-
-
Notifications
You must be signed in to change notification settings - Fork 103
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(mac): rework of main build script #11444
Conversation
User Test ResultsTest specification and instructions
Test Artifacts
|
builder_die "Writing download_info file failed!" | ||
do_install() { | ||
if ! builder_has_option --quick; then | ||
do_notarize |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: ./build.sh install --debug
will fail if not --quick
. See do_notarize
, which fails when code signing is disabled (currently, "new" line 215)... which is part of debug builds.
The conversion to the format does mean we can no longer do code-signed --debug
builds. Push come to shove, we could add a builder-option to force it, though.
Perhaps it would be better to flip the option and/or condition the install-type based on --debug
? Talking with @sgschantz, he mentioned doing most local builds the equivalent of --debug
and --quick
.
If based on --debug
, I'm not sure how to best give instructions to resolve the error regarding "Disable SecAssessment". It existed before (see "old" line 270), and I don't want to break something where I'm still a bit unclear.
I currently believe that dropping --quick
and basing install-action based notarization on --debug
is likely best... or at least, most convenient. That's just my position though, and I can see good arguments being made to the contrary... so between that note and my lack of clarity on the error/warning, I maintained the complexity of the original script pending further feedback.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's keep with the original design for those parameters for now and revisit once this is ready.
mac/build.sh
Outdated
"build" \ | ||
"publish Publishes debug info to Sentry and builds DMG, .download_info for distribution" \ | ||
"test" \ | ||
"install Installs result of Keyman4MacIM locally." \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Formerly -deploy
- either local
or quicklocal
variant. Renamed to match the install
action from #11421, as it has the same purpose.
mac/build.sh
Outdated
"clean" \ | ||
"configure" \ | ||
"build" \ | ||
"publish Publishes debug info to Sentry and builds DMG, .download_info for distribution" \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Formerly -upload-sentry
+ -deploy preprelease
. As with #11421, these make sense paired as part of a similar, release-oriented action. Developer has a publish
action, and consistent nomenclature among our scripts is generally a good thing - it's part of why we made the whole "builder-script" thing.
mac/build.sh
Outdated
":engine KeymanEngine4Mac" \ | ||
":im Keyman4MacIM" \ | ||
":testapp Keyman4Mac (test harness)" \ | ||
"--quick,-q Bypasses notarization for $(builder_term install)" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Exists to provide the local
vs quicklocal
distinction. That said, I suspect we should drop this in favor of simplicity, basing the distinction based on presence of --debug
. (See a different comment for more details + request for guidance in the matter.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is looking good. A few minor feedback points. I will work on the CI integration soon (including ensuring that 17.0 continues to work...)
builder_die "Writing download_info file failed!" | ||
do_install() { | ||
if ! builder_has_option --quick; then | ||
do_notarize |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's keep with the original design for those parameters for now and revisit once this is ready.
echo "For deployment, even locally, the app must be code-signed and notarized by Apple (see README.md for more" | ||
echo "options). This requires a valid code certificate and an active Appstoreconnect Apple ID. These must be" | ||
echo "supplied in environment variables or in localenv.sh in this folder" | ||
echo | ||
echo " * CERTIFICATE_ID: Specifies a certificate from your keychain (e.g. use sha1 or name of certificate)" | ||
echo " Use with -no-codesign if you don't have access to the core developer certificates." | ||
echo " Core development team members should not need to specify this as the certificate reference is" | ||
echo " already configured in the project." | ||
echo " * APPSTORECONNECT_PROVIDER: The shortname of the preferred provider in your Apple Developer account" | ||
echo " To find this, run:" | ||
echo " /Applications/Xcode.app/Contents/Developer/usr/bin/iTMSTransporter \\" | ||
echo " -m provider -u 'USERNAME' -p 'PASSWORD' -account_type itunes_connect -v off" | ||
echo " * APPSTORECONNECT_USERNAME: Your Apple ID login name." | ||
echo " * APPSTORECONNECT_PASSWORD: Your Apple ID password (may need to be a app-specific password)." | ||
echo " * DEVELOPMENT_TEAM: Your development team ID; if unspecified uses the default Keyman development team." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see this information is captured in mac/README.md
mac/build.sh
Outdated
fi | ||
|
||
# Create download info | ||
eval "$KM4MIM_BASE_PATH/write-download_info.sh" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we're not doing eval
s from an earlier review comment.
probably outside the scope here. but could write-download-info.sh be an "inc"? (e.g. write-download-file.inc.sh
that other platforms can use to generate their .download_info files?
Could this replace some of the PowerShell on CI?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
probably outside the scope here. but could write-download-info.sh be an "inc"? (e.g.
write-download-file.inc.sh
that other platforms can use to generate their .download_info files?Could this replace some of the PowerShell on CI?
Yes outside scope here but looking forward to consolidating this in the future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've gone ahead and created #11595 for this.
mac/build.sh
Outdated
execCodeSign eval --force --sign $CERTIFICATE_ID --timestamp --verbose --preserve-metadata=identifier,entitlements "$KM4MIM_BASE_PATH/build/$CONFIG/Keyman.app/Contents/Frameworks/Sentry.framework" | ||
|
||
execCodeSign eval --force --sign $CERTIFICATE_ID --timestamp --verbose --preserve-metadata=identifier,entitlements "$KM4MIM_BASE_PATH/build/$CONFIG/Keyman.app/Contents/Frameworks/KeymanEngine4Mac.framework" | ||
execCodeSign eval --force --sign $CERTIFICATE_ID --timestamp --verbose --preserve-metadata=identifier,entitlements "$KM4MIM_BASE_PATH/build/$CONFIG/Keyman.app/Contents/Frameworks/KeymanEngine4Mac.framework" | ||
|
||
execCodeSign eval --force --sign $CERTIFICATE_ID --timestamp --verbose -o runtime \ | ||
--entitlements "$KM4MIM_BASE_PATH/$ENTITLEMENTS_FILE" \ | ||
--requirements "'=designated => anchor apple generic and identifier \"\$self.identifier\" and ((cert leaf[field.1.2.840.113635.100.6.1.9] exists) or ( certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = \"$DEVELOPMENT_TEAM\" ))'" \ | ||
"$KM4MIM_BASE_PATH/build/$CONFIG/Keyman.app" | ||
fi | ||
execCodeSign eval --force --sign $CERTIFICATE_ID --timestamp --verbose -o runtime \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've gone ahead and eliminated the calls that are straightforward from my perspective, but these are a few evals that I'm less clear on how to fix at the moment. I'm away from my Mac dev machine this week due to travel, and I'd definitely want to test changes to these lines locally first.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
git blame
points me to #10243. There's no linked issue and the description is very sparse, so I'm currently unable to infer details about why the eval
vs direct
pattern is in place. (I see it was about "code signing robustness" in some way, but that's about all I can glean.)
It's a fairly recent PR as well, so I get the feeling I should leave the eval
bits here unless directed otherwise by someone with "headspace documentation"..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I am not sure why eval
is needed. I would have to experiment, and I have a vague recollection of this being more difficult than it seemed like it should have to be. Let's leave the execCodeSign eval calls for now -- it works after all.
I have updated CI to use the new build script. The release build appears to have the wrong search path -- see https://build.palaso.org/buildConfiguration/Keyman_KeymanMac_PullRequests/464688?buildTab=log
Note that the older CI would do a debug build to run the tests, and then do a release build. The 18.0 CI does a release build and runs tests on that build. |
I ran the debug build locally, ran tests and installed and ran the app and everything looked good. I did need to include Also, deleting a core library caused it to be rebuilt, which is good. I don't think that was happening with the old script. (maybe?) The clean action should only clean mac products and not clean anything that the mac build is dependent upon in core since core is a separate target managed with its own build script -- is that correct? That might be a dumb question, but I don't think I understand the relationship, because core gets built if I delete it and run build:app for mac. |
Correct. Dependencies will be automatically configured and built if they are missing. No other actions are automatic (e.g. clean, test, etc). See keyman/resources/build/builder.md Lines 186 to 191 in b7c3d65
|
if [ -e "$SOURCEAPP" ]; then | ||
rm -rf "$SOURCEAPP" | ||
fi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-f
matches when "FILE" is a plain and simple file, but not when a directory.
Using -e
- essentially, "is a valid path" or -d
- "is a directory" will work for this check, while the original does not.
(This is why /mac/setup/build.sh
was falling over for me on repeated local testing without an intervening /mac/build.sh clean
command.)
builder_heading "Cleaning pods folder (CocoaPods)" | ||
rm -rf "$PODS_FOLDER" | ||
builder_heading "Cleaning source (Carthage)" | ||
rm -rf "$KEYMAN_MAC_BASE_PATH/Carthage" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I personally find it odd to remove configure
artifacts during the clean
action as is done here. That said, the original version of the script's clean
... only cleaned the Carthage output.
I'm making a point of this to ask: should I drop these two lines from the clean
action and keep the others? Or should I keep them here to stick closer to this script's original version, even if we don't clean configure
outputs in other scripts?
- Keyman Engine for Web scripts never clean
configure
outputs.- Granted, for Web... that's mostly just
node_modules
. So, it may be a special case.
- Granted, for Web... that's mostly just
- I'm fairly sure our iOS and Android platforms' scripts similarly don't clean
configure
outputs.- Android downloads default keyboard + model resources... to a place that doesn't get cleaned. (Just .gitignore'd.)
- Similarly for iOS.
- Do our
windows
,developer
, orlinux
platform build scripts ever do so?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're not 100% consistent on it, and probably can't be, because of the variety of what goes in configure
steps.
clean
on core (meson) removes thebuild/<arch>
folder which is created in theconfigure
step.clean
on windows and developer, depends on the module type:- node, no, because that's is generally
/node_modules
- C++, meson toolchain, yes, removes
build/<arch>
folder which is created in theconfigure
step - C++, msbuild toolchain, no, because configuration is shared across modules in
/resources/build/win
- Delphi, no, because configuration is shared across modules in
/resources/build/win
- node, no, because that's is generally
I'm not too worried about it. The build scripts are pretty good at picking up the pieces after a build.sh clean
and that's the main thing.
Also, Carthage has been a problem in the past with instability, which may be why the clean
action removed everything there too. Personally, I'd leave the clean of Carthage and Cocoapods in this script for now.
And of course, git clean -fdx
is the hardcore clean tool to really deep clean the repo. Such a fresh new feeling.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Some minor nits only.
CI has been updated for test builds (and seems to be working), and for release builds (will be tested when this merges). |
Co-authored-by: Marc Durdin <marc@durdin.net>
One last remaining question: do we want to do something about this thread now, leave it as is and create a follow-up issue, or leave it as is permanently?
It appears we're pretty much there, so consider this the follow-up. |
I think we leave it as is, and don't create a follow-up issue. I plan to do a future round of consolidation across all our build scripts and will probably revisit script-specific parameters and try and make them consistent (e.g. We have other parameters in Windows, Developer build scripts that could also benefit). But we don't need an issue for it because I would be doing a cross-script analysis anyway to start, so the issue would just add noise to our already very big queue. |
Discussion with @sgschantz pointed out that I may just need to merge in more recent fixes to this PR. I'm not always on top of when I most recently merged stuff in... and swapping back to
🤦 @keymanapp-test-bot retest all |
Test ResultsTEST_ABILITY_TO_TEST (PASSED): I tested this issue with the attached "Keyman 18.0.45-alpha-local" build on the macOS environment. Here is my observation.
|
Changes in this pull request will be available for download in Keyman version 18.0.45-alpha |
3 similar comments
Changes in this pull request will be available for download in Keyman version 18.0.45-alpha |
Changes in this pull request will be available for download in Keyman version 18.0.45-alpha |
Changes in this pull request will be available for download in Keyman version 18.0.45-alpha |
This PR reworks
/mac/build.sh
to use the same patterns and formats as the primary build.sh scripts for all of our other platforms, thus making it builder-based.User Testing
TEST_ABILITY_TO_TEST: Verify that the test-bot provides a valid link to the Keyman for macOS installer. Also do very light testing to ensure the app works as before.
There are no changes to the app itself, but since the build script's being overhauled, we want to make sure we didn't break things in subtle ways without realizing it.