Archive/yass/.github/workflows/releases-macos.yml

name: Build Artifacts (macOS)
on:
  workflow_dispatch:
    inputs:
      logLevel:
        description: 'Log level'
        required: true
        default: 'warning'
        type: choice
        options:
        - info
        - warning
        - debug
      tags:
        description: 'Test scenario tags'
        required: false
        type: boolean
  pull_request:
    branches: [master, develop]
    paths-ignore:
    - '**/*.md'
    - '.circleci/**'
    - '.cirrus.yml'
  push:
    branches: [master, develop]
    paths-ignore:
    - '**/*.md'
    - '.circleci/**'
    - '.cirrus.yml'
  release:
    types: [published]
  schedule:
    - cron: '0 16 * * *'
concurrency:
  group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
  cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
env:
  CACHE_EPOCH: 127-4
  GOPROXY: direct
jobs:
  mac-release:
    runs-on: macos-14
    strategy:
      fail-fast: false
      matrix:
        arch: [x64, arm64]
        build_type: [Release]
    env:
      BUILD_TYPE: '${{ matrix.build_type }}'
    steps:
      - uses: actions/checkout@v4
      - name: Checkout with shallow submodules
        run: |
          # unshallow must come first otherwise submodule may be get unshallowed
          git fetch --tags --unshallow
          git submodule update --init --depth 1
      - name: Cache clang
        id: clang-cache
        uses: actions/cache@v4
        with:
          path: |
            third_party/llvm-build/Release+Asserts
          key: ${{ runner.os }}-toolchain-arm64-${{ hashFiles('CLANG_REVISION') }}-v${{ env.CACHE_EPOCH }}
      - uses: actions/setup-go@v5
        with:
          go-version: '>=1.19.0'
      - name: Cache depot_tools
        id: depot-cache
        uses: actions/cache@v4
        with:
          path: |
            third_party/depot_tools
          key: ${{ runner.os }}-depot_tools-v1
      - name: Cache crashpad build stage
        id: crashpad-cache
        uses: actions/cache@v4
        with:
          path: |
            third_party/crashpad
          key: ${{ runner.os }}-mac-${{ matrix.arch }}-crashpad-${{ hashFiles('CRASHPAD_COMMIT') }}-v${{ env.CACHE_EPOCH }}
      - name: Cache golang (tools only)
        uses: actions/cache@v4
        with:
          path: |
            ~/Library/Caches/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-tools-${{ hashFiles('tools/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-tools-
      - name: Build build tool
        run: |
          cd tools
          go build
      - name: "Install dependency: prebuilt clang and clang-tidy binaries"
        if: ${{ steps.clang-cache.outputs.cache-hit != 'true' }}
        run: |
          ./scripts/download-clang-prebuilt-binaries.py
          rm -f third_party/llvm-build/Release+Asserts/*.tgz
      - name: Populate depedencies
        run: |
          # brew update
          # brew install ninja cmake p7zip
          brew install ninja
          # pin to old python for distutils (python 3.12 removed it)
          brew install python@3.11
          brew unlink python@3.11
          brew unlink python@3.12
          brew link --force --overwrite python@3.11
          ln -sf $(brew --prefix)/opt/python@3.11/libexec/bin/python /opt/homebrew/bin/python
          ln -sf $(brew --prefix)/opt/python@3.11/libexec/bin/python /opt/homebrew/bin/python3
      - name: Set up Xcode to 15.4
        run: |
          sudo xcode-select -s /Applications/Xcode_15.4.app
      - name: Download and Build Crashpad (include depot_tools)
        if: ${{ steps.depot-cache.outputs.cache-hit != 'true' || steps.crashpad-cache.outputs.cache-hit != 'true' }}
        shell: bash
        run: |
          WITH_CPU=${{ matrix.arch }} ./scripts/build-crashpad.sh
      - name: Install the Apple certificate
        if: ${{ github.event_name == 'release' }}
        env:
          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          # create variables
          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

          # import certificate and provisioning profile from secrets
          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH

          # create temporary keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

          # import certificate to keychain
          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security list-keychain -d user -s $KEYCHAIN_PATH

          echo "CODESIGN_IDENTITY=Developer ID Application" >> $GITHUB_ENV
          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> $GITHUB_ENV
      - name: Build
        run: |
          ./tools/build --arch ${{ matrix.arch }} -build-test -build-benchmark
      - name: Clean up keychain and provisioning profile
        if: ${{ always() }}
        run: |
          if [ ! -z $KEYCHAIN_PATH ]; then
            security delete-keychain $KEYCHAIN_PATH
          fi
      - name: Install rosetta
        if: ${{ matrix.arch == 'x64' }}
        run: |
          /usr/sbin/softwareupdate --install-rosetta --agree-to-license
      - name: Run tests
        run: |
          ./build-darwin-${{ matrix.arch }}/yass_test
          # slow on m1 bots
          # ./build-darwin-${{ matrix.arch }}/yass_benchmark
      - name: Upload dist tarball (including debuginfo)
        if: ${{ github.event_name == 'release' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release upload ${{ github.event.release.tag_name }} *.dmg *.zip