Skip to content

Merge pull request #1274 from radixdlt/feature/ABW-3847-integrate-sar… #1315

Merge pull request #1274 from radixdlt/feature/ABW-3847-integrate-sar…

Merge pull request #1274 from radixdlt/feature/ABW-3847-integrate-sar… #1315

name: "App releases"
on:
push:
branches:
- "main"
release:
types:
- "published"
workflow_dispatch:
inputs:
track:
description: "Which track do you want to deploy to"
required: true
type: choice
options:
- 'Firebase Dev'
- 'Firebase Release'
default: 'Firebase Dev'
jobs:
firebase_alpha:
if: >
( github.ref == 'refs/heads/main' && github.event_name == 'push' ) ||
( github.event.inputs.track == 'Firebase Dev' && github.event_name == 'workflow_dispatch' )
name: "Publish to Firebase Dev"
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
pull-requests: read
steps:
- name: Fetch Radixbot push commit token
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'gpc-alpha-1'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token"
parse_json: true
- uses: RDXWorks-actions/checkout@main
with:
token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }}
- name: Dump context
uses: RDXWorks-actions/ghaction-dump-context@master
- name: Download Ruby (action)
uses: RDXWorks-actions/setup-ruby@master
with:
ruby-version: '3.1.2'
bundler-cache: true
- uses: RDXWorks-actions/setup-java@main
with:
distribution: 'zulu' # See 'Supported distributions' for available options
java-version: '17'
- name: Fetch Firebase App ID
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'babylon-wallet-android'
step_name: 'push-app-id'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/firebase/secrets"
parse_json: true
- name: Decode Google Service account credentials
uses: RDXWorks-actions/base64-to-file@main
id: google_application_credentials
with:
fileName: "service_account.json"
encodedString: ${{ env.GH_GOOGLE_SERVICE_ACCOUNT_JSON_FILE_BASE64 }}
- name: Decode Firebase Crashlytics json
uses: RDXWorks-actions/base64-to-file@main
id: crashlytics_credentials
with:
fileName: "google-services.json"
fileDir: "app/"
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}
- name: Fetch GPR credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'firebase-dev'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
parse_json: true
- name: Fetch AppsFlyer credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'unit-flyers'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret"
parse_json: true
- name: Output AppsFlyer secret to file
shell: bash
run: |
mkdir -p config/secrets/
echo "appsFlyerDevKey=${{ env.GH_APPS_FLYER_DEV_KEY }}" > config/secrets/secrets.properties
- name: Distribute Alpha to Firebase
run: |
git config user.name $GIT_USER
git config user.email $GIT_USER
bundle exec fastlane deployFirebaseAlpha
echo "### Distributed to Firebase Dev! :rocket:" >> $GITHUB_STEP_SUMMARY
env:
FIREBASE_APP_ID: ${{ env.GH_FIREBASE_DEV_APP_ID }}
GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.google_application_credentials.outputs.filePath }}
GROUPS: "alpha-devs"
GIT_USER: ${{ env.GH_GPR_USER }}
GPR_USER: ${{ env.GH_GPR_USER }}
GPR_TOKEN: ${{ env.GH_GPR_TOKEN }}
firebase_release:
if: >
( github.event_name == 'release' && github.event.release.prerelease == false ) ||
( github.event.inputs.track == 'Firebase Release' && github.event_name == 'workflow_dispatch' )
name: "Publish to Firebase Release"
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
pull-requests: read
steps:
- name: Fetch Radixbot push commit token
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'gpc-release-1'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token"
parse_json: true
- uses: RDXWorks-actions/checkout@main
with:
token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }}
- name: Dump context
uses: RDXWorks-actions/ghaction-dump-context@master
- name: Download Ruby (action)
uses: RDXWorks-actions/setup-ruby@master
with:
ruby-version: '3.1.2'
bundler-cache: true
- uses: RDXWorks-actions/setup-java@main
with:
distribution: 'zulu' # See 'Supported distributions' for available options
java-version: '17'
- name: Fetch Firebase Release App ID
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'babylon-wallet-android'
step_name: 'fetch-app-id'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/firebase/secrets"
parse_json: true
- name: Decode Google Service account credentials
uses: RDXWorks-actions/base64-to-file@main
id: google_application_credentials
with:
fileName: "service_account.json"
encodedString: ${{ env.GH_GOOGLE_SERVICE_ACCOUNT_JSON_FILE_BASE64 }}
- name: Decode Firebase Crashlytics json
uses: RDXWorks-actions/base64-to-file@main
id: crashlytics_credentials
with:
fileName: "google-services.json"
fileDir: "app/"
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}
- name: Fetch GPR credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'firebase-release'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
parse_json: true
- name: Fetch Keystore credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'babylon-wallet-android'
step_name: 'snyk-keystore'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets"
parse_json: true
- name: Fetch keystore.asc value
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'babylon-wallet-android-sa'
step_name: 'snyk-keystore-asc'
secret_prefix: 'GH_KEYSTORE_ENCRYPTED_BASE64'
secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/keystore-asc"
parse_json: false
- name: Fetch AppsFlyer credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'unit-flyers'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret"
parse_json: true
- name: Output AppsFlyer secret to file
shell: bash
run: |
mkdir -p config/secrets/
echo "appsFlyerDevKey=${{ env.GH_APPS_FLYER_DEV_KEY }}" > config/secrets/secrets.properties
- name: Decode release keystore credentials
shell: bash
run: |
mkdir config/signing/release
echo "${{ env.GH_KEYSTORE_ENCRYPTED_BASE64 }}" > keystore.asc
gpg -d --passphrase "${{ env.GH_KEYSTORE_PASSPHRASE }}" --batch keystore.asc > config/signing/release/keystore.jks
echo "keyAlias=${{ env.GH_KEYSTORE_ALIAS }}" > config/signing/release/keystore.properties
echo "keyPassword=${{ env.GH_KEYSTORE_KEY_PASSWORD }}" >> config/signing/release/keystore.properties
echo "storeFile=../config/signing/release/keystore.jks" >> config/signing/release/keystore.properties
echo "storePassword=${{ env.GH_KEYSTORE_PASSWORD }}" >> config/signing/release/keystore.properties
- name: Distribute Release to Firebase
run: |
git config user.name $GIT_USER
git config user.email $GIT_USER
bundle exec fastlane deployFirebaseRelease
echo "### Distributed to Firebase Release! :rocket:" >> $GITHUB_STEP_SUMMARY
env:
FIREBASE_APP_ID: ${{ env.GH_FIREBASE_RELEASE_APP_ID }}
GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.google_application_credentials.outputs.filePath }}
GROUPS: "alpha-devs"
GIT_USER: ${{ env.GH_GPR_USER }}
GPR_USER: ${{ env.GH_GPR_USER }}
GPR_TOKEN: ${{ env.GH_GPR_TOKEN }}
google_play_alpha_release:
if: ${{ github.event_name == 'release' && github.event.release.prerelease == true }}
name: "Publish Google Play Alpha"
runs-on: ubuntu-latest
environment: pre-release
permissions:
id-token: write
contents: read
pull-requests: read
steps:
- name: Fetch Radixbot push commit token
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'gpc-alpha-1'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token"
parse_json: true
- uses: RDXWorks-actions/checkout@main
with:
token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }}
- name: Fetch GPR credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'gpc-alpha'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
parse_json: true
- name: Fetch Crashlytics info
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'gplay-crash'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics"
parse_json: true
- name: Decode Firebase Crashlytics json
uses: RDXWorks-actions/base64-to-file@main
id: crashlytics_credentials
with:
fileName: "google-services.json"
fileDir: "app/"
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}
- uses: ./.github/actions/google-play-common
with:
gpc_track: "alpha"
secret_arn: "arn:aws:secretsmanager:eu-west-2:{{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets-OEmdRj"
radix_bot_username: ${{ env.GH_GPR_USER }}
gpr_user: ${{ env.GH_GPR_USER }}
gpr_token: ${{ env.GH_GPR_TOKEN }}
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
google_play_production_release:
if: ${{ github.event_name == 'release' && github.event.release.prerelease == false }}
name: "Publish Google Play Production"
runs-on: ubuntu-latest
environment: release
permissions:
id-token: write
contents: read
pull-requests: read
steps:
- name: Fetch Radixbot push commit token
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'gpc-alpha-1'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token"
parse_json: true
- uses: RDXWorks-actions/checkout@main
with:
token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }}
- name: Fetch GPR credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'gpc-alpha'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
parse_json: true
- name: Fetch Crashlytics info
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'gplay-crash'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics"
parse_json: true
- name: Decode Firebase Crashlytics json
uses: RDXWorks-actions/base64-to-file@main
id: crashlytics_credentials
with:
fileName: "google-services.json"
fileDir: "app/"
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}
- uses: ./.github/actions/google-play-common
with:
gpc_track: "production"
secret_arn: "arn:aws:secretsmanager:eu-west-2:{{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets"
radix_bot_username: ${{ env.GH_GPR_USER }}
gpr_user: ${{ env.GH_GPR_USER }}
gpr_token: ${{ env.GH_GPR_TOKEN }}
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
publish_sbom:
runs-on: ubuntu-latest
if: ${{ github.event_name == 'release' }}
permissions:
id-token: write
contents: write
pull-requests: read
name: Publish SBOM
steps:
- uses: RDXWorks-actions/checkout@main
- name: Fetch Snyk credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.COMMON_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'snyk-sbom'
secret_prefix: 'SNYK'
secret_name: "github-actions/common/snyk-credentials"
parse_json: true
- name: Fetch Keystore credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'babylon-wallet-android'
step_name: 'snyk-keystore'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets"
parse_json: true
- name: Fetch Google service account credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'babylon-wallet-android-sa'
step_name: 'snyk-sa'
secret_prefix: 'GH_GOOGLE_SERVICE_ACCOUNT_JSON_FILE'
secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/service-account-json-file"
parse_json: false
- name: Fetch keystore.asc value
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'babylon-wallet-android-sa'
step_name: 'snyk-keystore-asc'
secret_prefix: 'GH_KEYSTORE_ENCRYPTED_BASE64'
secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/keystore-asc"
parse_json: false
- name: Fetch Crashlytics info
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'gplay-crash'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics"
parse_json: true
- name: Decode Firebase Crashlytics json
uses: RDXWorks-actions/base64-to-file@main
id: crashlytics_credentials
with:
fileName: "google-services.json"
fileDir: "app/"
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}
- name: Fetch AppsFlyer credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'unit-flyers'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret"
parse_json: true
- name: Output AppsFlyer secret to file
shell: bash
run: |
mkdir -p config/secrets/
echo "appsFlyerDevKey=${{ env.GH_APPS_FLYER_DEV_KEY }}" > config/secrets/secrets.properties
- name: Decode release keystore credentials
shell: bash
run: |
mkdir config/signing/release
echo "${{ env.GH_KEYSTORE_ENCRYPTED_BASE64 }}" > keystore.asc
gpg -d --passphrase "${{ env.GH_KEYSTORE_PASSPHRASE }}" --batch keystore.asc > config/signing/release/keystore.jks
echo "keyAlias=${{ env.GH_KEYSTORE_ALIAS }}" > config/signing/release/keystore.properties
echo "keyPassword=${{ env.GH_KEYSTORE_KEY_PASSWORD }}" >> config/signing/release/keystore.properties
echo "storeFile=../config/signing/release/keystore.jks" >> config/signing/release/keystore.properties
echo "storePassword=${{ env.GH_KEYSTORE_PASSWORD }}" >> config/signing/release/keystore.properties
- name: Generate SBOM
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
with:
args: --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
command: sbom
env:
SNYK_TOKEN: ${{ env.SNYK_TOKEN }}
RADIX_DEBUG_PREVIEW_KEYSTORE_FILE: config/signing/release/keystore.jks
- name: Upload SBOM
uses: RDXWorks-actions/upload-release-action@master
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: sbom.json
tag: ${{ github.ref }}
overwrite: true