Use released libzim 8.2.0

rgaudin · rgaudin · commit 4054038d63cf · 2023-05-01T14:01:16.000Z
Split wheels workflow into:
- wheels workflow ran on PRs to ensure we can build properly
- release workflow with release environment that builds and uploads to PyPI
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,116 @@
+name: Build and upload to PyPI
+
+on:
+  release:
+    types:
+      - published
+
+env:
+  LIBZIM_DL_VERSION: "8.2.0"
+  MACOSX_DEPLOYMENT_TARGET: "11.0"
+  CIBW_ENVIRONMENT_PASS_LINUX: "LIBZIM_DL_VERSION"
+  # APPLE_SIGNING_KEYCHAIN_PATH set in prepare keychain step
+  APPLE_SIGNING_KEYCHAIN_PROFILE: "build-profile"
+  APPLE_SIGNING_IDENTITY: "${{ secrets.APPLE_SIGNING_IDENTITY }}"
+  SIGN_APPLE: "yes"
+
+
+jobs:
+  build_wheels:
+    environment: release
+    name: Build wheels on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-20.04, macos-12]  # macos-11, windows-2019
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        if: runner.os == 'Linux'
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: all
+
+      - name: Prepare Apple Keychain for Signing
+        if: matrix.os == 'macos-12'
+        shell: bash
+        run: |
+          # store certificate on filesystem
+          export CERTIFICATE="$(mktemp -d)/wmch-devid.p12"
+          echo "${{ secrets.APPLE_SIGNING_CERTIFICATE }}" | base64 --decode -o $CERTIFICATE
+
+          # create a dedicated keychain
+          export APPLE_SIGNING_KEYCHAIN_PATH="$(mktemp -d)/build.keychain"
+          echo "APPLE_SIGNING_KEYCHAIN_PATH=${APPLE_SIGNING_KEYCHAIN_PATH}" >> "$GITHUB_ENV"
+          security create-keychain -p mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH}
+          security default-keychain -s ${APPLE_SIGNING_KEYCHAIN_PATH}
+          security unlock-keychain -p mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH}
+
+          # import certificate into keychain then remove from filesystem
+          security import ${CERTIFICATE} -k ${APPLE_SIGNING_KEYCHAIN_PATH} -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A
+          rm $CERTIFICATE
+
+          # store signing credentials into the keychain
+          security set-key-partition-list -S "apple-tool:,apple:" -s -k mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH}
+          security find-identity -v
+          xcrun notarytool store-credentials \
+            --apple-id "${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}" \
+            --password "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}" \
+            --team-id "${{ secrets.APPLE_SIGNING_TEAM }}" \
+            --validate \
+            --keychain ${APPLE_SIGNING_KEYCHAIN_PATH} \
+            ${APPLE_SIGNING_KEYCHAIN_PROFILE}
+
+          # disable auto-locking of keychain
+          security set-keychain-settings ${APPLE_SIGNING_KEYCHAIN_PATH}
+          security unlock-keychain -p mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH}
+
+      - name: Build wheels
+        uses: pypa/cibuildwheel@v2.12.1
+
+      - name: Cleanup Apple Keychain
+        if: matrix.os == 'macos-12'
+        shell: bash
+        run: |
+          security lock-keychain ${APPLE_SIGNING_KEYCHAIN_PATH}
+          security delete-keychain ${APPLE_SIGNING_KEYCHAIN_PATH}
+          rm -f ${APPLE_SIGNING_KEYCHAIN_PATH}
+
+      - uses: actions/upload-artifact@v3
+        with:
+          path: ./wheelhouse/*.whl
+
+  build_sdist:
+    name: Build source distribution
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Build sdist
+        run: pipx run build --sdist
+
+      - uses: actions/upload-artifact@v3
+        with:
+          path: dist/*.tar.gz
+
+  upload_pypi:
+    needs: [build_wheels, build_sdist]
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          # unpacks default artifact into dist/
+          # if `name: artifact` is omitted, the action will create extra parent dir
+          name: artifact
+          path: dist
+
+      - uses: pypa/gh-action-pypi-publish@v1.5.0
+        with:
+          user: __token__
+          # password: ${{ secrets.PYPI_TEST_API_TOKEN }}
+          password: ${{ secrets.PYPI_API_TOKEN }}
+          # uncomment for test
+          # repository_url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -2,8 +2,7 @@ name: test
 on: [push]
 
 env:
-  # TODO: use a release (once available)
-  LIBZIM_DL_VERSION: "2023-04-26"
+  LIBZIM_DL_VERSION: "8.2.0"
 
 jobs:
   lint:
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
@@ -1,26 +1,19 @@
-name: Build and maybe upload to PyPI
+name: Build sdist and wheels
 
 on:
-  push:
   pull_request:
-  release:
-    types:
-      - published
+  push:
+    branches:
+      - main
 
 env:
-  # LIBZIM_DL_VERSION: "8.2.0"
-  LIBZIM_DL_VERSION: "2023-04-26"
+  LIBZIM_DL_VERSION: "8.2.0"
   MACOSX_DEPLOYMENT_TARGET: "11.0"
   CIBW_ENVIRONMENT_PASS_LINUX: "LIBZIM_DL_VERSION"
-  # APPLE_SIGNING_KEYCHAIN_PATH set in prepare keychain step
-  APPLE_SIGNING_KEYCHAIN_PROFILE: "build-profile"
-  APPLE_SIGNING_IDENTITY: "${{ secrets.APPLE_SIGNING_IDENTITY }}"
-  SIGN_APPLE: "yes"
 
 
 jobs:
   build_wheels:
-    environment: release
     name: Build wheels on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     strategy:
@@ -36,51 +29,9 @@ jobs:
         with:
           platforms: all
 
-      - name: Prepare Apple Keychain for Signing
-        if: matrix.os == 'macos-12'
-        shell: bash
-        run: |
-          # store certificate on filesystem
-          export CERTIFICATE="$(mktemp -d)/wmch-devid.p12"
-          echo "${{ secrets.APPLE_SIGNING_CERTIFICATE }}" | base64 --decode -o $CERTIFICATE
-
-          # create a dedicated keychain
-          export APPLE_SIGNING_KEYCHAIN_PATH="$(mktemp -d)/build.keychain"
-          echo "APPLE_SIGNING_KEYCHAIN_PATH=${APPLE_SIGNING_KEYCHAIN_PATH}" >> "$GITHUB_ENV"
-          security create-keychain -p mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH}
-          security default-keychain -s ${APPLE_SIGNING_KEYCHAIN_PATH}
-          security unlock-keychain -p mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH}
-
-          # import certificate into keychain then remove from filesystem
-          security import ${CERTIFICATE} -k ${APPLE_SIGNING_KEYCHAIN_PATH} -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A
-          rm $CERTIFICATE
-
-          # store signing credentials into the keychain
-          security set-key-partition-list -S "apple-tool:,apple:" -s -k mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH}
-          security find-identity -v
-          xcrun notarytool store-credentials \
-            --apple-id "${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}" \
-            --password "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}" \
-            --team-id "${{ secrets.APPLE_SIGNING_TEAM }}" \
-            --validate \
-            --keychain ${APPLE_SIGNING_KEYCHAIN_PATH} \
-            ${APPLE_SIGNING_KEYCHAIN_PROFILE}
-
-          # disable auto-locking of keychain
-          security set-keychain-settings ${APPLE_SIGNING_KEYCHAIN_PATH}
-          security unlock-keychain -p mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH}
-
       - name: Build wheels
         uses: pypa/cibuildwheel@v2.12.1
 
-      - name: Cleanup Apple Keychain
-        if: matrix.os == 'macos-12'
-        shell: bash
-        run: |
-          security lock-keychain ${APPLE_SIGNING_KEYCHAIN_PATH}
-          security delete-keychain ${APPLE_SIGNING_KEYCHAIN_PATH}
-          rm -f ${APPLE_SIGNING_KEYCHAIN_PATH}
-
       - uses: actions/upload-artifact@v3
         with:
           path: ./wheelhouse/*.whl
@@ -97,23 +48,3 @@ jobs:
       - uses: actions/upload-artifact@v3
         with:
           path: dist/*.tar.gz
-
-  upload_pypi:
-    needs: [build_wheels, build_sdist]
-    runs-on: ubuntu-latest
-    if: github.event_name == 'release' && github.event.action == 'published'
-    steps:
-      - uses: actions/download-artifact@v3
-        with:
-          # unpacks default artifact into dist/
-          # if `name: artifact` is omitted, the action will create extra parent dir
-          name: artifact
-          path: dist
-
-      - uses: pypa/gh-action-pypi-publish@v1.5.0
-        with:
-          user: __token__
-          # password: ${{ secrets.PYPI_API_TOKEN }}
-          password: ${{ secrets.PYPI_TEST_API_TOKEN }}
-          # uncomment for test
-          repository_url: https://test.pypi.org/legacy/
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,7 +9,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
-- Revamped setup to create proper wheel and sdist out-of-the-box (`python3 -m build`)
+- Revamped setup to create proper wheels and sdist out-of-the-box (`python3 -m build`)
+  - Build can now sign + notarize for macOS
+  - Build can now create macOS universal wheels
+  - Added cibuildwheel config
+- Build with (and target) libzim 8.2.0
 
 ## [3.0.0] - 2023-03-16
 
diff --git a/setup.py b/setup.py
@@ -28,7 +28,7 @@
 
 
 class Config:
-    libzim_dl_version: str = os.getenv("LIBZIM_DL_VERSION", "8.1.1")
+    libzim_dl_version: str = os.getenv("LIBZIM_DL_VERSION", "8.2.0")
     use_system_libzim: bool = bool(os.getenv("USE_SYSTEM_LIBZIM", False))
     download_libzim: bool = not bool(os.getenv("DONT_DOWNLOAD_LIBZIM", False))
 
@@ -197,9 +197,6 @@ def _download_and_extract(self, filename: str) -> pathlib.Path:
         source_url = "http://download.openzim.org/release/libzim"
         if self.is_nightly:
             source_url = f"http://download.openzim.org/nightly/{self.libzim_dl_version}"
-        # TODO: remove once merged
-        if "bionic" in fpath.name:
-            source_url = "https://tmp.kiwix.org/ci/libzim_bionic"
         url = f"{source_url}/{fpath.name}"
 
         # download a local copy if none present
