Merge pull request #2 from audiohacking/copilot/add-github-action-build-dmg

lmangani · web-flow · commit 1a44a7840c1d · 2026-03-09T01:52:11.000+01:00
Fix CI failures: pyright errors in job_executors + Darwin MPS policy test
diff --git a/.github/workflows/build-mac-dmg.yml b/.github/workflows/build-mac-dmg.yml
@@ -0,0 +1,113 @@
+name: Build macOS DMG
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: write  # required to upload assets to GitHub Releases
+
+jobs:
+  build-mac-dmg:
+    name: Build macOS DMG
+    runs-on: macos-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+
+      - name: Set up Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
+        with:
+          version: "latest"
+          enable-cache: true
+          cache-dependency-glob: "backend/uv.lock"
+
+      - name: Install Node dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Cache embedded Python environment
+        id: python-cache
+        uses: actions/cache@v4
+        with:
+          path: python-embed
+          key: python-embed-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('backend/uv.lock', 'backend/.python-version') }}
+
+      - name: Prepare embedded Python
+        if: steps.python-cache.outputs.cache-hit != 'true'
+        run: bash scripts/prepare-python.sh
+
+      - name: Generate Python dependency hash
+        run: shasum -a 256 backend/uv.lock | awk '{print $1}' > python-deps-hash.txt
+
+      - name: Build frontend
+        run: pnpm run build:frontend
+
+      - name: Build macOS app bundle (unsigned)
+        # Build the unpacked .app only — electron-builder signing is disabled entirely.
+        # Ad-hoc signing is applied in the next step via build/macos/codesign.sh.
+        id: build-app
+        env:
+          CSC_IDENTITY_AUTO_DISCOVERY: "false"
+        run: |
+          pnpm exec electron-builder --mac --dir \
+            --config.mac.notarize=false \
+            --config.publish.owner=${{ github.repository_owner }} \
+            --config.publish.repo=${{ github.event.repository.name }}
+
+          APP_PATH=$(find release/mac-* -name "*.app" -maxdepth 1 | head -1)
+          if [ -z "$APP_PATH" ]; then
+            echo "Error: No .app bundle found in release/"
+            exit 1
+          fi
+          echo "app_path=$APP_PATH" >> "$GITHUB_OUTPUT"
+
+      - name: Ad-hoc code sign the app bundle
+        # Signs all Mach-O binaries (Python natives, Electron frameworks, executables)
+        # and the app bundle using identity "-" (ad-hoc / self-signed).
+        # No Apple ID, no certificate, no notarization required.
+        # To use a real Developer ID certificate, set the MACOS_SIGNING_IDENTITY secret.
+        run: |
+          chmod +x build/macos/codesign.sh
+          ./build/macos/codesign.sh "${{ steps.build-app.outputs.app_path }}"
+        env:
+          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY || '-' }}
+
+      - name: Create DMG from signed app
+        # Packages the signed .app into a DMG using the electron-builder.yml layout.
+        # --prepackaged skips the build phase; electron-builder only creates the DMG.
+        # CSC_IDENTITY_AUTO_DISCOVERY=false prevents any re-signing attempt.
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CSC_IDENTITY_AUTO_DISCOVERY: "false"
+        run: |
+          PUBLISH_MODE="never"
+          if [ "${{ github.event_name }}" = "release" ]; then
+            PUBLISH_MODE="always"
+          fi
+
+          pnpm exec electron-builder --mac dmg \
+            --prepackaged "${{ steps.build-app.outputs.app_path }}" \
+            --config.mac.notarize=false \
+            --config.publish.owner=${{ github.repository_owner }} \
+            --config.publish.repo=${{ github.event.repository.name }} \
+            --publish "$PUBLISH_MODE"
+
+      - name: Upload DMG artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: macos-dmg
+          path: release/*.dmg
+          if-no-files-found: error
+          retention-days: 30
diff --git a/backend/handlers/job_executors.py b/backend/handlers/job_executors.py
@@ -3,11 +3,12 @@
 from __future__ import annotations
 
 import logging
-from typing import TYPE_CHECKING, Any
+from typing import TYPE_CHECKING, Any, Literal, cast
 
 from api_types import (
     GenerateImageRequest,
     GenerateVideoRequest,
+    VideoCameraMotion,
 )
 from state.job_queue import QueueJob
 
@@ -23,11 +24,14 @@ def _str(params: dict[str, Any], key: str, default: str = "") -> str:
     return str(v) if v is not None else default
 
 
-def _bool(params: dict[str, Any], key: str, default: bool = False) -> bool:
-    v = params.get(key, default)
-    if isinstance(v, bool):
-        return v
-    return str(v).lower() in ("1", "true", "yes", "on")
+def _camera_motion(params: dict[str, Any]) -> VideoCameraMotion:
+    """Return the cameraMotion param, defaulting to 'none'. Cast is safe: values come from validated queue jobs."""
+    return cast(VideoCameraMotion, _str(params, "cameraMotion", "none"))
+
+
+def _aspect_ratio(params: dict[str, Any]) -> Literal["16:9", "9:16"]:
+    """Return the aspectRatio param, defaulting to '16:9'. Cast is safe: values come from validated queue jobs."""
+    return cast(Literal["16:9", "9:16"], _str(params, "aspectRatio", "16:9"))
 
 
 def _int(params: dict[str, Any], key: str, default: int = 0) -> int:
@@ -65,8 +69,8 @@ def _execute_video(self, job: QueueJob) -> list[str]:
             duration=_str(p, "duration", "5"),
             fps=_str(p, "fps", "24"),
             audio=_str(p, "audio", "false"),
-            cameraMotion=_str(p, "cameraMotion", "none"),
-            aspectRatio=_str(p, "aspectRatio", "16:9"),
+            cameraMotion=_camera_motion(p),
+            aspectRatio=_aspect_ratio(p),
             model=job.model,
             negativePrompt=_str(p, "negativePrompt"),
         )
@@ -123,8 +127,8 @@ def execute(self, job: QueueJob) -> list[str]:
                 duration=_str(p, "duration", "5"),
                 fps=_str(p, "fps", "24"),
                 audio=_str(p, "audio", "false"),
-                cameraMotion=_str(p, "cameraMotion", "none"),
-                aspectRatio=_str(p, "aspectRatio", "16:9"),
+                cameraMotion=_camera_motion(p),
+                aspectRatio=_aspect_ratio(p),
                 model=job.model,
                 negativePrompt=_str(p, "negativePrompt"),
             )
diff --git a/backend/tests/test_runtime_policy_decision.py b/backend/tests/test_runtime_policy_decision.py
@@ -5,9 +5,10 @@
 from runtime_config.runtime_policy import decide_force_api_generations
 
 
-def test_darwin_always_forces_api() -> None:
-    assert decide_force_api_generations(system="Darwin", cuda_available=True, vram_gb=24) is True
-    assert decide_force_api_generations(system="Darwin", cuda_available=False, vram_gb=None) is True
+def test_darwin_allows_local_mps_generation() -> None:
+    # Darwin supports MPS (Apple Silicon GPU), so local generation is allowed.
+    assert decide_force_api_generations(system="Darwin", cuda_available=True, vram_gb=24) is False
+    assert decide_force_api_generations(system="Darwin", cuda_available=False, vram_gb=None) is False
 
 
 def test_windows_without_cuda_forces_api() -> None:
diff --git a/build/macos/codesign.sh b/build/macos/codesign.sh
@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+# build/macos/codesign.sh
+# Ad-hoc code signing for LTX Desktop macOS app bundle.
+#
+# No Apple Developer account or Apple ID is required. By default this script
+# uses ad-hoc signing (identity "-"), which prevents the "app is damaged" Gatekeeper
+# warning without needing a paid Apple Developer certificate.
+#
+# For production releases with a real Developer ID, set the MACOS_SIGNING_IDENTITY
+# environment variable to your certificate name (e.g. "Developer ID Application: …").
+#
+# Adapted from: https://github.com/audiohacking/AceForge/blob/main/build/macos/codesign.sh
+# Original reference: https://github.com/dylanwh/lilguy/blob/main/macos/build.sh
+#
+# Usage:
+#   bash build/macos/codesign.sh <path-to-app.bundle>
+
+set -euo pipefail
+
+APP_PATH="${1:?Usage: $0 <path-to-app.bundle>}"
+SIGNING_IDENTITY="${MACOS_SIGNING_IDENTITY:--}"   # Default: ad-hoc ("-")
+ENTITLEMENTS_PATH="resources/entitlements.mac.plist"
+
+echo "=================================================="
+echo "  LTX Desktop macOS Code Signing"
+echo "=================================================="
+echo "  App:          $APP_PATH"
+echo "  Identity:     $SIGNING_IDENTITY"
+echo "  Entitlements: $ENTITLEMENTS_PATH"
+echo ""
+
+# ── Pre-flight checks ────────────────────────────────────────────────────────
+if [ ! -d "$APP_PATH" ]; then
+    echo "Error: App bundle not found at $APP_PATH"
+    exit 1
+fi
+
+if [ ! -f "$ENTITLEMENTS_PATH" ]; then
+    echo "Error: Entitlements file not found at $ENTITLEMENTS_PATH"
+    echo "       Run this script from the project root."
+    exit 1
+fi
+
+# ── Signing helper ────────────────────────────────────────────────────────────
+# Ad-hoc signing ("-") does not support --timestamp (requires a CA).
+sign_target() {
+    local target="$1"
+    echo "  Signing: $(basename "$target")"
+
+    if [ "$SIGNING_IDENTITY" = "-" ]; then
+        xcrun codesign \
+            --sign "$SIGNING_IDENTITY" \
+            --force \
+            --options runtime \
+            --entitlements "$ENTITLEMENTS_PATH" \
+            --deep \
+            "$target"
+    else
+        xcrun codesign \
+            --sign "$SIGNING_IDENTITY" \
+            --force \
+            --options runtime \
+            --entitlements "$ENTITLEMENTS_PATH" \
+            --deep \
+            --timestamp \
+            "$target"
+    fi
+
+    echo "  ✓ Signed: $(basename "$target")"
+}
+
+# ── Step 1: Sign bundled Python native libraries ──────────────────────────────
+# Sign leaf Mach-O binaries first so the bundle signature remains valid.
+# The Python embed directory contains .dylib/.so native extensions.
+echo "Step 1: Signing bundled Python native libraries..."
+PYTHON_DIR="$APP_PATH/Contents/Resources/python"
+if [ -d "$PYTHON_DIR" ]; then
+    find "$PYTHON_DIR" -type f \( -name "*.dylib" -o -name "*.so" \) -print0 | \
+        while IFS= read -r -d '' lib; do
+            sign_target "$lib" || true   # keep going on individual failures
+        done
+    echo "  Python native libraries signed."
+else
+    echo "  No bundled Python directory found at Contents/Resources/python — skipping."
+fi
+
+# ── Step 2: Sign Electron framework libraries ────────────────────────────────
+echo ""
+echo "Step 2: Signing Electron framework libraries..."
+if [ -d "$APP_PATH/Contents/Frameworks" ]; then
+    find "$APP_PATH/Contents/Frameworks" -type f \( -name "*.dylib" -o -name "*.so" \) -print0 | \
+        while IFS= read -r -d '' f; do
+            sign_target "$f" || true
+        done
+fi
+
+# ── Step 3: Sign main executables ────────────────────────────────────────────
+echo ""
+echo "Step 3: Signing main executables..."
+for exe in "$APP_PATH/Contents/MacOS/"*; do
+    if [ -f "$exe" ] && [ -x "$exe" ]; then
+        sign_target "$exe"
+    fi
+done
+
+# ── Step 4: Sign the whole app bundle ────────────────────────────────────────
+echo ""
+echo "Step 4: Signing app bundle..."
+sign_target "$APP_PATH"
+
+# ── Verification ─────────────────────────────────────────────────────────────
+echo ""
+echo "Verification:"
+xcrun codesign --verify --deep --strict --verbose=2 "$APP_PATH" 2>&1 || true
+
+echo ""
+echo "Signature info:"
+xcrun codesign -dv "$APP_PATH" 2>&1 || true
+
+echo ""
+echo "=================================================="
+echo "  ✓ Code signing complete!"
+echo "=================================================="
