.github/workflows/macOS.yml

name: macOS

on: [push, pull_request]

env:
  PYTHON_VER: '3.11.1'
  PYTHON_VER_SHORT: '3.11'
  PYTHON_VER_SHORT_COMPACT: '311'
  PYOTHERSIDE_VER: '1.5.9'
  OPENSSL_VER: '1.1.1i'

jobs:
  build:

    runs-on: macOS-latest

    steps:
      - uses: actions/checkout@v1

      - name: Install Qt
        uses: jurplel/install-qt-action@v2
        with:
          version: '5.15.1'
          host: 'mac'
          target: 'desktop'

      - name: Install dependencies from homebrew
        run: |
          pip install --upgrade pip
          brew update
          brew install swig zlib curl coreutils || true

      - name: Setup GPG
        run: |
          curl https://keybase.io/pablogsal/pgp_keys.asc?fingerprint=a035c8c19219ba821ecea86b64e628f8d684696d | gpg --import
          curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x7953ac1fbc3dc8b3b292393ed5e9e43f7df9ee8c" -o ./key1.asc
          curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x8657ABB260F056B1E5190839D9C4D26D0E604491" -o ./key2.asc
          gpg --import ./key1.asc
          gpg --import ./key2.asc

      - name: Build OpenSSL
        run: |
          wget https://www.openssl.org/source/openssl-${OPENSSL_VER}.tar.gz
          wget https://www.openssl.org/source/openssl-${OPENSSL_VER}.tar.gz.asc
          gpg --verify openssl-${OPENSSL_VER}.tar.gz.asc
          tar -xzvf openssl-${OPENSSL_VER}.tar.gz
          cd openssl-${OPENSSL_VER}
          sudo env MACOSX_DEPLOYMENT_TARGET=10.13 ./config --prefix=/opt/openssl
          sudo env MACOSX_DEPLOYMENT_TARGET=10.13 make
          sudo make install
 
      - name: Build Python as a framework
        run: |
          wget https://www.python.org/ftp/python/${PYTHON_VER}/Python-${PYTHON_VER}.tgz
          wget https://www.python.org/ftp/python/${PYTHON_VER}/Python-${PYTHON_VER}.tgz.asc
          gpg --verify Python-${PYTHON_VER}.tgz.asc
          tar -xzvf Python-${PYTHON_VER}.tgz
          cd Python-${PYTHON_VER}
          # Make sure gettext is not installed when configuring Python,
          # otherwise it seems to break the linking for PyOtherSide build later.
          # Re-intall after, because it's needed for wget.
          brew uninstall gettext --ignore-dependencies
          #brew unlink python@3.9
          ./configure MACOSX_DEPLOYMENT_TARGET=10.13 CPPFLAGS="-I/opt/openssl/include" LDFLAGS="-L/opt/openssl/lib" CC=clang --enable-framework --with-openssl=/opt/openssl --enable-optimizations
          sudo make altinstall
          #brew link --overwrite python@3.9
          brew reinstall gettext

      - name: Install python dependencies
        run: |
          sudo /Library/Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/bin/pip${PYTHON_VER_SHORT} install --upgrade pip
          sudo env MACOSX_DEPLOYMENT_TARGET=10.13 CFLAGS="-I/opt/openssl/include" LDFLAGS="-L/opt/openssl/lib" /Library/Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/bin/pip${PYTHON_VER_SHORT} install -r requirements.txt
          sudo patch /Library/Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/lib/python${PYTHON_VER_SHORT}/site-packages/ykman/otp.py .github/workflows/macos-ykman-patch.patch


      - name: Change id for bundled Python
        run: sudo sed -i '' 's/org.python.python/com.yubico.python/g' /Library/Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/Resources/Python.app/Contents/Info.plist

      - name: Build PyOtherSide QML plugin
        run: |
          wget https://github.com/thp/pyotherside/archive/${PYOTHERSIDE_VER}.tar.gz
          echo "189cb0b973e40fcb6b95fd51b0bcd6cc8494b514d49ffe966ec488cf05bbf51e ${PYOTHERSIDE_VER}.tar.gz" | sha256sum -c -
          tar -xzvf ${PYOTHERSIDE_VER}.tar.gz
          echo "DEFINES += QT_NO_DEBUG_OUTPUT" >> pyotherside-${PYOTHERSIDE_VER}/src/src.pro
          cd pyotherside-${PYOTHERSIDE_VER}
          qmake PYTHON_CONFIG=/Library/Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/bin/python${PYTHON_VER_SHORT}-config
          make
          sudo make install

      - name: Build yubikey-manager-qt
        run: |
          qmake
          make

      - name: Copy over CLI binary to app bundle
        run: cp ykman-cli/ykman ykman-gui/ykman-gui.app/Contents/MacOS/

      - name: Run macdeployqt
        run: macdeployqt ykman-gui/ykman-gui.app/ -qmldir=ykman-gui/qml/ -appstore-compliant

      - name: Copy over dynamic libraries
        run: |
          sudo find /opt/openssl/ -name '*.dylib' -exec cp '{}' ykman-gui/ykman-gui.app/Contents/Frameworks/ ';'

      - name: Copy over Python.framework to app bundle
        run: |
          cp -a /Library/Frameworks/Python.framework ykman-gui/ykman-gui.app/Contents/Frameworks/
          sudo find ykman-gui/ykman-gui.app/Contents/Frameworks/Python.framework -name '*.pyc' -delete
          sudo find ykman-gui/ykman-gui.app/Contents/Frameworks/Python.framework -name '__pycache__' -delete

      - name: Point pyotherside to relative Python
        run: |
          sudo install_name_tool -change /Library/Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/Python @executable_path/../Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/Python ykman-gui/ykman-gui.app/Contents/PlugIns/quick/libpyothersideplugin.dylib

      - name: Point custom Python share objects to relative openssl dylibs
        run: |
          sudo install_name_tool -change /opt/openssl/lib/libcrypto.1.1.dylib @executable_path/../Frameworks/libcrypto.1.1.dylib ykman-gui/ykman-gui.app/Contents/Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/lib/python${PYTHON_VER_SHORT}/lib-dynload/_ssl.cpython-${PYTHON_VER_SHORT_COMPACT}-darwin.so
          sudo install_name_tool -change /opt/openssl/lib/libssl.1.1.dylib @executable_path/../Frameworks/libssl.1.1.dylib ykman-gui/ykman-gui.app/Contents/Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/lib/python${PYTHON_VER_SHORT}/lib-dynload/_ssl.cpython-${PYTHON_VER_SHORT_COMPACT}-darwin.so
          sudo install_name_tool -change /opt/openssl/lib/libcrypto.1.1.dylib @executable_path/../Frameworks/libcrypto.1.1.dylib ykman-gui/ykman-gui.app/Contents/Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/lib/python${PYTHON_VER_SHORT}/lib-dynload/_hashlib.cpython-${PYTHON_VER_SHORT_COMPACT}-darwin.so
          sudo install_name_tool -change /opt/openssl/lib/libssl.1.1.dylib @executable_path/../Frameworks/libssl.1.1.dylib ykman-gui/ykman-gui.app/Contents/Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/lib/python${PYTHON_VER_SHORT}/lib-dynload/_hashlib.cpython-${PYTHON_VER_SHORT_COMPACT}-darwin.so
          sudo install_name_tool -change /opt/openssl/lib/libcrypto.1.1.dylib @executable_path/../Frameworks/libcrypto.1.1.dylib ykman-gui/ykman-gui.app/Contents/Frameworks/libssl.1.1.dylib
          sudo install_name_tool -change /opt/openssl/lib/libcrypto.1.1.dylib @executable_path/../Frameworks/libcrypto.1.1.dylib ykman-gui/ykman-gui.app/Contents/Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/lib/python${PYTHON_VER_SHORT}/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so
          sudo install_name_tool -change /opt/openssl/lib/libssl.1.1.dylib @executable_path/../Frameworks/libssl.1.1.dylib ykman-gui/ykman-gui.app/Contents/Frameworks/Python.framework/Versions/${PYTHON_VER_SHORT}/lib/python${PYTHON_VER_SHORT}/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so

      - name: Point to relative Qt for CLI binary (macdeployqt doesn't fix this)
        run: |
          sudo install_name_tool -change /usr/local/opt/qt/lib/QtQml.framework/Versions/5/QtQml @executable_path/../Frameworks/QtQml.framework/Versions/5/QtQml ykman-gui/ykman-gui.app/Contents/MacOS/ykman
          sudo install_name_tool -change /usr/local/opt/qt/lib/QtNetwork.framework/Versions/5/QtNetwork @executable_path/../Frameworks/QtNetwork.framework/Versions/5/QtNetwork ykman-gui/ykman-gui.app/Contents/MacOS/ykman
          sudo install_name_tool -change /usr/local/opt/qt/lib/QtCore.framework/Versions/5/QtCore @executable_path/../Frameworks/QtCore.framework/Versions/5/QtCore ykman-gui/ykman-gui.app/Contents/MacOS/ykman

      - name: Remove extra files
        run: |
          rm -rf ykman-gui/ykman-gui.app/Contents/Frameworks/Python.framework/Versions/2.7
          rm -rf ykman-gui/ykman-gui.app/Contents/Resources/pymodules

      - name: Rename and archive app bundle
        run: |
          export REF=$(echo ${GITHUB_REF} | cut -d '/' -f 3)
          mv ykman-gui/ykman-gui.app YubiKey\ Manager.app
          tar -czf yubikey-manager-qt-${REF}.app.tar.gz YubiKey\ Manager.app
          mkdir deploy
          mv yubikey-manager-qt-${REF}.app.tar.gz deploy

      - name: Uninstall runtime dependencies
        run: |
          brew uninstall openssl@1.1 python --ignore-dependencies
          sudo rm -rf /usr/local/Cellar/qt

      - name: Run GUI
        run: |
          ./YubiKey\ Manager.app/Contents/MacOS/ykman-gui --version
          ./YubiKey\ Manager.app/Contents/MacOS/ykman-gui --help

      - name: Run CLI
        run: |
          ./YubiKey\ Manager.app/Contents/MacOS/ykman --version
          [[ -z "$(./YubiKey\ Manager.app/Contents/MacOS/ykman --version | grep -E "not found|missing")" ]]

      - name: Upload artifact
        uses: actions/upload-artifact@v1
        with:
          name: yubikey-manager-qt-macos-app-bundle
          path: deploy