@@ -189,6 +189,12 @@ jobs:
189189 fi
190190 echo "RELEASE_NAME=${RELEASE_PREFIX}-${REF_SUFFIX}${OPENGL_BUILD}" >> $GITHUB_ENV
191191
192+ # Ensure ~/.local/bin is first in PATH for all local tools (uv, python, pip, conan)
193+ # This is especially important for old CentOS 7 containers with old system versions
194+ - name : Fix PATH for local tools
195+ run : |
196+ echo "$HOME/.local/bin" >> $GITHUB_PATH
197+
192198name : Set up python 3.11
193199 uses : actions/setup-python@v5
194200 if : matrix.ostype == 'mac'
@@ -199,35 +205,34 @@ jobs:
199205 # Unfortunately astral-sh/setup-uv action doesn't work on CentOS 7, its GLIBC is too old.
200206
201207 - name : Set up uv manually
202- if : matrix.release_prefix == 'linux-vfx2021'
208+ if : matrix.vfx-cy == 2021 || matrix.vfx-cy == 2022
203209 run : |
204210 curl -LsSf https://astral.sh/uv/install.sh | sh
205- source ~/.local/bin/env
206- echo After sourcing uv env: "$PATH"
207- uv python install --preview 3.11
208-
209- # Python is in $(uv python dir)/cpython-*/bin
210- # uv also installs a symlink in $HOME/.local/bin but because
211- # that is only a symlink, it causes problems with pip and venv.
212- # As a workaround, prepend the actual bin dir to $PATH.
213- uv_python_dir="$(uv python dir)"
214- uv_cpython_name="$(/bin/ls -1 $uv_python_dir)"
215- uv_python_path="$uv_python_dir/$uv_cpython_name/bin"
216- PATH="$uv_python_path":$PATH
217- # Prepend to path for future steps (note: don't use $GITHUB_ENV here)
218- echo "$uv_python_path" >> $GITHUB_PATH
211+ # No need to source env - we already added ~/.local/bin to PATH above
212+
213+ # Use --default to create python/python3 symlinks in ~/.local/bin
214+ # This ensures the sigstore action can find 'python' (not just 'python3')
215+ ~/.local/bin/uv python install --default 3.11
219216
220217name : Check python, uv paths
221218 run : |
222- echo $PATH
223- echo -n 'which python: ' && which python
224- echo -n 'which python3: ' && which python3
225- echo -n 'python version: ' && python --version
226- echo -n 'python3 version: ' && python3 --version
227- echo -n 'which uv: ' && (which uv || echo "No python uv; continuing")
219+ echo "PATH=$PATH"
220+ echo -n 'which python: ' && which python && python --version
221+ echo -n 'which python3: ' && which python3 && python3 --version
222+ echo -n 'python symlink target: ' && (readlink -f $(which python) || echo "not a symlink")
223+ echo -n 'which uv: ' && (which uv || echo "No uv; continuing")
224+
225+ # Install Conan manually for old CentOS 7 using uv-installed Python
226+ # The get-conan action doesn't know about uv Python and would use system Python
227+ - name : Install Conan manually (CentOS 7)
228+ if : matrix.vfx-cy == 2021 || matrix.vfx-cy == 2022
229+ run : |
230+ python3.11 -m pip install --user conan==${{ matrix.conan_version }}
228231
232+ # Use get-conan action for other platforms
229233 - name : Install Conan
230234 id : conan
235+ if : matrix.vfx-cy != 2021 && matrix.vfx-cy != 2022
231236 uses : turtlebrowser/get-conan@main
232237 with :
233238 version : ${{ matrix.conan_version }}
@@ -397,8 +402,24 @@ jobs:
397402 run : |
398403 tar -czf openfx-$RELEASE_NAME.tar.gz -C Install OpenFX
399404
400- name : Sign header/libs tarball with Sigstore
401- if : github.event_name == 'release'
405+ # Install and run sigstore manually for CentOS 7 (sigstore action doesn't work with uv Python)
406+ - name : Install sigstore manually (CentOS 7)
407+ if : github.event_name == 'release' && (matrix.vfx-cy == 2021 || matrix.vfx-cy == 2022)
408+ run : |
409+ # Conan installed urllib3 1.26.x, but tuf (required by sigstore) needs urllib3 2.x for BaseHTTPResponse
410+ # Explicitly upgrade urllib3 first, then install sigstore
411+ python3.11 -m pip install --user --upgrade 'urllib3>=2.0'
412+ python3.11 -m pip install --user sigstore
413+
414+ name : Sign header/libs tarball with Sigstore manually (CentOS 7)
415+ if : github.event_name == 'release' && (matrix.vfx-cy == 2021 || matrix.vfx-cy == 2022)
416+ run : |
417+ # uv Python needs SSL_CERT_FILE to use certifi's CA bundle instead of outdated system certs
418+ export SSL_CERT_FILE=$(python3.11 -c "import certifi; print(certifi.where())")
419+ python3.11 -m sigstore sign openfx-${{ env.RELEASE_NAME }}.tar.gz
420+
421+ name : Sign header/libs tarball with Sigstore (action for other platforms)
422+ if : github.event_name == 'release' && matrix.vfx-cy != 2021 && matrix.vfx-cy != 2022
402423 uses : sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
403424 with :
404425 inputs : openfx-${{ env.RELEASE_NAME }}.tar.gz
@@ -428,8 +449,16 @@ jobs:
428449 run : |
429450 tar -czf openfx_plugins-$RELEASE_NAME.tar.gz -C build/Install .
430451
431- name : Sign plugins tarball with Sigstore
432- if : github.event_name == 'release'
452+ # Sign plugins manually for CentOS 7 (sigstore already installed above)
453+ - name : Sign plugins tarball with Sigstore manually (CentOS 7)
454+ if : github.event_name == 'release' && (matrix.vfx-cy == 2021 || matrix.vfx-cy == 2022)
455+ run : |
456+ # uv Python needs SSL_CERT_FILE to use certifi's CA bundle instead of outdated system certs
457+ export SSL_CERT_FILE=$(python3.11 -c "import certifi; print(certifi.where())")
458+ python3.11 -m sigstore sign openfx_plugins-${{ env.RELEASE_NAME }}.tar.gz
459+
460+ name : Sign plugins tarball with Sigstore (action for other platforms)
461+ if : github.event_name == 'release' && matrix.vfx-cy != 2021 && matrix.vfx-cy != 2022
433462 uses : sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
434463 with :
435464 inputs : openfx_plugins-${{ env.RELEASE_NAME }}.tar.gz
0 commit comments