# PR-time build gate. If xcodebuild fails here, the PR can't merge.
#
# Runs on PRs into main AND on pushes to main. The push-to-main run exists
# so a future README badge can reflect current main health — otherwise the
# badge would only ever show whichever PR last ran.
#
# Why Debug config: the compile surface (every file type-checked) is the
# same as Release, but Debug is faster and more deterministic. Release-only
# behavior (dead-code stripping, optimization-dependent bugs) isn't what
# we're guarding against at PR time.
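name: Build

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Least privilege for GITHUB_TOKEN: this workflow only reads the repository
# and builds it. Without an explicit block the token gets the repository's
# default scope, which may include write access on push-to-main runs.
permissions:
  contents: read

# Cancel older runs for the same ref when a new commit arrives. Without this,
# force-pushes and rapid pushes leave a backlog of stale builds consuming
# runner minutes for nothing.
concurrency:
  group: build-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:
    name: xcodebuild (macOS)
    runs-on: macos-latest
    timeout-minutes: 20
    steps:
      # persist-credentials: false keeps the job token out of the checkout's
      # git configuration. No later step pushes or fetches from this repo,
      # and the following steps run a third-party action and build
      # third-party Swift packages, so the token should not be left
      # readable in the workspace.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # Pin Xcode explicitly. GitHub-hosted runner images drift their default
      # Xcode without notice, which surfaces as false-red or false-green
      # builds. Bump `xcode-version` deliberately when the project is known
      # to support a newer one.
      #
      # NOTE(review): `latest-stable` is a moving alias, not a pin. It
      # resolves to the newest stable Xcode present on the runner image, so
      # the toolchain can still change between runs (as can `macos-latest`
      # above). Set an explicit version here to get the behaviour this
      # comment describes.
      - name: Select Xcode
        uses: maxim-lobanov/setup-xcode@ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 # v1.7.0
        with:
          xcode-version: latest-stable

      # Record the toolchain in the log so a red build can be tied to the
      # exact Xcode/Swift that produced it.
      - name: Toolchain info
        run: |
          xcodebuild -version
          swift --version

      # Package.resolved is gitignored, so SwiftPM must materialize it before
      # the Sparkle pin check can compare against it.
      - name: Resolve Swift package dependencies
        run: |
          xcodebuild \
            -project Cotabby.xcodeproj \
            -resolvePackageDependencies

      # NOTE(review): Package.resolved is regenerated on every run, so the
      # check below compares version strings only. Nothing here compares the
      # resolved commit against a reviewed value; a re-tagged upstream
      # release would pass. Committing Package.resolved, or recording the
      # expected revision, would close that gap.
      - name: Verify Sparkle version pin
        run: |
          set -euo pipefail
          # Sparkle must use exactVersion pinning. upToNextMajorVersion lets
          # Xcode silently upgrade the framework, which drifts the signing
          # tools hash and breaks releases.
          sparkle_block="$(sed -n '/XCRemoteSwiftPackageReference "Sparkle" \*\/ = {/,/};/p' Cotabby.xcodeproj/project.pbxproj)"
          if ! echo "${sparkle_block}" | grep -q 'kind = exactVersion'; then
            echo "Sparkle must use exactVersion pinning in project.pbxproj." >&2
            exit 1
          fi
          # pbxproj and Package.resolved must agree on the version.
          # `|| true`: under `set -e` + pipefail a non-matching grep would
          # abort the script right here, before the explicit empty-version
          # diagnostic below could be printed.
          pbxproj_version="$(echo "${sparkle_block}" | grep -A1 'kind = exactVersion' | grep 'version' | sed 's/.*= //;s/;.*//' | tr -d '[:space:]' || true)"
          resolved_version="$(python3 -c "
          import json, sys
          resolved = json.load(open('Cotabby.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved'))
          pins = {p['identity']: p for p in resolved['pins']}
          if 'sparkle' not in pins:
              print('sparkle not found in Package.resolved. Available: ' + ', '.join(sorted(pins.keys())), file=sys.stderr)
              sys.exit(1)
          print(pins['sparkle']['state']['version'])
          ")"
          if [[ -z "${pbxproj_version}" ]]; then
            echo "Could not extract Sparkle version from pbxproj." >&2
            exit 1
          fi
          if [[ "${pbxproj_version}" != "${resolved_version}" ]]; then
            echo "Sparkle version mismatch: pbxproj=${pbxproj_version}, Package.resolved=${resolved_version}" >&2
            exit 1
          fi
          echo "Sparkle pin verified: ${resolved_version}"

      # CODE_SIGNING_ALLOWED=NO because CI runners don't have the dev cert.
      # The project uses Automatic signing, so we can't simply strip the team
      # identifier without pbxproj surgery — disabling signing for the build
      # check keeps the check focused on compile correctness.
      - name: Build
        run: |
          xcodebuild \
            -project Cotabby.xcodeproj \
            -scheme Cotabby \
            -configuration Debug \
            -destination 'platform=macOS' \
            CODE_SIGNING_ALLOWED=NO \
            build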