Linux and MacOS workflows

[MathiasMagnus]

No description provided.

[CLAassistant]

All committers have signed the CLA.

[MarkCallow]

Please fix the syntax error at line 70 in publish-pyktx.yml. Because the YAML is broken the .yml file is shown strangely in the list of workflows even when not working on the github-actions branch.

[MarkCallow]

Since wrote that you think you are finished, I have reviewed even though the PR is still set as draft. I have included in this review the changes I requested in my e-mail yesterday.

The "big red button" looks fine. The workflows I want in it are android, emscripten web, linux, macos, mingw and windows

[MarkCallow]

Just in case you missed the edit I made, please call the additional workflow for the Emscripten/WASM builds `web.yml" as the packages it creates have web in their names.

[MarkCallow]

Please remove all the checkmkvk remnants from linux.yml and macos.yml. The Check mkvk workflow handles that now. The code was still in .travis.yml because I planned to not include it when porting to GHA so I simply disabled it by never setting the relevant environment variable.

[MarkCallow]

Have you looked up the "error 65"? If not, see https://circleci.com/blog/xcodebuild-exit-code-65-what-it-is-and-how-to-solve-for-ios-and-macos-builds/ and do man sysexits.

I don't think the code signing has anything to do with this error. That happens long after cmake instantiates xcodebuild and, when secrets are available, nothing related to code signing is passed to xcodebuild on its command line.

EX_DATAERR (65)       The input data was incorrect in some way.  This should only be used for
                           user's data and not system files.

It also has nothing to do with the CMake warning you can see in the log. I have that too. It's been present since 3.31 and it isn't preventing my builds from working.

That said I don't have any idea what it is. I suggest removing the | handle_compiler_output to see if helpful messages are being swallowed.

[MarkCallow]

I don't think the code signing has anything to do with this error.

Well I was wrong.

[MathiasMagnus]

@MarkCallow I was going off on this hunch.

[MarkCallow]

Add build.keychain on the end of the command to find the installer cert. The command doesn't seem to use the default keychain. Even locally I had to add login.keychain before it found the certs.

I think GHA may be swallowing some of the output in the name of security. The developer cert was clearly found but no output from the command is visible. Locally I see

keychain: "/Users/mark/Library/Keychains/login.keychain-db"
version: 512
class: 0x80001000 
attributes:
    "alis"<blob>="Symantec Class 3 Organizational CA - G2"
    "cenc"<uint32>=0x00000003 
    "ctyp"<uint32>=0x00000001 
    "hpky"<blob>=0x75E1E3CEB21FAC8F96C5C6175C4AFDE1E01D3A06  "u\341\343\316\262\037\254\217\226\305\306\027\134J\375\341\340\035:\006"
  ...

Also add security default-keychain to verify the default is build.keychain. Try adding that in the script stage as well to make sure it is still the default.

[MarkCallow]

It seems to have the Installer certificate under both names. I'll regenerate the .p12 file and make a new secret.

[MarkCallow]

I verified the base64 encoded file with the certs has the correct certs in it by decoding it back to a .p12 file and importing it into my keychain. There were no complaints and no new certs appeared which means the existing ones were re-imported or ignored. I have again copied the base64 encoded data to the MACOS_CERTIFICATES_P12 secret. Please try again.

I gave you a slightly incorrect security command. You need to add -c before the certificate name. It was ignoring the name and showing the first certificate in the keychain. Please fix that too.

[MarkCallow]

I have to go. I hope you can figure this out now. I have uploaded the APPLE_CODE_SIGN_IDENTITY and APPLE_PKG_SIGN_IDENTITY secrets again in case I made some error last time.

[MarkCallow]

The visible parts of the certificates printed in the latest build match what I see locally so I think they've been added to the keychain correctly.

[MarkCallow]

It's working now. There must have been an error in either MACOS_CERTIFICATES_P12 or APPLE_CODE_SIGN_IDENTITY before. I just uploaded both again. Sorry about that. It's an infernal nuisance that even the person who set the secrets can't view them.

[MarkCallow]

Terrific. It has worked. It was even notarized correctly.

[MarkCallow]

One final thing. Move check reuse into its own workflow, which does not need to be callable from manual.yml. This workflow will need to run no matter what file in the repo has changed so no ignore:.

Please delete the tag you created and the draft release.

[MarkCallow]

Look good. Like the simplification. One very minor change please.

[MarkCallow]

Two more minor changes. @aqnuep's additional review request took me a view of all the changes. I was previously looking at just those made since I last viewed.

[MarkCallow]

Thanks for the excellent work, @MathiasMagnus.