[build, test] Harden workflows' security (#5410)
# .github/workflows/build.yml
# Release build pipeline. `workflow_dispatch` is the only trigger, so the
# workflow runs only when someone starts it by hand.
name: Build
on: workflow_dispatch

# Workflow-wide default for the job token: read-only repository contents.
# The jobs that push or publish (`prepare`, `publish_release`) widen this in
# their own `permissions` block; every other job inherits the default.
permissions:
  contents: read

jobs:
7 prepare:
8 permissions:
9 contents: write # for push_release
10 runs-on: ubuntu-latest
11 outputs:
12 version_suffix: ${{ steps.version_suffix.outputs.version_suffix }}
13 ytdlp_version: ${{ steps.bump_version.outputs.ytdlp_version }}
14 head_sha: ${{ steps.push_release.outputs.head_sha }}
15 steps:
16 - uses: actions/checkout@v3
17 with:
18 fetch-depth: 0
19 - uses: actions/setup-python@v4
20 with:
21 python-version: '3.10'
22
23 - name: Set version suffix
24 id: version_suffix
25 env:
26 PUSH_VERSION_COMMIT: ${{ secrets.PUSH_VERSION_COMMIT }}
27 if: "env.PUSH_VERSION_COMMIT == ''"
28 run: echo "version_suffix=$(date -u +"%H%M%S")" >> "$GITHUB_OUTPUT"
29 - name: Bump version
30 id: bump_version
31 run: |
32 python devscripts/update-version.py ${{ steps.version_suffix.outputs.version_suffix }}
33 make issuetemplates
34
35 - name: Push to release
36 id: push_release
37 run: |
38 git config --global user.name github-actions
39 git config --global user.email github-actions@example.com
40 git add -u
41 git commit -m "[version] update" -m "Created by: ${{ github.event.sender.login }}" -m ":ci skip all :ci run dl"
42 git push origin --force ${{ github.event.ref }}:release
43 echo "head_sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
44 - name: Update master
45 env:
46 PUSH_VERSION_COMMIT: ${{ secrets.PUSH_VERSION_COMMIT }}
47 if: "env.PUSH_VERSION_COMMIT != ''"
48 run: git push origin ${{ github.event.ref }}
49
50
51 build_unix:
52 needs: prepare
53 runs-on: ubuntu-18.04 # Standalone executable should be built on minimum supported OS
54
55 steps:
56 - uses: actions/checkout@v3
57 - uses: actions/setup-python@v4
58 with:
59 python-version: '3.10'
60 - name: Install Requirements
61 run: |
62 sudo apt-get -y install zip pandoc man
63 python -m pip install --upgrade pip setuptools wheel twine
64 python -m pip install Pyinstaller -r requirements.txt
65
66 - name: Prepare
67 run: |
68 python devscripts/update-version.py ${{ needs.prepare.outputs.version_suffix }}
69 python devscripts/make_lazy_extractors.py
70 - name: Build Unix executables
71 run: |
72 make all tar
73 python pyinst.py --onedir
74 (cd ./dist/yt-dlp_linux && zip -r ../yt-dlp_linux.zip .)
75 python pyinst.py
76
77 - name: Upload artifacts
78 uses: actions/upload-artifact@v3
79 with:
80 path: |
81 yt-dlp
82 yt-dlp.tar.gz
83 dist/yt-dlp_linux
84 dist/yt-dlp_linux.zip
85
86 - name: Build and publish on PyPi
87 env:
88 TWINE_USERNAME: __token__
89 TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
90 if: "env.TWINE_PASSWORD != ''"
91 run: |
92 rm -rf dist/*
93 python devscripts/set-variant.py pip -M "You installed yt-dlp with pip or using the wheel from PyPi; Use that to update"
94 python setup.py sdist bdist_wheel
95 twine upload dist/*
96
97 - name: Install SSH private key for Homebrew
98 env:
99 BREW_TOKEN: ${{ secrets.BREW_TOKEN }}
100 if: "env.BREW_TOKEN != ''"
101 uses: yt-dlp/ssh-agent@v0.5.3
102 with:
103 ssh-private-key: ${{ env.BREW_TOKEN }}
104 - name: Update Homebrew Formulae
105 env:
106 BREW_TOKEN: ${{ secrets.BREW_TOKEN }}
107 if: "env.BREW_TOKEN != ''"
108 run: |
109 git clone git@github.com:yt-dlp/homebrew-taps taps/
110 python devscripts/update-formulae.py taps/Formula/yt-dlp.rb "${{ needs.prepare.outputs.ytdlp_version }}"
111 git -C taps/ config user.name github-actions
112 git -C taps/ config user.email github-actions@example.com
113 git -C taps/ commit -am 'yt-dlp: ${{ needs.prepare.outputs.ytdlp_version }}'
114 git -C taps/ push
115
116
117 build_macos:
118 runs-on: macos-11
119 needs: prepare
120
121 steps:
122 - uses: actions/checkout@v3
123 # NB: In order to create a universal2 application, the version of python3 in /usr/bin has to be used
124 - name: Install Requirements
125 run: |
126 brew install coreutils
127 /usr/bin/python3 -m pip install -U --user pip Pyinstaller -r requirements.txt
128
129 - name: Prepare
130 run: |
131 /usr/bin/python3 devscripts/update-version.py ${{ needs.prepare.outputs.version_suffix }}
132 /usr/bin/python3 devscripts/make_lazy_extractors.py
133 - name: Build
134 run: |
135 /usr/bin/python3 pyinst.py --target-architecture universal2 --onedir
136 (cd ./dist/yt-dlp_macos && zip -r ../yt-dlp_macos.zip .)
137 /usr/bin/python3 pyinst.py --target-architecture universal2
138
139 - name: Upload artifacts
140 uses: actions/upload-artifact@v3
141 with:
142 path: |
143 dist/yt-dlp_macos
144 dist/yt-dlp_macos.zip
145
146
147 build_macos_legacy:
148 runs-on: macos-latest
149 needs: prepare
150
151 steps:
152 - uses: actions/checkout@v3
153 - name: Install Python
154 # We need the official Python, because the GA ones only support newer macOS versions
155 env:
156 PYTHON_VERSION: 3.10.5
157 MACOSX_DEPLOYMENT_TARGET: 10.9 # Used up by the Python build tools
158 run: |
159 # Hack to get the latest patch version. Uncomment if needed
160 #brew install python@3.10
161 #export PYTHON_VERSION=$( $(brew --prefix)/opt/python@3.10/bin/python3 --version | cut -d ' ' -f 2 )
162 curl https://www.python.org/ftp/python/${PYTHON_VERSION}/python-${PYTHON_VERSION}-macos11.pkg -o "python.pkg"
163 sudo installer -pkg python.pkg -target /
164 python3 --version
165 - name: Install Requirements
166 run: |
167 brew install coreutils
168 python3 -m pip install -U --user pip Pyinstaller -r requirements.txt
169
170 - name: Prepare
171 run: |
172 python3 devscripts/update-version.py ${{ needs.prepare.outputs.version_suffix }}
173 python3 devscripts/make_lazy_extractors.py
174 - name: Build
175 run: |
176 python3 pyinst.py
177 mv dist/yt-dlp_macos dist/yt-dlp_macos_legacy
178
179 - name: Upload artifacts
180 uses: actions/upload-artifact@v3
181 with:
182 path: |
183 dist/yt-dlp_macos_legacy
184
185
186 build_windows:
187 runs-on: windows-latest
188 needs: prepare
189
190 steps:
191 - uses: actions/checkout@v3
192 - uses: actions/setup-python@v4
193 with: # 3.8 is used for Win7 support
194 python-version: '3.8'
195 - name: Install Requirements
196 run: | # Custom pyinstaller built with https://github.com/yt-dlp/pyinstaller-builds
197 python -m pip install --upgrade pip setuptools wheel "py2exe<0.12"
198 pip install "https://yt-dlp.github.io/Pyinstaller-Builds/x86_64/pyinstaller-5.3-py3-none-any.whl" -r requirements.txt
199
200 - name: Prepare
201 run: |
202 python devscripts/update-version.py ${{ needs.prepare.outputs.version_suffix }}
203 python devscripts/make_lazy_extractors.py
204 - name: Build
205 run: |
206 python setup.py py2exe
207 Move-Item ./dist/yt-dlp.exe ./dist/yt-dlp_min.exe
208 python pyinst.py
209 python pyinst.py --onedir
210 Compress-Archive -Path ./dist/yt-dlp/* -DestinationPath ./dist/yt-dlp_win.zip
211
212 - name: Upload artifacts
213 uses: actions/upload-artifact@v3
214 with:
215 path: |
216 dist/yt-dlp.exe
217 dist/yt-dlp_min.exe
218 dist/yt-dlp_win.zip
219
220
221 build_windows32:
222 runs-on: windows-latest
223 needs: prepare
224
225 steps:
226 - uses: actions/checkout@v3
227 - uses: actions/setup-python@v4
228 with: # 3.7 is used for Vista support. See https://github.com/yt-dlp/yt-dlp/issues/390
229 python-version: '3.7'
230 architecture: 'x86'
231 - name: Install Requirements
232 run: |
233 python -m pip install --upgrade pip setuptools wheel
234 pip install "https://yt-dlp.github.io/Pyinstaller-Builds/i686/pyinstaller-5.3-py3-none-any.whl" -r requirements.txt
235
236 - name: Prepare
237 run: |
238 python devscripts/update-version.py ${{ needs.prepare.outputs.version_suffix }}
239 python devscripts/make_lazy_extractors.py
240 - name: Build
241 run: |
242 python pyinst.py
243
244 - name: Upload artifacts
245 uses: actions/upload-artifact@v3
246 with:
247 path: |
248 dist/yt-dlp_x86.exe
249
250
251 publish_release:
252 permissions:
253 contents: write # for action-gh-release
254 runs-on: ubuntu-latest
255 needs: [prepare, build_unix, build_windows, build_windows32, build_macos, build_macos_legacy]
256
257 steps:
258 - uses: actions/checkout@v3
259 - uses: actions/download-artifact@v3
260
261 - name: Get Changelog
262 run: |
263 changelog=$(grep -oPz '(?s)(?<=### ${{ needs.prepare.outputs.ytdlp_version }}\n{2}).+?(?=\n{2,3}###)' Changelog.md) || true
264 echo "changelog<<EOF" >> $GITHUB_ENV
265 echo "$changelog" >> $GITHUB_ENV
266 echo "EOF" >> $GITHUB_ENV
267 - name: Make Update spec
268 run: |
269 echo "# This file is used for regulating self-update" >> _update_spec
270 echo "lock 2022.07.18 .+ Python 3.6" >> _update_spec
271 - name: Make SHA2-SUMS files
272 run: |
273 sha256sum artifact/yt-dlp | awk '{print $1 " yt-dlp"}' >> SHA2-256SUMS
274 sha256sum artifact/yt-dlp.tar.gz | awk '{print $1 " yt-dlp.tar.gz"}' >> SHA2-256SUMS
275 sha256sum artifact/yt-dlp.exe | awk '{print $1 " yt-dlp.exe"}' >> SHA2-256SUMS
276 sha256sum artifact/yt-dlp_win.zip | awk '{print $1 " yt-dlp_win.zip"}' >> SHA2-256SUMS
277 sha256sum artifact/yt-dlp_min.exe | awk '{print $1 " yt-dlp_min.exe"}' >> SHA2-256SUMS
278 sha256sum artifact/yt-dlp_x86.exe | awk '{print $1 " yt-dlp_x86.exe"}' >> SHA2-256SUMS
279 sha256sum artifact/yt-dlp_macos | awk '{print $1 " yt-dlp_macos"}' >> SHA2-256SUMS
280 sha256sum artifact/yt-dlp_macos.zip | awk '{print $1 " yt-dlp_macos.zip"}' >> SHA2-256SUMS
281 sha256sum artifact/yt-dlp_macos_legacy | awk '{print $1 " yt-dlp_macos_legacy"}' >> SHA2-256SUMS
282 sha256sum artifact/dist/yt-dlp_linux | awk '{print $1 " yt-dlp_linux"}' >> SHA2-256SUMS
283 sha256sum artifact/dist/yt-dlp_linux.zip | awk '{print $1 " yt-dlp_linux.zip"}' >> SHA2-256SUMS
284 sha512sum artifact/yt-dlp | awk '{print $1 " yt-dlp"}' >> SHA2-512SUMS
285 sha512sum artifact/yt-dlp.tar.gz | awk '{print $1 " yt-dlp.tar.gz"}' >> SHA2-512SUMS
286 sha512sum artifact/yt-dlp.exe | awk '{print $1 " yt-dlp.exe"}' >> SHA2-512SUMS
287 sha512sum artifact/yt-dlp_win.zip | awk '{print $1 " yt-dlp_win.zip"}' >> SHA2-512SUMS
288 sha512sum artifact/yt-dlp_min.exe | awk '{print $1 " yt-dlp_min.exe"}' >> SHA2-512SUMS
289 sha512sum artifact/yt-dlp_x86.exe | awk '{print $1 " yt-dlp_x86.exe"}' >> SHA2-512SUMS
290 sha512sum artifact/yt-dlp_macos | awk '{print $1 " yt-dlp_macos"}' >> SHA2-512SUMS
291 sha512sum artifact/yt-dlp_macos.zip | awk '{print $1 " yt-dlp_macos.zip"}' >> SHA2-512SUMS
292 sha512sum artifact/yt-dlp_macos_legacy | awk '{print $1 " yt-dlp_macos_legacy"}' >> SHA2-512SUMS
293 sha512sum artifact/dist/yt-dlp_linux | awk '{print $1 " yt-dlp_linux"}' >> SHA2-512SUMS
294 sha512sum artifact/dist/yt-dlp_linux.zip | awk '{print $1 " yt-dlp_linux.zip"}' >> SHA2-512SUMS
295
296 - name: Publish Release
297 uses: yt-dlp/action-gh-release@v1
298 with:
299 tag_name: ${{ needs.prepare.outputs.ytdlp_version }}
300 name: yt-dlp ${{ needs.prepare.outputs.ytdlp_version }}
301 target_commitish: ${{ needs.prepare.outputs.head_sha }}
302 body: |
303 #### [A description of the various files]((https://github.com/yt-dlp/yt-dlp#release-files)) are in the README
304
305 ---
306 <details open><summary><h3>Changelog</summary>
307 <p>
308
309 ${{ env.changelog }}
310
311 </p>
312 </details>
313 files: |
314 SHA2-256SUMS
315 SHA2-512SUMS
316 artifact/yt-dlp
317 artifact/yt-dlp.tar.gz
318 artifact/yt-dlp.exe
319 artifact/yt-dlp_win.zip
320 artifact/yt-dlp_min.exe
321 artifact/yt-dlp_x86.exe
322 artifact/yt-dlp_macos
323 artifact/yt-dlp_macos.zip
324 artifact/yt-dlp_macos_legacy
325 artifact/dist/yt-dlp_linux
326 artifact/dist/yt-dlp_linux.zip
327 _update_spec