Bump gradle/gradle-build-action from 2.8.0 to 2.8.1 (#971) #292
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Expected secrets | |
| # GOOGLE_PLAY_CLOUD_PROJECT - Google Cloud project associated with Google Play | |
| # GOOGLE_PLAY_SERVICE_ACCOUNT - Email address of service account | |
| # GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER - Workload identity provider to generate temporary service account key | |
| # UPLOAD_KEYSTORE_BASE_64 - The upload signing key for the app | |
| # UPLOAD_KEYSTORE_PASSWORD - The password for UPLOAD_KEYSTORE_BASE_64 | |
| # UPLOAD_KEY_ALIAS - The key alias inside UPLOAD_KEYSTORE_BASE_64 | |
| # UPLOAD_KEY_ALIAS_PASSWORD - The password for the key alias | |
| # FIREBASE_DEBUG_JSON_BASE64 - Optional JSON to enable Firebase (e.g. Crashlytics) for debug builds | |
| # FIREBASE_RELEASE_JSON_BASE64 - Optional JSON to enable Firebase (e.g. Crashlytics) for release builds | |
| # Expected variables | |
| # SUPPORT_EMAIL_ADDRESS - Contact email address for sending requests from the app | |
| name: Deploy | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - '.github/ISSUE_TEMPLATE/*' | |
| - '.github/PULL_REQUEST_TEMPLATE.md' | |
| - 'LICENSE' | |
| - 'README.md' | |
| - 'docs/**' | |
| concurrency: deploy | |
| jobs: | |
| validate_gradle_wrapper: | |
| permissions: | |
| contents: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| timeout-minutes: 1 | |
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 | |
| # Gradle Wrapper validation can be flaky | |
| # https://github.com/gradle/wrapper-validation-action/issues/40 | |
| - name: Gradle Wrapper Validation | |
| timeout-minutes: 1 | |
| uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 | |
| check_secrets: | |
| environment: deployment | |
| permissions: | |
| contents: read | |
| runs-on: ubuntu-latest | |
| outputs: | |
| has-secrets: ${{ steps.check_secrets.outputs.defined }} | |
| steps: | |
| - id: check_secrets | |
| env: | |
| GOOGLE_PLAY_CLOUD_PROJECT: ${{ secrets.GOOGLE_PLAY_CLOUD_PROJECT }} | |
| GOOGLE_PLAY_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }} | |
| GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER }} | |
| if: "${{ env.GOOGLE_PLAY_CLOUD_PROJECT != '' && env.GOOGLE_PLAY_SERVICE_ACCOUNT != '' && env.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER != '' }}" | |
| run: echo "defined=true" >> $GITHUB_OUTPUT | |
| build_and_deploy: | |
| if: needs.check_secrets.outputs.has-secrets == 'true' | |
| needs: [validate_gradle_wrapper, check_secrets] | |
| environment: deployment | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| timeout-minutes: 1 | |
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 | |
| - name: Set up Java | |
| uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 | |
| timeout-minutes: 1 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 17 | |
| - name: Set up Gradle | |
| uses: gradle/gradle-build-action@b5126f31dbc19dd434c3269bf8c28c315e121da2 | |
| timeout-minutes: 10 | |
| with: | |
| gradle-home-cache-cleanup: true | |
| - name: Export Google Services JSON | |
| env: | |
| FIREBASE_DEBUG_JSON_BASE64: ${{ secrets.FIREBASE_DEBUG_JSON_BASE64 }} | |
| FIREBASE_RELEASE_JSON_BASE64: ${{ secrets.FIREBASE_RELEASE_JSON_BASE64 }} | |
| if: "${{ env.FIREBASE_DEBUG_JSON_BASE64 != '' && env.FIREBASE_RELEASE_JSON_BASE64 != '' }}" | |
| shell: bash | |
| run: | | |
| mkdir -p app/src/debug/ | |
| mkdir -p app/src/release/ | |
| echo ${FIREBASE_DEBUG_JSON_BASE64} | base64 --decode > app/src/debug/google-services.json | |
| echo ${FIREBASE_RELEASE_JSON_BASE64} | base64 --decode > app/src/release/google-services.json | |
| - name: Authenticate to Google Cloud for Google Play | |
| id: auth_google_play | |
| uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 | |
| with: | |
| create_credentials_file: true | |
| project_id: ${{ secrets.GOOGLE_PLAY_CLOUD_PROJECT }} | |
| service_account: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }} | |
| workload_identity_provider: ${{ secrets.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER }} | |
| access_token_lifetime: '1500s' | |
| - name: Set Env | |
| shell: bash | |
| run: | | |
| echo "home=${HOME}" >> "$GITHUB_ENV" | |
| - name: Export Signing Key | |
| env: | |
| SIGNING_KEYSTORE_BASE_64: ${{ secrets.UPLOAD_KEYSTORE_BASE_64 }} | |
| SIGNING_KEY_PATH: ${{ format('{0}/release.jks', env.home) }} | |
| shell: bash | |
| run: | | |
| echo ${SIGNING_KEYSTORE_BASE_64} | base64 --decode > ${SIGNING_KEY_PATH} | |
| - name: Upload to Play Store | |
| timeout-minutes: 25 | |
| env: | |
| ORG_GRADLE_PROJECT_ZCASH_SUPPORT_EMAIL_ADDRESS: ${{ vars.SUPPORT_EMAIL_ADDRESS }} | |
| ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_SERVICE_KEY_FILE_PATH: ${{ steps.auth_google_play.outputs.credentials_file_path }} | |
| ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEYSTORE_PATH: ${{ format('{0}/release.jks', env.home) }} | |
| ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEYSTORE_PASSWORD: ${{ secrets.UPLOAD_KEYSTORE_PASSWORD }} | |
| ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEY_ALIAS: ${{ secrets.UPLOAD_KEY_ALIAS }} | |
| ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEY_ALIAS_PASSWORD: ${{ secrets.UPLOAD_KEY_ALIAS_PASSWORD }} | |
| ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_DEPLOY_MODE: deploy | |
| run: | | |
| ./gradlew :app:assembleDebug :app:publishBundle :app:packageZcashmainnetReleaseUniversalApk | |
| - name: Collect Artifacts | |
| timeout-minutes: 1 | |
| env: | |
| ARTIFACTS_DIR_PATH: ${{ format('{0}/artifacts', env.home) }} | |
| BINARIES_ZIP_PATH: ${{ format('{0}/artifacts/binaries.zip', env.home) }} | |
| MAPPINGS_ZIP_PATH: ${{ format('{0}/artifacts/mappings.zip', env.home) }} | |
| run: | | |
| mkdir ${ARTIFACTS_DIR_PATH} | |
| zip -r ${BINARIES_ZIP_PATH} . -i app/build/outputs/apk/\*/\*.apk app/build/outputs/universal_apk/\*/\*.apk app/build/outputs/bundle/\*/\*.aab | |
| zip -r ${MAPPINGS_ZIP_PATH} . -i app/build/outputs/mapping/\*/mapping.txt | |
| - name: Upload Artifacts | |
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 | |
| timeout-minutes: 1 | |
| with: | |
| name: Binaries | |
| path: ~/artifacts | |
| # Due to how the Gradle publishing plugin works, this scan happens after the upload to Google Play. | |
| # Rather than being preventative, this is primarily an "early warning system" to verify that our | |
| # binaries aren't being misclassified as malware. | |
| antivirus: | |
| needs: [build_and_deploy] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| timeout-minutes: 1 | |
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 | |
| - name: Download release artifact | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
| with: | |
| name: Binaries | |
| - name: Unzip artifacts | |
| timeout-minutes: 1 | |
| run: | | |
| unzip binaries.zip | |
| - name: Antivirus | |
| timeout-minutes: 12 | |
| with: | |
| path-to-scan: . | |
| uses: ./.github/actions/antivirus |