|
43 | 43 | runs-on: "macos-selfhosted-12" |
44 | 44 | - os: "mac" |
45 | 45 | name: "arm64" |
46 | | - runs-on: "macos-13-arm" |
| 46 | + runs-on: "macos-silicon" |
47 | 47 | # - os: "windows" |
48 | 48 | # name: "amd64" |
49 | 49 | # runs-on: "windows-cuda-12-0" |
@@ -148,13 +148,54 @@ jobs: |
148 | 148 | echo "PYTHON_FOLDER=$PYTHON_FOLDER" >> $GITHUB_ENV |
149 | 149 | echo "github end PYTHON_FOLDER: ${{env.PYTHON_FOLDER}}" |
150 | 150 |
|
| 151 | + - name: create plist file |
| 152 | + if: runner.os == 'macOS' |
| 153 | + run: | |
| 154 | + cat << EOF > /tmp/entitlements.plist |
| 155 | + <?xml version="1.0" encoding="UTF-8"?> |
| 156 | + <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
| 157 | + <plist version="1.0"> |
| 158 | + <dict> |
| 159 | + <!-- These are required for binaries built by PyInstaller --> |
| 160 | + <key>com.apple.security.cs.allow-jit</key> |
| 161 | + <true/> |
| 162 | + <key>com.apple.security.cs.allow-unsigned-executable-memory</key> |
| 163 | + <true/> |
| 164 | +
|
| 165 | + <!-- Add these for additional permissions --> |
| 166 | + <key>com.apple.security.app-sandbox</key> |
| 167 | + <false/> |
| 168 | + <key>com.apple.security.network.client</key> |
| 169 | + <true/> |
| 170 | + <key>com.apple.security.network.server</key> |
| 171 | + <true/> |
| 172 | + <key>com.apple.security.device.audio-input</key> |
| 173 | + <true/> |
| 174 | + <key>com.apple.security.device.microphone</key> |
| 175 | + <true/> |
| 176 | + <key>com.apple.security.device.camera</key> |
| 177 | + <true/> |
| 178 | + <key>com.apple.security.files.user-selected.read-write</key> |
| 179 | + <true/> |
| 180 | + <key>com.apple.security.cs.disable-library-validation</key> |
| 181 | + <true/> |
| 182 | + <key>com.apple.security.cs.allow-dyld-environment-variables</key> |
| 183 | + <true/> |
| 184 | + <key>com.apple.security.cs.allow-executable-memory</key> |
| 185 | + <true/> |
| 186 | + </dict> |
| 187 | + </plist> |
| 188 | + EOF |
| 189 | +
|
151 | 190 | - name: Notary macOS Binary |
152 | 191 | if: runner.os == 'macOS' |
153 | 192 | run: | |
154 | | - codesign --force --entitlements="./engine/templates/macos/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime ${{env.PYTHON_FOLDER}}/bin/python |
155 | | - codesign --force --entitlements="./engine/templates/macos/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime ${{env.PYTHON_FOLDER}}/bin/python3 |
156 | | - curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /usr/local/bin |
157 | | - cd engine/cortex |
| 193 | + codesign --force --entitlements="/tmp/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime ${{env.PYTHON_FOLDER}}/bin/python |
| 194 | + codesign --force --entitlements="/tmp/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime ${{env.PYTHON_FOLDER}}/bin/python3 |
| 195 | + # Code sign all .so files and .dylib files |
| 196 | + find ${{env.PYTHON_FOLDER}} -type f \( -name "*.so" -o -name "*.dylib" \) -exec codesign --force --entitlements="/tmp/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime {} \; |
| 197 | +
|
| 198 | + curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sudo sh -s -- -b /usr/local/bin |
158 | 199 | # Notarize the binary |
159 | 200 | quill notarize ${{env.PYTHON_FOLDER}}/bin/python |
160 | 201 | quill notarize ${{env.PYTHON_FOLDER}}/bin/python3 |
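Review bot: The quill install on new line 198 now pipes an unpinned script from the `main` branch of a third-party repository into `sudo sh`, inside the job that holds `secrets.DEVELOPER_ID` and performs notarization, so any change to that remote script runs as root with the signing identity in reach; pin it to a release tag and verify a digest before executing, e.g. `curl -sSfL https://raw.githubusercontent.com/anchore/quill/<PINNED_TAG>/install.sh -o "$RUNNER_TEMP/quill-install.sh"`, then `echo "<EXPECTED_SHA256>  $RUNNER_TEMP/quill-install.sh" | shasum -a 256 -c` and only then run it, or install quill from a pinned release artifact instead. The entitlements written on new lines 154–188 go well beyond the two the comment marks as required for PyInstaller: `com.apple.security.cs.disable-library-validation` combined with `com.apple.security.cs.allow-dyld-environment-variables` removes most of what `--options=runtime` is meant to enforce by letting unsigned libraries be loaded into the hardened process, and the camera, microphone, audio-input and network-server keys are not explained by the `Add these for additional permissions` comment, so each key that stays should carry a one-line reason and the rest should be dropped. The same entitlements are stamped onto every `.so`/`.dylib` by the `find … -exec codesign` on line 196; I believe only the main executable's entitlements are evaluated by the runtime, which is worth confirming before treating that loop as doing more than re-signing. The plist is written to the fixed, world-writable path `/tmp/entitlements.plist` (lines 154, 193, 194, 196) on what look like self-hosted runners given the `macos-selfhosted-12` label, so a predictable shared location feeds the signing step; `$RUNNER_TEMP/entitlements.plist` is per-job and avoids that, and keeping the file under version control as before (the removed `./engine/templates/macos/entitlements.plist`) would also keep entitlement changes reviewable in normal diffs.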
|