
only change using op secrets for i4j build section #9773


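# GitHub Actions workflow for the Orature desktop installers.
#
# Job order: set-env-vars -> build -> sign-windows -> upload.
#   set-env-vars  derives the version, update path and S3 destination once
#                 and publishes them as job outputs.
#   build         loads build secrets from 1Password and runs the install4j
#                 build inside a Docker image.
#   sign-windows  signs the produced .exe files with Azure Trusted Signing.
#   upload        syncs the signed binaries to S3 and, on v* tags, attaches
#                 them to a GitHub release.
#
# NOTE(review): no top-level `permissions:` block is declared, so GITHUB_TOKEN
# carries the repository default. The release step needs `contents: write`;
# declaring the minimum explicitly is the least-privilege fix — confirm no
# other step needs more before adding it.
# NOTE(review): third-party actions are referenced by mutable tags; pinning
# each to a full commit SHA protects the build from a moved or hijacked tag.
# NOTE(review): several action references in this copy read
# `[email protected]`, which looks like a scraping artefact rather than a real
# `owner/action@version` pin; restore the originals before use.
# NOTE(review): GitHub has retired the ubuntu-20.04 hosted runner image;
# confirm a supported image for the three Ubuntu jobs.
name: Java CI with Gradle
on: [push, pull_request]  # yamllint disable-line rule:truthy
jobs:
  set-env-vars:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v4
      # Presumably provides the CI_REF_NAME / CI_REF_NAME_SLUG /
      # CI_REPOSITORY_* variables read by the steps below — TODO confirm once
      # the garbled action reference is restored.
      - uses: FranzDiebold/[email protected]
      - name: Parse SemVer if tagged build
        id: semver_parser
        uses: booxmedialtd/[email protected]
        with:
          input_string: ${{ env.CI_REF_NAME }}
          version_extractor_regex: "v(.*)$"
        if: contains( github.ref, 'refs/tags/v' )
      # Tagged builds: version comes from the tag, updates go to "release".
      - name: set version var for tags and update path for releases
        id: tagged
        run: |
          echo "GHA_VERSION=${{ steps.semver_parser.outputs.fullversion }}+$GITHUB_RUN_NUMBER" >> $GITHUB_ENV && \
          echo "UPDATE_PATH=release" >> $GITHUB_ENV && \
          echo "PRERELEASE_BOOL=false" >> $GITHUB_ENV
        if: contains( github.ref, 'refs/tags/v' )
      # Tagged pre-releases override the update path with the pre-release label.
      # The condition is the (string) pre-release label itself: empty when the
      # tag has none or when the parser step was skipped.
      - name: If this is a tagged pre-release build set pre-release label and update path
        id: prerelease
        run: |
          echo "PRERELEASE_BOOL=true" >> $GITHUB_ENV && \
          echo "UPDATE_PATH=pre-release-updates/${{ steps.semver_parser.outputs.prerelease }}" >> $GITHUB_ENV
        if: ${{ steps.semver_parser.outputs.prerelease }}
      # Untagged builds: version comes from the VERSION file, updates go to a
      # per-branch directory.
      - name: set version var for not-tags and upload dir for branches
        run: |
          echo "GHA_VERSION=$(cat VERSION)+$GITHUB_RUN_NUMBER" >> $GITHUB_ENV && \
          echo "UPDATE_PATH=$CI_REF_NAME_SLUG" >> $GITHUB_ENV
        if: ${{ steps.tagged.outcome == 'skipped' }}
      - name: set s3 destination_dir
        run: echo "S3_DESTINATION=$CI_REPOSITORY_OWNER/$CI_REPOSITORY_NAME/$UPDATE_PATH" >> $GITHUB_ENV
      # Re-emit the job env as step outputs so they can be exposed as job outputs.
      - name: output env vars
        id: output_env_vars_step
        run: |
          echo "GHA_VERSION=$GHA_VERSION" >> $GITHUB_OUTPUT
          echo "UPDATE_PATH=$UPDATE_PATH" >> $GITHUB_OUTPUT
          echo "PRERELEASE_BOOL=$PRERELEASE_BOOL" >> $GITHUB_OUTPUT
          echo "S3_DESTINATION=$S3_DESTINATION" >> $GITHUB_OUTPUT
    outputs:
      GHA_VERSION: ${{ steps.output_env_vars_step.outputs.GHA_VERSION }}
      UPDATE_PATH: ${{ steps.output_env_vars_step.outputs.UPDATE_PATH }}
      PRERELEASE_BOOL: ${{ steps.output_env_vars_step.outputs.PRERELEASE_BOOL }}
      S3_DESTINATION: ${{ steps.output_env_vars_step.outputs.S3_DESTINATION }}

  build:
    runs-on: ubuntu-20.04
    needs: set-env-vars
    steps:
      - uses: actions/checkout@v4
      # Presumably produces the files the install4j container mounts from
      # $HOME below (signing_macos.p12, mac_app_notary_key.p8); the script
      # itself is outside this file — TODO confirm.
      - name: Decrypt secret file
        shell: bash
        run: ./.github/scripts/decrypt_secret.sh
        env:
          LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
      # Loads build secrets from 1Password. `export-env: true` places every
      # value below in the job environment, where all later steps in this job
      # (including third-party actions) can read it — keep the list minimal.
      # NOTE(review): MAC_SIGNING_KEY_BASE64 and MAC_APP_STORE_NOTARY_API_KEY
      # are loaded but nothing in this workflow references them; either pass
      # them into the build or drop them to reduce secret exposure.
      - name: Set Build Secrets
        uses: 1password/load-secrets-action@v2
        with:
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          MAC_SIGNING_KEY_BASE64: "op://DevOps/Orature_CI_CD/Mac-Cert-and-Signing-Key/B64_CERT_AND_SIGNING"
          MAC_APP_STORE_NOTARY_API_KEY: "op://DevOps/Orature_CI_CD/App-Store-Connect-API-Key/app-store-connect-private-key.p8"
          INSTALL4J_LICENSE_11: "op://DevOps/Orature_CI_CD/INSTALL4J_LICENSE"
          MAC_KEYSTORE_PW: "op://DevOps/Orature_CI_CD/MAC-P12-SIGNING-PASSWORD"
          ORG_GRADLE_PROJECT_githubOauthToken: "op://DevOps/Orature_CI_CD/CRASH_REPORTS_OAUTH_TOKEN"
          ORG_GRADLE_PROJECT_sentryDsn: "op://DevOps/Orature_CI_CD/SENTRY_TOKEN"
          SONAR_TOKEN: "op://DevOps/Orature_CI_CD/SONAR_TOKEN"
          MAC_NOTARY_ISSUER: "op://DevOps/Orature_CI_CD/MAC_NOTARY_ISSUER"
          MAC_NOTARY_KEY_ID: "op://DevOps/Orature_CI_CD/MAC_NOTARY_KEY_ID"
      # Runs the Gradle/install4j build in the pinned Docker image. Each bare
      # `-e NAME` forwards that variable from the step environment (set in
      # `env:` below) into the container; only the names listed here cross
      # the container boundary.
      - name: install4j build
        shell: bash
        run: |
          docker run -v $(pwd):/repo \
            -v $HOME/signing_macos.p12:/root/signing_macos.p12 \
            -v $HOME/mac_app_notary_key.p8:/root/mac_app_notary_key.p8 \
            -e UPDATE_PATH \
            -e ORG_GRADLE_PROJECT_gradlewCommandVersionProp \
            -e ORG_GRADLE_PROJECT_gradlewCommandLicenseProp \
            -e ORG_GRADLE_PROJECT_githubRepoUrl \
            -e ORG_GRADLE_PROJECT_gradlewmacKeystorePassword \
            -e ORG_GRADLE_PROJECT_githubOauthToken \
            -e ORG_GRADLE_PROJECT_sentryDsn \
            -e GITHUB_TOKEN \
            -e SONAR_TOKEN \
            -e MAC_NOTARY_ISSUER \
            -e MAC_NOTARY_KEY_ID \
            wycliffeassociates/install4j-docker:11.0 \
            ./gradlew build :jvm:workbookapp:install4jdeploy "-Dorg.gradle.jvmargs=-Xmx4096m -Dnet.bytebuddy.experimental=true -XX:MaxMetaspaceSize=1024m"
        env:
          UPDATE_PATH: ${{ needs.set-env-vars.outputs.UPDATE_PATH }}
          ORG_GRADLE_PROJECT_gradlewCommandVersionProp: ${{ needs.set-env-vars.outputs.GHA_VERSION }}
          ORG_GRADLE_PROJECT_gradlewCommandLicenseProp: ${{ env.INSTALL4J_LICENSE_11 }}
          ORG_GRADLE_PROJECT_githubRepoUrl: "https://api.github.com/repos/OratureCrashReports/orature-crash-reports/issues"
          ORG_GRADLE_PROJECT_gradlewmacKeystorePassword: ${{ env.MAC_KEYSTORE_PW }}
          ORG_GRADLE_PROJECT_githubOauthToken: ${{ env.ORG_GRADLE_PROJECT_githubOauthToken }}
          ORG_GRADLE_PROJECT_sentryDsn: ${{ env.ORG_GRADLE_PROJECT_sentryDsn }}
          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
          MAC_NOTARY_ISSUER: ${{ env.MAC_NOTARY_ISSUER }}
          MAC_NOTARY_KEY_ID: ${{ env.MAC_NOTARY_KEY_ID }}
          # NOTE(review): forwarded into the container but its consumer is not
          # visible here — confirm it is still needed.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # On failure, keep the workspace for debugging.
      # NOTE(review): this uploads the entire checkout; anything the build
      # wrote under the workspace (including material derived from the
      # secrets above) becomes a downloadable artifact for 7 days — confirm
      # nothing sensitive lands there, or narrow `path` to the build logs.
      - name: Dump container to artifact
        if: ${{ failure() }}
        uses: actions/upload-artifact@v4
        with:
          name: build-container
          # `with:` inputs are not shell-expanded, so `$(pwd)` would be taken
          # literally and nothing would be uploaded; use the workspace expression.
          path: ${{ github.workspace }}
          retention-days: 7
      - name: cache binaries
        uses: actions/upload-artifact@v4
        with:
          name: unsigned-binaries
          include-hidden-files: true
          path: jvm/workbookapp/.exec/

  sign-windows:
    runs-on: windows-latest
    needs: build
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - uses: FranzDiebold/[email protected]
      - name: Setup .NET Core SDK
        uses: actions/setup-dotnet@v2
        with:
          dotnet-version: "6.0.x"
      # `include-hidden-files` is an upload-artifact input, not a
      # download-artifact one; hidden files are restored from the archive as-is.
      - name: download artifacts from previous job
        uses: actions/download-artifact@v4
        with:
          name: unsigned-binaries
          path: ${{ github.workspace }}/binaries
      # Signs only the .exe files; the RFC 3161 timestamp keeps signatures
      # valid after the signing certificate expires.
      - name: Sign files with Azure Code Signing
        uses: azure/[email protected]
        with:
          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
          endpoint: "https://eus.codesigning.azure.net/"
          trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_ACCOUNT_NAME }}
          certificate-profile-name: ${{ secrets.AZURE_CERTIFICATE_PROFILE_NAME }}
          files-folder: ${{ github.workspace }}/binaries
          files-folder-filter: exe
          file-digest: SHA256
          timestamp-rfc3161: "http://timestamp.acs.microsoft.com"
          timestamp-digest: SHA256
      - name: cache binaries
        uses: actions/upload-artifact@v4
        with:
          name: upload-binaries
          include-hidden-files: true
          path: ${{ github.workspace }}/binaries

  upload:
    runs-on: ubuntu-20.04
    needs: [sign-windows, set-env-vars]
    steps:
      - name: download artifacts from previous job
        uses: actions/download-artifact@v4
        with:
          name: upload-binaries
          path: ${{ github.workspace }}/binaries
      # Pull-request runs build and sign but never publish.
      # Credentials and the destination are passed through `env:` instead of
      # being interpolated into the script text, so they are neither part of
      # the command line nor subject to expression injection.
      # NOTE(review): these are long-lived AWS access keys; an OIDC role
      # assumption (aws-actions/configure-aws-credentials) would remove the
      # static secret entirely.
      - name: upload
        if: github.event_name != 'pull_request'
        env:
          AWS_DEFAULT_REGION: us-east-1
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_BUCKET: ${{ secrets.AWS_BUCKET }}
          S3_DESTINATION: ${{ needs.set-env-vars.outputs.S3_DESTINATION }}
        run: aws s3 sync . "s3://${AWS_BUCKET}/${S3_DESTINATION}"
        working-directory: ${{ github.workspace }}/binaries
      # Release assets are attached only for v* tags; `prerelease` follows the
      # tag's pre-release label as computed in set-env-vars.
      - name: upload artifacts to github releases on tags
        uses: "marvinpinto/[email protected]"
        if: contains( github.ref, 'refs/tags/v' )
        with:
          repo_token: "${{ secrets.GITHUB_TOKEN }}"
          prerelease: ${{ needs.set-env-vars.outputs.PRERELEASE_BOOL }}
          files: |
            ${{ github.workspace }}/binaries/*.exe
            ${{ github.workspace }}/binaries/*.deb
            ${{ github.workspace }}/binaries/*.dmg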