refactor: package and releasing

.github/workflows/build-macos.yml

@@ -25,125 +25,55 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Detect Tag Version
-        if: startsWith(github.ref, 'refs/tags/v')
-        run: echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
-
-      - name: Detect Commit Hash
-        if: github.event_name == 'workflow_dispatch'
-        run: echo "VERSION=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_ENV
-
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
           go-version: 1.24.3
           cache-dependency-path: runner/go.sum
 
-      - name: Download runtime
-        run: |
-          cd runner
-          make download
-
-      - name: Build Nexa Cli
+      - name: Build Nexa SDK
+        env:
+          VERSION: ${{ github.ref_name }}
         run: |
           cd runner
-          make build
+          make download build
           rm build/ml.h
 
-      - name: Upload Artifact
+      - name: Upload build Artifact
         uses: actions/upload-artifact@v4
         with:
           name: nexa-cli_macos_${{ matrix.arch }}
           path: runner/build
           include-hidden-files: true
 
-  package-and-release:
-    name: Package for macos_${{ matrix.arch }}
-    needs: build-cli
-    runs-on: ${{ matrix.runner }}
-    if: github.ref_type == 'tag'
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-13
-            arch: x86_64
-          - runner: macos-14
-            arch: arm64
-    env:
-      VERSION: ${{ github.ref_name }}
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Download build artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: nexa-cli_macos_${{ matrix.arch }}
-          path: artifacts
-
-      - name: Prepare file structure for packaging
-        id: prep_files
-        run: |
-          chmod +x  runner/release/darwin/scripts/prepackage.sh
-          bash  runner/release/darwin/scripts/prepackage.sh "${{ env.VERSION }}"
-
-      - name: Fix dylib Linkages (RPATH)
-        run: |
-          RESOURCES_PATH="${{ env.APP_PATH }}/Contents/Resources"
-          install_name_tool -add_rpath "@loader_path" "${RESOURCES_PATH}/nexa-cli"
-
-      - name: Import Code Signing Certificates
+      - name: Sign Nexa SDK
         env:
           APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
           APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APP_SIGNING_IDENTITY: ${{ secrets.APPLE_ID_APPLICATION }}
           INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
           INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          INSTALLER_SIGNING_IDENTITY: ${{ secrets.APPLE_ID_INSTALLER }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          VERSION: ${{ github.ref_name }}
         run: |
-          echo $APP_CERTIFICATE_BASE64 | base64 --decode > app_certificate.p12
-          echo $INSTALLER_CERTIFICATE_BASE64 | base64 --decode > installer_certificate.p12
-          security create-keychain -p "" build.keychain
-          security default-keychain -s build.keychain
-          security unlock-keychain -p "" build.keychain
-          security import app_certificate.p12 -k build.keychain -P $APP_CERTIFICATE_PASSWORD -T /usr/bin/codesign
-          security import installer_certificate.p12 -k build.keychain -P $INSTALLER_CERTIFICATE_PASSWORD -T /usr/bin/productsign
-          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" build.keychain
-
-      - name: Sign binaries and libraries
-        run: |
-          chmod +x  runner/release/darwin/scripts/sign.sh
-          bash  runner/release/darwin/scripts/sign.sh "${{ env.APP_PATH }}" "${{ secrets.APPLE_ID_APPLICATION }}"
-
-      - name: Build PKG
-        run: |
-          pkgbuild --root "${{ steps.prep_files.outputs.STAGING_DIR }}" \
-                   --scripts "${{ steps.prep_files.outputs.SCRIPTS_DIR }}" \
-                   --identifier "com.nexaai.nexa-sdk" \
-                   --version "${{ env.VERSION }}" \
-                   --install-location / \
-                   "artifacts/nexa-cli_macos_${{ matrix.arch }}-unsigned.pkg"
-
-      - name: Productsign PKG
-        run: |
-          productsign --sign "${{ secrets.APPLE_ID_INSTALLER }}" --timestamp "artifacts/nexa-cli_macos_${{ matrix.arch }}-unsigned.pkg" "artifacts/nexa-cli_macos_${{ matrix.arch }}.pkg"
-          pkgutil --check-signature "artifacts/nexa-cli_macos_${{ matrix.arch }}.pkg"
-          rm "artifacts/nexa-cli_macos_${{ matrix.arch }}-unsigned.pkg"
+          cd runner
+          make package
 
-      - name: Notarize & Staple PKG
-        run: |
-          chmod +x  runner/release/darwin/scripts/notarize.sh
-          bash  runner/release/darwin/scripts/notarize.sh \
-            "artifacts/nexa-cli_macos_${{ matrix.arch }}.pkg" \
-            "${{ secrets.APPLE_ID }}" \
-            "${{ secrets.APPLE_ID_PASSWORD }}" \
-            "${{ secrets.APPLE_TEAM_ID }}"
+      - name: Upload pkg Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: nexa-cli_macos_${{ matrix.arch }}.pkg
+          path: runner/artifacts/nexa-cli_macos_${{ matrix.arch }}.pkg
+          include-hidden-files: true
 
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
         with:
           repository: NexaAI/nexa-sdk
-          tag_name: ${{ env.VERSION }}
+          tag_name: ${{ github.ref_name }}
           files: |
             artifacts/nexa-cli_macos_${{ matrix.arch }}.pkg
           draft: ${{ contains(github.ref, '-rc') }}

.gitignore

@@ -1,5 +1,6 @@
 # Build and binary files
 build/
+artifacts/
 *.exe
 *.exe~
 *.dll

runner/.gitignore

@@ -1,3 +1,4 @@
+build/
 *.png
 *.jpg
 

runner/Makefile

@@ -1,12 +1,14 @@
 BRIDGE_VERSION ?= v1.0.19-rc19
 
+VERSION ?= $(shell git rev-parse --short HEAD)
 ifeq ($(OS), Windows_NT)
 	OS      := windows
 	ARCH    ?= $(shell powershell -NoProfile -NonInteractive "switch ((Get-CimInstance Win32_Processor).Architecture) { 0 {'x86'} 5 {'arm'} 9 {'x86_64'} 12 {'arm64'} Default {'unknown'} }")
 	EXE     := .exe
 	RM      := powershell -NoProfile -NonInteractive "Remove-Item -Recurse -Force -ErrorAction SilentlyContinue -Path"
 	MKDIR   := powershell -NoProfile -NonInteractive "New-Item -ItemType Directory -Force -Path"
 	MKLINK  := powershell -NoProfile -NonInteractive "New-Item -ItemType Junction -Path 'build' -Target '..\..\nexasdk-bridge\build\out'"
+	MKPACKAGE := echo "Package not supported yet on Windows" && exit 1
 else
 	OS      := $(shell echo $(shell uname -s) | tr '[:upper:]' '[:lower:]')
 	ifeq ($(OS), darwin)
@@ -20,9 +22,10 @@ else
 	RM      := rm -rf
 	MKDIR   := mkdir -p
 	MKLINK  := ln -s ../../nexasdk-bridge/build/out build
+	MKPACKAGE := ./release/$(OS)/package.sh $(VERSION) $(ARCH)
 endif
 
-.PHONY: build link download clean
+.PHONY: build link download package clean
 
 build:
 	go build -ldflags "-s -w" -o build/nexa$(EXE) ./cmd/nexa-launcher
@@ -41,5 +44,11 @@ download: clean
 		https://nexa-model-hub-bucket.s3.us-west-1.amazonaws.com/public/nexasdk/$(BRIDGE_VERSION)/$(OS)_$(ARCH)/nexasdk-bridge.zip
 	cd build && tar -xf nexasdk-bridge.zip && $(RM) nexasdk-bridge.zip && $(RM) nexa_bridge.lib
 
+package:
+	@echo "====> Creating installer package for $(OS)_$(ARCH)"
+	-$(RM) artifacts
+	$(MKPACKAGE)
+
 clean:
 	-$(RM) build
+	-$(RM) artifacts

runner/release/macos/Applications/NexaCLI.app/Contents/MacOS/launcher

@@ -0,0 +1,5 @@
+#!/usr/bin/osascript
+tell application "Terminal"
+    activate
+    do script "nexa"
+end tell