@@ -76,15 +76,11 @@ jobs:
7676
7777 rm -f "$cert_path"
7878
79- # macOS: Build both onefile and onedir versions
79+ # macOS: Build onefile version
8080 - name : Build standalone binary (macOS onefile)
8181 if : runner.os == 'macOS'
8282 run : make build-bin
8383
84- - name : Build standalone binary (macOS onedir)
85- if : runner.os == 'macOS'
86- run : make build-bin-onedir
87-
8884 # macOS: Sign onefile binary
8985 - name : Sign macOS onefile binary
9086 if : runner.os == 'macOS'
9894 echo "✅ Onefile binary signed"
9995 codesign -dv --verbose=2 dist/onefile/kimi
10096
101- # macOS: Sign onedir binaries (all dylibs and executables)
102- - name : Sign macOS onedir binaries
103- if : runner.os == 'macOS'
104- run : |
105- set -euo pipefail
106- echo "Signing onedir binaries..."
107-
108- # 1. Sign all dylibs and so files first (excluding those inside frameworks)
109- find dist/onedir/kimi -type f \( -name "*.dylib" -o -name "*.so" \) ! -path "*.framework/*" | while read -r lib; do
110- echo "Signing: $lib"
111- codesign --force --options runtime --timestamp \
112- --sign "$APPLE_SIGNING_IDENTITY" \
113- --keychain "$APPLE_KEYCHAIN_PATH" \
114- "$lib"
115- done
116-
117- # 2. Sign all frameworks with --deep (important for Python.framework)
118- find dist/onedir/kimi -type d -name "*.framework" | while read -r framework; do
119- echo "Signing framework: $framework"
120- codesign --deep --force --options runtime --timestamp \
121- --sign "$APPLE_SIGNING_IDENTITY" \
122- --keychain "$APPLE_KEYCHAIN_PATH" \
123- "$framework"
124- done
125-
126- # 3. Sign the main executable last
127- echo "Signing main executable: dist/onedir/kimi/kimi"
128- codesign --force --options runtime --timestamp \
129- --sign "$APPLE_SIGNING_IDENTITY" \
130- --keychain "$APPLE_KEYCHAIN_PATH" \
131- dist/onedir/kimi/kimi
132-
133- echo "✅ Onedir binaries signed"
134- codesign -dv --verbose=2 dist/onedir/kimi/kimi
135- codesign --verify --deep --strict dist/onedir/kimi/kimi && echo "✅ Deep verification passed"
136-
13797 # macOS: Notarize onefile binary
13898 - name : Notarize macOS onefile binary
13999 if : runner.os == 'macOS'
@@ -192,66 +152,6 @@ jobs:
192152 # Cleanup
193153 rm -f "$zip_path" /tmp/notarize-onefile.log
194154
195- # macOS: Notarize onedir binaries
196- - name : Notarize macOS onedir binaries
197- if : runner.os == 'macOS'
198- env :
199- APPLE_NOTARIZATION_KEY_P8 : ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }}
200- APPLE_NOTARIZATION_KEY_ID : ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
201- APPLE_NOTARIZATION_ISSUER_ID : ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
202- run : |
203- set -euo pipefail
204-
205- # Save API key (might already exist from previous step)
206- key_path="${RUNNER_TEMP}/AuthKey.p8"
207- if [[ ! -f "$key_path" ]]; then
208- echo "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$key_path"
209- fi
210-
211- # Create zip for notarization (use --norsrc to avoid ._ AppleDouble files)
212- zip_path="${RUNNER_TEMP}/kimi-onedir.zip"
213- ditto -c -k --norsrc --keepParent dist/onedir/kimi "$zip_path"
214-
215- echo "Submitting onedir for notarization..."
216-
217- # Submit and capture output for status verification
218- xcrun notarytool submit "$zip_path" \
219- --key "$key_path" \
220- --key-id "$APPLE_NOTARIZATION_KEY_ID" \
221- --issuer "$APPLE_NOTARIZATION_ISSUER_ID" \
222- --wait \
223- --timeout 15m \
224- 2>&1 | tee /tmp/notarize-onedir.log
225-
226- # Verify notarization was accepted
227- if ! grep -q "status: Accepted" /tmp/notarize-onedir.log; then
228- echo "❌ Onedir notarization failed!"
229- cat /tmp/notarize-onedir.log
230-
231- # Get detailed error log from Apple
232- submission_id=$(grep "id:" /tmp/notarize-onedir.log | head -1 | awk '{print $2}')
233- if [[ -n "$submission_id" ]]; then
234- echo "Fetching notarization log for submission: $submission_id"
235- xcrun notarytool log "$submission_id" \
236- --key "$key_path" \
237- --key-id "$APPLE_NOTARIZATION_KEY_ID" \
238- --issuer "$APPLE_NOTARIZATION_ISSUER_ID" 2>&1 || true
239- fi
240- exit 1
241- fi
242-
243- echo "✅ Onedir notarization completed and accepted"
244-
245- # Verify signature and notarization status
246- echo "Verifying onedir signature..."
247- codesign -dv --verbose=2 dist/onedir/kimi/kimi
248-
249- echo "Verifying onedir notarization (online check)..."
250- spctl -a -vvv -t install dist/onedir/kimi/kimi
251-
252- # Cleanup
253- rm -f "$key_path" "$zip_path" /tmp/notarize-onedir.log
254-
255155 # macOS: Cleanup keychain
256156 - name : Cleanup macOS keychain
257157 if : always() && runner.os == 'macOS'
@@ -288,35 +188,6 @@ jobs:
288188
289189 print(f"Built onefile artifact: {archive_path}")
290190
291- # Package onedir artifact
292- - name : Package onedir artifact
293- shell : python
294- env :
295- TARGET : ${{ matrix.target }}
296- run : |
297- import os
298- import pathlib
299- import tarfile
300-
301- target = os.environ["TARGET"]
302-
303- dist_dir = pathlib.Path("dist")
304- artifacts_dir = pathlib.Path("artifacts")
305- artifacts_dir.mkdir(parents=True, exist_ok=True)
306-
307- onedir_path = dist_dir / "onedir" / "kimi"
308- if not onedir_path.exists() or not onedir_path.is_dir():
309- raise SystemExit(f"Onedir directory not found at {onedir_path}")
310-
311- archive_name = f"kimi-{target}-onedir.tar.gz"
312- archive_path = artifacts_dir / archive_name
313- with tarfile.open(archive_path, "w:gz") as archive_file:
314- # Add the directory contents with kimi/ as the root
315- for item in onedir_path.iterdir():
316- archive_file.add(item, arcname=f"kimi/{item.name}")
317-
318- print(f"Built onedir artifact: {archive_path}")
319-
320191 - name : Upload artifact
321192 uses : actions/upload-artifact@v4
322193 with :
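Review bot: Nothing visible on the new side deletes the notarization API key file any more, because the removed "Notarize macOS onedir binaries" step was the one that ran `rm -f "$key_path" "$zip_path" /tmp/notarize-onedir.log`. Its comment ("might already exist from previous step") suggests the onefile notarize step also writes `${RUNNER_TEMP}/AuthKey.p8`, yet the onefile cleanup kept at new line 153 removes only the zip and the log. If that step does create the key, extend its cleanup to `rm -f "$key_path" "$zip_path" /tmp/notarize-onefile.log` so the decoded .p8 does not stay on disk for the packaging and upload steps that follow. The failure branch exits before reaching cleanup, so a `trap 'rm -f "$key_path"' EXIT` set right after the key is written would cover that path as well. The onefile step's body begins outside the hunk, so confirm there that `key_path` is set and not already removed.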