Closed
11 changes: 8 additions & 3 deletions .github/workflows/build_release.yml
Expand Up @@ -80,14 +80,17 @@ jobs:
dist/Firo-Electrum-${{ steps.set_vars.outputs.pkg_ver }}-setup-win64.exe
dist/Firo-Electrum-${{ steps.set_vars.outputs.pkg_ver }}-setup-win32.exe
dist/Firo-Electrum-${{ steps.set_vars.outputs.pkg_ver }}-portable.exe

build_osx:
runs-on: macos-13
runs-on: macos-14
if: ${{ inputs.target_os == 'all' || inputs.target_os == 'osx' }}
name: create release for macOS
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python 3.11
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Set outputs for pkg_ver
id: set_vars
run: |
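Review bot: The `uses: actions/setup-python@v5` step added here, like the `actions/checkout@v4` step above it, references a movable tag in the job that builds the macOS release; pin both to full commit SHAs so the code that runs in the release build cannot change without a change to this file. `python-version: '3.11'` also floats across patch releases, so state a full patch version if the build is meant to be reproducible.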
Expand All @@ -96,14 +99,17 @@ jobs:
- name: Prepare build
env:
DASH_ELECTRUM_VERSION: ${{ steps.set_vars.outputs.pkg_ver }}
ARCH: arm64
run: |
./contrib/dash/actions/install-osx.sh
- name: Build dmg
env:
DASH_ELECTRUM_VERSION: ${{ steps.set_vars.outputs.pkg_ver }}
ARCH: arm64
run: |
# For troubleshooting
echo $DASH_ELECTRUM_VERSION
echo "ARCH=$ARCH"
Comment on lines 110 to +112

⚠️ Potential issue | 🟡 Minor

Quote the version echo to avoid word-splitting.
Shellcheck SC2086 applies here.

🔧 Proposed fix
-          echo $DASH_ELECTRUM_VERSION
+          echo "$DASH_ELECTRUM_VERSION"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# For troubleshooting
echo $DASH_ELECTRUM_VERSION
echo "ARCH=$ARCH"
# For troubleshooting
echo "$DASH_ELECTRUM_VERSION"
echo "ARCH=$ARCH"
🤖 Prompt for AI Agents
In @.github/workflows/build_release.yml around lines 107 - 109, The echo of
DASH_ELECTRUM_VERSION is vulnerable to word-splitting; change the unquoted echo
$DASH_ELECTRUM_VERSION to use quotes (echo "$DASH_ELECTRUM_VERSION") so the
output is preserved as a single token and ShellCheck SC2086 is satisfied—keep
the existing echo "ARCH=$ARCH" as-is.

./contrib/dash/actions/script-osx.sh
- name: Upload Artifact
if: success()
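Review bot: `ARCH: arm64` is set separately under `env:` in both the Prepare build and Build dmg steps, yet none of the lines of install-osx.sh or script-osx.sh shown in this diff read `$ARCH`. If a script outside the visible lines consumes it, define it once at job level so the two steps cannot drift; if nothing does, drop it and the `echo "ARCH=$ARCH"` line so the log does not imply an architecture selection that is not happening.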
Expand All @@ -112,7 +118,6 @@ jobs:
name: macos-bin
path: |
dist/Firo-Electrum-${{ steps.set_vars.outputs.pkg_ver }}-macosx.dmg

merge:
runs-on: ubuntu-latest
needs: [build_linux, build_windows, build_osx]
44 changes: 16 additions & 28 deletions contrib/dash/actions/install-osx.sh
@@ -1,51 +1,39 @@
#!/bin/bash
set -ev

if [[ -n $GITHUB_ACTION ]]; then
PYTHON_VERSION=3.7.9
PYFTP=https://www.python.org/ftp/python/$PYTHON_VERSION
PYPKG_NAME=python-$PYTHON_VERSION-macosx10.9.pkg
PY_SHA256=bf54a14eef23467991e8c7a88c7307762e484c024a94ec1ee292ac1db3d41fc9
echo "$PY_SHA256 $PYPKG_NAME" > $PYPKG_NAME.sha256
curl -O $PYFTP/$PYPKG_NAME
shasum -a256 -s -c $PYPKG_NAME.sha256
sudo installer -pkg $PYPKG_NAME -target /
rm $PYPKG_NAME $PYPKG_NAME.sha256
fi
PYTHON_VERSION=$(python3 --version)
echo "Using system Python: $PYTHON_VERSION"

brew install gmp
brew install gettext libtool automake pkg-config

export PKG_CONFIG_PATH="/opt/homebrew/lib/pkgconfig:/usr/local/lib/pkgconfig"
export CFLAGS="-I/opt/homebrew/include -I/usr/local/include $CFLAGS"
export LDFLAGS="-L/opt/homebrew/lib -L/usr/local/lib $LDFLAGS"

LIBUSB_VER=1.0.24
LIBUSB_URI=https://github.com/libusb/libusb/releases/download
LIBUSB_SHA=7efd2685f7b327326dcfb85cee426d9b871fd70e22caa15bb68d595ce2a2b12a
LIBUSB_FILE=libusb-${LIBUSB_VER}.tar.bz2
echo "${LIBUSB_SHA} ${LIBUSB_FILE}" > ${LIBUSB_FILE}.sha256
curl -O -L ${LIBUSB_URI}/v${LIBUSB_VER}/${LIBUSB_FILE}
tar -xzvf ${LIBUSB_FILE}
tar -xjf ${LIBUSB_FILE}
shasum -a256 -s -c ${LIBUSB_FILE}.sha256
Comment on lines 18 to 21

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -E "install-osx|dash" | head -20

Repository: firoorg/electrum-firo

Length of output: 805


🏁 Script executed:

cat -n contrib/dash/actions/install-osx.sh | head -30

Repository: firoorg/electrum-firo

Length of output: 1238


Verify libusb checksum before extracting.

The current code extracts the archive (line 15) before verifying its SHA-256 checksum (line 16), exposing the system to potential extraction of malicious or corrupted files. Reorder to verify the checksum immediately after download, before extraction.

Proposed fix
curl -O -L ${LIBUSB_URI}/v${LIBUSB_VER}/${LIBUSB_FILE}
+shasum -a256 -s -c ${LIBUSB_FILE}.sha256
-tar -xjf ${LIBUSB_FILE}
-shasum -a256 -s -c ${LIBUSB_FILE}.sha256
+tar -xjf ${LIBUSB_FILE}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
echo "${LIBUSB_SHA} ${LIBUSB_FILE}" > ${LIBUSB_FILE}.sha256
curl -O -L ${LIBUSB_URI}/v${LIBUSB_VER}/${LIBUSB_FILE}
tar -xzvf ${LIBUSB_FILE}
tar -xjf ${LIBUSB_FILE}
shasum -a256 -s -c ${LIBUSB_FILE}.sha256
echo "${LIBUSB_SHA} ${LIBUSB_FILE}" > ${LIBUSB_FILE}.sha256
curl -O -L ${LIBUSB_URI}/v${LIBUSB_VER}/${LIBUSB_FILE}
shasum -a256 -s -c ${LIBUSB_FILE}.sha256
tar -xjf ${LIBUSB_FILE}
🤖 Prompt for AI Agents
In `@contrib/dash/actions/install-osx.sh` around lines 13 - 16, The script
currently untars the downloaded libusb archive before verifying its checksum;
change the order in the install flow so verification happens immediately after
download and before extraction: after writing ${LIBUSB_FILE}.sha256 and running
curl -O -L ${LIBUSB_URI}/v${LIBUSB_VER}/${LIBUSB_FILE}, run the checksum
verification (shasum -a256 -s -c ${LIBUSB_FILE}.sha256) and only if it succeeds
proceed to extract (tar -xjf ${LIBUSB_FILE}); update the sequence around the
commands referencing LIBUSB_FILE, LIBUSB_URI, LIBUSB_VER and the shasum check so
extraction is performed after a successful checksum validation.

pushd libusb-${LIBUSB_VER}
./configure --disable-dependency-tracking --prefix=/opt/libusb
sudo env MACOSX_DEPLOYMENT_TARGET=10.13 make install
sudo env MACOSX_DEPLOYMENT_TARGET=11.0 make install
popd
sudo rm -rf libusb-${LIBUSB_VER}*
cp /opt/libusb/lib/libusb-1.*.dylib .
cp /opt/libusb/lib/libusb-1.*.dylib . || true

LSECP256K1_PATH=https://github.com/zebra-lucky/secp256k1/
LSECP256K1_PATH=${LSECP256K1_PATH}releases/download/210521
LSECP256K1_FILE=libsecp256k1-210521-osx.tgz
LIB_SHA256=51c861bfb894ec520cc1ee0225fae00447aa86096782a1acd1fc6e338a576ea7
echo "$LIB_SHA256 $LSECP256K1_FILE" > $LSECP256K1_FILE.sha256
curl -O -L ${LSECP256K1_PATH}/${LSECP256K1_FILE}
shasum -a256 -s -c ${LSECP256K1_FILE}.sha256
tar -xzf ${LSECP256K1_FILE}
rm -f libsecp256k1.0.dylib
cp libsecp256k1/libsecp256k1.0.dylib .
rm -rf libsecp256k1/ ${LSECP256K1_FILE} ${LSECP256K1_FILE}.sha256

brew install gettext libtool automake pkg-config
brew install secp256k1
cp /opt/homebrew/lib/libsecp256k1*.dylib . || true

if [[ -n $GITHUB_REF ]]; then
echo "Building ZBar dylib..."
rm -f libzbar.0.dylib
export MACOSX_DEPLOYMENT_TARGET=10.13
export MACOSX_DEPLOYMENT_TARGET=11.0
export LDFLAGS="$LDFLAGS -liconv"
./contrib/make_zbar.sh
rm -rf contrib/zbar/
fi
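Review bot: In the secp256k1 section, `brew install secp256k1` followed by `cp /opt/homebrew/lib/libsecp256k1*.dylib . || true` stands where the script previously downloaded libsecp256k1-210521-osx.tgz and checked it with `shasum -a256 -s -c` before use, so the library bundled into the release is now whatever version Homebrew serves on build day, and `|| true` lets the build continue when the copy finds nothing. Drop `|| true` here and on the `cp /opt/libusb/lib/libusb-1.*.dylib .` line so a missing dylib fails under `set -ev`, and record or pin the secp256k1 version that gets bundled. The same applies to Python at the top of the file: the pinned 3.7.9 installer with its SHA-256 check gives way to whatever `python3` is on the runner.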
21 changes: 6 additions & 15 deletions contrib/dash/actions/script-osx.sh
@@ -1,21 +1,13 @@
#!/bin/bash
set -ev

export MACOSX_DEPLOYMENT_TARGET=10.13
export MACOSX_DEPLOYMENT_TARGET=11.0

export PY37BINDIR=/Library/Frameworks/Python.framework/Versions/3.7/bin/
export PATH=$PATH:$PY37BINDIR
echo osx build version is $DASH_ELECTRUM_VERSION


if [[ -n $GITHUB_REF ]]; then
PIP_CMD="sudo python3 -m pip"
else
python3 -m virtualenv env
source env/bin/activate
PIP_CMD="pip"
fi

python3 -m venv env
source env/bin/activate
PIP_CMD="pip"

$PIP_CMD install --no-dependencies --no-warn-script-location -U \
-r contrib/deterministic-build/requirements.txt
Expand All @@ -24,11 +16,10 @@ $PIP_CMD install --no-dependencies --no-warn-script-location -U \
$PIP_CMD install --no-dependencies --no-warn-script-location -U \
-r contrib/deterministic-build/requirements-binaries-mac.txt
$PIP_CMD install --no-dependencies --no-warn-script-location -U x11_hash>=1.4

$PIP_CMD install --no-dependencies --no-warn-script-location -U \
-r contrib/deterministic-build/requirements-build-mac.txt

export PATH="/usr/local/opt/gettext/bin:$PATH"
export PATH="/opt/homebrew/bin:/usr/local/opt/gettext/bin:$PATH"

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the file to understand the context
cat -n contrib/dash/actions/script-osx.sh | head -30

Repository: firoorg/electrum-firo

Length of output: 1285


🏁 Script executed:

# Let's also check if there are any other references to this PATH or gettext in the repo
rg "gettext" --type sh -B 2 -A 2

Repository: firoorg/electrum-firo

Length of output: 1409


Add arm64 gettext bin to PATH.

On macOS with arm64 (Apple Silicon), Homebrew installs packages under /opt/homebrew, but the current PATH only includes the Intel Homebrew prefix /usr/local/opt/gettext/bin. For keg-only packages like gettext, binaries are located at /opt/homebrew/opt/gettext/bin on arm64, which is not in the current PATH. This causes msgfmt and other gettext utilities to be unavailable when running ./contrib/make_locale on arm64 Macs.

🛠️ Proposed fix
-export PATH="/opt/homebrew/bin:/usr/local/opt/gettext/bin:$PATH"
+export PATH="/opt/homebrew/bin:/opt/homebrew/opt/gettext/bin:/usr/local/opt/gettext/bin:$PATH"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
export PATH="/opt/homebrew/bin:/usr/local/opt/gettext/bin:$PATH"
export PATH="/opt/homebrew/bin:/opt/homebrew/opt/gettext/bin:/usr/local/opt/gettext/bin:$PATH"
🤖 Prompt for AI Agents
In `@contrib/dash/actions/script-osx.sh` at line 22, Update the PATH export in
contrib/dash/actions/script-osx.sh so arm64 Homebrew's gettext binaries are
found: modify the export PATH line (the PATH export symbol) to include
/opt/homebrew/opt/gettext/bin in addition to the existing
/usr/local/opt/gettext/bin (and keep /opt/homebrew/bin) so msgfmt and other
gettext tools are available on Apple Silicon when running ./contrib/make_locale.

./contrib/make_locale
find . -name '*.po' -delete
find . -name '*.pot' -delete
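Review bot: On the context line `$PIP_CMD install --no-dependencies --no-warn-script-location -U x11_hash>=1.4` the version specifier is unquoted, so the shell parses `>=1.4` as a redirection of stdout to a file named `=1.4` and pip receives plain `x11_hash` with no lower bound. Quote the requirement as `'x11_hash>=1.4'`, or move it into one of the requirements files under contrib/deterministic-build so it is pinned with the rest.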
Expand All @@ -44,4 +35,4 @@ pyinstaller --clean \

sudo hdiutil create -fs HFS+ -volname "Firo Electrum" \
-srcfolder dist/Firo\ Electrum.app \
dist/Firo-Electrum-$DASH_ELECTRUM_VERSION-macosx.dmg
dist/Firo-Electrum-$DASH_ELECTRUM_VERSION
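Review bot: As rendered here, the last argument to `hdiutil create` changes from `dist/Firo-Electrum-$DASH_ELECTRUM_VERSION-macosx.dmg` to `dist/Firo-Electrum-$DASH_ELECTRUM_VERSION`, while the Upload Artifact step in build_release.yml still uploads `dist/Firo-Electrum-${{ steps.set_vars.outputs.pkg_ver }}-macosx.dmg`. Confirm the output name still ends in `-macosx.dmg`; if the suffix really was dropped, the upload path will not match the file this script produces.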