Changed from onedir to one file to fix pyinstaller workflow

applepy.spec

@@ -1,5 +1,5 @@
 # PyInstaller spec: `pip install -e ".[bundle]"` then `pyinstaller applepy.spec`
-# Produces dist/applepy (one-folder) with bundled applepy data (JSON, optional compliance trees).
+# Produces dist/applepy (single self-contained binary) with bundled applepy data (JSON, optional compliance trees).
 # Run scripts/vendor_compliance_assets.sh before building to embed mSCP + Lynis (not in git).
 
 from pathlib import Path
@@ -11,12 +11,7 @@ _SPEC_DIR = Path(SPECPATH)
 
 
 def _mscp_data_files_excluding_generated(mscp: Path) -> list[tuple[str, str]]:
-    """
-    Per-file datas for mSCP: omit ``build/`` (output from generate_guidance on the host) and ``.git``.
-
-    Shipping ``build/`` bloats the bundle and, after ``sudo dist/.../applepy``, can leave root-owned
-    trees that break the next PyInstaller clean of ``dist/applepy``.
-    """
+    """Per-file datas for mSCP: omit ``build/`` (generate_guidance output) and ``.git``."""
     prefix = Path("applepy/data/macos_security")
     out: list[tuple[str, str]] = []
     for p in mscp.rglob("*"):
@@ -97,8 +92,10 @@ pyz = PYZ(a.pure)
 exe = EXE(
     pyz,
     a.scripts,
+    a.binaries,
+    a.datas,
     [],
-    exclude_binaries=True,
+    exclude_binaries=False,
     name="applepy",
     debug=False,
     bootloader_ignore_signals=False,
@@ -111,11 +108,3 @@ exe = EXE(
     codesign_identity=None,
     entitlements_file=None,
 )
-coll = COLLECT(
-    exe,
-    a.binaries,
-    a.datas,
-    strip=False,
-    upx=False,
-    name="applepy",
-)

scripts/build_bundle.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Build one-folder PyInstaller distribution (see applepy.spec). Requires: pip install -e ".[bundle]"
+# Build single-file PyInstaller binary (see applepy.spec). Requires: pip install -e ".[bundle]"
 # By default fetches NIST macos_security + Lynis into applepy/data/ (git + network). Offline:
 #   SKIP_VENDOR_COMPLIANCE=1 ./scripts/build_bundle.sh
 set -euo pipefail
@@ -17,15 +17,8 @@ fi
 python -m pip install -q -e ".[bundle]"
 DIST_OUT="${ROOT}/dist/applepy"
 if [[ -e "${DIST_OUT}" ]]; then
-  echo "Removing previous bundle: ${DIST_OUT}"
-  if ! rm -rf "${DIST_OUT}"; then
-    echo "ERROR: Could not remove ${DIST_OUT}." >&2
-    echo "This usually means root-owned files under .../macos_security/build from a prior sudo run of the bundle." >&2
-    echo "Fix:  sudo rm -rf \"${DIST_OUT}\"" >&2
-    echo "Then re-run this script. The spec omits mSCP build/ from the bundle to avoid shipping host output." >&2
-    exit 1
+  echo "Removing previous binary: ${DIST_OUT}"
+  rm -rf "${DIST_OUT}"
 fi
-fi
-python -m PyInstaller --noconfirm "${ROOT}/applepy.spec"
-echo "Output: ${ROOT}/dist/applepy/  →  run: dist/applepy/applepy --help"
-echo "Note: build/applepy/ is PyInstaller’s work dir only (no _internal/). Do not run that copy."
+python -m PyInstaller --noconfirm --clean "${ROOT}/applepy.spec"
+echo "Output: ${ROOT}/dist/applepy  →  run: dist/applepy --help"