Skip to content

Update dependencies & enable Windows code signing #604

Update dependencies & enable Windows code signing

Update dependencies & enable Windows code signing #604

Workflow file for this run

name: Artifact CI
on:
push:
env:
JAVA_VERSION: 22
permissions:
contents: write
jobs:
build_bot_artifacts:
name: Build Discord Bot
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: 'oracle'
java-version: ${{ env.JAVA_VERSION }}
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4
- run: ./gradlew assembleBot
- name: Upload plugin artifact
uses: actions/upload-artifact@v4
with:
name: plugin
path: bot/build/plugin/*.zip
- name: Upload plugin bot
uses: actions/upload-artifact@v4
with:
name: bot
path: bot/build/distributions/*.zip
build_desktop_app:
name: Build Desktop App
strategy:
matrix:
os: [ ubuntu-latest, macos-14, windows-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- name: 'Set up latest JDK code tool jextract'
uses: oracle-actions/setup-java@v1
if: matrix.os == 'windows-latest'
with:
website: jdk.java.net
release: jextract
- uses: actions/setup-java@v4
with:
distribution: 'oracle'
java-version: ${{env.JAVA_VERSION}}
- uses: actions-rust-lang/setup-rust-toolchain@v1
if: matrix.os == 'windows-latest'
with:
cache-workspaces: app/desktop/uwp_helper
# https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development#add-a-step-to-your-workflow
- name: Setup MacOS signing
if: matrix.os == 'macos-14'
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.MACOS_SIGNING_CERTIFICATE }}
P12_PASSWORD: ${{ secrets.MAC_SIGNING_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.MAC_SIGNING_PASSWORD }}
PASSWORD: ${{ secrets.APPLE_PASSWORD }}
INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_KEY }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
INSTALLER_CERTIFICATE_PATH=$RUNNER_TEMP/installer_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode -o INSTALLER_CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security import INSTALLER_CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4
- run: ./gradlew packageReleaseDistributionForCurrentOS -Pcompose.desktop.mac.sign=true
shell: bash
- name: Package Linux Distribution
if: matrix.os == 'ubuntu-latest'
run: ./gradlew packageDistributable
- name: Setup MSbuild
if: matrix.os == 'windows-latest'
uses: microsoft/setup-msbuild@v2
- name: Build MSIX
if: matrix.os == 'windows-latest'
run: |
& 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/makeappx.exe' pack /d app/desktop/build/msix-workspace /p Tonbrett.msix
- name: Notarize MacOS installer
if: matrix.os == 'macos-14' && startsWith(github.ref, 'refs/tags/')
env:
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
run: ./gradlew notarizeReleasePkg -Pcompose.desktop.mac.sign=true
- name: Upload distributions
uses: actions/upload-artifact@v4
id: upload-artifact
with:
name: desktopapp-${{ matrix.os }}
path: |
*.msix
app/desktop/build/compose/binaries/main-release/deb/*.deb
app/desktop/build/compose/binaries/main-release/pkg/*.pkg
app/desktop/build/distributions/*.tar.gz
- name: Upload MSIX workspace
uses: actions/upload-artifact@v4
if: matrix.os == 'windows-latest'
with:
name: msstore-workspace
path: app/desktop/build/MSStore-msix-workspace/*
build_android_app:
runs-on: ubuntu-latest
name: Build Android App
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: 'oracle'
java-version: ${{env.JAVA_VERSION}}
- name: Decode Keystore
uses: timheuer/base64-to-file@v1
with:
fileName: 'android_keystore.jks'
fileDir: 'keystore'
encodedString: ${{ secrets.KEYSTORE }}
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4
- env:
SIGNING_KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
SIGNING_KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
SIGNING_STORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
run: ./gradlew :app:android:bundleRelease :app:android:assembleRelease
# https://github.com/r0adkll/sign-android-release/issues/84#issuecomment-1889636075
- name: Setup build tool version variable
shell: bash
run: |
BUILD_TOOL_VERSION=$(ls /usr/local/lib/android/sdk/build-tools/ | tail -n 1)
echo "BUILD_TOOL_VERSION=$BUILD_TOOL_VERSION" >> $GITHUB_ENV
echo Last build tool version is: $BUILD_TOOL_VERSION
- uses: r0adkll/sign-android-release@v1
id: sign_bundle
name: Sign AAB
with:
releaseDirectory: app/android/build/outputs/bundle/release/
signingKeyBase64: ${{ secrets.KEYSTORE }}
alias: ${{ secrets.KEY_ALIAS }}
keyStorePassword: ${{ secrets.KEYSTORE_PASSWORD }}
keyPassword: ${{ secrets.KEY_PASSWORD }}
- uses: r0adkll/sign-android-release@v1
id: sign_apk
name: Sign APK
env:
BUILD_TOOLS_VERSION: ${{ env.BUILD_TOOL_VERSION }}
with:
releaseDirectory: app/android/build/outputs/apk/release/
signingKeyBase64: ${{ secrets.KEYSTORE }}
alias: ${{ secrets.KEY_ALIAS }}
keyStorePassword: ${{ secrets.KEYSTORE_PASSWORD }}
keyPassword: ${{ secrets.KEY_PASSWORD }}
- name: Upload APK
uses: actions/upload-artifact@v4
with:
name: android-app
path: app/android/build/outputs/apk/release/*.apk
# https://github.com/r0adkll/upload-google-play/issues/188
- uses: Abushawish/upload-google-play@master
name: Release on Play Store
if: startsWith(github.ref, 'refs/tags/')
with:
serviceAccountJsonPlainText: ${{ secrets.SERVICE_ACCOUNT_JSON }}
packageName: dev.schlaubi.tonbrett.android
status: completed
releaseFiles: app/android/build/outputs/bundle/release/tonbrett-app-release.aab
#mappingFile: app/android/build/outputs/mapping/release/mapping.txt
track: alpha
release_to_msstore:
name: Publish to MSStore
runs-on: windows-latest
needs: [ build_desktop_app ]
if: startsWith(github.ref, 'refs/tags/')
steps:
- uses: actions/download-artifact@v4
name: Download Artifacts from Windows
with:
name: msstore-workspace
- name: Setup MSbuild
uses: microsoft/setup-msbuild@v2
- name: Configure the Microsoft Store CLI
run: |
Install-Module -Name StoreBroker -Force
- name: Build MSIX
run: |
& 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/makeappx.exe' pack /d . /p Tonbrett.msix
- name: Upload to MSStore
env:
CLIENT_ID: ${{ secrets.MS_CLIENT_ID }}
CLIENT_SECRET: ${{ secrets.MS_CLIENT_SECRET }}
run: |
# Login
$user = $Env:CLIENT_ID
$password = ConvertTo-SecureString $Env:CLIENT_SECRET -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential($user, $password)
Set-StoreBrokerAuthentication -TenantId ${{ secrets.MS_TENANT_ID }} -Credential $Cred
$appId = "9P61S67DVWM2"
$global:SBDisableTelemetry = $true
# Create submission package
New-SubmissionPackage -ConfigPath .\submission.json -AppxPath .\Tonbrett.msix -OutPath out -OutName package
# Create new submission
$sub = New-ApplicationSubmission -AppId $appId -Force
# Parse submission meta
$json = (Get-Content out\package.json -Encoding UTF8) | ConvertFrom-Json
# Delete old packages
foreach ($package in $sub.applicationPackages) {
$package.fileStatus = "PendingDelete"
}
# add new packages
$sub.applicationPackages += $json.applicationPackages
# Upload submission meta
Set-ApplicationSubmission -AppId $appId -UpdatedSubmission $sub
# Upload submission package
Set-SubmissionPackage -PackagePath out\package.zip -UploadUrl ($sub.fileUploadUrl)
# Commit changes
Complete-ApplicationSubmission -AppId $appId -SubmissionId ($sub.id)
build_ios_app:
name: Deploy to test flight
runs-on: macos-14
if: startsWith(github.ref, 'refs/tags/')
steps:
- uses: actions/checkout@v4
- uses: maxim-lobanov/setup-xcode@v1
with:
xcode-version: '15.0'
- uses: ruby/setup-ruby@v1
with:
ruby-version: '3.3'
bundler-cache: true
working-directory: 'app/ios'
- run: brew install xcodesorg/made/xcodes
- uses: actions/setup-java@v4
with:
distribution: 'oracle'
java-version: ${{ env.JAVA_VERSION }}
- uses: olegtarasov/get-tag@v2
env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
id: tagName
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4
- run: ./gradlew :app:ios:podInstall :app:ios:linkPodReleaseFrameworkIosArm64
- name: Deploy iOS Beta to TestFlight via Fastlane
uses: maierj/[email protected]
with:
subdirectory: app/ios
lane: closed_beta
env:
APP_STORE_CONNECT_TEAM_ID: '${{ secrets.APP_STORE_CONNECT_TEAM_ID }}'
DEVELOPER_APP_ID: '${{ secrets.DEVELOPER_APP_ID }}'
DEVELOPER_APP_IDENTIFIER: '${{ secrets.DEVELOPER_APP_IDENTIFIER }}'
DEVELOPER_PORTAL_TEAM_ID: '${{ secrets.DEVELOPER_PORTAL_TEAM_ID }}'
FASTLANE_APPLE_ID: '${{ secrets.FASTLANE_APPLE_ID }}'
FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD: '${{ secrets.FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD }}'
MATCH_PASSWORD: '${{ secrets.MATCH_PASSWORD }}'
GIT_AUTHORIZATION: '${{ secrets.GH_CERT_TOKEN }}'
PROVISIONING_PROFILE_SPECIFIER: '${{ secrets.PROVISIONING_PROFILE_SPECIFIER }}'
TEMP_KEYCHAIN_PASSWORD: '${{ secrets.TEMP_KEYCHAIN_PASSWORD }}'
TEMP_KEYCHAIN_USER: '${{ secrets.TEMP_KEYCHAIN_USER }}'
APPLE_KEY_ID: '${{ secrets.APPLE_KEY_ID }}'
APPLE_ISSUER_ID: '${{ secrets.APPLE_ISSUER_ID }}'
APPLE_KEY_CONTENT: '${{ secrets.APPLE_KEY_CONTENT }}'
create_release:
name: Create Release
runs-on: windows-latest # for some weird reason this job does not get picked on ubuntu
needs: [ build_bot_artifacts, build_desktop_app, build_android_app ]
if: startsWith(github.ref, 'refs/tags/')
outputs:
release_id: ${{ steps.release.outputs.id }}
steps:
- uses: actions/download-artifact@v4
name: Download Artifacts from Ubuntu
with:
name: desktopapp-ubuntu-latest
- uses: actions/download-artifact@v4
name: Download Artifacts from MacOS
with:
name: desktopapp-macos-14
- uses: actions/download-artifact@v4
name: Download Bot
with:
name: bot
- uses: actions/download-artifact@v4
name: Download Plugin
with:
name: plugin
- uses: actions/download-artifact@v4
name: Download Android App
with:
name: android-app
- name: Release
uses: softprops/action-gh-release@v2
id: release
with:
files: |
app/desktop/build/compose/binaries/main-release/deb/*.deb
app/desktop/build/compose/binaries/main-release/pkg/*.pkg
app/desktop/build/distributions/*.tar.gz
*.zip
*-signed.apk
sign_windows_binary:
runs-on: windows-latest
needs: [create_release, build_desktop_app]
steps:
- uses: actions/download-artifact@v4
name: Download Artifacts from Windows
with:
name: desktopapp-windows-latest
path: artifact
- name: Upload Artifact
id: upload-unsigned-artifact
uses: actions/upload-artifact@v4
with:
name: windows-unsigned
path: artifact/*.msix
- uses: SignPath/[email protected]
with:
api-token: ${{ secrets.SIGNPATH_KEY }}
organization-id: e6101c42-2f2b-468e-9bf4-225c01ba183f
project-slug: tonbrett
signing-policy-slug: test-signing
artifact-configuration-slug: tonbrett
github-artifact-id: ${{ steps.upload-unsigned-artifact.outputs.artifact_id }}
wait-for-completion-timeout-in-seconds: 36288000 # SignPath needs to manually validate this, so let's give this a week
output-artifact-directory: signed
- name: Edit Release
uses: irongut/[email protected]
with:
id: ${{ needs.create_release.outputs.release_id }}
files: signed/Tonbrett.msix
token: ${{ secrets.GITHUB_TOKEN }}