@sergey-yaroslavtsev
Collaborator

@sergey-yaroslavtsev sergey-yaroslavtsev commented Nov 20, 2025

  1. add proper testing using add env variable to start pymca in test mode for CI #1147 instead of just running the app
  2. do not download from testPyPI use only local wheels (to avoid crash when last version is not ready for one of OS-arch-cpy) - maybe less logical but more stable
  3. use only version from local file - not from testPyPI (sometimes version was read incorrectly leading to crash at last steps)
  4. download wheels-artifacts at once using pattern as suggested by @t20100
  5. add tests after creating DMG - maybe overkill, but then I would rather delete it for merged app, as DMG is an end product
  6. remove TEST_APP_FUNCTION in _MacOS.yml since test function is now only two lines
  7. if tests fail then CI should fail - https://github.com/sergey-yaroslavtsev/pymca/actions/runs/19329081104/job/55287584638 due to exit $LASTEXITCODE and set -e
  8. add .src.tgz to the release assets - so now assets should completely mimic SourceForge
  9. navigation image moved
  10. small additions to CONTRIBUTION.rst

Notes:

  1. testing of these modifications was done in https://github.com/sergey-yaroslavtsev/pymca/actions/runs/19329081104/job/55287584638 (last fail is due to missing DMG file but all modified steps have passed)
  2. modification of CI is complicated since uploading and signing parts should be commented - hard to do full test outside of main repo - hopefully significant modifications will not be required in the nearest future
  3. the "easiest" way I found to modify CI is to create a new fork and manually comment all secrets/uploads/signing then test - then uncomment...

If you think commit history is "dirty" I can redo it from fresh branch.

@sergey-yaroslavtsev
Collaborator Author

@mretegan can you please check the _MacOS.yml file? Especially what happens after packaging-signing, since I was not able to test it outside of the main repo.

…empty secret for PyPI and testPyPI. Add local option for release - no uploads, no tags, no version check.
@sergey-yaroslavtsev
Collaborator Author

Few additions:

  1. remove "--no-build-isolation" while pip install bcflight, since issue was fixed problem via pip install vasole/bcflight#1
  2. upload to testPyPI and PyPI is skipped if secrets are missing
  3. now "release" has three options stop/force/local:
    a) stop - do nothing
    b) force - trigger full procedure manually
    c) local - skip upload, tag and version check

2 and 3 were added after discussion with @mretegan since he had similar issues to mine described in "notes" of first comment:

Moreover, universal DMG is created and just not signed if secrets are missing (I did not know it) - so I've tested the unsigned DMG as well.

test of "force" option - https://github.com/sergey-yaroslavtsev/pymca_ci_mod/actions/runs/19698502347
test of "local" option - https://github.com/sergey-yaroslavtsev/pymca_ci_mod/actions/runs/19698505371

@sergey-yaroslavtsev
Collaborator Author

I did not find a way to add new lines for description in GitHub option. <br> and \n do not work.
Can do like this:

name: Release
...
        description: |
          stop  - do nothing; safe precautions from accident run ----------------------------
          force - to start release with same version (useful if previous CI failed before uploading wheels) ------------------------
          local - to test changes; it create only artifacts, no upload or tag

@mretegan
Member

The default names are not very descriptive. I would use something like this:

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      mode:
        description: "Release mode"
        type: choice
        options:
          - standard  # check for version change, release if new.
          - force  # ignore version check, useful for retrying failed releases
          - dry-run  # build only, not tag, upload, or sign
        default: 'standard'

The complete file is here: https://github.com/mretegan/pymca/blob/CI_mod/.github/workflows/Release.yml. The _Version.yml is also slightly updated.
As formatting is an issue on GitHub, I would only use comments in the file.

Also, now that we can build without releasing, you can remove LocalWindowsInstaller.yml

@sergey-yaroslavtsev
Collaborator Author

sergey-yaroslavtsev commented Nov 27, 2025

Did not agree with "standard" as it actually does nothing on purpose as a safety precaution. Everything else is OK - thanks.

Sorry for "test" commit - I've misunderstood Marius's previous "force-pushed".

@mretegan
Member

@sergey-yaroslavtsev I pushed a few changes to ensure that the macOS app is signed, modified the text in CONTRIBUTING.txt, and removed the deprecated LocalWindowsInstaller.yml.

@sergey-yaroslavtsev
Collaborator Author

I think these explicit checks of secrets existence break the idea of "dry-run". Because now one is not able to run CI in "dry-run" mode if APPLE secrets do not exist.
Would such change to release be sufficient?:

APPLE_ID: ${{ github.event.inputs.mode != 'dry-run' && secrets.APPLE_ID || secrets.APPLE_ID || '' }}

If I am not mistaken - for not a dry-run it will pass the secret explicitly;
if it is a dry-run it will pass the secret if it exists or an empty string if the secret does not exist.
I assume that if the secret is empty the DMG will be packed but not signed - that is what I understood from you. Is it OK?

@sergey-yaroslavtsev
Collaborator Author

> I think these explicit checks of secrets existence break the idea of "dry-run". Because now one is not able to run CI in "dry-run" mode if APPLE secrets do not exist.

Incorrect. CI works and passes an empty string for the secret if it does not exist. required: true is still needed in _MacOS.yml as it should receive the secret (it fails without it).
It means that now it should never fail because of the signature - if there is no secret it is just empty and the DMG is not signed.
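
The dry-run versus real-release distinction drawn in the two comments above, as an added shell example (not code from the PR or the pymca workflows): it signs when the signing variables are set, builds unsigned only in dry-run, and stops a real release that lacks them. This is stricter than the never-fail behaviour the thread settles on; the mode names follow the suggested workflow_dispatch options, APPLE_ID is from the thread, and EXAMPLE_SIGN_PASSWORD is a hypothetical variable name.

```shell
# Added example: gate macOS signing on release mode and on secret presence.
# APPLE_ID and the mode names come from the thread; EXAMPLE_SIGN_PASSWORD is a
# made-up second variable standing in for the other signing secrets.

# Print the names (never the values) of variables that are unset or empty.
missing_secrets() {
    local name value missing=""
    for name in "$@"; do
        case "$name" in
            ""|[0-9]*|*[!A-Za-z0-9_]*) echo "bad variable name" >&2; return 2 ;;
        esac
        eval "value=\${$name:-}"   # name was validated above
        [ -n "$value" ] || missing="${missing:+$missing }$name"
    done
    printf '%s' "$missing"
}

# Print "sign" or "unsigned"; fail for a real release without secrets.
signing_decision() {
    local mode="$1" missing
    shift
    case "$mode" in
        standard|force|dry-run) ;;
        *) echo "unknown release mode: $mode" >&2; return 2 ;;
    esac
    missing=$(missing_secrets "$@") || return 2
    if [ -z "$missing" ]; then
        echo "sign"
    elif [ "$mode" = "dry-run" ]; then
        # Dry-run: an unsigned DMG is acceptable because nothing is published.
        echo "dry-run without $missing: building an unsigned DMG" >&2
        echo "unsigned"
    else
        # Real release: refuse to continue rather than ship an unsigned DMG.
        echo "mode '$mode' requires: $missing" >&2
        return 1
    fi
}
```

In a workflow step the variables would be mapped from the secrets context into `env:` (empty when the secret is not configured), since secrets cannot be referenced directly in an `if:` condition.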

@sergey-yaroslavtsev
Collaborator Author

sergey-yaroslavtsev commented Dec 1, 2025

No uploads to testPyPI since it is not used anymore in further steps. testPyPI secret is removed from workflow. Upload to PyPI happens after all steps (to avoid any mess in PyPI).
There is no point to keep dispatch option for most of workflows as they could not be run independently anymore (use artifacts instead of testPyPI as source of wheels).

@sergey-yaroslavtsev sergey-yaroslavtsev merged commit e434506 into master Dec 2, 2025
6 checks passed
@vasole vasole deleted the CI_mod branch December 3, 2025 06:54