Investigate Mac Builds for 'x64' + 'arm64' or 'universal' #468 #469

Open
wants to merge 1 commit into
base: master
33 changes: 31 additions & 2 deletions .github/workflows/build.yml
Expand Up @@ -19,7 +19,7 @@ jobs:
strategy:
fail-fast: false
matrix:
os: [windows-2019, ubuntu-22.04, macos-13]
os: [windows-2019, ubuntu-22.04, macos-13, macos-14] # macOS-13 is for x64, macOS-14 is for arm64
node: ['20.x']

runs-on: ${{ matrix.os }}
Expand All @@ -42,7 +42,8 @@ jobs:
with:
python-version: '3.11'

- name: Build and package
- name: Build and package (Windows, Linux)
if: runner.os == 'Windows' || runner.os == 'Linux'
shell: bash
run: |
yarn --skip-integrity-check --network-timeout 100000
Expand All @@ -53,6 +54,34 @@ jobs:
NODE_OPTIONS: --max_old_space_size=4096
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # https://github.com/microsoft/vscode-ripgrep/issues/9

- name: Update electron-builder.yml for macOS-14
if: matrix.os == 'macos-14'
run: |
sed -i '' 's|https://download.eclipse.org/theia/ide/latest/macos|https://download.eclipse.org/theia/ide/latest/macos-arm|g' applications/electron/electron-builder.yml

- name: Build and package (Mac)
if: runner.os == 'macOS'
shell: bash
run: |
yarn --skip-integrity-check --network-timeout 100000
yarn build
yarn download:plugins
yarn package:applications
env:
NODE_OPTIONS: --max_old_space_size=4096
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # https://github.com/microsoft/vscode-ripgrep/issues/9

- name: Upload Mac Dist Files
if: runner.os == 'macOS'
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 #4.6.1
with:
name: ${{ matrix.os == 'macos-13' && 'mac-x64' || matrix.os == 'macos-14' && 'mac-arm64'}}
path: |
applications/electron/dist/**
!applications/electron/dist/mac/**
!applications/electron/dist/mac-arm64/**
retention-days: 1

- name: Test (Linux)
if: matrix.tests != 'skip' && runner.os == 'Linux'
uses: GabrielBB/xvfb-action@86d97bde4a65fe9b290c0b3fb92c2c4ed0e5302d #1.6
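Review bot: The `Upload Mac Dist Files` step publishes unsigned macOS packages that, per the PUBLISHING.md change in this same PR, are downloaded by hand, placed into the pre-release and then used as input for the Jenkins build, yet nothing in the workflow records which bytes belong to which commit. Consider a step before the upload that prints a digest of each packaged file to the job log, e.g. `shasum -a 256 applications/electron/dist/*.dmg` (glob assumed from the "unsigned dmgs" wording), so the person replacing the release assets and the Jenkins job can compare against it. Separately, the `sed -i ''` step in `Update electron-builder.yml for macOS-14` exits 0 when the URL pattern is absent, so an arm64 package could silently keep the x64 update feed; following it with `grep -q 'latest/macos-arm' applications/electron/electron-builder.yml` would fail the job instead. The new Mac build step also copies `yarn --skip-integrity-check` without `--frozen-lockfile`, which is worth pinning for a build whose output is later signed.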
204 changes: 164 additions & 40 deletions Jenkinsfile

Large diffs are not rendered by default.

8 changes: 7 additions & 1 deletion PUBLISHING.md
Expand Up @@ -50,7 +50,13 @@ Follow these steps to update dependencies and package versions:

6. If there was a Theia release, review breaking changes, new built-ins, and sample applications, and update code as necessary.

After completing these steps, open a PR with your changes. Merging the PR automatically triggers a preview release.
7. After completing these steps, open a PR with your changes.

8. The PR will trigger a verification build that generates two zip files with mac artifacts.
Download these zips and replace them in this pre-release: <https://github.com/eclipse-theia/theia-ide/releases/tag/pre-release>.
These unsigned dmgs will be used as input for the Jenkins build.

9. Merging the PR automatically triggers a preview release, so make sure step 8 is fully completed before merging.

## 3. Preview, Testing, and Release Process

4 changes: 2 additions & 2 deletions applications/browser/package.json
Expand Up @@ -3,7 +3,7 @@
"name": "theia-ide-browser-app",
"description": "Eclipse Theia IDE browser product",
"productName": "Theia IDE",
"version": "1.59.1",
"version": "1.59.2",
"license": "MIT",
"author": "Eclipse Theia <[email protected]>",
"homepage": "https://github.com/eclipse-theia/theia-ide#readme",
Expand Down Expand Up @@ -104,7 +104,7 @@
"@theia/vsx-registry": "1.59.0",
"@theia/workspace": "1.59.0",
"fs-extra": "^9.0.1",
"theia-ide-product-ext": "1.59.1"
"theia-ide-product-ext": "1.59.2"
},
"devDependencies": {
"@theia/cli": "1.59.0",
9 changes: 5 additions & 4 deletions applications/electron/package.json
Expand Up @@ -3,7 +3,7 @@
"name": "theia-ide-electron-app",
"description": "Eclipse Theia IDE product",
"productName": "Theia IDE",
"version": "1.59.1",
"version": "1.59.2",
"main": "scripts/theia-electron-main.js",
"license": "MIT",
"author": "Eclipse Theia <[email protected]>",
Expand Down Expand Up @@ -112,9 +112,9 @@
"@theia/vsx-registry": "1.59.0",
"@theia/workspace": "1.59.0",
"fs-extra": "^9.0.1",
"theia-ide-launcher-ext": "1.59.1",
"theia-ide-product-ext": "1.59.1",
"theia-ide-updater-ext": "1.59.1"
"theia-ide-launcher-ext": "1.59.2",
"theia-ide-product-ext": "1.59.2",
"theia-ide-updater-ext": "1.59.2"
},
"devDependencies": {
"@theia/cli": "1.59.0",
Expand Down Expand Up @@ -158,6 +158,7 @@
"update:blockmap": "ts-node scripts/update-blockmap.ts",
"update:theia": "ts-node ../../scripts/update-theia-version.ts",
"update:next": "ts-node ../../scripts/update-theia-version.ts next",
"sign:directory": "ts-node scripts/sign-directory.ts",
"test": "mocha --timeout 60000 \"./test/*.spec.js\"",
"lint": "eslint --ext js,jsx,ts,tsx scripts && eslint --ext js,jsx,ts,tsx test",
"lint:fix": "eslint --ext js,jsx,ts,tsx scripts --fix && eslint --ext js,jsx,ts,tsx test -fix"
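--- a/applications/electron/scripts/sign-directory.ts
+++ b/applications/electron/scripts/sign-directory.ts
@@ -0,0 +1,178 @@
+/********************************************************************************
+* Copyright (C) 2025 EclipseSource and others.
+*
+* This program and the accompanying materials are made available under the
+* terms of the MIT License, which is available in the project root.
+*
+* SPDX-License-Identifier: MIT
+********************************************************************************/
+
+import { hideBin } from 'yargs/helpers';
+import yargs from 'yargs/yargs';
+import path from 'path';
+import fs from 'fs';
+import child_process from 'child_process';
+
+const signCommand = path.join(__dirname, 'sign.sh');
+const notarizeCommand = path.join(__dirname, 'notarize.sh');
+const entitlements = path.resolve(__dirname, '..', 'entitlements.plist');
+
+// File extensions and patterns that need code signing on macOS
+const BINARY_EXTENSIONS = ['.dylib', '.so', '.node', '.framework'];
+const BINARY_PATTERNS = [
+/^MacOS\//, // Executable files in MacOS directory
+/^Contents\/MacOS\//, // Executable files in Contents/MacOS directory
+];
+const EXECUTABLE_NAMES = [
+'node', 'electron', 'rg', 'macos-trash', 'chrome-sandbox'
+];
+
+// Function to check if a file is likely a binary that needs signing
+function isBinaryFile(filePath: string): boolean {
+const extension = path.extname(filePath);
+const fileName = path.basename(filePath);
+const relativePath = filePath.replace(/^.*?\.app\//, ''); // Get path relative to .app bundle
+
+// Check by extension
+if (BINARY_EXTENSIONS.includes(extension)) {
+return true;
+}
+
+// Check by executable name
+if (EXECUTABLE_NAMES.includes(fileName)) {
+return true;
+}
+
+// Check by pattern
+for (const pattern of BINARY_PATTERNS) {
+if (pattern.test(relativePath)) {
+return true;
+}
+}
+
+// Check if file is executable (Unix-only check)
+try {
+const stat = fs.statSync(filePath);
+if ((stat.mode & 0o111) !== 0) { // Check if execute bit is set
+// Further verify it's a binary with 'file' command if available
+try {
+const fileType = child_process.execSync(`file "${filePath}"`).toString();
+return fileType.includes('Mach-O') ||
+fileType.includes('executable') ||
+fileType.includes('shared library') ||
+fileType.includes('dynamically linked');
+} catch (e) {
+// If 'file' command fails, fall back to assuming it's a binary if it has execute permission
+return true;
+}
+}
+} catch (e) {
+// If stat fails, skip this check
+}
+
+return false;
+}
+
+// Function to recursively find binaries in a directory
+function findBinariesToSign(dirPath: string): string[] {
+const result: string[] = [];
+
+function scanDirectory(currentPath: string): void {
+const entries = fs.readdirSync(currentPath, { withFileTypes: true });
+
+for (const entry of entries) {
+const fullPath = path.join(currentPath, entry.name);
+
+// Skip node_modules and .git directories
+if (entry.isDirectory() &&
+entry.name !== 'node_modules' &&
+entry.name !== '.git') {
+scanDirectory(fullPath);
+} else if (entry.isFile() && isBinaryFile(fullPath)) {
+result.push(fullPath);
+}
+}
+}
+
+scanDirectory(dirPath);
+
+// Sort by path depth (deepest first) to ensure nested binaries are signed first
+return result.sort((a, b) => {
+const aDepth = a.split(path.sep).length;
+const bDepth = b.split(path.sep).length;
+return bDepth - aDepth;
+});
+}
+
+const signFile = (file: string) => {
+const stat = fs.lstatSync(file);
+const mode = stat.isFile() ? stat.mode : undefined;
+
+// Get SHA hash of file before signing - only for actual files, not directories
+let shaBeforeSigning: string | undefined;
+if (stat.isFile()) {
+shaBeforeSigning = child_process.execSync(`shasum -a 256 "${file}"`).toString().trim();
+}
+
+console.log(`Signing ${file}...`);
+child_process.spawnSync(signCommand, [
+path.basename(file),
+entitlements
+], {
+cwd: path.dirname(file),
+maxBuffer: 1024 * 10000,
+env: process.env,
+stdio: 'inherit',
+encoding: 'utf-8'
+});
+
+// Get SHA hash of file after signing - only for actual files, not directories
+if (stat.isFile()) {
+const shaAfterSigning = child_process.execSync(`shasum -a 256 "${file}"`).toString().trim();
+// Log a warning if the SHA hash hasn't changed after signing
+if (shaBeforeSigning === shaAfterSigning) {
+console.warn(`WARNING: SHA hash did not change after signing for ${file}. This might indicate the file was not properly signed.`);
+}
+}
+
+if (mode) {
+console.log(`Setting attributes of ${file}...`);
+fs.chmodSync(file, mode);
+}
+};
+
+const argv = yargs(hideBin(process.argv))
+.option('directory', { alias: 'd', type: 'string', default: 'dist', description: 'The directory which contains the application to be signed' })
+.version(false)
+.wrap(120)
+.parseSync();
+
+execute();
+
+async function execute(): Promise<void> {
+console.log(`signCommand: ${signCommand}; notarizeCommand: ${notarizeCommand}; entitlements: ${entitlements}; directory: ${argv.directory}`);
+
+// First sign all individual binaries inside the app bundle
+const binariesToSign = findBinariesToSign(argv.directory);
+
+for (const binaryPath of binariesToSign) {
+signFile(binaryPath);
+}
+
+// Then sign the main app bundle
+console.log('Signing main application bundle...');
+signFile(argv.directory);
+
+// Notarize app
+console.log('Notarizing application...');
+child_process.spawnSync(notarizeCommand, [
+path.basename(argv.directory),
+'eclipse.theia'
+], {
+cwd: path.dirname(argv.directory),
+maxBuffer: 1024 * 10000,
+env: process.env,
+stdio: 'inherit',
+encoding: 'utf-8'
+});
+}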
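Review bot: The three `execSync` calls (`file "${filePath}"` in `isBinaryFile` and both `shasum -a 256 "${file}"` calls in `signFile`) route paths discovered by the directory walk through a shell, so a file name containing shell metacharacters is interpreted as shell syntax inside the signing job; the walked tree presumably includes third-party plugin content, so those names should be treated as untrusted and passed with `execFileSync` and an argument array instead. The `spawnSync` results for `signCommand` and `notarizeCommand` are discarded, so a failed signing or notarization still lets the script exit 0 and the only hint is the unchanged-hash warning; check `error` and `status` and fail the run, in `execute()` as well as in `signFile`. `execute()` is also called without a `.catch`, so a thrown error surfaces only as an unhandled rejection. Finally, `scanDirectory` skips every `node_modules` directory and `'.framework'` can never match because only `entry.isFile()` entries reach `isBinaryFile`; both are worth confirming against a built bundle, since native `.node` modules may live under `node_modules`.

```typescript
// isBinaryFile: pass the path as an argument, never through a shell
const fileType = child_process.execFileSync('file', [filePath]).toString();
// … unchanged: Mach-O / executable / shared library checks …

const signFile = (file: string) => {
    // … unchanged: lstat and mode capture …
    if (stat.isFile()) {
        shaBeforeSigning = child_process.execFileSync('shasum', ['-a', '256', file]).toString().trim();
    }

    console.log(`Signing ${file}...`);
    const signResult = child_process.spawnSync(signCommand, [path.basename(file), entitlements], {
        // … unchanged: cwd, maxBuffer, env, stdio, encoding …
    });
    if (signResult.error || signResult.status !== 0) {
        throw new Error(`Signing failed for ${file} (exit status ${signResult.status})`);
    }
    // … unchanged: post-signing hash comparison (same execFileSync form) and chmod …
};
```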