Refine TODO #4079
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deployment (macOS/ARM64) | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - main-release | |
| paths-ignore: | |
| - 'docs/**' | |
| - 'src/test/**' | |
| - 'README.md' | |
| tags: | |
| - '*' | |
| pull_request: | |
| merge_group: | |
| workflow_dispatch: | |
| inputs: | |
| notarization: | |
| type: boolean | |
| required: false | |
| default: false | |
| env: | |
| SpringerNatureAPIKey: ${{ secrets.SpringerNatureAPIKey }} | |
| AstrophysicsDataSystemAPIKey: ${{ secrets.AstrophysicsDataSystemAPIKey }} | |
| IEEEAPIKey: ${{ secrets.IEEEAPIKey }} | |
| BiodiversityHeritageApiKey: ${{ secrets.BiodiversityHeritageApiKey}} | |
| OSXCERT: ${{ secrets.OSX_SIGNING_CERT }} | |
| GRADLE_OPTS: -Xmx4g -Dorg.gradle.daemon=false -Dorg.gradle.vfs.watch=false | |
| JAVA_OPTS: -Xmx4g | |
| concurrency: | |
| group: "${{ github.workflow }}-${{ github.head_ref || github.ref }}" | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: macos-14 | |
| displayName: macOS (ARM64) | |
| suffix: '_arm64' | |
| runs-on: ${{ matrix.os }} | |
| outputs: | |
| major: ${{ steps.gitversion.outputs.Major }} | |
| minor: ${{ steps.gitversion.outputs.Minor }} | |
| branchname: ${{ steps.gitversion.outputs.branchName }} | |
| name: Create installer and portable version for ${{ matrix.displayName }} | |
| steps: | |
| - name: Check secrets presence | |
| id: checksecrets | |
| shell: bash | |
| run: | | |
| if [ "$BUILDJABREFPRIVATEKEY" == "" ]; then | |
| echo "secretspresent=NO" >> $GITHUB_OUTPUT | |
| echo "❌ Secret BUILDJABREFPRIVATEKEY not present" | |
| else | |
| echo "secretspresent=YES" >> $GITHUB_OUTPUT | |
| echo "✔️ Secret BUILDJABREFPRIVATEKEY present" | |
| fi | |
| env: | |
| BUILDJABREFPRIVATEKEY: ${{ secrets.buildJabRefPrivateKey }} | |
| - name: Fetch all history for all tags and branches | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: 'true' | |
| show-progress: 'false' | |
| - name: Install GitVersion | |
| uses: gittools/actions/gitversion/setup@v3.0.0 | |
| with: | |
| versionSpec: "5.x" | |
| - name: Run GitVersion | |
| id: gitversion | |
| uses: gittools/actions/gitversion/execute@v3.0.0 | |
| - name: Setup JDK | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: 21.0.2 | |
| distribution: 'temurin' | |
| - name: Clean up keychain | |
| run: | | |
| security delete-keychain signing_temp.keychain ${{runner.temp}}/keychain/notarization.keychain || true | |
| - name: Setup OSX key chain on macOS-arm | |
| if: (steps.checksecrets.outputs.secretspresent == 'YES') | |
| uses: slidoapp/import-codesign-certs@1923310662e8682dd05b76b612b53301f431cd5d | |
| with: | |
| p12-file-base64: ${{ secrets.OSX_SIGNING_CERT }} | |
| p12-password: ${{ secrets.OSX_CERT_PWD }} | |
| keychain-password: jabref | |
| - name: Setup OSX key chain on OSX for app id cert | |
| if: (steps.checksecrets.outputs.secretspresent == 'YES') | |
| uses: slidoapp/import-codesign-certs@1923310662e8682dd05b76b612b53301f431cd5d | |
| with: | |
| p12-file-base64: ${{ secrets.OSX_SIGNING_CERT_APPLICATION }} | |
| p12-password: ${{ secrets.OSX_CERT_PWD }} | |
| create-keychain: false | |
| keychain-password: jabref | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@v4 | |
| with: | |
| gradle-home-cache-cleanup: true | |
| - name: Prepare merged jars and modules dir (macOS) | |
| run: ./gradlew -i -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" prepareModulesDir | |
| - name: Build dmg (macOS) | |
| if: (steps.checksecrets.outputs.secretspresent == 'YES') | |
| shell: bash | |
| run: | | |
| jpackage \ | |
| --module org.jabref/org.jabref.Launcher \ | |
| --module-path ${{env.JAVA_HOME}}/jmods/:build/jlinkbase/jlinkjars \ | |
| --add-modules org.jabref,org.jabref.merged.module \ | |
| --add-modules jdk.incubator.vector \ | |
| --dest build/distribution \ | |
| --app-content buildres/mac/jabrefHost.py \ | |
| --app-content buildres/mac/native-messaging-host \ | |
| --name JabRef \ | |
| --app-version ${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }} \ | |
| --verbose \ | |
| --mac-sign \ | |
| --vendor "JabRef e.V." \ | |
| --mac-package-identifier JabRef \ | |
| --mac-package-name JabRef \ | |
| --type dmg --mac-signing-key-user-name "JabRef e.V. (6792V39SK3)" \ | |
| --mac-package-signing-prefix org.jabref \ | |
| --mac-entitlements buildres/mac/jabref.entitlements \ | |
| --icon src/main/resources/icons/jabref.icns \ | |
| --resource-dir buildres/mac \ | |
| --file-associations buildres/mac/bibtexAssociations.properties \ | |
| --jlink-options --bind-services \ | |
| --java-options --add-exports=javafx.base/com.sun.javafx.event=org.jabref.merged.module \ | |
| --java-options --add-exports=javafx.controls/com.sun.javafx.scene.control=org.jabref.merged.module \ | |
| --java-options --add-opens=javafx.graphics/javafx.scene=org.jabref.merged.module \ | |
| --java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref.merged.module \ | |
| --java-options --add-opens=javafx.controls/javafx.scene.control.skin=org.jabref.merged.module \ | |
| --java-options --add-opens=javafx.controls/com.sun.javafx.scene.control=org.jabref.merged.module \ | |
| --java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref \ | |
| --java-options --add-exports=javafx.base/com.sun.javafx.event=org.jabref \ | |
| --java-options --add-exports=javafx.controls/com.sun.javafx.scene.control=org.jabref \ | |
| --java-options --add-opens=javafx.graphics/javafx.scene=org.jabref \ | |
| --java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref \ | |
| --java-options --add-opens=javafx.controls/com.sun.javafx.scene.control=org.jabref \ | |
| --java-options --add-opens=javafx.base/javafx.collections=org.jabref \ | |
| --java-options --add-opens=javafx.base/javafx.collections.transformation=org.jabref \ | |
| --java-options --add-modules=jdk.incubator.vector | |
| - name: Build pkg (macOS) | |
| if: (steps.checksecrets.outputs.secretspresent == 'YES') | |
| shell: bash | |
| run: | | |
| jpackage \ | |
| --module org.jabref/org.jabref.Launcher \ | |
| --module-path ${{env.JAVA_HOME}}/jmods/:build/jlinkbase/jlinkjars \ | |
| --add-modules org.jabref,org.jabref.merged.module \ | |
| --add-modules jdk.incubator.vector \ | |
| --dest build/distribution \ | |
| --app-content buildres/mac/jabrefHost.py \ | |
| --app-content buildres/mac/native-messaging-host \ | |
| --name JabRef \ | |
| --app-version ${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }} \ | |
| --verbose \ | |
| --mac-sign \ | |
| --vendor "JabRef e.V." \ | |
| --mac-package-identifier JabRef \ | |
| --mac-package-name JabRef \ | |
| --type pkg --mac-signing-key-user-name "JabRef e.V. (6792V39SK3)" \ | |
| --mac-package-signing-prefix org.jabref \ | |
| --mac-entitlements buildres/mac/jabref.entitlements \ | |
| --icon src/main/resources/icons/jabref.icns \ | |
| --resource-dir buildres/mac \ | |
| --file-associations buildres/mac/bibtexAssociations.properties \ | |
| --jlink-options --bind-services \ | |
| --java-options --add-exports=javafx.base/com.sun.javafx.event=org.jabref.merged.module \ | |
| --java-options --add-exports=javafx.controls/com.sun.javafx.scene.control=org.jabref.merged.module \ | |
| --java-options --add-opens=javafx.graphics/javafx.scene=org.jabref.merged.module \ | |
| --java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref.merged.module \ | |
| --java-options --add-opens=javafx.controls/com.sun.javafx.scene.control=org.jabref.merged.module \ | |
| --java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref \ | |
| --java-options --add-exports=javafx.base/com.sun.javafx.event=org.jabref \ | |
| --java-options --add-exports=javafx.controls/com.sun.javafx.scene.control=org.jabref \ | |
| --java-options --add-opens=javafx.graphics/javafx.scene=org.jabref \ | |
| --java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref \ | |
| --java-options --add-opens=javafx.controls/com.sun.javafx.scene.control=org.jabref \ | |
| --java-options --add-opens=javafx.base/javafx.collections=org.jabref \ | |
| --java-options --add-opens=javafx.base/javafx.collections.transformation=org.jabref \ | |
| --java-options --add-modules=jdk.incubator.vector | |
| - name: Rename files with arm64 suffix as well | |
| if: (steps.checksecrets.outputs.secretspresent == 'YES') | |
| shell: bash | |
| run: | | |
| mv build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-arm64.dmg | |
| mv build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-arm64.pkg | |
| - name: Setup rsync (macOS) | |
| if: ${{ (!startsWith(github.ref, 'refs/heads/gh-readonly-queue')) && (steps.checksecrets.outputs.secretspresent == 'YES') && ((matrix.os == 'macos-14') && !((startsWith(github.ref, 'refs/tags/') || inputs.notarization == true))) }} | |
| run: brew install rsync | |
| - name: Setup SSH key | |
| if: ${{ (steps.checksecrets.outputs.secretspresent == 'YES') && (!startsWith(github.ref, 'refs/heads/gh-readonly-queue')) && ((matrix.os != 'macos-14') || !((startsWith(github.ref, 'refs/tags/') || (inputs.notarization == true)))) }} | |
| run: | | |
| echo "${{ secrets.buildJabRefPrivateKey }}" > sshkey | |
| chmod 600 sshkey | |
| - name: Upload to builds.jabref.org (linux, macOS) | |
| # macOS: Negated condition of "Upload to GitHub workflow artifacts store (macOS)" | |
| # Reason: We either upload the non-notarized files - or notarize the files later (and upload these later) | |
| # needs to be on one line; multi line does not work | |
| if: ${{ (!startsWith(github.ref, 'refs/heads/gh-readonly-queue')) && (steps.checksecrets.outputs.secretspresent == 'YES') && ((matrix.os == 'ubuntu-latest') || ((matrix.os == 'macos-14') && !((startsWith(github.ref, 'refs/tags/') || inputs.notarization == true)))) }} | |
| shell: bash | |
| run: | | |
| rsync -rt --chmod=Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r --itemize-changes --stats --rsync-path="mkdir -p /var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }} && rsync" -e 'ssh -p 9922 -i sshkey -o StrictHostKeyChecking=no' build/distribution/ jrrsync@build-upload.jabref.org:/var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }}/ | |
| - name: Upload to GitHub workflow artifacts store (macOS) | |
| if: (matrix.os == 'macos-14') && (steps.checksecrets.outputs.secretspresent == 'YES') && (startsWith(github.ref, 'refs/tags/') || inputs.notarization == true) | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| # tbn = to-be-notarized | |
| name: JabRef-macOS-arm-tbn | |
| path: build/distribution | |
| compression-level: 0 # no compression | |
| - name: Upload to GitHub workflow artifacts store | |
| if: (steps.checksecrets.outputs.secretspresent != 'YES') | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| # tbn = to-be-notarized | |
| name: JabRef-${{ matrix.os }} | |
| path: build/distribution | |
| compression-level: 0 # no compression | |
| notarize: # outsourced in a separate job to be able to rerun if this fails for timeouts | |
| name: macOS notarization-arm | |
| runs-on: macos-14 | |
| needs: [build] | |
| if: ${{ startsWith(github.ref, 'refs/tags/') || inputs.notarization == true }} | |
| steps: | |
| - name: Check secrets presence | |
| id: checksecrets | |
| shell: bash | |
| run: | | |
| if [ "$BUILDJABREFPRIVATEKEY" == "" ]; then | |
| echo "secretspresent=NO" >> $GITHUB_OUTPUT | |
| echo "❌ Secret BUILDJABREFPRIVATEKEY not present" | |
| else | |
| echo "secretspresent=YES" >> $GITHUB_OUTPUT | |
| echo "✔️ Secret BUILDJABREFPRIVATEKEY present" | |
| fi | |
| env: | |
| BUILDJABREFPRIVATEKEY: ${{ secrets.buildJabRefPrivateKey }} | |
| - name: Download from GitHub workflow artifacts store (macOS) | |
| if: (steps.checksecrets.outputs.secretspresent == 'YES') | |
| uses: actions/download-artifact@master | |
| with: | |
| name: JabRef-macOS-arm-tbn | |
| path: build/distribution/ | |
| - name: Notarize dmg | |
| if: (steps.checksecrets.outputs.secretspresent == 'YES') | |
| shell: bash | |
| run: | | |
| xcrun notarytool store-credentials "notarytool-profile" --apple-id "vorstand@jabref.org" --team-id "6792V39SK3" --password "${{ secrets.OSX_NOTARIZATION_APP_PWD }}" | |
| xcrun notarytool submit build/distribution/JabRef-${{ needs.build.outputs.major }}.${{ needs.build.outputs.minor }}-arm64.dmg --keychain-profile "notarytool-profile" --wait | |
| xcrun stapler staple build/distribution/JabRef-${{ needs.build.outputs.major }}.${{ needs.build.outputs.minor }}-arm64.dmg | |
| - name: Notarize pkg | |
| if: (steps.checksecrets.outputs.secretspresent == 'YES') | |
| shell: bash | |
| run: | | |
| xcrun notarytool store-credentials "notarytool-profile" --apple-id "vorstand@jabref.org" --team-id "6792V39SK3" --password "${{ secrets.OSX_NOTARIZATION_APP_PWD }}" | |
| xcrun notarytool submit build/distribution/JabRef-${{ needs.build.outputs.major }}.${{ needs.build.outputs.minor }}-arm64.pkg --keychain-profile "notarytool-profile" --wait | |
| xcrun stapler staple build/distribution/JabRef-${{ needs.build.outputs.major }}.${{ needs.build.outputs.minor }}-arm64.pkg | |
| - name: Upload to builds.jabref.org | |
| if: (steps.checksecrets.outputs.secretspresent == 'YES') | |
| shell: bash | |
| run: | | |
| echo "${{ secrets.buildJabRefPrivateKey }}" > sshkey | |
| chmod 600 sshkey | |
| rsync -rt --chmod=Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r --itemize-changes --stats --rsync-path="mkdir -p /var/www/builds.jabref.org/www/${{ needs.build.outputs.branchname }} && rsync" -e 'ssh -p 9922 -i sshkey -o StrictHostKeyChecking=no' build/distribution/ jrrsync@build-upload.jabref.org:/var/www/builds.jabref.org/www/${{ needs.build.outputs.branchname }}/ |