ci(GITHUB): deprecate monterey, add sonoma #805
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: mac_maker-push | |
# Workflow Secrets: | |
# SLACK_WEBHOOK (Required, for slack notifications...) | |
on: | |
push: | |
schedule: | |
- cron: "0 6 * * 1" | |
workflow_dispatch: | |
env: | |
PROJECT_NAME: "mac_maker" | |
USERNAME: "osx-provisioner" | |
VERBOSE_NOTIFICATIONS: 0 | |
jobs: | |
_start_notification: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Start -- Checkout Repository | |
uses: actions/checkout@v3 | |
- name: Start -- Setup Environment | |
run: | | |
source ./.github/scripts/setup.sh | |
env: | |
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | |
- name: Start -- Report Job Status on Success | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":white_check_mark: workflow has started!" | |
- name: Start -- Report Job Status on Failure | |
if: failure() | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":x: error reporting job status!" | |
_success_notification: | |
needs: [attach_release_binaries] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Success -- Checkout Repository | |
uses: actions/checkout@v3 | |
- name: Success -- Setup Environment | |
run: | | |
source .github/scripts/setup.sh | |
env: | |
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | |
- name: Success -- Report Job Status on Success | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":white_check_mark: all checks were successful!" | |
- name: Success -- Report Job Status on Failure | |
if: failure() | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":x: error reporting job status!" | |
apply: | |
needs: [container_build, osx_build] | |
# Only on tags, main and production branches. | |
runs-on: macos-${{ matrix.os.version }} | |
strategy: | |
max-parallel: 4 | |
matrix: | |
os: | |
- version: 13 | |
platform: x86_64 | |
- version: 14 | |
platform: arm64 | |
python-version: [3.11.11] | |
steps: | |
- name: Apply Test -- Branch Filter | |
id: branch_filter | |
run: | | |
MATCH="FALSE" | |
[[ "${{ github.event.ref }}" =~ /tags/v\.* ]] && MATCH="TRUE" | |
[[ "${{ github.event.ref }}" == "refs/heads/main" ]] && MATCH="TRUE" | |
[[ "${{ github.event.ref }}" == "refs/heads/production" ]] && MATCH="TRUE" | |
echo "MATCH=${MATCH}" >> $GITHUB_OUTPUT | |
- name: Apply Test -- Checkout | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
uses: actions/checkout@v3 | |
- name: Apply Test -- Setup Environment | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
run: | | |
source .github/scripts/setup.sh | |
env: | |
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | |
PYTHON_VERSION: ${{ matrix.python-version }} | |
- name: Apply Test -- Download Built Binary | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
uses: actions/download-artifact@v3 | |
with: | |
name: built_binary_${{ matrix.os.version }}_${{ matrix.os.platform }}_${{ env.BRANCH_OR_TAG }} | |
- name: Apply Test -- Clear Quarantine Attribute | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
run: | | |
tar xvzf mac_maker_${{ matrix.os.version }}_${{ matrix.os.platform }}_${BRANCH_OR_TAG}.tar.gz | |
xattr -d -r com.apple.quarantine mac_maker_${{ matrix.os.version }}_${{ matrix.os.platform }}_${BRANCH_OR_TAG} | |
- name: Apply Test -- Apply a Profile | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
run: | | |
cd mac_maker_${{ matrix.os.version }}_${{ matrix.os.platform }}_${BRANCH_OR_TAG} | |
export ANSIBLE_BECOME_PASSWORD="skip the prompt" | |
./mac_maker apply github https://github.com/osx-provisioner/profile-example.git | |
- name: Apply Test -- Report Job Status (Success) | |
if: steps.branch_filter.outputs.match == 'TRUE' && env.VERBOSE_NOTIFICATIONS == '1' | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":white_check_mark: ${{ matrix.os }} profile application using built binary (${{ matrix.os.version }} ${{ matrix.os.platform }}) was successful" | |
- name: Apply Test -- Report Job Status (Failure) | |
if: failure() | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":x: ${{ matrix.os.version }} profile application using built binary (${{ matrix.os }} ${{ matrix.os.platform }}) failed!" | |
attach_release_binaries: | |
needs: [create_release] | |
runs-on: ubuntu-latest | |
strategy: | |
max-parallel: 4 | |
matrix: | |
os: | |
- version: 13 | |
platform: x86_64 | |
- version: 14 | |
platform: arm64 | |
python-version: [3.11.11] | |
steps: | |
- name: Attach Release Binaries -- Branch Filter | |
id: branch_filter | |
run: | | |
MATCH="FALSE" | |
[[ "${{ github.event.ref }}" =~ /tags/v\.* ]] && MATCH="TRUE" | |
echo "MATCH=${MATCH}" >> $GITHUB_OUTPUT | |
- name: Attach Release Binaries -- Checkout | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Attach Release Binaries -- Setup Environment | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
run: | | |
source .github/scripts/setup.sh | |
env: | |
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | |
PYTHON_VERSION: ${{ matrix.python-version }} | |
- name: Attach Release Binaries -- Download Built Binary | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
uses: actions/download-artifact@v3 | |
with: | |
name: built_binary_${{ matrix.os.version }}_${{ matrix.os.platform }}_${{ env.BRANCH_OR_TAG }} | |
- name: Attach Release Binaries -- Identify Binary | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
run: | | |
ls -la | |
BINARY_NAME=$(ls *.tar.gz) | |
echo "BINARY_NAME=${BINARY_NAME}" >> $GITHUB_ENV | |
- name: Attach Release Binaries -- Upload Release Asset | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
run: | | |
source ./.github/scripts/upload_asset.sh | |
env: | |
FILE_PATH: ${{ env.BINARY_NAME }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
UPLOAD_URL: ${{ needs.create_release.outputs.upload_url }} | |
- name: Attach Release Binaries -- Report Success | |
if: steps.branch_filter.outputs.match == 'TRUE' && env.VERBOSE_NOTIFICATIONS == '1' | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":white_check_mark: compiled binary has been attached to release: ${BINARY_NAME}" | |
- name: Attach Release Binaries -- Report Failure | |
if: failure() && contains(github.ref, '/tags/v') | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":x: compiled binaries could not be attached to release!" | |
container_build: | |
runs-on: ubuntu-latest | |
strategy: | |
max-parallel: 4 | |
matrix: | |
include: | |
- python-version: 3.11 | |
steps: | |
- name: Container Build -- Checkout | |
uses: actions/checkout@v3 | |
- name: Container Build -- Setup Environment | |
run: | | |
source .github/scripts/setup.sh | |
env: | |
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | |
PYTHON_VERSION: ${{ matrix.python-version }} | |
- name: Container Build -- Create Docker Mounted Content | |
run: | | |
echo | ssh-keygen | |
touch ${HOME}/.gitconfig | |
touch ${HOME}/.gitconfig_global | |
- name: Container Build -- Build Container | |
run: | | |
source .github/scripts/build_container.sh | |
- name: Container Build -- Ensure GIT is working | |
run: | | |
docker compose exec -T "${PROJECT_NAME}" git status | |
- name: Container Build -- Run TOML Linter | |
run: | | |
docker compose exec -T "${PROJECT_NAME}" tomll /app/pyproject.toml | |
- name: Container Build -- Run Documentation Build | |
run: | | |
docker compose exec -T "${PROJECT_NAME}" dev build-docs | |
- name: Container Build -- Run Linter | |
run: | | |
docker compose exec -T "${PROJECT_NAME}" dev lint | |
- name: Container Build -- Run Sec Test | |
run: | | |
docker compose exec -T "${PROJECT_NAME}" dev sectest | |
- name: Container Build -- Run Unit Tests | |
run: | | |
docker compose exec -T "${PROJECT_NAME}" dev coverage | |
- name: Container Build -- Run MyPy | |
run: | | |
docker compose exec -T "${PROJECT_NAME}" dev types | |
- name: Container Build -- Run Release Validation | |
run: | | |
docker compose exec -T "${PROJECT_NAME}" ./scripts/release.sh | |
- name: Container Build -- Report Job Status (Success) | |
if: env.VERBOSE_NOTIFICATIONS == '1' | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":white_check_mark: container build for Python ${PYTHON_VERSION} was successful" | |
- name: Container Build -- Report Job Status (Failure) | |
if: failure() | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":x: container build for Python ${PYTHON_VERSION} failed!" | |
create_release: | |
needs: [_start_notification, apply, container_build, documentation_test, security_test, shellcheck_test, workflow_lint_test] | |
runs-on: ubuntu-latest | |
outputs: | |
upload_url: ${{ fromJSON(steps.create_release.outputs.result).data.upload_url }} | |
steps: | |
- name: Create Release -- Branch Filter | |
id: branch_filter | |
run: | | |
MATCH="FALSE" | |
[[ "${{ github.event.ref }}" =~ /tags/v\.* ]] && MATCH="TRUE" | |
echo "MATCH=${MATCH}" >> $GITHUB_OUTPUT | |
- name: Create Release -- Checkout | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Create Release -- Setup Environment | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
run: | | |
source .github/scripts/setup.sh | |
env: | |
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | |
- name: Create Release -- Prepare Content | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
run: | | |
echo "{}" > package.json | |
- name: Create Release -- Generate Changelog | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
run: | |
source ./.github/scripts/changelog.sh | |
- name: Create Release -- Generate Github Release Draft | |
id: create_release | |
uses: actions/github-script@v6 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
try { | |
if (process.env.RELEASE_BRANCH !== 'TRUE') { | |
return { data: { upload_url: null }} | |
} | |
const result = await github.rest.repos.createRelease({ | |
body: process.env.CHANGE_LOG_CONTENT, | |
draft: true, | |
name: "Release " + process.env.BRANCH_OR_TAG, | |
owner: context.repo.owner, | |
prerelease: false, | |
repo: context.repo.repo, | |
tag_name: process.env.BRANCH_OR_TAG, | |
}); | |
return result | |
} catch (error) { | |
core.setFailed(error.message); | |
} | |
env: | |
RELEASE_BRANCH: ${{ steps.branch_filter.outputs.match }} | |
- name: Create Release -- Report Success | |
if: steps.branch_filter.outputs.match == 'TRUE' && env.VERBOSE_NOTIFICATIONS == '1' | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":white_check_mark: automated release has been created:\nhttps://github.com/${USERNAME}/${PROJECT_NAME}/releases" | |
- name: Create Release -- Report Failure | |
if: failure() | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":x: automated release generation failed!" | |
documentation_test: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Documentation Test -- Checkout Repository | |
uses: actions/checkout@v3 | |
- name: Documentation Test -- Setup Environment | |
run: | | |
source .github/scripts/setup.sh | |
env: | |
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | |
- name: Documentation Test -- Documentation Validation | |
uses: gaurav-nelson/github-action-markdown-link-check@1.0.13 | |
with: | |
config-file: '.github/config/actions/gaurav-nelson-github-action-markdown-link-check.json' | |
use-quiet-mode: 'no' | |
use-verbose-mode: 'yes' | |
- name: Documentation Test -- Report Success | |
if: env.VERBOSE_NOTIFICATIONS == '1' | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":white_check_mark: documentation checks were successful!" | |
- name: Documentation Test -- Report Failure | |
if: failure() | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":x: documentation checks failed!" | |
security_test: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Security Test -- Checkout Repository | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Security Test -- Setup Environment | |
run: | | |
source .github/scripts/setup.sh | |
source .github/scripts/pushed_commit_range.sh | |
env: | |
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
- name: Security Test -- Run Trufflehog | |
uses: trufflesecurity/trufflehog@v3.54.4 | |
with: | |
path: . | |
base: ${{ env.PUSHED_COMMIT_RANGE }} | |
head: ${{ env.BRANCH_OR_TAG }} | |
extra_args: --only-verified | |
- name: Security Test -- Report Success | |
if: env.VERBOSE_NOTIFICATIONS == '1' | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":white_check_mark: security checks were successful!" | |
- name: Security Test -- Report Failure | |
if: failure() | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":x: security checks failed!" | |
shellcheck_test: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Shellcheck -- Checkout Repository | |
uses: actions/checkout@v3 | |
- name: Shellcheck -- Setup Environment | |
run: | | |
source .github/scripts/setup.sh | |
env: | |
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | |
- name: Shellcheck -- Check Scripts | |
run: | | |
source .github/scripts/shellcheck.sh | |
- name: Shellcheck -- Report Job Status on Success | |
if: env.VERBOSE_NOTIFICATIONS == '1' | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":white_check_mark: shellcheck checks were successful!" | |
- name: Shellcheck -- Report Job Status on Failure | |
if: failure() | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":x: shellcheck checks failed!" | |
workflow_lint_test: | |
runs-on: ubuntu-latest | |
strategy: | |
max-parallel: 4 | |
matrix: | |
python-version: [3.11] | |
steps: | |
- name: Workflow Lint -- Set up Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Workflow Lint -- Checkout Repository | |
uses: actions/checkout@v3 | |
- name: Workflow Lint -- Setup Environment | |
run: | | |
source ./.github/scripts/setup.sh | |
pip install yamllint | |
env: | |
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | |
- name: Workflow Lint -- Run Linter | |
run: | | |
yamllint ./.github/workflows -c .yamllint.yml -f standard | |
- name: Workflow Lint -- Report Job Status on Success | |
if: env.VERBOSE_NOTIFICATIONS == '1' | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":white_check_mark: workflow linting was successful!" | |
- name: Workflow Lint -- Report Job Status on Failure | |
if: failure() | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":x: workflow linting has failed!" | |
osx_build: | |
# Only on tags, main and production branches. | |
runs-on: macos-${{ matrix.os.version }} | |
strategy: | |
max-parallel: 4 | |
matrix: | |
os: | |
- version: 13 | |
platform: x86_64 | |
- version: 14 | |
platform: arm64 | |
python-version: [3.11.11] | |
steps: | |
- name: OSX Build -- Branch Filter | |
id: branch_filter | |
run: | | |
MATCH="FALSE" | |
[[ "${{ github.event.ref }}" =~ /tags/v\.* ]] && MATCH="TRUE" | |
[[ "${{ github.event.ref }}" == "refs/heads/main" ]] && MATCH="TRUE" | |
[[ "${{ github.event.ref }}" == "refs/heads/production" ]] && MATCH="TRUE" | |
echo "MATCH=${MATCH}" >> $GITHUB_OUTPUT | |
- name: OSX Build -- Checkout | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
uses: actions/checkout@v3 | |
- name: OSX Build -- Setup Environment | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
run: | | |
source .github/scripts/setup.sh | |
env: | |
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | |
PYTHON_VERSION: ${{ matrix.python-version }} | |
- name: OSX Build -- Setup Python ${{ matrix.python-version }} | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
run: | | |
./scripts/build.sh pyenv "${PYTHON_VERSION}" | |
env: | |
HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK: 1 | |
- name: OSX Build -- Setup Build Environment | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
shell: bash -l {0} | |
run: | | |
eval $(~/.pyenv/bin/pyenv init --path) | |
pip install poetry wheel | |
env: | |
PYENV_VERSION: ${{ matrix.python-version }} | |
- name: OSX Build -- Build Mac Maker Binary | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
shell: bash -l {0} | |
run: | | |
eval $(~/.pyenv/bin/pyenv init --path) | |
./scripts/build.sh binary "${OS_VERSION}" "${BRANCH_OR_TAG}" | |
env: | |
PYENV_VERSION: ${{ matrix.python-version }} | |
OS_VERSION: ${{ matrix.os.version }} | |
PLATFORM: ${{ matrix.os.platform }} | |
- name: OSX Build -- Test the version command | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
shell: bash -l {0} | |
run: | | |
./dist/mac_maker version | |
env: | |
PYENV_VERSION: ${{ matrix.python-version }} | |
- name: OSX Build -- Upload Build Artifact | |
if: steps.branch_filter.outputs.match == 'TRUE' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: built_binary_${{ matrix.os.version }}_${{ matrix.os.platform }}_${{ env.BRANCH_OR_TAG }} | |
path: ./dist/mac_maker_${{ matrix.os.version }}_${{ matrix.os.platform }}_${{ env.BRANCH_OR_TAG }}.tar.gz | |
retention-days: 1 | |
if-no-files-found: error | |
- name: OSX Build -- Report Job Status (Success) | |
if: steps.branch_filter.outputs.match == 'TRUE' && env.VERBOSE_NOTIFICATIONS == '1' | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":white_check_mark: ${{ matrix.os.version }} binary build for Python ${PYTHON_VERSION} was successful" | |
- name: OSX Build -- Report Job Status (Failure) | |
if: failure() | |
run: | | |
./.github/scripts/notifications.sh "${NOTIFICATION}" ":x: ${{ matrix.os.version }} binary build for Python ${PYTHON_VERSION} failed!" |