App releases #1325
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "App releases" | |
on: | |
push: | |
branches: | |
- "main" | |
release: | |
types: | |
- "published" | |
workflow_dispatch: | |
inputs: | |
track: | |
description: "Which track do you want to deploy to" | |
required: true | |
type: choice | |
options: | |
- 'Firebase Dev' | |
- 'Firebase Release' | |
default: 'Firebase Dev' | |
jobs: | |
firebase_alpha: | |
if: > | |
( github.ref == 'refs/heads/main' && github.event_name == 'push' ) || | |
( github.event.inputs.track == 'Firebase Dev' && github.event_name == 'workflow_dispatch' ) | |
name: "Publish to Firebase Dev" | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
steps: | |
- name: Fetch Radixbot push commit token | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'gpc-alpha-1' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token" | |
parse_json: true | |
- uses: RDXWorks-actions/checkout@main | |
with: | |
token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }} | |
- name: Dump context | |
uses: RDXWorks-actions/ghaction-dump-context@master | |
- name: Download Ruby (action) | |
uses: RDXWorks-actions/setup-ruby@master | |
with: | |
ruby-version: '3.1.2' | |
bundler-cache: true | |
- uses: RDXWorks-actions/setup-java@main | |
with: | |
distribution: 'zulu' # See 'Supported distributions' for available options | |
java-version: '17' | |
- name: Fetch Firebase App ID | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'babylon-wallet-android' | |
step_name: 'push-app-id' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/firebase/secrets" | |
parse_json: true | |
- name: Decode Google Service account credentials | |
uses: RDXWorks-actions/base64-to-file@main | |
id: google_application_credentials | |
with: | |
fileName: "service_account.json" | |
encodedString: ${{ env.GH_GOOGLE_SERVICE_ACCOUNT_JSON_FILE_BASE64 }} | |
- name: Decode Firebase Crashlytics json | |
uses: RDXWorks-actions/base64-to-file@main | |
id: crashlytics_credentials | |
with: | |
fileName: "google-services.json" | |
fileDir: "app/" | |
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }} | |
- name: Fetch GPR credentials | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'firebase-dev' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials" | |
parse_json: true | |
- name: Fetch AppsFlyer credentials | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'unit-flyers' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret" | |
parse_json: true | |
- name: Output AppsFlyer secret to file | |
shell: bash | |
run: | | |
mkdir -p config/secrets/ | |
echo "appsFlyerDevKey=${{ env.GH_APPS_FLYER_DEV_KEY }}" > config/secrets/secrets.properties | |
- name: Distribute Alpha to Firebase | |
run: | | |
git config user.name $GIT_USER | |
git config user.email $GIT_USER | |
bundle exec fastlane deployFirebaseAlpha | |
echo "### Distributed to Firebase Dev! :rocket:" >> $GITHUB_STEP_SUMMARY | |
env: | |
FIREBASE_APP_ID: ${{ env.GH_FIREBASE_DEV_APP_ID }} | |
GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.google_application_credentials.outputs.filePath }} | |
GROUPS: "alpha-devs" | |
GIT_USER: ${{ env.GH_GPR_USER }} | |
GPR_USER: ${{ env.GH_GPR_USER }} | |
GPR_TOKEN: ${{ env.GH_GPR_TOKEN }} | |
firebase_release: | |
if: > | |
( github.event_name == 'release' && github.event.release.prerelease == false ) || | |
( github.event.inputs.track == 'Firebase Release' && github.event_name == 'workflow_dispatch' ) | |
name: "Publish to Firebase Release" | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
steps: | |
- name: Fetch Radixbot push commit token | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'gpc-release-1' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token" | |
parse_json: true | |
- uses: RDXWorks-actions/checkout@main | |
with: | |
token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }} | |
- name: Dump context | |
uses: RDXWorks-actions/ghaction-dump-context@master | |
- name: Download Ruby (action) | |
uses: RDXWorks-actions/setup-ruby@master | |
with: | |
ruby-version: '3.1.2' | |
bundler-cache: true | |
- uses: RDXWorks-actions/setup-java@main | |
with: | |
distribution: 'zulu' # See 'Supported distributions' for available options | |
java-version: '17' | |
- name: Fetch Firebase Release App ID | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'babylon-wallet-android' | |
step_name: 'fetch-app-id' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/firebase/secrets" | |
parse_json: true | |
- name: Decode Google Service account credentials | |
uses: RDXWorks-actions/base64-to-file@main | |
id: google_application_credentials | |
with: | |
fileName: "service_account.json" | |
encodedString: ${{ env.GH_GOOGLE_SERVICE_ACCOUNT_JSON_FILE_BASE64 }} | |
- name: Decode Firebase Crashlytics json | |
uses: RDXWorks-actions/base64-to-file@main | |
id: crashlytics_credentials | |
with: | |
fileName: "google-services.json" | |
fileDir: "app/" | |
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }} | |
- name: Fetch GPR credentials | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'firebase-release' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials" | |
parse_json: true | |
- name: Fetch Keystore credentials | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'babylon-wallet-android' | |
step_name: 'snyk-keystore' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets" | |
parse_json: true | |
- name: Fetch keystore.asc value | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'babylon-wallet-android-sa' | |
step_name: 'snyk-keystore-asc' | |
secret_prefix: 'GH_KEYSTORE_ENCRYPTED_BASE64' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/keystore-asc" | |
parse_json: false | |
- name: Fetch AppsFlyer credentials | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'unit-flyers' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret" | |
parse_json: true | |
- name: Output AppsFlyer secret to file | |
shell: bash | |
run: | | |
mkdir -p config/secrets/ | |
echo "appsFlyerDevKey=${{ env.GH_APPS_FLYER_DEV_KEY }}" > config/secrets/secrets.properties | |
- name: Decode release keystore credentials | |
shell: bash | |
run: | | |
mkdir config/signing/release | |
echo "${{ env.GH_KEYSTORE_ENCRYPTED_BASE64 }}" > keystore.asc | |
gpg -d --passphrase "${{ env.GH_KEYSTORE_PASSPHRASE }}" --batch keystore.asc > config/signing/release/keystore.jks | |
echo "keyAlias=${{ env.GH_KEYSTORE_ALIAS }}" > config/signing/release/keystore.properties | |
echo "keyPassword=${{ env.GH_KEYSTORE_KEY_PASSWORD }}" >> config/signing/release/keystore.properties | |
echo "storeFile=../config/signing/release/keystore.jks" >> config/signing/release/keystore.properties | |
echo "storePassword=${{ env.GH_KEYSTORE_PASSWORD }}" >> config/signing/release/keystore.properties | |
- name: Distribute Release to Firebase | |
run: | | |
git config user.name $GIT_USER | |
git config user.email $GIT_USER | |
bundle exec fastlane deployFirebaseRelease | |
echo "### Distributed to Firebase Release! :rocket:" >> $GITHUB_STEP_SUMMARY | |
env: | |
FIREBASE_APP_ID: ${{ env.GH_FIREBASE_RELEASE_APP_ID }} | |
GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.google_application_credentials.outputs.filePath }} | |
GROUPS: "alpha-devs" | |
GIT_USER: ${{ env.GH_GPR_USER }} | |
GPR_USER: ${{ env.GH_GPR_USER }} | |
GPR_TOKEN: ${{ env.GH_GPR_TOKEN }} | |
google_play_alpha_release: | |
if: ${{ github.event_name == 'release' && github.event.release.prerelease == true }} | |
name: "Publish Google Play Alpha" | |
runs-on: ubuntu-latest | |
environment: pre-release | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
steps: | |
- name: Fetch Radixbot push commit token | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'gpc-alpha-1' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token" | |
parse_json: true | |
- uses: RDXWorks-actions/checkout@main | |
with: | |
token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }} | |
- name: Fetch GPR credentials | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'gpc-alpha' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials" | |
parse_json: true | |
- name: Fetch Crashlytics info | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'gplay-crash' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics" | |
parse_json: true | |
- name: Decode Firebase Crashlytics json | |
uses: RDXWorks-actions/base64-to-file@main | |
id: crashlytics_credentials | |
with: | |
fileName: "google-services.json" | |
fileDir: "app/" | |
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }} | |
- uses: ./.github/actions/google-play-common | |
with: | |
gpc_track: "alpha" | |
secret_arn: "arn:aws:secretsmanager:eu-west-2:{{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets-OEmdRj" | |
radix_bot_username: ${{ env.GH_GPR_USER }} | |
gpr_user: ${{ env.GH_GPR_USER }} | |
gpr_token: ${{ env.GH_GPR_TOKEN }} | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
google_play_production_release: | |
if: ${{ github.event_name == 'release' && github.event.release.prerelease == false }} | |
name: "Publish Google Play Production" | |
runs-on: ubuntu-latest | |
environment: release | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
steps: | |
- name: Fetch Radixbot push commit token | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'gpc-alpha-1' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token" | |
parse_json: true | |
- uses: RDXWorks-actions/checkout@main | |
with: | |
token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }} | |
- name: Fetch GPR credentials | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'gpc-alpha' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials" | |
parse_json: true | |
- name: Fetch Crashlytics info | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'gplay-crash' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics" | |
parse_json: true | |
- name: Decode Firebase Crashlytics json | |
uses: RDXWorks-actions/base64-to-file@main | |
id: crashlytics_credentials | |
with: | |
fileName: "google-services.json" | |
fileDir: "app/" | |
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }} | |
- uses: ./.github/actions/google-play-common | |
with: | |
gpc_track: "production" | |
secret_arn: "arn:aws:secretsmanager:eu-west-2:{{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets" | |
radix_bot_username: ${{ env.GH_GPR_USER }} | |
gpr_user: ${{ env.GH_GPR_USER }} | |
gpr_token: ${{ env.GH_GPR_TOKEN }} | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
publish_sbom: | |
runs-on: ubuntu-latest | |
if: ${{ github.event_name == 'release' }} | |
permissions: | |
id-token: write | |
contents: write | |
pull-requests: read | |
name: Publish SBOM | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- name: Fetch Snyk credentials | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.COMMON_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'snyk-sbom' | |
secret_prefix: 'SNYK' | |
secret_name: "github-actions/common/snyk-credentials" | |
parse_json: true | |
- name: Fetch Keystore credentials | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'babylon-wallet-android' | |
step_name: 'snyk-keystore' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets" | |
parse_json: true | |
- name: Fetch Google service account credentials | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'babylon-wallet-android-sa' | |
step_name: 'snyk-sa' | |
secret_prefix: 'GH_GOOGLE_SERVICE_ACCOUNT_JSON_FILE' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/service-account-json-file" | |
parse_json: false | |
- name: Fetch keystore.asc value | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'babylon-wallet-android-sa' | |
step_name: 'snyk-keystore-asc' | |
secret_prefix: 'GH_KEYSTORE_ENCRYPTED_BASE64' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/keystore-asc" | |
parse_json: false | |
- name: Fetch Crashlytics info | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'gplay-crash' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics" | |
parse_json: true | |
- name: Decode Firebase Crashlytics json | |
uses: RDXWorks-actions/base64-to-file@main | |
id: crashlytics_credentials | |
with: | |
fileName: "google-services.json" | |
fileDir: "app/" | |
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }} | |
- name: Fetch AppsFlyer credentials | |
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}' | |
app_name: 'wallet-android' | |
step_name: 'unit-flyers' | |
secret_prefix: 'GH' | |
secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret" | |
parse_json: true | |
- name: Output AppsFlyer secret to file | |
shell: bash | |
run: | | |
mkdir -p config/secrets/ | |
echo "appsFlyerDevKey=${{ env.GH_APPS_FLYER_DEV_KEY }}" > config/secrets/secrets.properties | |
- name: Decode release keystore credentials | |
shell: bash | |
run: | | |
mkdir config/signing/release | |
echo "${{ env.GH_KEYSTORE_ENCRYPTED_BASE64 }}" > keystore.asc | |
gpg -d --passphrase "${{ env.GH_KEYSTORE_PASSPHRASE }}" --batch keystore.asc > config/signing/release/keystore.jks | |
echo "keyAlias=${{ env.GH_KEYSTORE_ALIAS }}" > config/signing/release/keystore.properties | |
echo "keyPassword=${{ env.GH_KEYSTORE_KEY_PASSWORD }}" >> config/signing/release/keystore.properties | |
echo "storeFile=../config/signing/release/keystore.jks" >> config/signing/release/keystore.properties | |
echo "storePassword=${{ env.GH_KEYSTORE_PASSWORD }}" >> config/signing/release/keystore.properties | |
- name: Generate SBOM | |
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master | |
with: | |
args: --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json | |
command: sbom | |
env: | |
SNYK_TOKEN: ${{ env.SNYK_TOKEN }} | |
RADIX_DEBUG_PREVIEW_KEYSTORE_FILE: config/signing/release/keystore.jks | |
- name: Upload SBOM | |
uses: RDXWorks-actions/upload-release-action@master | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: sbom.json | |
tag: ${{ github.ref }} | |
overwrite: true |