build_binaries.yml

---
name: Build Matrix of Binaries

'on':
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]*"
    branches:
      - "build-all-*"
      - "build-bins-*"
  schedule:
    - cron: "05 00 * * *"
  workflow_dispatch:
    inputs:
      customTag:
        description: "Development Tag"
        required: true
        default: "development-tag"

env:
  TS_FILENAME: "clythor"
  TS_BUNDLE_ID_BASE: "com.tarilabs"
  TS_SIG_FN: "sha256-unsigned.txt"
  ## Must be a JSon string
  TS_FILES: '["clythor"]'
  toolchain: nightly-2024-03-01
  matrix-json-file: ".github/workflows/build_binaries.json"
  CARGO_HTTP_MULTIPLEXING: false
  CARGO_UNSTABLE_SPARSE_REGISTRY: true
  CARGO: cargo
  CARGO_OPTIONS: "--release"
  CARGO_CACHE: true

concurrency:
  # https://docs.github.com/en/actions/examples/using-concurrency-expressions-and-a-test-matrix
  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
  cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/v') || github.ref != 'refs/heads/development' || github.ref != 'refs/heads/nextnet' || github.ref != 'refs/heads/stagenet' }}

permissions: {}

jobs:
  matrix-prep:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: false

      - name: Set Matrix
        id: set-matrix
        run: |
          #
          # build all targets images
          # matrix=$( jq -s -c .[] .github/workflows/build_binaries.json )
          #
          # build only single target image
          # matrix_selection=$( jq -c '.[] | select( ."name" == "windows-x64" )' ${{ env.matrix-json-file }} )
          # matrix_selection=$( jq -c '.[] | select( ."name" | contains("macos") )' ${{ env.matrix-json-file }} )
          #
          # build select target images - build_enabled
          matrix_selection=$( jq -c '.[] | select( ."build_enabled" != false )' ${{ env.matrix-json-file }} )
          #
          # Setup the json build matrix
          matrix=$(echo ${matrix_selection} | jq -s -c '{"builds": .}')
          echo $matrix
          echo $matrix | jq .
          echo "matrix=${matrix}" >> $GITHUB_OUTPUT

  matrix-check:
    # Debug matrix
    if: ${{ false }}
    runs-on: ubuntu-latest
    needs: matrix-prep
    steps:
      - name: Install json2yaml
        run: |
          sudo npm install -g json2yaml

      - name: Check matrix definition
        run: |
          matrix='${{ needs.matrix-prep.outputs.matrix }}'
          echo $matrix
          echo $matrix | jq .
          echo $matrix | json2yaml

  builds:
    name: Building ${{ matrix.builds.name }} on ${{ matrix.builds.runs-on }}
    needs: matrix-prep
    continue-on-error: ${{ matrix.builds.best_effort || false }}
    outputs:
      TARI_VERSION: ${{ steps.set-tari-vars.outputs.TARI_VERSION }}
      VSHA_SHORT: ${{ steps.set-tari-vars.outputs.VSHA_SHORT }}
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.matrix-prep.outputs.matrix) }}

    runs-on: ${{ matrix.builds.runs-on }}

    steps:
      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Declare Global Variables 4 GHA ${{ github.event_name }}
        id: set-tari-vars
        shell: bash
        run: |
          echo "VBRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
          VSHA_SHORT=$(git rev-parse --short HEAD)
          echo "VSHA_SHORT=${VSHA_SHORT}" >> $GITHUB_ENV
          echo "VSHA_SHORT=${VSHA_SHORT}" >> $GITHUB_OUTPUT
          TARI_VERSION=$(awk -F ' = ' '$1 ~ /^version/ \
            { gsub(/["]/, "", $2); printf("%s",$2) }' \
            "$GITHUB_WORKSPACE/Cargo.toml")
          echo "TARI_VERSION=${TARI_VERSION}" >> $GITHUB_ENV
          echo "TARI_VERSION=${TARI_VERSION}" >> $GITHUB_OUTPUT
          TARGET_BINS=""
          if [[ "${{ matrix.builds.target_bins }}" == "" ]]; then
            ARRAY_BINS=( $(echo ${TS_FILES} | jq --raw-output '.[]' | awk '{ print $1 }') )
          else
            ARRAY_BINS=( $(echo "${{ matrix.builds.target_bins }}" | tr ', ' '\n') )
          fi
          for BIN_FILE in "${ARRAY_BINS[@]}"; do
            echo "Adding ${BIN_FILE} to Builds"
            TARGET_BINS+="--bin ${BIN_FILE} "
          done
          echo "TARGET_BINS=${TARGET_BINS}" >> $GITHUB_ENV
          TARI_BUILD_ISA_CPU=${{ matrix.builds.target }}
          # Strip unknown part
          TARI_BUILD_ISA_CPU=${TARI_BUILD_ISA_CPU//-unknown-linux-gnu}
          # Strip gc used by rust
          TARI_BUILD_ISA_CPU=${TARI_BUILD_ISA_CPU//gc}
          echo "TARI_BUILD_ISA_CPU=${TARI_BUILD_ISA_CPU}" >> $GITHUB_ENV

      - name: Scheduled Destination Folder Override
        if: ${{ github.event_name == 'schedule' && github.event.schedule == '05 00 * * *' }}
        shell: bash
        run: |
          echo "S3_DEST_OVERRIDE=daily/" >> $GITHUB_ENV

      - name: Setup Rust toolchain
        uses: dtolnay/rust-toolchain@master
        with:
          components: rustfmt, clippy
          toolchain: ${{ matrix.builds.rust }}
          targets: ${{ matrix.builds.target }}

      - name: Install Linux dependencies - Ubuntu
        if: ${{ startsWith(runner.os,'Linux') && ( ! matrix.builds.cross ) }}
        run: |
          sudo apt-get update
          sudo bash scripts/install_ubuntu_dependencies.sh

      - name: Install Linux dependencies - Ubuntu - cross-compiled ${{ env.TARI_BUILD_ISA_CPU }} on x86-64
        if: ${{ startsWith(runner.os,'Linux') && ( ! matrix.builds.cross ) && matrix.builds.name != 'linux-x86_64' }}
        run: |
          sudo apt-get update
          sudo bash scripts/install_ubuntu_dependencies-cross_compile.sh ${{ env.TARI_BUILD_ISA_CPU }}
          rustup target add ${{ matrix.builds.target }}
          echo "PKG_CONFIG_SYSROOT_DIR=/usr/${{ env.TARI_BUILD_ISA_CPU }}-linux-gnu/" >> $GITHUB_ENV

      - name: Install macOS dependencies
        if: startsWith(runner.os,'macOS')
        run: |
          # Already installed items
          # brew install openssl cmake autoconf zip
          brew install coreutils automake protobuf
          rustup target add ${{ matrix.builds.target }}

      - name: Install Windows dependencies
        if: startsWith(runner.os,'Windows')
        run: |
          vcpkg.exe install sqlite3:x64-windows zlib:x64-windows
          # Bug in choco - need to install each package individually
          choco upgrade llvm -y
          # psutils is out of date
          # choco upgrade psutils -y
          choco upgrade openssl -y
          # Should already be installed
          # choco upgrade strawberryperl -y
          choco upgrade protoc -y
          rustup target add ${{ matrix.builds.target }}

      - name: Set environment variables - Nix
        if: ${{ ! startsWith(runner.os,'Windows') }}
        shell: bash
        run: |
          echo "SHARUN=shasum --algorithm 256" >> $GITHUB_ENV
          echo "CC=gcc" >> $GITHUB_ENV
          echo "TS_EXT=" >> $GITHUB_ENV
          echo "SHELL_EXT=.sh" >> $GITHUB_ENV
          echo "PLATFORM_SPECIFIC_DIR=linux" >> $GITHUB_ENV
          echo "TS_DIST=/dist" >> $GITHUB_ENV

      - name: Set environment variables - macOS
        if: startsWith(runner.os,'macOS')
        shell: bash
        run: |
          echo "PLATFORM_SPECIFIC_DIR=osx" >> $GITHUB_ENV
          echo "LIB_EXT=.dylib" >> $GITHUB_ENV

      # Hardcoded sdk for MacOSX on ARM64
      - name: Set environment variables - macOS - ARM64 (pin/sdk)
        # Debug
        if: ${{ false }}
        # if: ${{ startsWith(runner.os,'macOS') && matrix.builds.name == 'macos-arm64' }}
        run: |
          xcrun --show-sdk-path
          ls -alhtR "/Library/Developer/CommandLineTools/SDKs/"
          echo "RANDOMX_RS_CMAKE_OSX_SYSROOT=/Library/Developer/CommandLineTools/SDKs/MacOSX12.1.sdk" >> $GITHUB_ENV

      - name: Set environment variables - Ubuntu
        if: startsWith(runner.os,'Linux')
        shell: bash
        run: |
          echo "LIB_EXT=.so" >> $GITHUB_ENV

      - name: Set environment variables - Windows
        if: startsWith(runner.os,'Windows')
        shell: bash
        run: |
          # echo "SHARUN=pwsh C:\ProgramData\chocolatey\lib\psutils\tools\psutils-master\shasum.ps1 --algorithm 256" >> $GITHUB_ENV
          mkdir -p "$GITHUB_WORKSPACE\psutils"
          curl -v -o "$GITHUB_WORKSPACE\psutils\getopt.ps1" "https://raw.githubusercontent.com/lukesampson/psutils/master/getopt.ps1"
          curl -v -o "$GITHUB_WORKSPACE\psutils\shasum.ps1" "https://raw.githubusercontent.com/lukesampson/psutils/master/shasum.ps1"
          echo "SHARUN=pwsh $GITHUB_WORKSPACE\psutils\shasum.ps1 --algorithm 256" >> $GITHUB_ENV
          echo "TS_EXT=.exe" >> $GITHUB_ENV
          echo "LIB_EXT=.dll" >> $GITHUB_ENV
          echo "SHELL_EXT=.bat" >> $GITHUB_ENV
          echo "TS_DIST=\dist" >> $GITHUB_ENV
          echo "PLATFORM_SPECIFIC_DIR=windows" >> $GITHUB_ENV
          echo "SQLITE3_LIB_DIR=C:\vcpkg\installed\x64-windows\lib" >> $GITHUB_ENV
          echo "OPENSSL_DIR=C:\Program Files\OpenSSL-Win64" >> $GITHUB_ENV
          echo "LIBCLANG_PATH=C:\Program Files\LLVM\bin" >> $GITHUB_ENV
          echo "C:\Strawberry\perl\bin" >> $GITHUB_PATH

      - name: Cache cargo files and outputs
        if: ${{ ( ! startsWith(github.ref, 'refs/tags/v') ) && ( ! matrix.builds.cross ) && ( env.CARGO_CACHE ) }}
        uses: Swatinem/rust-cache@v2
        with:
          key: ${{ matrix.builds.target }}

      - name: Install and setup cargo cross
        if: ${{ matrix.builds.cross }}
        shell: bash
        run: |
          #cargo install cross
          cargo install cross --git https://github.com/cross-rs/cross
          echo "CARGO=cross" >> $GITHUB_ENV

      - name: Install and setup cargo-auditable
        if: ${{ false }}
        # if: ${{ startsWith(github.ref, 'refs/tags/v') }}
        shell: bash
        run: |
          cargo install cargo-auditable
          echo "CARGO=${{ env.CARGO }} auditable" >> $GITHUB_ENV
          echo "CARGO_OPTIONS=${{ env.CARGO_OPTIONS }} --release" >> $GITHUB_ENV

      - name: Show command used for Cargo
        shell: bash
        run: |
          echo "cargo command is: ${{ env.CARGO }}"
          echo "cargo options is: ${{ env.CARGO_OPTIONS }}"
          echo "cross flag: ${{ matrix.builds.cross }}"

      - name: Build release binaries
        shell: bash
        run: |
          ${{ env.CARGO }} build ${{ env.CARGO_OPTIONS }} \
            --target ${{ matrix.builds.target }} \
            ${{ env.TARGET_BINS }} \
            ${{ matrix.builds.flags }} --locked

      - name: Sign Windows files with Trusted Certificate
        if: ${{ ( startsWith(runner.os,'Windows') ) && ( env.AZURE_TENANT_ID != '' ) }}
        env:
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
        uses: azure/trusted-signing-action@v0.4.0
        with:
          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
          endpoint: https://eus.codesigning.azure.net/
          trusted-signing-account-name: Tari
          certificate-profile-name: Tarilabs
          files-folder: ${{ github.workspace }}/target/${{ matrix.builds.target }}/release/
          files-folder-filter: exe,dll
          file-digest: SHA256
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256

      - name: Copy binaries to folder for archiving
        shell: bash
        run: |
          # set -xo pipefail
          mkdir -p "$GITHUB_WORKSPACE${TS_DIST}"
          cd "$GITHUB_WORKSPACE${TS_DIST}"
          BINFILE="${TS_FILENAME}-${TARI_VERSION}-${VSHA_SHORT}-${{ matrix.builds.name }}${TS_EXT}"
          echo "BINFILE=${BINFILE}" >> $GITHUB_ENV
          echo "Copying files for ${BINFILE} to $(pwd)"
          echo "MTS_SOURCE=$(pwd)" >> $GITHUB_ENV
          ls -alht "$GITHUB_WORKSPACE/target/${{ matrix.builds.target }}/release/"
          ARRAY_FILES=( $(echo ${TS_FILES} | jq --raw-output '.[]' | awk '{ print $1 }') )
          for FILE in "${ARRAY_FILES[@]}"; do
            echo "checking for file - ${FILE}${TS_EXT}"
            if [ -f "${GITHUB_WORKSPACE}/target/${{ matrix.builds.target }}/release/${FILE}${TS_EXT}" ]; then
              cp -vf "${GITHUB_WORKSPACE}/target/${{ matrix.builds.target }}/release/${FILE}${TS_EXT}" .
            fi
          done
          if [[ "${{ matrix.builds.target_libs }}" == "" ]]; then
            ARRAY_LIBS=( $(echo ${TS_LIBRARIES} | tr ', ' '\n') )
          else
            ARRAY_LIBS=( $(echo "${{ matrix.builds.target_libs }}" | tr ', ' '\n') )
          fi
          for FILE in "${ARRAY_LIBS[@]}"; do
            echo "checking for file - ${FILE}${TS_EXT}"
            # Check on Nix for libs
            if [ -f "${GITHUB_WORKSPACE}/target/${{ matrix.builds.target }}/release/lib${FILE}${LIB_EXT}" ]; then
              cp -vf "${GITHUB_WORKSPACE}/target/${{ matrix.builds.target }}/release/lib${FILE}${LIB_EXT}" .
            fi
            # Check on Windows libs
            if [ -f "${GITHUB_WORKSPACE}/target/${{ matrix.builds.target }}/release/${FILE}${LIB_EXT}" ]; then
              cp -vf "${GITHUB_WORKSPACE}/target/${{ matrix.builds.target }}/release/${FILE}${LIB_EXT}" .
            fi
          done
          ls -alhtR ${{ env.MTS_SOURCE }}

      - name: Pre/unsigned OSX Artifact upload for Archive
        if: ${{ false }}
        # if: startsWith(runner.os,'macOS')
        continue-on-error: true
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.TS_FILENAME }}_unsigned-archive-${{ matrix.builds.name }}
          path: "${{ env.MTS_SOURCE }}/*"

      - name: Build the macOS pkg
        if: ${{ false }}
        # if: startsWith(runner.os,'macOS')
        continue-on-error: true
        env:
          MACOS_KEYCHAIN_PASS: ${{ secrets.MACOS_KEYCHAIN_PASS }}
          MACOS_APPLICATION_ID: ${{ secrets.MACOS_APPLICATION_ID }}
          MACOS_APPLICATION_CERT: ${{ secrets.MACOS_APPLICATION_CERT }}
          MACOS_APPLICATION_PASS: ${{ secrets.MACOS_APPLICATION_PASS }}
          MACOS_INSTALLER_ID: ${{ secrets.MACOS_INSTALLER_ID }}
          MACOS_INSTALLER_CERT: ${{ secrets.MACOS_INSTALLER_CERT }}
          MACOS_INSTALLER_PASS: ${{ secrets.MACOS_INSTALLER_PASS }}
          MACOS_NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZE_USERNAME }}
          MACOS_NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZE_PASSWORD }}
          MACOS_ASC_PROVIDER: ${{ secrets.MACOS_ASC_PROVIDER }}
        run: |
          echo $MACOS_APPLICATION_CERT | base64 --decode > application.p12
          echo $MACOS_INSTALLER_CERT | base64 --decode > installer.p12
          security create-keychain -p $MACOS_KEYCHAIN_PASS build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p $MACOS_KEYCHAIN_PASS build.keychain
          security import application.p12 -k build.keychain -P $MACOS_APPLICATION_PASS -T /usr/bin/codesign
          security import installer.p12 -k build.keychain -P $MACOS_INSTALLER_PASS -T /usr/bin/pkgbuild
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_KEYCHAIN_PASS build.keychain
          if [[ "${{ matrix.builds.name }}" == "macos-arm64" ]]; then
            echo "Add codesign extra args for ${{ matrix.builds.name }}"
            OSX_CODESIGN_EXTRAS="--entitlements ${GITHUB_WORKSPACE}/applications/minotari_node/osx-pkg/entitlements.xml"
          fi
          cd buildtools
          export target_release="target/${{ matrix.builds.target }}/release"
          mkdir -p "${{ runner.temp }}/osxpkg"
          export tarball_parent="${{ runner.temp }}/osxpkg"
          export tarball_source="${{ env.TARI_NETWORK_DIR }}"
          ./create_osx_install_zip.sh unused nozip
          ARRAY_FILES=( $(echo ${TS_FILES} | jq --raw-output '.[]' | awk '{ print $1 }') )
          find "${GITHUB_WORKSPACE}/${target_release}" \
            -name "randomx-*" -type f -perm -+x \
            -exec cp -vf {} "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/" \;
          FILES_DIAG_UTILS=( \
            $(find "${GITHUB_WORKSPACE}/${target_release}" \
                -name "randomx-*" -type f -perm -+x \
                  -exec sh -c 'echo "$(basename "{}")"' \; \
              ) \
          )
          ARRAY_FILES+=(${FILES_DIAG_UTILS[@]})
          for FILE in "${ARRAY_FILES[@]}"; do
            codesign --options runtime --force --verify --verbose --timestamp ${OSX_CODESIGN_EXTRAS} \
              --prefix "${{ env.TS_BUNDLE_ID_BASE }}.${{ env.TS_FILENAME }}." \
              --sign "Developer ID Application: $MACOS_APPLICATION_ID" \
              "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/$FILE"
            codesign --verify --deep --display --verbose=4 \
              "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/$FILE"
            cp -vf "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/$FILE" \
              "${{ env.MTS_SOURCE }}"
          done
          distDirPKG=$(mktemp -d -t ${{ env.TS_FILENAME }})
          echo "${distDirPKG}"
          echo "distDirPKG=${distDirPKG}" >> $GITHUB_ENV
          TS_Temp=${{ env.TS_FILENAME }}
          TS_BUNDLE_ID_VALID_NAME=$(echo "${TS_Temp//_/-}")
          # Strip apple-darwin
          TS_ARCH=$(echo "${${{ matrix.builds.target }}//-apple-darwin/}")
          pkgbuild --root "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}" \
            --identifier "${{ env.TS_BUNDLE_ID_BASE }}.pkg.${TS_BUNDLE_ID_VALID_NAME}" \
            --version "${TARI_VERSION}" \
            --install-location "/tmp/tari" \
            --scripts "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/scripts" \
            --sign "Developer ID Installer: ${MACOS_INSTALLER_ID}" \
            "${distDirPKG}/${{ env.TS_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg"
          echo -e "Submitting to Apple...\n\n"
          xcrun notarytool submit \
            "${distDirPKG}/${{ env.TS_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg" \
            --apple-id "${MACOS_NOTARIZE_USERNAME}" \
            --password ${MACOS_NOTARIZE_PASSWORD} \
            --team-id ${MACOS_ASC_PROVIDER} \
            --verbose --wait 2>&1 | tee -a notarisation.result
          # Maybe use line from with "Processing complete"?
          requestUUID=$(tail -n5 notarisation.result | grep "id:" | cut -d" " -f 4)
          requestSTATUS=$(tail -n5 notarisation.result | grep "\ \ status:" | cut -d" " -f 4)
          if [[ ${requestUUID} == "" ]] || [[ ${requestSTATUS} != "Accepted" ]]; then
            echo "## status: ${requestSTATUS} - could not notarize - ${requestUUID} - ${{ env.TS_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg"
            exit 1
          else
            echo "Notarization RequestUUID: ${requestUUID}"
            echo -e "\nStapling package...\
              ${{ env.TS_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg\n"
            xcrun stapler staple -v \
              "${distDirPKG}/${{ env.TS_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg"
          fi
          cd ${distDirPKG}
          echo "Compute pkg shasum"
          ${SHARUN} "${{ env.TS_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg" \
            >> "${{ env.TS_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg.sha256"
          cat "${{ env.TS_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg.sha256"
          echo "Checksum verification for pkg is "
          ${SHARUN} --check "${{ env.TS_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg.sha256"

      - name: Artifact upload for macOS pkg
        if: ${{ false }}
        # if: startsWith(runner.os,'macOS')
        continue-on-error: true
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.TS_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg
          path: "${{ env.distDirPKG }}/${{ env.TS_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}*.pkg*"

      - name: Build the Windows installer
        if: ${{ false }}
        # if: startsWith(runner.os,'Windows')
        continue-on-error: true
        shell: cmd
        run: |
          cd buildtools
          "%programfiles(x86)%\Inno Setup 6\iscc.exe" "/DMyAppVersion=${{ env.TARI_VERSION }}-${{ env.VSHA_SHORT }}-${{ matrix.builds.name }}-installer" "/DMinotariSuite=${{ env.TS_FILENAME }}" "/DTariSuitePath=${{ github.workspace }}${{ env.TS_DIST }}" "windows_inno_installer.iss"
          cd Output
          echo "Compute archive shasum"
          ${{ env.SHARUN }} "${{ env.TS_FILENAME }}-${{ env.TARI_VERSION }}-${{ env.VSHA_SHORT }}-${{ matrix.builds.name }}-installer.exe" >> "${{ env.TS_FILENAME }}-${{ env.TARI_VERSION }}-${{ env.VSHA_SHORT }}-${{ matrix.builds.name }}-installer.exe.sha256"
          echo "Show the shasum"
          cat "${{ env.TS_FILENAME }}-${{ env.TARI_VERSION }}-${{ env.VSHA_SHORT }}-${{ matrix.builds.name }}-installer.exe.sha256"
          echo "Checksum verification archive is "
          ${{ env.SHARUN }} --check "${{ env.TS_FILENAME }}-${{ env.TARI_VERSION }}-${{ env.VSHA_SHORT }}-${{ matrix.builds.name }}-installer.exe.sha256"

      - name: Artifact upload for Windows installer
        if: ${{ false }}
        # if: startsWith(runner.os,'Windows')
        continue-on-error: true
        uses: actions/upload-artifact@v4
        with:
          name: "${{ env.TS_FILENAME }}_windows_installer"
          path: "${{ github.workspace }}/buildtools/Output/*"

      - name: Archive and Checksum Binaries
        shell: bash
        run: |
          echo "Archive ${{ env.BINFILE }} too ${{ env.BINFILE }}.zip"
          cd "${{ env.MTS_SOURCE }}"
          echo "Compute files shasum"
          ${SHARUN} * >> "${{ env.BINFILE }}.sha256"
          echo "Show the shasum"
          cat "${{ env.BINFILE }}.sha256"
          echo "Checksum verification for files is "
          ${SHARUN} --check "${{ env.BINFILE }}.sha256"
          7z a "${{ env.BINFILE }}.zip" *
          echo "Compute archive shasum"
          ${SHARUN} "${{ env.BINFILE }}.zip" >> "${{ env.BINFILE }}.zip.sha256"
          echo "Show the shasum"
          cat "${{ env.BINFILE }}.zip.sha256"
          echo "Checksum verification archive is "
          ${SHARUN} --check "${{ env.BINFILE }}.zip.sha256"

      - name: Artifact upload for Archive
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.TS_FILENAME }}_archive-${{ matrix.builds.name }}
          path: "${{ github.workspace }}${{ env.TS_DIST }}/${{ env.BINFILE }}.zip*"

  macOS-universal-assemble:
    name: macOS universal assemble
    needs: builds

    env:
      TARI_VERSION: ${{ needs.builds.outputs.TARI_VERSION }}
      VSHA_SHORT: ${{ needs.builds.outputs.VSHA_SHORT }}
      SHARUN: "shasum --algorithm 256"

    continue-on-error: true

    runs-on: macos-14

    steps:
      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Download macOS binaries
        uses: actions/download-artifact@v4
        with:
          path: osxuni
          # macos - x86_64 / arm64
          pattern: ${{ env.TS_FILENAME }}_archive-macos-*
          merge-multiple: true

      - name: Set environment variables for macOS universal
        shell: bash
        run: |
          BINFN="${TS_FILENAME}-${TARI_VERSION}-${VSHA_SHORT}"
          echo "BINFN=${BINFN}" >> $GITHUB_ENV

      - name: Install macOS dependencies
        shell: bash
        run: |
          brew install coreutils

      - name: Verify checksums and extract
        shell: bash
        working-directory: osxuni
        run: |
          ls -alhtR
          ${SHARUN} --ignore-missing --check \
            "${{ env.BINFN }}-macos-x86_64.zip.sha256"
          ${SHARUN} --ignore-missing --check \
            "${{ env.BINFN }}-macos-arm64.zip.sha256"
          ls -alhtR
          mkdir macos-universal macos-x86_64 macos-arm64
          cd macos-x86_64
          7z e "../${{ env.BINFN }}-macos-x86_64.zip"
          cd ../macos-arm64
          7z e "../${{ env.BINFN }}-macos-arm64.zip"

      - name: Assemble macOS universal binaries
        shell: bash
        working-directory: osxuni
        run: |
          ls -alhtR
          ARRAY_FILES=( $(echo ${TS_FILES} | jq --raw-output '.[]' | awk '{ print $1 }') )
          for FILE in "${ARRAY_FILES[@]}"; do
            echo "processing binary file - ${FILE}"
            lipo -create -output macos-universal/${FILE} \
              macos-x86_64/${FILE} \
              macos-arm64/${FILE}
          done
          ARRAY_LIBS=( $(echo ${TS_LIBRARIES} | tr ', ' '\n') )
          for FILE in "${ARRAY_LIBS[@]}"; do
            echo "processing library file - lib${FILE}.dylib"
            lipo -create -output macos-universal/lib${FILE}.dylib \
              macos-x86_64/lib${FILE}.dylib \
              macos-arm64/lib${FILE}.dylib
          done
          ls -alhtR macos-universal

      - name: Build the macOS universal pkg
        continue-on-error: true
        env:
          MACOS_KEYCHAIN_PASS: ${{ secrets.MACOS_KEYCHAIN_PASS }}
          MACOS_APPLICATION_ID: ${{ secrets.MACOS_APPLICATION_ID }}
          MACOS_APPLICATION_CERT: ${{ secrets.MACOS_APPLICATION_CERT }}
          MACOS_APPLICATION_PASS: ${{ secrets.MACOS_APPLICATION_PASS }}
          MACOS_INSTALLER_ID: ${{ secrets.MACOS_INSTALLER_ID }}
          MACOS_INSTALLER_CERT: ${{ secrets.MACOS_INSTALLER_CERT }}
          MACOS_INSTALLER_PASS: ${{ secrets.MACOS_INSTALLER_PASS }}
          MACOS_NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZE_USERNAME }}
          MACOS_NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZE_PASSWORD }}
          MACOS_ASC_PROVIDER: ${{ secrets.MACOS_ASC_PROVIDER }}
        run: |
          echo $MACOS_APPLICATION_CERT | base64 --decode > application.p12
          echo $MACOS_INSTALLER_CERT | base64 --decode > installer.p12
          security create-keychain -p $MACOS_KEYCHAIN_PASS build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p $MACOS_KEYCHAIN_PASS build.keychain
          security import application.p12 -k build.keychain -P $MACOS_APPLICATION_PASS -T /usr/bin/codesign
          security import installer.p12 -k build.keychain -P $MACOS_INSTALLER_PASS -T /usr/bin/pkgbuild
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_KEYCHAIN_PASS build.keychain
          OSX_CODESIGN_EXTRAS="--entitlements ${GITHUB_WORKSPACE}/applications/minotari_node/osx-pkg/entitlements.xml"
          cd buildtools
          # export target_release="target/${{ matrix.builds.target }}/release"
          # matrix.builds.target=macos-universal
          # matrix.builds.name=macos-universal
          export target_release="osxuni/macos-universal"
          mkdir -p "${{ runner.temp }}/osxpkg"
          export tarball_parent="${{ runner.temp }}/osxpkg"
          export tarball_source="${{ env.TARI_NETWORK_DIR }}"
          ./create_osx_install_zip.sh unused nozip
          ARRAY_FILES=( $(echo ${TS_FILES} | jq --raw-output '.[]' | awk '{ print $1 }') )
          for FILE in "${ARRAY_FILES[@]}"; do
            codesign --options runtime --force --verify --verbose --timestamp ${OSX_CODESIGN_EXTRAS} \
              --prefix "${{ env.TS_BUNDLE_ID_BASE }}.${{ env.TS_FILENAME }}." \
              --sign "Developer ID Application: $MACOS_APPLICATION_ID" \
              "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/$FILE"
            codesign --verify --deep --display --verbose=4 \
              "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/$FILE"
            cp -vf "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/$FILE" \
              "${{ github.workspace }}/osxuni/macos-universal/"
          done
          distDirPKG=$(mktemp -d -t ${{ env.TS_FILENAME }})
          echo "${distDirPKG}"
          echo "distDirPKG=${distDirPKG}" >> $GITHUB_ENV
          TS_Temp=${{ env.TS_FILENAME }}
          TS_BUNDLE_ID_VALID_NAME=$(echo "${TS_Temp//_/-}")
          TS_ARCH=universal
          pkgbuild --root "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}" \
            --identifier "${{ env.TS_BUNDLE_ID_BASE }}.pkg.${TS_BUNDLE_ID_VALID_NAME}" \
            --version "${TARI_VERSION}" \
            --install-location "/tmp/tari" \
            --scripts "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/scripts" \
            --sign "Developer ID Installer: ${MACOS_INSTALLER_ID}" \
            "${distDirPKG}/${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg"
          echo -e "Submitting to Apple...\n\n"
          xcrun notarytool submit \
            "${distDirPKG}/${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg" \
            --apple-id "${MACOS_NOTARIZE_USERNAME}" \
            --password ${MACOS_NOTARIZE_PASSWORD} \
            --team-id ${MACOS_ASC_PROVIDER} \
            --verbose --wait 2>&1 | tee -a notarisation.result
          # Maybe use line from with "Processing complete"?
          requestUUID=$(tail -n5 notarisation.result | grep "id:" | cut -d" " -f 4)
          requestSTATUS=$(tail -n5 notarisation.result | grep "\ \ status:" | cut -d" " -f 4)
          if [[ ${requestUUID} == "" ]] || [[ ${requestSTATUS} != "Accepted" ]]; then
            echo "## status: ${requestSTATUS} - could not notarize - ${requestUUID} - ${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg"
            exit 1
          else
            echo "Notarization RequestUUID: ${requestUUID}"
            echo -e "\nStapling package...\
              ${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg\n"
            xcrun stapler staple -v \
              "${distDirPKG}/${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg"
          fi
          cd ${distDirPKG}
          echo "Compute pkg shasum"
          ${SHARUN} "${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg" \
            >> "${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg.sha256"
          cat "${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg.sha256"
          echo "Checksum verification for pkg is "
          ${SHARUN} --check "${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg.sha256"

      - name: Artifact upload for macOS universal pkg
        if: startsWith(runner.os,'macOS')
        continue-on-error: true
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}.pkg
          path: "${{ env.distDirPKG }}/${{ env.TS_FILENAME }}-macos-universal-${{ env.TARI_VERSION }}*.pkg*"

      - name: Archive and Checksum macOS universal Binaries
        shell: bash
        working-directory: osxuni/macos-universal
        run: |
          # set -xo pipefail
          BINFILE="${BINFN}-macos-universal"
          echo "BINFILE=${BINFILE}" >> $GITHUB_ENV
          echo "Archive ${BINFILE} into ${BINFILE}.zip"
          echo "Compute files shasum into ${BINFILE}.sha256"
          ${SHARUN} * >> "${BINFILE}.sha256"
          echo "Show the shasum"
          cat "${BINFILE}.sha256"
          echo "Checksum verification for files is "
          ${SHARUN} --check "${BINFILE}.sha256"
          7z a "${BINFILE}.zip" *
          echo "Compute archive shasum into ${BINFILE}.zip.sha256"
          ${SHARUN} "${BINFILE}.zip" >> "${BINFILE}.zip.sha256"
          echo "Show the shasum from ${BINFILE}.zip.sha256"
          cat "${BINFILE}.zip.sha256"
          echo "Checksum verification archive is "
          ${SHARUN} --check "${BINFILE}.zip.sha256"

      - name: Artifact upload for Archive
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.TS_FILENAME }}_archive-macos-universal
          path: "${{ github.workspace }}/osxuni/macos-universal/${{ env.BINFILE }}.zip*"

  create-release:
    if: ${{ startsWith(github.ref, 'refs/tags/v') }}

    runs-on: ubuntu-latest
    needs: builds

    env:
      TARI_VERSION: ${{ needs.builds.outputs.TARI_VERSION }}

    permissions:
      contents: write

    steps:
      - name: Download binaries
        uses: actions/download-artifact@v4
        with:
          path: ${{ env.TS_FILENAME }}
          pattern: "${{ env.TS_FILENAME }}*"
          merge-multiple: true

      - name: Verify checksums and Prep Uploads
        shell: bash
        working-directory: ${{ env.TS_FILENAME }}
        run: |
          # set -xo pipefail
          sudo apt-get update
          sudo apt-get --no-install-recommends --assume-yes install dos2unix
          ls -alhtR
          if [ -f "${{ env.TS_FILENAME }}-${{ env.TARI_VERSION }}.${{ env.TS_SIG_FN }}" ] ; then
            rm -fv "${{ env.TS_FILENAME }}-${{ env.TARI_VERSION }}.${{ env.TS_SIG_FN }}"
          fi
          # Merge all sha256 files into one
          find . -name "*.sha256" -type f -print | xargs cat >> "${{ env.TS_FILENAME }}-${{ env.TARI_VERSION }}.${{ env.TS_SIG_FN }}"
          dos2unix --quiet "${{ env.TS_FILENAME }}-${{ env.TARI_VERSION }}.${{ env.TS_SIG_FN }}"
          cat "${{ env.TS_FILENAME }}-${{ env.TARI_VERSION }}.${{ env.TS_SIG_FN }}"
          sha256sum --ignore-missing --check "${{ env.TS_FILENAME }}-${{ env.TARI_VERSION }}.${{ env.TS_SIG_FN }}"
          ls -alhtR

      - name: Create release
        uses: ncipollo/release-action@v1
        with:
          artifacts: "${{ env.TS_FILENAME }}*/**/*"
          token: ${{ secrets.GITHUB_TOKEN }}
          prerelease: true
          draft: true
          allowUpdates: true
          updateOnlyUnreleased: true
          replacesArtifacts: true

      - name: Sync assets to S3
        continue-on-error: true
        if: ${{ env.AWS_SECRET_ACCESS_KEY != '' && matrix.builds.runs-on != 'self-hosted' }}
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          S3CMD: "cp"
          S3OPTIONS: '--recursive --exclude "*" --include "*.sha256*" --include "*.zip*" --include "*.pkg*" --include "*installer.exe*"'
        shell: bash
        working-directory: ${{ env.TS_FILENAME }}
        run: |
          echo "Upload processing ..."
          ls -alhtR
          echo "Clean up"
          # Bash check if file with wildcards, does not work as expected
          echo "Folder setup"
          if ls ${{ env.TS_FILENAME }}*linux* > /dev/null 2>&1 ; then
            mkdir -p "linux/${{ env.TARI_NETWORK_DIR }}/"
            mv -v ${{ env.TS_FILENAME }}*linux* "linux/${{ env.TARI_NETWORK_DIR }}/"
          fi
          if ls ${{ env.TS_FILENAME }}*macos* > /dev/null 2>&1 ; then
            mkdir -p "osx/${{ env.TARI_NETWORK_DIR }}/"
            mv -v ${{ env.TS_FILENAME }}*macos* "osx/${{ env.TARI_NETWORK_DIR }}/"
          fi
          if ls ${{ env.TS_FILENAME }}*windows* > /dev/null 2>&1 ; then
            mkdir -p "windows/${{ env.TARI_NETWORK_DIR }}/"
            mv -v ${{ env.TS_FILENAME }}*windows* "windows/${{ env.TARI_NETWORK_DIR }}/"
          fi
          ls -alhtR
          aws --version
          echo "ls current"
          aws s3 ls --region ${{ secrets.AWS_REGION }} \
            s3://${{ secrets.AWS_S3_BUCKET }}/current/
          echo "Upload current"
          aws s3 ${{ env.S3CMD }} --region ${{ secrets.AWS_REGION }} \
            . \
            s3://${{ secrets.AWS_S3_BUCKET }}/current/ \
            ${{ env.S3OPTIONS }}