actions: remove add_lib hack and use contents_directory PyInstaller feature instead

.github/actions/entitlements.plist

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+        <!-- These are required for binaries built by PyInstaller -->
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+</dict>
+</plist>

.github/workflows/build.yml

@@ -201,6 +201,14 @@ jobs:
           #brew install swig
           #brew install ncurses
 
+      - name: MacOS import developer certificates for signing
+        if: runner.os == 'macOS'
+        uses: apple-actions/import-codesign-certs@v3
+        with:
+          keychain: signing_temp
+          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
+          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
+
       - name: Windows Configure VCode
         uses: ilammy/msvc-dev-cmd@v1
         if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -521,32 +529,31 @@ jobs:
       - name: Build GAM with PyInstaller
         if: matrix.goal != 'test'
         run: |
-          if [[ "${staticx}" == "yes" ]]; then
-            export distpath="./dist/gam"
-            export gampath="${distpath}"
-          else
-            export distpath="./dist"
-            export gampath="${distpath}/gam"
-          fi
+          export distpath="./dist/gam"
+          export gampath="$distpath"
           mkdir -p -v "${gampath}"
           if [[ "${RUNNER_OS}" == "macOS" ]]; then
-            # brew OpenSSL gets picked up by PyInstaller breaking our self-compiled version
+            # Tell our gam.spec to use our code sign certificate
+            export codesign_identity="Jay Lee"
+            # brew OpenSSL gets picked up by PyInstaller
+            # breaking our self-compiled version
             brew uninstall --ignore-dependencies openssl
-            export gampath=$($PYTHON -c "import os; print(os.path.realpath('$gampath'))")
+            export PYINSTALLER_BUILD_ONEDIR=yes
+            export gampath=$($PYTHON -c "import os; print(os.path.realpath('${gampath}/gam'))")
           elif [[ "${RUNNER_OS}" == "Windows" ]]; then
             # Work around issue where PyInstaller picks up python3.dll from other Python versions
             # https://github.com/pyinstaller/pyinstaller/issues/7102
             export PATH="$(dirname ${PYTHON}):/usr/bin"
+            export PYINSTALLER_BUILD_ONEDIR=no
           else
             export gampath=$(realpath "${gampath}")
+            export PYINSTALLER_BUILD_ONEDIR=no
           fi
           export gam="${gampath}/gam"
           echo "gampath=${gampath}" >> $GITHUB_ENV
-          # TEMP force everything back to one file.
-          export PYINSTALLER_BUILD_ONEFILE="yes"
-          export distpath="./dist/gam"
-          export gampath="${distpath}"
           "${PYTHON}" -m PyInstaller --clean --noconfirm --distpath="${distpath}" gam.spec
+          echo "dist results:"
+          ls -alRF "$distpath"
           echo "WARNINGS FROM build/gam/warn-gam.txt"
           cat build/gam/warn-gam.txt
           echo "Analysis FROM build/gam/Analysis-00.toc"
@@ -570,12 +577,12 @@ jobs:
       - name: Copy extra package files
         if: matrix.goal == 'build'
         run: |
-          cp -v cacerts.pem $gampath
-          cp -v LICENSE $gampath
-          cp -v GamCommands.txt $gampath
-          cp -v GamUpdate.txt $gampath
+          cp -v cacerts.pem "$gampath"
+          cp -v LICENSE "$gampath"
+          cp -v GamCommands.txt "$gampath"
+          cp -v GamUpdate.txt "$gampath"
           if [[ "${RUNNER_OS}" == "Windows" ]]; then
-              cp -v gam-setup.bat $gampath
+              cp -v gam-setup.bat "$gampath"
           fi
 
       - name: Install StaticX
@@ -596,9 +603,21 @@ jobs:
               ;;
           esac
           echo "ldlib=${ldlib}"
-          $PYTHON -m staticx -l "${ldlib}" "${gam}" "${gam}-staticx"
-          rm -v "${gam}"
-          mv -v "${gam}-staticx" "${gam}"
+          $PYTHON -m staticx -l "${ldlib}" "$gam" "${gam}-staticx"
+          rm -v "$gam"
+          mv -v "${gam}-staticx" "$gam"
+
+      - name: MacOS send GAM binary for Apple notarization
+        if: runner.os == 'macOS'
+        env:
+          ASP_NOTARIZE: ${{ secrets.ASP_NOTARIZE }}
+        run: |
+          # Apple wants some kind of "package" submitted so just add gam to a .zip
+          # name it something we can track and link in Apple's notarize process
+          zipfilename="./gam-${RUNNER_ARCH}-${GITHUB_RUN_ID}-${GITHUB_RUN_NUMBER}.zip"
+          zip -r "$zipfilename" "$gampath"
+          xcrun notarytool submit --apple-id "jay0lee@gmail.com" --password "$ASP_NOTARIZE" --team-id GZ85H2DRLM "$zipfilename"
+          rm -v "$zipfilename"
 
       - name: Basic Tests all jobs
         id: basictests
@@ -715,7 +734,8 @@ jobs:
           done
           driveid=$($gam user $gam_user add shareddrive "${newbase}" returnidonly)
           echo "Created shared drive ${driveid}"
-          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random ou "${newou}" recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB-
+          # 9/17/24 - temp create in root due to Google API issues creating users in new OUs
+          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- # ou "${newou}"
           $gam user $newuser update photo https://dummyimage.com/400x600/000/fff
           $gam user $newuser get photo
           $gam user $newuser delete photo
@@ -734,7 +754,8 @@ jobs:
           $gam update group $newgroup add owner $gam_user
           $gam update group $newgroup add member $newuser
           $gam config enable_dasa false save
-          $gam create admin $newuser _GROUPS_EDITOR_ROLE CUSTOMER # condition nonsecuritygroup
+          # 9/17/24 temp disable due to Google API sluggishness to see new users for admin commands
+          # $gam create admin $newuser _GROUPS_EDITOR_ROLE CUSTOMER # condition nonsecuritygroup
           $gam create admin $newgroup _HELP_DESK_ADMIN_ROLE org_unit "${newou}"
           $gam config csv_output_row_filter "assignedToUser:regex:${newuser}" print admins | $gam csv - gam delete admin "~roleAssignmentId"
           $gam config csv_output_row_filter "assignedToGroup:regex:${newgroup}" print admins | $gam csv - gam delete admin "~roleAssignmentId"
@@ -858,7 +879,7 @@ jobs:
           echo "printer model count:"
           $gam print printermodels | wc -l
           $gam print printers
-          printerid=$($gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by $(gam_user)" ou "${newou}" nodetails | awk '{print substr($2, 1, length($2)-1)}')
+          printerid=$($gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by ${gam_user}" ou "${newou}" nodetails | awk '{print substr($2, 1, length($2)-1)}')
           $gam info printer "$printerid"
           $gam delete printer "$printerid"
           $gam delete ou "${newou}"

README.md

@@ -1,6 +1,6 @@
 GAM is a command line tool for Google Workspace admins to manage domain and user settings quickly and easily.
 
-![Build Status](https://github.com/GAM-team/GAM/workflows/Build%20and%20test%20GAM/badge.svg)
+[![Build StatusM](https://github.com/GAM-team/GAM/actions/workflows/build.yml/badge.svg)](https://github.com/GAM-team/GAM/actions/workflows/build.yml)
 
 # Quick Start
 

src/add_lib.py

@@ -0,0 +1,12 @@
+import os
+import sys
+
+'''
+for onedir, add_lib.py allows moving many
+library files into a lib/ directory to make
+onedir cleaner. Thanks to:
+https://medium.com/@philipp.h/reduce-clutter-when-using-pyinstaller-in    -one-directory-mode-b631b9f7f89b
+'''
+
+sys.path.append(os.path.join(os.getcwd(), 'lib'))
+sys._MEIPASS=os.path.join(sys._MEIPASS, 'lib')

src/gam.spec

@@ -21,7 +21,7 @@ hiddenimports = [
      'gam.gamlib.yubikey',
      ]
 
-print(f"datas before analysis:\n{datas}")
+runtime_hooks = []
 a = Analysis(
     ['gam/__main__.py'],
     pathex=[],
@@ -30,7 +30,7 @@ a = Analysis(
     hiddenimports=hiddenimports,
     hookspath=[],
     hooksconfig={},
-    runtime_hooks=[],
+    runtime_hooks=runtime_hooks,
     excludes=[],
     win_no_prefer_redirects=False,
     win_private_assemblies=False,
@@ -48,12 +48,17 @@ pyz = PYZ(a.pure,
           cipher=None)
 # requires Python 3.10+ but no one should be compiling
 # GAM with older versions anyway
+target_arch = None
+codesign_identity = None
+entitlements_file = None
 match platform:
     case "darwin":
         if getenv('arch') == 'universal2':
             target_arch = "universal2"
-        else:
-            target_arch = None
+
+        codesign_identity = getenv('codesign_identity')
+        if codesign_identity:
+            entitlements_file = '../.github/actions/entitlements.plist'
         strip = True
     case "win32":
         target_arch = None
@@ -68,9 +73,38 @@ upx = False
 console = True
 disable_windowed_traceback = False
 argv_emulation = False
-codesign_identity = None
-entitlements_file = None
-if not getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
+if getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
+    # Build one directory
+    exe = EXE(
+              pyz,
+              a.scripts,
+              [],
+              exclude_binaries=True,
+              name=name,
+              debug=debug,
+              bootloader_ignore_signals=bootloader_ignore_signals,
+              strip=strip,
+              upx=upx,
+              console=console,
+              # put most everyting under a lib/ subfolder
+              contents_directory='lib',
+              disable_windowed_traceback=disable_windowed_traceback,
+              argv_emulation=argv_emulation,
+              target_arch=target_arch,
+              codesign_identity=codesign_identity,
+              entitlements_file=entitlements_file,
+              )
+    coll = COLLECT(
+        exe,
+        a.binaries,
+        a.zipfiles,
+        a.datas,
+        strip=strip,
+        upx=upx,
+        upx_exclude=[],
+        name=name,
+        )
+else:
     # Build one file
     exe = EXE(
               pyz,
@@ -91,32 +125,4 @@ if not getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
               codesign_identity=codesign_identity,
               entitlements_file=entitlements_file,
               )
-else:
-    # Build one folder
-    exe = EXE(
-              pyz,
-              a.scripts,
-              [],
-              exclude_binaries=True,
-              name=name,
-              debug=debug,
-              bootloader_ignore_signals=bootloader_ignore_signals,
-              strip=strip,
-              upx=upx,
-              console=console,
-              disable_windowed_traceback=disable_windowed_traceback,
-              argv_emulation=argv_emulation,
-              target_arch=target_arch,
-              codesign_identity=codesign_identity,
-              entitlements_file=entitlements_file,
-              )
-    coll = COLLECT(
-        exe,
-        a.binaries,
-        a.zipfiles,
-        a.datas,
-        strip=strip,
-        upx=upx,
-        upx_exclude=[],
-        name=name,
-        )
+