feat: add minimal AI processing support #133
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Jack Lau <[email protected]>
- Add enahnce_module.py (Real-ESRGAN), support GPU acceleration. - Both of GUI and CLI support call this AI feature. TODO: Add translation for AI page Signed-off-by: Jack Lau <[email protected]>
**Python Runtime Bundling:** - Add PythonManager for automatic Python environment setup - Add PythonInstallDialog for user-friendly installation UI - Bundle Python runtime with PyTorch, Real-ESRGAN, OpenCV, NumPy - Auto-detect bundled Python in Release builds **Library Bundling Refactor:** - Move ALL library bundling (Qt, FFmpeg, BMF) from CMake to fix_macos_libs.sh - Simplify CMakeLists.txt (67% reduction: 102 → 35 lines) - Add BMF library bundling to fix_macos_libs.sh - Auto-detect build directory and BMF_ROOT_PATH **BMF Integration:** - Add runtime BMF library path detection - Set BMF_MODULE_CONFIG_PATH and PYTHONPATH automatically - Support both system BMF (Debug) and bundled BMF (Release) **Benefits:** - Fully standalone Release builds (no dependencies) - Faster iteration (re-bundle without rebuild) - Simpler and easier to maintain Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Use callback data(frame numbder) from AI module when AI enabled. Signed-off-by: Jack Lau <[email protected]>
add jpg and png for transcoder_page Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
enable bmf on linux Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
add run.sh for quick start Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
add requirements.txt in linux build Signed-off-by: Jack Lau <[email protected]>
JackLau1222
force-pushed
the
ai
branch
2 times, most recently
from
d936b5b to
a824cf1
Compare
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
- upload the layer rather than uab - modify the app id to io.github.openconverterlab Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
…rt installed Signed-off-by: Jack Lau <[email protected]>
Enable ai_processing page only if bmf is enabled Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Comment on lines
+16
to
+139
| strategy: | ||
| matrix: | ||
| include: | ||
| - arch: x86_64 | ||
| runner: ubuntu-22.04 | ||
| ffmpeg_url: https://github.com/BtbN/FFmpeg-Builds/releases/download/autobuild-2024-11-30-13-12/ffmpeg-n5.1.6-11-gcde3c5fc0c-linux64-gpl-shared-5.1.tar.xz | ||
| ffmpeg_dir: ffmpeg-n5.1.6-11-gcde3c5fc0c-linux64-gpl-shared-5.1 | ||
| bmf_url: https://github.com/OpenConverterLab/bmf/releases/download/oc0.0.3/bmf-bin-linux-x86_64-cp39.tar.gz | ||
| appimagetool: appimagetool-x86_64.AppImage | ||
| - arch: aarch64 | ||
| runner: ubuntu-22.04-arm | ||
| ffmpeg_url: https://github.com/BtbN/FFmpeg-Builds/releases/download/autobuild-2024-11-30-13-12/ffmpeg-n5.1.6-11-gcde3c5fc0c-linuxarm64-gpl-shared-5.1.tar.xz | ||
| ffmpeg_dir: ffmpeg-n5.1.6-11-gcde3c5fc0c-linuxarm64-gpl-shared-5.1 | ||
| bmf_url: https://github.com/OpenConverterLab/bmf/releases/download/oc0.0.3/bmf-bin-linux-aarch64-cp39.tar.gz | ||
| appimagetool: appimagetool-aarch64.AppImage | ||
| runs-on: ${{ matrix.runner }} | ||
| concurrency: | ||
| group: "review-linux-${{ matrix.arch }}-${{ github.event.pull_request.number }}" | ||
| cancel-in-progress: true | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Print current branch and commit hash | ||
| run: | | ||
| echo "Current branch: $(git rev-parse --abbrev-ref HEAD)" | ||
| echo "Current commit hash: $(git rev-parse HEAD)" | ||
| echo "Architecture: ${{ matrix.arch }}" | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| sudo apt update | ||
| sudo apt install -y make git pkg-config cmake gcc g++ wget libgl1 | ||
|
|
||
| - name: Get FFmpeg | ||
| run: | | ||
| wget ${{ matrix.ffmpeg_url }} | ||
| tar xJvf ${{ matrix.ffmpeg_dir }}.tar.xz | ||
| ls ${{ matrix.ffmpeg_dir }} | ||
| echo "FFMPEG_ROOT_PATH=$(pwd)/${{ matrix.ffmpeg_dir }}" >> $GITHUB_ENV | ||
|
|
||
| - name: Get BMF | ||
| run: | | ||
| wget ${{ matrix.bmf_url }} | ||
| tar xzvf bmf-bin-linux-${{ matrix.arch }}-cp39.tar.gz | ||
| echo "BMF_ROOT_PATH=$(pwd)/output/bmf" >> $GITHUB_ENV | ||
|
|
||
| - name: Set up Qt | ||
| run: | | ||
| sudo apt-get install -y qt5-qmake qtbase5-dev qtchooser qtbase5-dev-tools cmake build-essential | ||
|
|
||
| - name: Build with CMake | ||
| run: | | ||
| export PATH=$PATH:$FFMPEG_ROOT_PATH/bin | ||
| (cd src && cmake -B build && cd build && make -j$(nproc)) | ||
|
|
||
| - name: Copy libs | ||
| run: | | ||
| export LD_LIBRARY_PATH=$FFMPEG_ROOT_PATH/lib/:$BMF_ROOT_PATH/lib | ||
| export LIBRARY_PATH=$FFMPEG_ROOT_PATH/lib/:$BMF_ROOT_PATH/lib | ||
| # linuxdeployqt | ||
| sudo apt-get -y install git g++ libgl1-mesa-dev | ||
| git clone https://github.com/probonopd/linuxdeployqt.git | ||
| # Then build in Qt Creator, or use | ||
| export PATH=$(readlink -f /tmp/.mount_QtCreator-*-${{ matrix.arch }}/*/gcc_64/bin/):$PATH | ||
| (cd linuxdeployqt && qmake && make && sudo make install) | ||
| # patchelf | ||
| wget https://nixos.org/releases/patchelf/patchelf-0.9/patchelf-0.9.tar.bz2 | ||
| tar xf patchelf-0.9.tar.bz2 | ||
| ( cd patchelf-0.9/ && ./configure && make && sudo make install ) | ||
| # appimage | ||
| sudo wget -c "https://github.com/AppImage/AppImageKit/releases/download/continuous/${{ matrix.appimagetool }}" -O /usr/local/bin/appimagetool | ||
| sudo chmod a+x /usr/local/bin/appimagetool | ||
| (linuxdeployqt/bin/linuxdeployqt ./src/build/OpenConverter -appimage) | ||
| # clean up | ||
| rm -rf CMake* Makefile cmake_install.cmake OpenConverter_autogen/ doc/ | ||
| continue-on-error: true | ||
|
|
||
|
|
||
| - name: Copy runtime | ||
| run: | | ||
| cp $FFMPEG_ROOT_PATH/lib/libswscale.so.6 src/build/lib | ||
| cp $FFMPEG_ROOT_PATH/lib/libavfilter.so.8 src/build/lib | ||
| cp $FFMPEG_ROOT_PATH/lib/libpostproc.so.56 src/build/lib | ||
| cp $FFMPEG_ROOT_PATH/lib/libavdevice.so.59 src/build/lib | ||
| cp $BMF_ROOT_PATH/lib/libbuiltin_modules.so src/build/lib | ||
| cp $BMF_ROOT_PATH/lib/libbmf_py_loader.so src/build/lib | ||
| cp $BMF_ROOT_PATH/BUILTIN_CONFIG.json src/build | ||
| touch src/build/run.sh | ||
| echo export LD_LIBRARY_PATH="~/.local/share/OpenConverter/Python.framework/lib:./lib" >> src/build/run.sh | ||
| echo ./OpenConverter >> src/build/run.sh | ||
| cp src/resources/requirements.txt src/build/requirements.txt | ||
| cp -r $BMF_ROOT_PATH src/build/ | ||
| (mkdir -p src/build/modules/weights && | ||
| cd src/build/modules/weights && | ||
| wget https://github.com/xinntao/Real-ESRGAN/releases/download/v0.2.5.0/realesr-animevideov3.pth) | ||
|
|
||
| # Step to package the build directory | ||
| - name: Create tar.gz package | ||
| run: | | ||
| BUILD_DIR="src/build" | ||
| PACKAGE_NAME="OpenConverter_Linux_${{ matrix.arch }}.tar.gz" | ||
| OUTPUT_DIR="OpenConverter_Linux_${{ matrix.arch }}" | ||
| mkdir -p $OUTPUT_DIR | ||
| cp -r $BUILD_DIR/* $OUTPUT_DIR/ | ||
| tar -czvf $PACKAGE_NAME $OUTPUT_DIR | ||
| rm -rf $OUTPUT_DIR | ||
|
|
||
| # Step to upload the tar.gz package as an artifact | ||
| - name: Upload build artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: OpenConverter_Linux_${{ matrix.arch }} | ||
| path: OpenConverter_Linux_${{ matrix.arch }}.tar.gz | ||
|
|
||
| # - name: Setup tmate session | ||
| # if: ${{ failure() }} | ||
| # uses: mxschmitt/action-tmate@v3 | ||
|
|
||
| - name: Finish | ||
| run: echo "Build complete" | ||
|
|
||
| build-linglong: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 3 days ago
In general, the fix is to add an explicit permissions: block that limits the GITHUB_TOKEN to the minimal privileges needed. This can be done at the workflow root (applies to all jobs) or per job. Since all jobs here only need to read repository contents (for actions/checkout) and use artifacts (which don’t require repo write access), the safest minimal starting point is permissions: contents: read at the workflow root. If later any job needs more (for example, to update releases or PRs), its specific job-level permissions can override or extend the root configuration.
The single best fix without altering functionality is to add a top-level permissions: block right after the name: Build (or after on: if preferred), setting contents: read. This ensures all jobs (build-linux, build-linglong, build-macos-arm, etc.) run with a read-only token for repository contents and do not rely on potentially broader repository defaults. No changes are required to any steps or actions, and no imports or extra methods are involved because this is purely a YAML configuration change in .github/workflows/build.yaml.
Suggested changeset
1
.github/workflows/build.yaml
| @@ -1,5 +1,8 @@ | ||
| name: Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] |
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines
+140
to
+241
| needs: build-linux | ||
| strategy: | ||
| matrix: | ||
| include: | ||
| - arch: x86_64 | ||
| runner: ubuntu-24.04 | ||
| - arch: aarch64 | ||
| runner: ubuntu-24.04-arm | ||
| runs-on: ${{ matrix.runner }} | ||
| concurrency: | ||
| group: "review-linglong-${{ matrix.arch }}-${{ github.event.pull_request.number }}" | ||
| cancel-in-progress: true | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Remove unnecessary directories to free up space | ||
| run: | | ||
| sudo rm -rf /usr/local/.ghcup | ||
| sudo rm -rf /opt/hostedtoolcache/CodeQL | ||
| sudo rm -rf /usr/local/lib/android/sdk/ndk | ||
| sudo rm -rf /usr/share/dotnet | ||
| sudo rm -rf /opt/ghc | ||
| sudo rm -rf /usr/local/share/boost | ||
|
|
||
| - name: Download Linux build artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: OpenConverter_Linux_${{ matrix.arch }} | ||
|
|
||
| - name: Download linglong-builder cache | ||
| run: | | ||
| docker run --rm -v ~/.cache/:/target ghcr.io/jacklau1222/ll-cache-${{ matrix.arch }}:latest \ | ||
| bash -c "cp -r /root/.cache/linglong-builder /target/" | ||
|
|
||
| sudo chown -R "$USER:$USER" ~/.cache/linglong-builder | ||
| sudo chmod -R 755 ~/.cache/linglong-builder | ||
| du -sh ~/.cache/linglong-builder | ||
|
|
||
| - name: Install Linglong tools | ||
| run: | | ||
| echo "deb [trusted=yes] https://ci.deepin.com/repo/obs/linglong:/CI:/release/xUbuntu_24.04/ ./" | sudo tee /etc/apt/sources.list.d/linglong.list | ||
| sudo apt update | ||
| sudo apt install -y linglong-bin linglong-builder linglong-box | ||
|
|
||
| - name: build the desktop file | ||
| run: | | ||
| cd src/resources | ||
| touch default.desktop | ||
| echo "[Desktop Entry]" >> default.desktop | ||
| echo "Type=Application" >> default.desktop | ||
| echo "Name=OpenConverter" >> default.desktop | ||
| echo "Exec=/opt/apps/io.github.openconverterlab/files/bin/run.sh" >> default.desktop | ||
| echo "Icon=default" >> default.desktop | ||
| echo "Categories=Media;Video;Audio;Converter;" >> default.desktop | ||
| echo "Comment=OpenConverter Application" >> default.desktop | ||
| echo "Terminal=false" >> default.desktop | ||
| cat default.desktop | ||
|
|
||
| - name: Prepare Linglong build directory | ||
| run: | | ||
| # Extract the artifact | ||
| tar -xzvf OpenConverter_Linux_${{ matrix.arch }}.tar.gz | ||
|
|
||
| # Create ll-builder directory structure | ||
| mkdir -p ll-builder/binary | ||
| mkdir -p ll-builder/template_app/applications | ||
| mkdir -p ll-builder/template_app/icons/hicolor/500x500/apps | ||
|
|
||
| # Copy binary files from artifact | ||
| cp -r OpenConverter_Linux_${{ matrix.arch }}/* ll-builder/binary/ | ||
|
|
||
| # Copy linglong.yaml | ||
| cp src/resources/linglong.yaml ll-builder/ | ||
|
|
||
| # Copy desktop file | ||
| cp src/resources/default.desktop ll-builder/template_app/applications/ | ||
|
|
||
| # Copy icon file | ||
| cp src/resources/OpenConverter-logo.png ll-builder/template_app/icons/hicolor/500x500/apps/ | ||
|
|
||
| - name: Build Linglong package | ||
| run: | | ||
| cd ll-builder | ||
| ll-builder build | ||
| ll-builder export --layer --no-develop | ||
|
|
||
| - name: Setup tmate session | ||
| if: ${{ failure() }} | ||
| uses: mxschmitt/action-tmate@v3 | ||
|
|
||
| - name: Upload Linglong package | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: OpenConverter_Linglong_${{ matrix.arch }} | ||
| path: ll-builder/*.layer | ||
|
|
||
| - name: Finish | ||
| run: echo "Linglong build complete" | ||
|
|
||
| build-macos-arm: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 3 days ago
In general, you fix this by adding a permissions: block that grants only the minimum required scopes to the GITHUB_TOKEN. You can add it at the workflow root (applies to all jobs) or per job. Since all shown jobs only need to read repository content, we can set permissions: contents: read at the top level of the workflow. This directly addresses CodeQL’s recommendation and avoids changing job behavior.
Concretely, edit .github/workflows/build.yaml near the top: after the name: Build line (or equivalently at the same indentation level as on: and jobs:), insert a permissions: section:
permissions:
contents: readNo imports or additional definitions are required. This change does not alter any build steps or actions, it only constrains the automatically provided GITHUB_TOKEN permissions for all jobs including build-linglong.
Suggested changeset
1
.github/workflows/build.yaml
| @@ -1,5 +1,8 @@ | ||
| name: Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] |
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines
+242
to
+375
| runs-on: macos-14 | ||
| concurrency: | ||
| group: "review-macos-${{ github.event.pull_request.number }}" | ||
| cancel-in-progress: true | ||
|
|
||
| steps: | ||
| - name: Checkout target branch code (using pull_request) | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Print current branch and commit hash | ||
| run: | | ||
| echo "Current branch: $(git rev-parse --abbrev-ref HEAD)" | ||
| echo "Current commit hash: $(git rev-parse HEAD)" | ||
|
|
||
| - name: Install FFmpeg and Qt via Homebrew | ||
| run: | | ||
| # Install FFmpeg 5 with x264, x265 support (pre-built from Homebrew) | ||
| brew install ffmpeg@5 qt@5 [email protected] | ||
|
|
||
| # Set FFmpeg path | ||
| export FFMPEG_ROOT_PATH=$(brew --prefix ffmpeg@5) | ||
| echo "FFMPEG_ROOT_PATH=$FFMPEG_ROOT_PATH" >> $GITHUB_ENV | ||
|
|
||
| # Verify FFmpeg has x264 and x265 | ||
| echo "FFmpeg configuration:" | ||
| $FFMPEG_ROOT_PATH/bin/ffmpeg -version | head -n 1 | ||
| $FFMPEG_ROOT_PATH/bin/ffmpeg -encoders 2>/dev/null | grep -E "libx264|libx265" || echo "Warning: x264/x265 not found" | ||
|
|
||
| - name: Checkout BMF repository(specific branch) | ||
| run: | | ||
| git clone https://github.com/OpenConverterLab/bmf.git | ||
|
|
||
| # wget https://invisible-island.net/archives/ncurses/ncurses-6.5.tar.gz | ||
| # wget https://ftp.gnu.org/gnu/binutils/binutils-2.43.1.tar.bz2 | ||
|
|
||
| # - name: Cache ncurses build | ||
| # uses: actions/cache@v3 | ||
| # with: | ||
| # path: opt/ncurses | ||
| # key: ${{ runner.os }}-ncurses-${{ hashFiles('ncurses-6.5.tar.gz') }} | ||
| # restore-keys: | | ||
| # ${{ runner.os }}-ncurses- | ||
|
|
||
| # - name: Cache binutils build | ||
| # uses: actions/cache@v3 | ||
| # with: | ||
| # path: opt/binutils | ||
| # key: ${{ runner.os }}-binutils-${{ hashFiles('binutils-2.43.1.tar.bz2') }} | ||
| # restore-keys: | | ||
| # ${{ runner.os }}-binutils- | ||
|
|
||
| # - name: compile dependencies | ||
| # run: | | ||
| # if [ ! -d "$(pwd)/opt/ncurses" ]; then | ||
| # tar -xzvf ncurses-6.5.tar.gz | ||
| # (cd ncurses-6.5 && ./configure --prefix=/Users/runner/work/OpenConverter/OpenConverter/opt/ncurses && make -j$(sysctl -n hw.ncpu) && sudo make install) | ||
| # else | ||
| # echo "ncurses is already installed, skipping build." | ||
| # fi | ||
|
|
||
| # if [ ! -d "$(pwd)/opt/binutils" ]; then | ||
| # tar xvf binutils-2.43.1.tar.bz2 | ||
| # (cd binutils-2.43.1 && ./configure --prefix=/Users/runner/work/OpenConverter/OpenConverter/opt/binutils --enable-install-libiberty && make -j$(sysctl -n hw.ncpu) && sudo make install) | ||
| # else | ||
| # echo "binutils is already installed, skipping build." | ||
| # fi | ||
|
|
||
| # - name: Cache BMF build | ||
| # uses: actions/cache@v3 | ||
| # with: | ||
| # path: bmf/output/ | ||
| # key: ${{ runner.os }}-bmf-${{ hashFiles('bmf/build.sh') }} | ||
| # restore-keys: | | ||
| # ${{ runner.os }}-bmf-macos-arm- | ||
|
|
||
| - name: Set up BMF if not cached | ||
| run: | | ||
| if [ ! -d "$(pwd)/bmf/output/" ]; then | ||
| # export LIBRARY_PATH=$(pwd)/opt/binutils/lib:$LIBRARY_PATH | ||
| # export CMAKE_PREFIX_PATH=$(pwd)/opt/binutils:$CMAKE_PREFIX_PATH | ||
| brew link --force [email protected] | ||
| export BMF_PYTHON_VERSION="3.9" | ||
| pip install setuptools | ||
| (cd bmf && git checkout oc && git submodule update --init --recursive && ./build_osx.sh) | ||
| else | ||
| echo "BMF is already installed, skipping build." | ||
| fi | ||
| echo "BMF_ROOT_PATH=$(pwd)/bmf/output/bmf" >> $GITHUB_ENV | ||
|
|
||
| - name: Build and Deploy | ||
| run: | | ||
| export PATH="$(brew --prefix ffmpeg@5)/bin:$PATH" | ||
| export CMAKE_PREFIX_PATH="$(brew --prefix qt@5):$CMAKE_PREFIX_PATH" | ||
| export QT_DIR="$(brew --prefix qt@5)/lib/cmake/Qt5" | ||
| export PATH="$(brew --prefix qt@5)/bin:$PATH" | ||
|
|
||
| cd src | ||
| cmake -B build -DCMAKE_BUILD_TYPE=Release \ | ||
| -DFFMPEG_ROOT_PATH="$(brew --prefix ffmpeg@5)" \ | ||
| -DBMF_TRANSCODER=ON | ||
|
|
||
| cd build | ||
| make -j$(sysctl -n hw.ncpu) | ||
|
|
||
| # Use the fix_macos_libs.sh script to handle deployment | ||
| cd .. | ||
| chmod +x ../tool/fix_macos_libs.sh | ||
| ../tool/fix_macos_libs.sh | ||
|
|
||
| cd build | ||
|
|
||
| # Create DMG using simple shell script | ||
| echo "Creating DMG..." | ||
| chmod +x ../../tool/create_dmg_simple.sh | ||
| ../../tool/create_dmg_simple.sh OpenConverter.app | ||
|
|
||
| cd ../.. | ||
| mv src/build/OpenConverter.dmg OpenConverter_macOS_aarch64.dmg | ||
|
|
||
| # Step to upload the dmg package as an artifact | ||
| - name: Upload build artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: OpenConverter_macOS_aarch64 | ||
| path: OpenConverter_macOS_aarch64.dmg | ||
|
|
||
| # - name: Setup tmate session | ||
| # if: ${{ failure() }} | ||
| # uses: mxschmitt/action-tmate@v3 | ||
|
|
||
| - name: Finish | ||
| run: echo "Release upload complete" | ||
|
|
||
| build-windows-x64: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 3 days ago
To fix the problem, we should explicitly specify minimal GITHUB_TOKEN permissions either at the workflow level (applying to all jobs) or at the job level for build-macos-arm. Since the analyzer flagged the build-macos-arm job and we only see a subset of the workflow, the least invasive, guaranteed-safe fix within the shown snippet is to add a permissions: block to that job. The job only needs to read repository contents (for actions/checkout) and upload artifacts (which is covered by the token’s default actions scope and does not require repository write permissions), so contents: read is an appropriate minimal setting.
Concretely, in .github/workflows/build.yaml, within the build-macos-arm job definition starting at line 241, add a permissions: section directly under the job name and before runs-on. This will ensure that the token for this job is limited to read-only access to repository contents while preserving existing behavior. No additional imports, methods, or external packages are needed.
Suggested changeset
1
.github/workflows/build.yaml
| @@ -239,6 +239,8 @@ | ||
| run: echo "Linglong build complete" | ||
|
|
||
| build-macos-arm: | ||
| permissions: | ||
| contents: read | ||
| runs-on: macos-14 | ||
| concurrency: | ||
| group: "review-macos-${{ github.event.pull_request.number }}" |
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines
+376
to
+447
| runs-on: windows-latest | ||
| concurrency: | ||
| group: "review-win-${{ github.event.pull_request.number }}" | ||
| cancel-in-progress: true | ||
|
|
||
| steps: | ||
| # Check out the repository code. | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| # Set up the Qt environment. | ||
| - name: (2) Install Qt | ||
| uses: jurplel/install-qt-action@v3 | ||
| with: | ||
| version: 6.4.3 | ||
| host: windows | ||
| target: desktop | ||
| arch: win64_msvc2019_64 | ||
| dir: ${{ runner.temp }} | ||
| setup-python: false | ||
|
|
||
| # Download FFmpeg from the specified release URL. | ||
| - name: Download FFmpeg | ||
| shell: powershell | ||
| run: | | ||
| $ffmpegUrl = "https://github.com/BtbN/FFmpeg-Builds/releases/download/autobuild-2024-11-30-13-12/ffmpeg-n5.1.6-11-gcde3c5fc0c-win64-gpl-shared-5.1.zip" | ||
| $outputZip = "ffmpeg.zip" | ||
| Invoke-WebRequest -Uri $ffmpegUrl -OutFile $outputZip | ||
| Expand-Archive -Path $outputZip -DestinationPath ffmpeg | ||
| echo "FFMPEG_ROOT_PATH=$(pwd)/ffmpeg/ffmpeg-n5.1.6-11-gcde3c5fc0c-win64-gpl-shared-5.1" >> $GITHUB_ENV | ||
|
|
||
| # Create a build directory, run qmake, and build the project. | ||
| - name: Build Qt project | ||
| run: | | ||
| (cd src && | ||
| cmake -S . -B build "-DFFMPEG_ROOT_PATH=../ffmpeg/ffmpeg-n5.1.6-11-gcde3c5fc0c-win64-gpl-shared-5.1" -DFFTOOL_TRANSCODER=OFF -DBMF_TRANSCODER=OFF && | ||
| cmake --build build --config Release --parallel) | ||
|
|
||
| - name : Deploy project | ||
| run: | | ||
| # 1) Create the deploy folder under the repo workspace | ||
| New-Item -ItemType Directory -Force -Path OpenConverter_win64 | ||
|
|
||
| # 2) Copy your built exe into OpenConverter_win64/ | ||
| Copy-Item -Path "src\build\Release\OpenConverter.exe" -Destination "OpenConverter_win64" | ||
|
|
||
| # 3) Bundle Qt runtime into OpenConverter_win64/ | ||
| & "D:\a\_temp\Qt\6.4.3\msvc2019_64\bin\windeployqt.exe" ` | ||
| "--qmldir=src" ` | ||
| "OpenConverter_win64\OpenConverter.exe" | ||
|
|
||
| # 4) Copy FFmpeg DLLs into OpenConverter_win64/ | ||
| Copy-Item ` | ||
| -Path "ffmpeg\ffmpeg-n5.1.6-11-gcde3c5fc0c-win64-gpl-shared-5.1\bin\*.dll" ` | ||
| -Destination "OpenConverter_win64" | ||
|
|
||
| # Upload the build artifacts (upload-artifact will automatically zip the folder) | ||
| - name: Upload build artifacts | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: OpenConverter_win64 | ||
| path: OpenConverter_win64 | ||
|
|
||
| # - name: Setup tmate session | ||
| # if: ${{ failure() }} | ||
| # uses: mxschmitt/action-tmate@v3 | ||
|
|
||
| - name: Finish | ||
| run: echo "Windows x64 build complete" | ||
|
|
||
| # Upload all artifacts to GitHub Release (only runs on tag push or release creation) | ||
| upload-release: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 3 days ago
In general, the fix is to add an explicit permissions: block either at the workflow root (for defaults) and/or at individual jobs, limiting the GITHUB_TOKEN to the minimal scopes required. Build-only jobs that just check out code, download dependencies, and upload artifacts usually need only contents: read (and, if needed by third-party actions, possibly id-token: write or others), while a release job that publishes a GitHub Release requires contents: write.
For this workflow, the safest minimal change without altering behavior is:
- Add a root-level
permissions:block aftername: Buildthat setscontents: readas the default for all jobs. - Override this default in the
upload-releasejob, adding a job-levelpermissions:block that grantscontents: write(needed forsoftprops/action-gh-release@v1to upload release assets). - We do not need any changes to the
build-windows-x64job body or other build jobs; they will inherit the rootcontents: read, which is sufficient foractions/checkout,actions/upload-artifact, andactions/download-artifact.
No imports or additional methods are required because this is a YAML workflow configuration change only. All edits must be within .github/workflows/build.yaml, so we will confine the changes there.
Suggested changeset
1
.github/workflows/build.yaml
| @@ -1,5 +1,8 @@ | ||
| name: Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] | ||
| @@ -448,6 +451,8 @@ | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| needs: [build-linux, build-linglong, build-macos-arm, build-windows-x64] | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
|
|
||
| steps: | ||
| - name: Download all artifacts |
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines
+448
to
+516
| if: startsWith(github.ref, 'refs/tags/') | ||
| needs: [build-linux, build-linglong, build-macos-arm, build-windows-x64] | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Download all artifacts | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| path: artifacts | ||
|
|
||
| - name: List downloaded artifacts | ||
| run: | | ||
| echo "Downloaded artifacts:" | ||
| ls -la artifacts/ | ||
| find artifacts -type f | ||
|
|
||
| - name: Prepare release packages | ||
| run: | | ||
| cd artifacts | ||
|
|
||
| # Linux x86_64 - already a tar.gz | ||
| if [ -f "OpenConverter_Linux_x86_64/OpenConverter_Linux_x86_64.tar.gz" ]; then | ||
| cp OpenConverter_Linux_x86_64/OpenConverter_Linux_x86_64.tar.gz ../OpenConverter_Linux_x86_64.tar.gz | ||
| fi | ||
|
|
||
| # Linux aarch64 - already a tar.gz | ||
| if [ -f "OpenConverter_Linux_aarch64/OpenConverter_Linux_aarch64.tar.gz" ]; then | ||
| cp OpenConverter_Linux_aarch64/OpenConverter_Linux_aarch64.tar.gz ../OpenConverter_Linux_aarch64.tar.gz | ||
| fi | ||
|
|
||
| # Linglong x86_64 - layer file | ||
| if [ -d "OpenConverter_Linglong_x86_64" ]; then | ||
| cp OpenConverter_Linglong_x86_64/*.layer ../OpenConverter_Linglong_x86_64.layer || true | ||
| fi | ||
|
|
||
| # Linglong aarch64 - layer file | ||
| if [ -d "OpenConverter_Linglong_aarch64" ]; then | ||
| cp OpenConverter_Linglong_aarch64/*.layer ../OpenConverter_Linglong_aarch64.layer || true | ||
| fi | ||
|
|
||
| # macOS aarch64 - already a dmg | ||
| if [ -f "OpenConverter_macOS_aarch64/OpenConverter_macOS_aarch64.dmg" ]; then | ||
| cp OpenConverter_macOS_aarch64/OpenConverter_macOS_aarch64.dmg ../OpenConverter_macOS_aarch64.dmg | ||
| fi | ||
|
|
||
| # Windows x64 - create zip from folder | ||
| if [ -d "OpenConverter_win64" ]; then | ||
| cd OpenConverter_win64 | ||
| zip -r ../../OpenConverter_win64.zip . | ||
| cd .. | ||
| fi | ||
|
|
||
| cd .. | ||
| echo "Release packages:" | ||
| ls -la *.tar.gz *.dmg *.zip *.layer 2>/dev/null || echo "Some packages may be missing" | ||
|
|
||
| - name: Upload Release Assets | ||
| uses: softprops/action-gh-release@v1 | ||
| with: | ||
| files: | | ||
| OpenConverter_Linux_x86_64.tar.gz | ||
| OpenConverter_Linux_aarch64.tar.gz | ||
| OpenConverter_Linglong_x86_64.layer | ||
| OpenConverter_Linglong_aarch64.layer | ||
| OpenConverter_macOS_aarch64.dmg | ||
| OpenConverter_win64.zip | ||
|
|
||
| - name: Finish | ||
| run: echo "Release upload complete" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 3 days ago
In general, fixing this class of problem means adding an explicit permissions: block either at the top level of the workflow (applies to all jobs that don’t override it) or on individual jobs, granting only the scopes actually required. For this workflow, most jobs only need to read repository contents (for checkout) and upload artifacts (which uses the token but via the contents/actions scopes as needed), while the upload-release job additionally needs permission to write release assets (contents: write is sufficient for softprops/action-gh-release).
The best, minimal-impact fix here is to add a workflow-level permissions: block near the top (right under name: Build or under on:) that sets contents: read by default, and then override it in the upload-release job to allow contents: write. This keeps existing functionality while tightening privileges elsewhere. Concretely:
- In
.github/workflows/build.yaml, after theon:trigger block and beforejobs:, add:permissions: contents: read
- In the same file, inside the
upload-release:job definition, add:directly under thepermissions: contents: write
needs:/runs-on:block (ordering among job keys is flexible in YAML, but we’ll place it right afterruns-on:for clarity). No imports or additional methods are needed, as this is pure workflow configuration.
Suggested changeset
1
.github/workflows/build.yaml
| @@ -11,6 +11,9 @@ | ||
| - created | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| build-linux: | ||
| strategy: | ||
| @@ -448,6 +451,8 @@ | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| needs: [build-linux, build-linglong, build-macos-arm, build-windows-x64] | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
|
|
||
| steps: | ||
| - name: Download all artifacts |
Copilot is powered by AI and may make mistakes. Always verify output.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.