-
Notifications
You must be signed in to change notification settings - Fork 14
200 lines (192 loc) · 9.1 KB
/
deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
# Expected secrets
# GOOGLE_PLAY_CLOUD_PROJECT - Google Cloud project associated with Google Play
# GOOGLE_PLAY_SERVICE_ACCOUNT - Email address of service account
# GOOGLE_PLAY_SERVICE_ACCOUNT_KEY - Google Play Service Account key to authorize on Google Play
# GOOGLE_PLAY_PUBLISHER_API_KEY - Google Play Publisher API key to authorize the publisher on Google Play API
# GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER - Workload identity provider to generate temporary service account key
# UPLOAD_KEYSTORE_BASE_64 - The upload signing key for the app
# UPLOAD_KEYSTORE_PASSWORD - The password for UPLOAD_KEYSTORE_BASE_64
# UPLOAD_KEY_ALIAS - The key alias inside UPLOAD_KEYSTORE_BASE_64
# UPLOAD_KEY_ALIAS_PASSWORD - The password for the key alias
# FIREBASE_DEBUG_JSON_BASE64 - Optional JSON to enable Firebase (e.g. Crashlytics) for debug builds
# FIREBASE_RELEASE_JSON_BASE64 - Optional JSON to enable Firebase (e.g. Crashlytics) for release builds
# Expected variables
# SUPPORT_EMAIL_ADDRESS - Contact email address for sending requests from the app
name: Deploy
on:
workflow_dispatch:
push:
branches:
- main
paths-ignore:
- '.github/ISSUE_TEMPLATE/*'
- '.github/PULL_REQUEST_TEMPLATE.md'
- 'LICENSE'
- 'README.md'
- 'docs/**'
concurrency: deploy
jobs:
validate_gradle_wrapper:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Checkout
timeout-minutes: 1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
# Gradle Wrapper validation can be flaky
# https://github.com/gradle/wrapper-validation-action/issues/40
- name: Gradle Wrapper Validation
timeout-minutes: 1
uses: gradle/wrapper-validation-action@f9c9c575b8b21b6485636a91ffecd10e558c62f6
check_secrets:
environment: deployment
permissions:
contents: read
runs-on: ubuntu-latest
outputs:
has-secrets: ${{ steps.check_secrets.outputs.defined }}
steps:
- id: check_secrets
env:
GOOGLE_PLAY_CLOUD_PROJECT: ${{ secrets.GOOGLE_PLAY_CLOUD_PROJECT }}
# TODO [#1033]: Use token-based authorization on Google Play for automated deployment
# TODO [#1033]: https://github.com/Electric-Coin-Company/zashi-android/issues/1033
# Note that these properties are not currently used due to #1033
# GOOGLE_PLAY_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }}
# GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER }}
GOOGLE_PLAY_SERVICE_ACCOUNT_KEY: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT_KEY }}
GOOGLE_PLAY_PUBLISHER_API_KEY: ${{ secrets.GOOGLE_PLAY_PUBLISHER_API_KEY }}
if: "${{ env.GOOGLE_PLAY_CLOUD_PROJECT != '' &&
env.GOOGLE_PLAY_SERVICE_ACCOUNT_KEY != '' &&
env.GOOGLE_PLAY_PUBLISHER_API_KEY != ''
}}"
run: echo "defined=true" >> $GITHUB_OUTPUT
build_and_deploy:
if: needs.check_secrets.outputs.has-secrets == 'true'
needs: [validate_gradle_wrapper, check_secrets]
environment: deployment
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
steps:
- name: Checkout
timeout-minutes: 1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
ref: main
fetch-depth: 0 # To fetch all commits
- name: Set up Java
uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018
timeout-minutes: 1
with:
distribution: 'temurin'
java-version: 17
- name: Set up Gradle
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1
timeout-minutes: 10
with:
gradle-home-cache-cleanup: true
- name: Export Google Services JSON
env:
FIREBASE_DEBUG_JSON_BASE64: ${{ secrets.FIREBASE_DEBUG_JSON_BASE64 }}
FIREBASE_RELEASE_JSON_BASE64: ${{ secrets.FIREBASE_RELEASE_JSON_BASE64 }}
if: "${{ env.FIREBASE_DEBUG_JSON_BASE64 != '' && env.FIREBASE_RELEASE_JSON_BASE64 != '' }}"
shell: bash
run: |
mkdir -p app/src/debug/
mkdir -p app/src/release/
echo ${FIREBASE_DEBUG_JSON_BASE64} | base64 --decode > app/src/debug/google-services.json
echo ${FIREBASE_RELEASE_JSON_BASE64} | base64 --decode > app/src/release/google-services.json
- name: Authenticate to Google Cloud for Google Play
# TODO [#1033]: Use token-based authorization on Google Play for automated deployment
# TODO [#1033]: https://github.com/Electric-Coin-Company/zashi-android/issues/1033
# Note that this step is not currently used due to #1033
if: false
id: auth_google_play
uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2
with:
create_credentials_file: true
project_id: ${{ secrets.GOOGLE_PLAY_CLOUD_PROJECT }}
service_account: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }}
workload_identity_provider: ${{ secrets.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER }}
access_token_lifetime: '1500s'
- name: Set Env
shell: bash
run: |
echo "home=${HOME}" >> "$GITHUB_ENV"
- name: Export Signing Key
env:
# The upload key must be exported using `base64 -w 0 <filename.jks>` for use
# as a Github Secrets value; if the key is exported with standard wrapping,
# it will fail to import correctly.
# NOTE: This is the upload signing key, which may be replaced at will, not
# the application signing key which is escrowed by Google and may only be
# replaced once a year (and has a bunch of additional hassles associated with
# replacing it.)
SIGNING_KEYSTORE_BASE_64: ${{ secrets.UPLOAD_KEYSTORE_BASE_64 }}
SIGNING_KEY_PATH: ${{ format('{0}/release.jks', env.home) }}
shell: bash
run: |
echo ${SIGNING_KEYSTORE_BASE_64} | base64 --decode > ${SIGNING_KEY_PATH}
- name: Upload to Play Store
timeout-minutes: 25
env:
ORG_GRADLE_PROJECT_ZCASH_SUPPORT_EMAIL_ADDRESS: ${{ vars.SUPPORT_EMAIL_ADDRESS }}
# TODO [#1033]: Use token-based authorization on Google Play for automated deployment
# TODO [#1033]: https://github.com/Electric-Coin-Company/zashi-android/issues/1033
# Note that these properties are not currently used due to #1033
# ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }}
# ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_SERVICE_KEY_FILE_PATH: ${{ steps.auth_google_play.outputs.credentials_file_path }}
ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_SERVICE_ACCOUNT_KEY: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT_KEY }}
ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_PUBLISHER_API_KEY: ${{ secrets.GOOGLE_PLAY_PUBLISHER_API_KEY }}
ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_DEPLOY_TRACK: internal
ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_DEPLOY_STATUS: completed
ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEYSTORE_PATH: ${{ format('{0}/release.jks', env.home) }}
ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEYSTORE_PASSWORD: ${{ secrets.UPLOAD_KEYSTORE_PASSWORD }}
ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEY_ALIAS: ${{ secrets.UPLOAD_KEY_ALIAS }}
ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEY_ALIAS_PASSWORD: ${{ secrets.UPLOAD_KEY_ALIAS_PASSWORD }}
run: |
./gradlew :app:publishToGooglePlay
- name: Collect Artifacts
timeout-minutes: 1
env:
ARTIFACTS_DIR_PATH: ${{ format('{0}/artifacts', env.home) }}
BINARIES_ZIP_PATH: ${{ format('{0}/artifacts/binaries.zip', env.home) }}
MAPPINGS_ZIP_PATH: ${{ format('{0}/artifacts/mappings.zip', env.home) }}
run: |
mkdir ${ARTIFACTS_DIR_PATH}
zip -r ${BINARIES_ZIP_PATH} . -i app/build/outputs/apk/\*/\*.apk app/build/outputs/apk_from_bundle/\*/\*.apk app/build/outputs/bundle/\*/\*.aab
zip -r ${MAPPINGS_ZIP_PATH} . -i app/build/outputs/mapping/\*/mapping.txt
- name: Upload Artifacts
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
timeout-minutes: 5
with:
name: Binaries
path: ~/artifacts
# Due to how the Gradle publishing plugin works, this scan happens after the upload to Google Play.
# Rather than being preventative, this is primarily an "early warning system" to verify that our
# binaries aren't being misclassified as malware.
antivirus:
needs: [build_and_deploy]
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
timeout-minutes: 1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Download release artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
with:
name: Binaries
- name: Unzip artifacts
timeout-minutes: 1
run: |
unzip binaries.zip
- name: Antivirus
timeout-minutes: 12
with:
path-to-scan: .
uses: ./.github/actions/antivirus