
On macOS, add 64 bytes of headerpad to accommodate code signatures #1080

Workflow file for this run

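# macOS CI: builds the `pythonbuild` crate, generates the build matrix, then
# builds, attests (main only), uploads and validates the CPython distributions.
#
# Third-party actions are referenced by full commit SHA with the release tag
# kept in a trailing comment, and every checkout sets
# `persist-credentials: false`.
name: macos

on:
  push:
    branches: [main]
  pull_request:

# One active run per workflow/ref/PR; only pull-request runs are cancelled when
# superseded.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  FORCE_COLOR: 1

# No token permissions at workflow level; a job that needs any must request
# them itself (only `build` does).
permissions: {}

jobs:
  crate-build:
    needs:
      - generate-matrix
    runs-on: ${{ matrix.runner }}
    strategy:
      matrix: ${{ fromJson(needs.generate-matrix.outputs.crate-build-matrix) }}
      fail-fast: false
    name: crate / ${{ matrix.arch }}
    steps:
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          persist-credentials: false

      # The rustc version is written to a file so it can be part of the cache key.
      - name: Emit rustc version
        run: |
          rustc --version > .rustc-version

      # NOTE(review): the restored `target` directory feeds the binary that the
      # `build` job later downloads and runs; confirm the cache scope is
      # acceptable for that use.
      - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-pythonbuild-${{ hashFiles('Cargo.lock', '.rustc-version') }}

      - name: Build
        run: |
          cargo build --release

      - name: Upload pythonbuild Executable
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ matrix.crate_artifact_name }}
          path: target/release/pythonbuild

  generate-matrix:
    name: Generate build matrix
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
      crate-build-matrix: ${{ steps.set-matrix.outputs.crate-build-matrix }}
      any_builds: ${{ steps.set-matrix.outputs.any_builds }}
    steps:
      # Full history is fetched because a later step computes a merge base.
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Set up Python
        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0

      # Label names reach the script through an environment variable rather
      # than being interpolated into the script text, so label content is never
      # parsed as shell.
      - name: Get pull request labels
        id: get-labels
        env:
          PULL_REQUEST_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
        run: |
          # Convert GitHub labels array to comma-separated string
          LABELS=$(echo "${PULL_REQUEST_LABELS}" | jq -r 'join(",")')
          echo "labels=$LABELS" >> "$GITHUB_OUTPUT"

      # The base branch name is likewise passed via env and only used quoted.
      - name: Check if the `pythonbuild` crate changed
        id: check-pythonbuild
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref || 'main' }}
        run: |
          merge_base=$(git merge-base HEAD "origin/${BASE_REF}")
          if git diff --quiet "${merge_base}...HEAD" -- ':src/*.rs'; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      # The inline expression on the `uv run` line expands only to the literal
      # `--force-crate-build` or to an empty string, so no event-controlled
      # text is substituted into the script.
      - name: Generate build matrix
        id: set-matrix
        run: |
          uv run ci-matrix.py --platform darwin --labels "${STEPS_GET_LABELS_OUTPUTS_LABELS}" ${{ (steps.check-pythonbuild.outputs.changed == 'true' || github.ref == 'refs/heads/main') && '--force-crate-build' || '' }} > matrix.json
          # Extract python-build matrix
          echo "matrix=$(jq -c '."python-build"' matrix.json)" >> "$GITHUB_OUTPUT"
          echo "crate-build-matrix=$(jq -c '."crate-build"' matrix.json)" >> "$GITHUB_OUTPUT"
          # Display the matrix for debugging too
          cat matrix.json | jq
          if jq -e '."python-build".include | length > 0' matrix.json > /dev/null; then
            # Build matrix has entries
            echo "any_builds=true" >> "$GITHUB_OUTPUT"
          else
            # Build matrix is empty
            echo "any_builds=false" >> "$GITHUB_OUTPUT"
          fi
        env:
          STEPS_GET_LABELS_OUTPUTS_LABELS: ${{ steps.get-labels.outputs.labels }}

  build:
    needs:
      - generate-matrix
      - crate-build
    # Permissions used for actions/attest-build-provenance
    permissions:
      id-token: write
      attestations: write
    runs-on: ${{ matrix.runner }}
    strategy:
      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
      fail-fast: false
    name: ${{ matrix.target_triple }} / ${{ matrix.python }} / ${{ matrix.build_options }}
    steps:
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Install Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.11"

      - name: Download pythonbuild
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: ${{ matrix.crate_artifact_name }}
          path: build

      # Matrix values are passed through env and expanded quoted, so each one
      # reaches build-macos.py as exactly one argument with no word splitting
      # or globbing. Both supported triples currently use the same SDK path;
      # any other triple fails the step.
      - name: Build
        if: ${{ ! matrix.dry-run }}
        run: |
          if [ "${MATRIX_TARGET_TRIPLE}" = "aarch64-apple-darwin" ]; then
            export APPLE_SDK_PATH=/Applications/Xcode_15.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.2.sdk
          elif [ "${MATRIX_TARGET_TRIPLE}" = "x86_64-apple-darwin" ]; then
            export APPLE_SDK_PATH=/Applications/Xcode_15.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.2.sdk
          else
            echo "unhandled target triple: ${MATRIX_TARGET_TRIPLE}"
            exit 1
          fi
          ./build-macos.py --target-triple "${MATRIX_TARGET_TRIPLE}" --python "cpython-${MATRIX_PYTHON}" --options "${MATRIX_BUILD_OPTIONS}"
        env:
          MATRIX_TARGET_TRIPLE: ${{ matrix.target_triple }}
          MATRIX_PYTHON: ${{ matrix.python }}
          MATRIX_BUILD_OPTIONS: ${{ matrix.build_options }}

      # Provenance is attested only for runs on main.
      # NOTE(review): this step runs before "Validate Distribution" and has no
      # `matrix.dry-run` guard, unlike the steps around it; confirm that
      # attesting before validation is intended.
      - name: Generate attestations
        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
        if: ${{ github.ref == 'refs/heads/main' }}
        with:
          subject-path: dist/*

      - name: Upload Distributions
        if: ${{ ! matrix.dry-run }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: cpython-${{ matrix.python }}-${{ matrix.target_triple }}-${{ matrix.build_options }}
          path: dist/*

      # NOTE(review): `ref: master` is a mutable branch of a third-party
      # repository, checked out in a job that holds `id-token: write`. The
      # actions above are pinned to commit SHAs; pinning this ref to a full
      # commit SHA as well would make the validation input reproducible.
      - name: Checkout macOS SDKs for validation
        if: ${{ ! matrix.dry-run }}
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          repository: phracker/MacOSX-SDKs
          ref: master
          path: macosx-sdks
          persist-credentials: false

      # The downloaded artifact has to be marked executable before it is run.
      - name: Validate Distribution
        if: ${{ ! matrix.dry-run }}
        run: |
          chmod +x build/pythonbuild
          build/pythonbuild validate-distribution --macos-sdks-path macosx-sdks --run dist/*.tar.zst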