From b42af1eac252405b536b40e19d1e0ee101c4c730 Mon Sep 17 00:00:00 2001 From: lxowalle Date: Thu, 30 Apr 2026 18:27:39 +0800 Subject: [PATCH] fix(ci): use official rcodesign binary in macOS workflows fix(ci): normalize notary key secret for rcodesign Revert "fix(ci): normalize notary key secret for rcodesign" This reverts commit 34eb5acb5379a039306c04ddbdbd329de58aa9f6. Revert "fix(ci): use official rcodesign binary in macOS workflows" This reverts commit a81dcb4f902cdc5930895eb4aee61ff1af91cbac. Revert "ci: parallel macOS CGO launcher build, lowercase Docker tags, conditional Docker Hub login (#2643)" This reverts commit 9fba52d0fa8f6510187085be0654286dd25ab95c. --- .github/workflows/nightly.yml | 166 +--------------------------------- .github/workflows/release.yml | 157 +------------------------------- .goreleaser.yaml | 56 +++++++++++- 3 files changed, 54 insertions(+), 325 deletions(-) diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index f595004f0..39ad8810e 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -74,10 +74,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker Hub - if: env.DOCKERHUB_USERNAME != '' uses: docker/login-action@v4 - env: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} with: registry: docker.io username: ${{ secrets.DOCKERHUB_USERNAME }} @@ -89,10 +86,6 @@ jobs: - name: Create local tag for GoReleaser run: git tag "${{ steps.version.outputs.version }}" - - name: Lowercase owner for Docker tags - id: repo - run: echo "owner=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" - - name: Run GoReleaser uses: goreleaser/goreleaser-action@v7 with: 
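Review bot: `Login to Docker Hub` is now unconditional, so a run without `secrets.DOCKERHUB_USERNAME` (a fork, or a repository that only publishes to GHCR) will most likely fail in `docker/login-action` on the empty username instead of skipping the step. The guard came from the reverted #2643 but is unrelated to the rcodesign signing change named in the subject. Consider keeping `if: env.DOCKERHUB_USERNAME != ''` together with its step-level `env:` entry `DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}`. The same applies to the `@@ -80,10 +80,7 @@` hunk of `.github/workflows/release.yml`; the step's `with:` block continues outside this hunk.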
@@ -101,7 +94,7 @@ jobs: args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - REPO_OWNER: ${{ steps.repo.outputs.owner }} + GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }} DOCKERHUB_IMAGE_NAME: ${{ vars.DOCKERHUB_REPOSITORY }} GOVERSION: ${{ steps.setup-go.outputs.go-version }} GORELEASER_CURRENT_TAG: ${{ steps.version.outputs.version }} 
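Review bot: `GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}` passes the owner to GoReleaser without case normalization, and `.goreleaser.yaml` interpolates it into `ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/picoclaw`. Image repository names must be lowercase, so the publish step breaks for any owner or fork whose name contains capitals, and the `Lowercase owner for Docker tags` step that used to normalize it is removed in the preceding hunk. If the revert has to stay, the value can be lowercased in the template instead, e.g. `"ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER | tolower }}/picoclaw"`. The same line changes in the `@@ -104,7 +97,7 @@` hunk of `release.yml`; the `env:` block may continue outside both hunks.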
@@ -151,160 +144,3 @@ jobs: --prerelease \ --latest=false \ "${ASSETS[@]}" - - build-macos-launcher: - name: Build macOS Launcher (${{ matrix.arch_name }}) - runs-on: macos-latest - permissions: - contents: read - strategy: - matrix: - include: - - goarch: arm64 - arch_name: arm64 - - goarch: amd64 - arch_name: x86_64 - steps: - - name: Checkout - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - - name: Setup Go from go.mod - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - name: Setup pnpm - uses: pnpm/action-setup@v6 - with: - version: 10.33.0 - run_install: false - - - name: Setup Node.js - uses: actions/setup-node@v6 - with: - node-version: 22 - cache: pnpm - cache-dependency-path: web/frontend/pnpm-lock.yaml - - - name: Build frontend - run: | - cd web/frontend - CI=true pnpm install --frozen-lockfile - pnpm build:backend - - - name: Compute version - id: version - run: | - DATE=$(date -u +%Y%m%d) - SHA=$(git rev-parse --short=8 HEAD) - BASE_VERSION=$(git describe --tags --match "v*" --exclude "*nightly*" --abbrev=0 2>/dev/null || true) - if [ -z "$BASE_VERSION" ] || [ "$BASE_VERSION" = "v0.0.0" ]; then - VERSION="v0.0.0-nightly.${DATE}.${SHA}" - else - VERSION="${BASE_VERSION}-nightly.${DATE}.${SHA}" - fi - echo "version=${VERSION}" >> "$GITHUB_OUTPUT" - - - name: Build picoclaw-launcher with CGO - env: - CGO_ENABLED: "1" - GOOS: darwin - GOARCH: ${{ matrix.goarch }} - run: | - SDK_PATH=$(xcrun --show-sdk-path) - export CGO_CFLAGS="-isysroot ${SDK_PATH} -mmacosx-version-min=11.0" - export CGO_LDFLAGS="-isysroot ${SDK_PATH}" - - go generate ./... 
- go build -tags "goolm,stdjson" \ - -ldflags "-s -w \ - -X github.com/sipeed/picoclaw/pkg/config.Version=${{ steps.version.outputs.version }} \ - -X github.com/sipeed/picoclaw/pkg/config.GitCommit=$(git rev-parse --short HEAD) \ - -X github.com/sipeed/picoclaw/pkg/config.BuildTime=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \ - -o picoclaw-launcher-cgo \ - ./web/backend - - - name: Sign and notarize launcher binary - if: env.MACOS_SIGN_P12 != '' - env: - MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }} - MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }} - MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }} - MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }} - MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }} - run: | - cleanup() { - rm -rf .venv-rcodesign - rm -f cert.p12 notary-key.p8 - } - trap cleanup EXIT - - python3 -m venv .venv-rcodesign - ./.venv-rcodesign/bin/python -m pip install --upgrade pip - ./.venv-rcodesign/bin/python -m pip install rcodesign - - echo "$MACOS_SIGN_P12" | base64 -d > cert.p12 - - ./.venv-rcodesign/bin/rcodesign sign \ - --p12-file cert.p12 \ - --p12-password "$MACOS_SIGN_PASSWORD" \ - picoclaw-launcher-cgo - - echo "$MACOS_NOTARY_KEY" > notary-key.p8 - - ./.venv-rcodesign/bin/rcodesign notary-submit \ - --api-key-path notary-key.p8 \ - --api-issuer "$MACOS_NOTARY_ISSUER_ID" \ - --wait \ - picoclaw-launcher-cgo - - - name: Upload launcher artifact - uses: actions/upload-artifact@v4 - with: - name: macos-launcher-${{ matrix.arch_name }} - path: picoclaw-launcher-cgo - retention-days: 1 - - patch-macos-archives: - name: Patch macOS Archives - needs: [nightly, build-macos-launcher] - runs-on: ubuntu-latest - permissions: - contents: write - strategy: - matrix: - include: - - arch_name: arm64 - - arch_name: x86_64 - steps: - - name: Download launcher artifact - uses: actions/download-artifact@v4 - with: - name: macos-launcher-${{ matrix.arch_name }} - - - name: Patch darwin release archive - env: - GH_TOKEN: ${{ 
secrets.GITHUB_TOKEN }} - run: | - ARCHIVE_NAME="picoclaw_Darwin_${{ matrix.arch_name }}.tar.gz" - - gh release download nightly \ - --repo "${{ github.repository }}" \ - --pattern "${ARCHIVE_NAME}" \ - --dir ./patch-tmp - - mkdir -p ./patch-extracted - tar xzf "./patch-tmp/${ARCHIVE_NAME}" -C ./patch-extracted - - cp picoclaw-launcher-cgo ./patch-extracted/picoclaw-launcher - chmod +x ./patch-extracted/picoclaw-launcher - - tar czf "${ARCHIVE_NAME}" -C ./patch-extracted . - - gh release upload nightly \ - --repo "${{ github.repository }}" \ - "${ARCHIVE_NAME}" --clobber - - echo "✅ Patched ${ARCHIVE_NAME} with CGO launcher (systray enabled)" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e781474f8..a52b6df8f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -80,10 +80,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker Hub - if: env.DOCKERHUB_USERNAME != '' uses: docker/login-action@v4 - env: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} with: registry: docker.io username: ${{ secrets.DOCKERHUB_USERNAME }} @@ -92,10 +89,6 @@ jobs: - name: Install zip run: sudo apt-get install -y zip - - name: Lowercase owner for Docker tags - id: repo - run: echo "owner=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" - - name: Run GoReleaser uses: goreleaser/goreleaser-action@v7 with: @@ -104,7 +97,7 @@ jobs: args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - REPO_OWNER: ${{ steps.repo.outputs.owner }} + GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }} DOCKERHUB_IMAGE_NAME: ${{ vars.DOCKERHUB_REPOSITORY }} GOVERSION: ${{ steps.setup-go.outputs.go-version }} INCLUDE_ANDROID_BUNDLE: "true" 
@@ -123,155 +116,9 @@ jobs: --draft=${{ inputs.draft }} \ --prerelease=${{ inputs.prerelease }} - build-macos-launcher: - name: Build macOS Launcher (${{ matrix.arch_name }}) - runs-on: macos-latest - permissions: - contents: read - strategy: - matrix: - include: - - goarch: arm64 - arch_name: arm64 - - goarch: amd64 - arch_name: x86_64 - steps: - - name: Checkout tag - uses: actions/checkout@v6 - with: - fetch-depth: 0 - ref: ${{ inputs.tag }} - - - name: Setup Go from go.mod - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - name: Setup pnpm - uses: pnpm/action-setup@v6 - with: - version: 10.33.0 - run_install: false - - - name: Setup Node.js - uses: actions/setup-node@v6 - with: - node-version: 22 - cache: pnpm - cache-dependency-path: web/frontend/pnpm-lock.yaml - - - name: Build frontend - run: | - cd web/frontend - CI=true pnpm install --frozen-lockfile - pnpm build:backend - - - name: Build picoclaw-launcher with CGO - env: - CGO_ENABLED: "1" - GOOS: darwin - GOARCH: ${{ matrix.goarch }} - run: | - SDK_PATH=$(xcrun --show-sdk-path) - export CGO_CFLAGS="-isysroot ${SDK_PATH} -mmacosx-version-min=11.0" - export CGO_LDFLAGS="-isysroot ${SDK_PATH}" - - go generate ./... 
- go build -tags "goolm,stdjson" \ - -ldflags "-s -w \ - -X github.com/sipeed/picoclaw/pkg/config.Version=${{ inputs.tag }} \ - -X github.com/sipeed/picoclaw/pkg/config.GitCommit=$(git rev-parse --short HEAD) \ - -X github.com/sipeed/picoclaw/pkg/config.BuildTime=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \ - -o picoclaw-launcher-cgo \ - ./web/backend - - - name: Sign and notarize launcher binary - if: env.MACOS_SIGN_P12 != '' - env: - MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }} - MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }} - MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }} - MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }} - MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }} - run: | - cleanup() { - rm -rf .venv-rcodesign - rm -f cert.p12 notary-key.p8 - } - trap cleanup EXIT - - python3 -m venv .venv-rcodesign - ./.venv-rcodesign/bin/python -m pip install --upgrade pip - ./.venv-rcodesign/bin/python -m pip install rcodesign - - echo "$MACOS_SIGN_P12" | base64 -d > cert.p12 - - ./.venv-rcodesign/bin/rcodesign sign \ - --p12-file cert.p12 \ - --p12-password "$MACOS_SIGN_PASSWORD" \ - picoclaw-launcher-cgo - - echo "$MACOS_NOTARY_KEY" > notary-key.p8 - - ./.venv-rcodesign/bin/rcodesign notary-submit \ - --api-key-path notary-key.p8 \ - --api-issuer "$MACOS_NOTARY_ISSUER_ID" \ - --wait \ - picoclaw-launcher-cgo - - - name: Upload launcher artifact - uses: actions/upload-artifact@v4 - with: - name: macos-launcher-${{ matrix.arch_name }} - path: picoclaw-launcher-cgo - retention-days: 1 - - patch-macos-archives: - name: Patch macOS Archives - needs: [release, build-macos-launcher] - runs-on: ubuntu-latest - permissions: - contents: write - strategy: - matrix: - include: - - arch_name: arm64 - - arch_name: x86_64 - steps: - - name: Download launcher artifact - uses: actions/download-artifact@v4 - with: - name: macos-launcher-${{ matrix.arch_name }} - - - name: Patch darwin release archive - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - TAG: ${{ 
inputs.tag }} - run: | - ARCHIVE_NAME="picoclaw_Darwin_${{ matrix.arch_name }}.tar.gz" - - gh release download "${TAG}" \ - --repo "${{ github.repository }}" \ - --pattern "${ARCHIVE_NAME}" \ - --dir ./patch-tmp - - mkdir -p ./patch-extracted - tar xzf "./patch-tmp/${ARCHIVE_NAME}" -C ./patch-extracted - - cp picoclaw-launcher-cgo ./patch-extracted/picoclaw-launcher - chmod +x ./patch-extracted/picoclaw-launcher - - tar czf "${ARCHIVE_NAME}" -C ./patch-extracted . - - gh release upload "${TAG}" \ - --repo "${{ github.repository }}" \ - "${ARCHIVE_NAME}" --clobber - - echo "Patched ${ARCHIVE_NAME} with CGO launcher (systray enabled)" - upload-tos: name: Upload to TOS - needs: [release, patch-macos-archives] + needs: release if: ${{ inputs.upload_tos }} uses: ./.github/workflows/upload-tos.yml with: diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 3e747bc35..d8c51b069 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -100,6 +100,49 @@ builds: - goos: netbsd goarch: arm + - id: picoclaw-launcher-tui + binary: picoclaw-launcher-tui + env: + - CGO_ENABLED=0 + tags: + - goolm + - stdjson + ldflags: + - -s -w + - -X github.com/sipeed/picoclaw/pkg/config.Version={{ .Version }} + - -X github.com/sipeed/picoclaw/pkg/config.GitCommit={{ .ShortCommit }} + - -X github.com/sipeed/picoclaw/pkg/config.BuildTime={{ .Date }} + - -X github.com/sipeed/picoclaw/pkg/config.GoVersion={{ with index .Env "GOVERSION" }}{{ . }}{{ else }}unknown{{ end }} + goos: + - linux + - windows + - darwin + - freebsd + - netbsd + goarch: + - amd64 + - arm64 + - riscv64 + - loong64 + - arm + - s390x + - mipsle + goarm: + - "6" + - "7" + gomips: + - softfloat + main: ./cmd/picoclaw-launcher-tui + ignore: + - goos: windows + goarch: arm + - goos: netbsd + goarch: s390x + - goos: netbsd + goarch: mips64 + - goos: netbsd + goarch: arm + dockers_v2: - id: picoclaw dockerfile: docker/Dockerfile.goreleaser 
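Review bot: The `ignore` list of the new `picoclaw-launcher-tui` build contains `goos: netbsd` / `goarch: mips64`, but `mips64` is not in this build's `goarch` list, so the entry never matches and looks copied from another build stanza. Dropping it, or adding a short comment above the stanza such as `# TUI launcher: pure-Go build (CGO_ENABLED=0) of ./cmd/picoclaw-launcher-tui`, would make the target matrix easier to audit now that the binary is also listed under `notarize` and `nfpms`. The `builds:` list itself starts outside the hunk.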
@@ -108,8 +151,8 @@ dockers_v2: ids: - picoclaw images: - - "ghcr.io/{{ .Env.REPO_OWNER }}/picoclaw" - - '{{ with .Env.DOCKERHUB_IMAGE_NAME }}docker.io/{{ . }}{{ end }}' + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/picoclaw" + - 'docker.io/{{ .Env.DOCKERHUB_IMAGE_NAME }}' tags: - '{{ if isEnvSet "NIGHTLY_BUILD" }}nightly{{ else }}{{ .Tag }}{{ end }}' - '{{ if isEnvSet "NIGHTLY_BUILD" }}nightly{{ else }}latest{{ end }}' @@ -123,9 +166,10 @@ dockers_v2: ids: - picoclaw - picoclaw-launcher + - picoclaw-launcher-tui images: - - "ghcr.io/{{ .Env.REPO_OWNER }}/picoclaw" - - '{{ with .Env.DOCKERHUB_IMAGE_NAME }}docker.io/{{ . }}{{ end }}' + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/picoclaw" + - 'docker.io/{{ .Env.DOCKERHUB_IMAGE_NAME }}' tags: - '{{ if isEnvSet "NIGHTLY_BUILD" }}nightly-launcher{{ else }}{{ .Tag }}-launcher{{ end }}' - '{{ if isEnvSet "NIGHTLY_BUILD" }}nightly-launcher{{ else }}launcher{{ end }}' @@ -140,6 +184,7 @@ notarize: ids: - picoclaw - picoclaw-launcher + - picoclaw-launcher-tui sign: certificate: "{{.Env.MACOS_SIGN_P12}}" password: "{{.Env.MACOS_SIGN_PASSWORD}}" @@ -170,6 +215,7 @@ nfpms: ids: - picoclaw - picoclaw-launcher + - picoclaw-launcher-tui package_name: picoclaw file_name_template: >- {{ .PackageName }}_ @@ -178,7 +224,7 @@ nfpms: {{- else if eq .Arch "arm" }}armv{{ .Arm }} {{- else }}{{ .Arch }}{{ end }} vendor: picoclaw - homepage: https://github.com/{{ .Env.REPO_OWNER }}/picoclaw + homepage: https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }}/picoclaw maintainer: picoclaw contributors description: picoclaw - a tool for managing and running tasks license: MIT
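Review bot: `'docker.io/{{ .Env.DOCKERHUB_IMAGE_NAME }}'` no longer tolerates a missing value. Both workflows set the variable from `vars.DOCKERHUB_REPOSITORY`, which is empty when that repository variable is not defined, so this entry would render as the invalid reference `docker.io/`; an entirely unset variable presumably fails template evaluation. Keeping the guarded form `'{{ with .Env.DOCKERHUB_IMAGE_NAME }}docker.io/{{ . }}{{ end }}'` leaves GHCR-only publishing working, though how GoReleaser treats an empty image entry should be confirmed. The second `dockers_v2` entry in the `@@ -123,9 +166,10 @@` hunk carries the same line.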