIDG2CA.cer -k build.keychain | |
| echo "${{ secrets.CONDA_MACOS_SIGNING_KEY }}" | base64 --decode > signing_certificate.p12 | |
| security import signing_certificate.p12 -P "" -T /usr/bin/codesign -k build.keychain | |
| mkdir wake-conda | |
| tar -xzf ${{ env.FILENAME }} --directory wake-conda | |
| security default-keychain -s build.keychain | |
| security set-key-partition-list -S apple-tool:,apple: -s -k "temp" build.keychain > /dev/null | |
| security unlock-keychain -p "temp" build.keychain | |
| codesign --force -s "${{ secrets.CONDA_MACOS_SIGNING_IDENTITY }}" ./wake-conda/bin/python | |
| tar -czf ${{ env.FILENAME }} -C wake-conda . | |
| security delete-keychain build.keychain | |
| rm signing_certificate.p12 | |
| - name: Generate checksum Linux & Windows | |
| if: runner.os != 'macOS' | |
| run: | | |
| sha256sum ${{ env.FILENAME }} > ${{ env.FILENAME }}.sha256 | |
| - name: Generate checksum MacOS | |
| if: runner.os == 'macOS' | |
| run: | | |
| shasum -a 256 ${{ env.FILENAME }} > ${{ env.FILENAME }}.sha256 | |
| - name: Generate signature | |
| run: | | |
| echo "${{ secrets.CONDA_PRIVATE_KEY }}" > key.pem | |
| openssl dgst -sha256 -sign key.pem -out ${{ env.FILENAME }}.sha256.sig ${{ env.FILENAME }}.sha256 | |
| - name: Auth to Google Storage | |
| uses: 'google-github-actions/auth@v2' | |
| with: | |
| credentials_json: ${{ secrets.GCP_SA_KEY }} | |
| - name: Upload tarball | |
| uses: 'google-github-actions/upload-cloud-storage@v2' | |
| with: | |
| path: '${{ env.FILENAME }}' | |
| destination: 'wake-conda' | |
| headers: |- | |
| x-goog-meta-version: ${{ env.VERSION }} | |
| x-goog-meta-os: ${{ env.OS }} | |
| x-goog-meta-arch: ${{ env.ARCH }} | |
| x-goog-meta-python: ${{ matrix.python-version }} | |
| - name: Upload checksum | |
| uses: 'google-github-actions/upload-cloud-storage@v2' | |
| with: | |
| path: ${{ env.FILENAME }}.sha256 | |
| destination: 'wake-conda' | |
| - name: Upload signature | |
| uses: 'google-github-actions/upload-cloud-storage@v2' | |
| with: | |
| path: ${{ env.FILENAME }}.sha256.sig | |
| destination: 'wake-conda' |