-
Notifications
You must be signed in to change notification settings - Fork 7
192 lines (185 loc) · 8.59 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
name: Java CI with Gradle
on: [push, pull_request]
jobs:
set-env-vars:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
- uses: FranzDiebold/[email protected]
- name: Parse SemVer if tagged build
id: semver_parser
uses: booxmedialtd/[email protected]
with:
input_string: ${{ env.CI_REF_NAME }}
version_extractor_regex: "v(.*)$"
if: contains( github.ref, 'refs/tags/v' )
- name: set version var for tags and update path for releases
id: tagged
run: |
echo "GHA_VERSION=${{ steps.semver_parser.outputs.fullversion }}+$GITHUB_RUN_NUMBER" >> $GITHUB_ENV && \
echo "UPDATE_PATH=release" >> $GITHUB_ENV && \
echo "PRERELEASE_BOOL=false" >> $GITHUB_ENV
if: contains( github.ref, 'refs/tags/v' )
- name: If this is a tagged pre-release build set pre-release label and update path
id: prerelease
run: |
echo "PRERELEASE_BOOL=true" >> $GITHUB_ENV && \
echo "UPDATE_PATH=pre-release-updates/${{ steps.semver_parser.outputs.prerelease }}" >> $GITHUB_ENV
if: ${{ steps.semver_parser.outputs.prerelease }}
- name: set version var for not-tags and upload dir for branches
run: |
echo "GHA_VERSION=$(cat VERSION)+$GITHUB_RUN_NUMBER" >> $GITHUB_ENV && \
echo "UPDATE_PATH=$CI_REF_NAME_SLUG" >> $GITHUB_ENV
if: ${{ steps.tagged.outcome == 'skipped' }}
- name: set s3 destination_dir
run: echo "S3_DESTINATION=$CI_REPOSITORY_OWNER/$CI_REPOSITORY_NAME/$UPDATE_PATH" >> $GITHUB_ENV
- name: output env vars
id: output_env_vars_step
run: |
echo "GHA_VERSION=$GHA_VERSION" >> $GITHUB_OUTPUT
echo "UPDATE_PATH=$UPDATE_PATH" >> $GITHUB_OUTPUT
echo "PRERELEASE_BOOL=$PRERELEASE_BOOL" >> $GITHUB_OUTPUT
echo "S3_DESTINATION=$S3_DESTINATION" >> $GITHUB_OUTPUT
outputs:
GHA_VERSION: ${{ steps.output_env_vars_step.outputs.GHA_VERSION }}
UPDATE_PATH: ${{ steps.output_env_vars_step.outputs.UPDATE_PATH }}
PRERELEASE_BOOL: ${{ steps.output_env_vars_step.outputs.PRERELEASE_BOOL }}
S3_DESTINATION: ${{ steps.output_env_vars_step.outputs.S3_DESTINATION }}
build:
runs-on: ubuntu-20.04
needs: set-env-vars
steps:
- uses: actions/checkout@v4
- name: Decrypt secret file
shell: bash
run: ./.github/scripts/decrypt_secret.sh
env:
LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
- uses: actions/checkout@v4
- name: Set Build Secrets
uses: 1password/load-secrets-action@v2
with:
export-env: true
env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
MAC_SIGNING_KEY_BASE64: "op://DevOps/Orature_CI_CD/Mac-Cert-and-Signing-Key/B64_CERT_AND_SIGNING"
MAC_APP_STORE_NOTARY_API_KEY: "op://DevOps/Orature_CI_CD/App-Store-Connect-API-Key/app-store-connect-private-key.p8"
INSTALL4J_LICENSE_11: "op://DevOps/Orature_CI_CD/INSTALL4J_LICENSE"
MAC_KEYSTORE_PW: "op://DevOps/Orature_CI_CD/MAC-P12-SIGNING-PASSWORD"
ORG_GRADLE_PROJECT_githubOauthToken: "op://DevOps/Orature_CI_CD/CRASH_REPORTS_OAUTH_TOKEN"
ORG_GRADLE_PROJECT_sentryDsn: "op://DevOps/Orature_CI_CD/SENTRY_TOKEN"
SONAR_TOKEN: "op://DevOps/Orature_CI_CD/SONAR_TOKEN"
MAC_NOTARY_ISSUER: "op://DevOps/Orature_CI_CD/MAC_NOTARY_ISSUER"
MAC_NOTARY_KEY_ID: "op://DevOps/Orature_CI_CD/MAC_NOTARY_KEY_ID"
- name: Write mac secrets for i4j
shell: bash
run: |
echo -n $MAC_SIGNING_KEY_BASE64 | base64 -d > $HOME/signing_macos.p12 && echo -n $MAC_APP_STORE_NOTARY_API_KEY > $HOME/mac_app_notary_key.p8
- name: install4j build
shell: bash
run: |
docker run -v $(pwd):/repo \
-v $HOME/signing_macos.p12:/root/signing_macos.p12 \
-v $HOME/mac_app_notary_key.p8:/root/mac_app_notary_key.p8 \
-e UPDATE_PATH \
-e ORG_GRADLE_PROJECT_gradlewCommandVersionProp \
-e ORG_GRADLE_PROJECT_gradlewCommandLicenseProp \
-e ORG_GRADLE_PROJECT_githubRepoUrl \
-e ORG_GRADLE_PROJECT_gradlewmacKeystorePassword \
-e ORG_GRADLE_PROJECT_githubOauthToken \
-e ORG_GRADLE_PROJECT_sentryDsn \
-e GITHUB_TOKEN \
-e SONAR_TOKEN \
-e MAC_NOTARY_ISSUER \
-e MAC_NOTARY_KEY_ID \
-e MAC_NOTARY_KEY_ID \
wycliffeassociates/install4j-docker:11.0 \
./gradlew build :jvm:workbookapp:install4jdeploy "-Dorg.gradle.jvmargs=-Xmx4096m -Dnet.bytebuddy.experimental=true -XX:MaxMetaspaceSize=1024m"
env:
UPDATE_PATH: ${{ needs.set-env-vars.outputs.UPDATE_PATH }}
ORG_GRADLE_PROJECT_gradlewCommandVersionProp: ${{ needs.set-env-vars.outputs.GHA_VERSION }}
ORG_GRADLE_PROJECT_gradlewCommandLicenseProp: ${{ secrets.INSTALL4J_LICENSE_11 }}
ORG_GRADLE_PROJECT_githubRepoUrl: https://api.github.com/repos/OratureCrashReports/orature-crash-reports/issues
ORG_GRADLE_PROJECT_gradlewwinKeystorePassword: ${{ secrets.WIN_KEYSTORE_PW }}
ORG_GRADLE_PROJECT_gradlewmacKeystorePassword: ${{ secrets.MAC_KEYSTORE_PW }}
ORG_GRADLE_PROJECT_githubOauthToken: ${{ secrets.GH_API_OAUTH_TOKEN }}
ORG_GRADLE_PROJECT_sentryDsn: ${{ secrets.SENTRY_OTTER_DSN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
MAC_NOTARY_ISSUER: ${{ secrets.MAC_NOTARY_ISSUER }}
MAC_NOTARY_KEY_ID: ${{ secrets.MAC_NOTARY_KEY_ID }}
- name: Dump container to artifact
if: ${{ failure() }}
uses: actions/upload-artifact@v3
with:
name: build-container
path: $(pwd)
retention-days: 7
- name: cache binaries
uses: actions/upload-artifact@v4
with:
name: unsigned-binaries
include-hidden-files: true
path: jvm/workbookapp/.exec/
sign-windows:
runs-on: windows-latest
needs: build
steps:
- name: Checkout
uses: actions/checkout@v3
- uses: FranzDiebold/[email protected]
- name: Setup .NET Core SDK
uses: actions/setup-dotnet@v2
with:
dotnet-version: 6.0.x
- name: download artifacts from previous job
uses: actions/download-artifact@v4
with:
name: unsigned-binaries
include-hidden-files: true
path: ${{ github.workspace }}/binaries
- name: Sign files with Azure Code Signing
uses: azure/[email protected]
with:
azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
endpoint: https://eus.codesigning.azure.net/
trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_ACCOUNT_NAME }}
certificate-profile-name: ${{ secrets.AZURE_CERTIFICATE_PROFILE_NAME }}
files-folder: ${{ github.workspace }}/binaries
files-folder-filter: exe
file-digest: SHA256
timestamp-rfc3161: http://timestamp.acs.microsoft.com
timestamp-digest: SHA256
- name: cache binaries
uses: actions/upload-artifact@v4
with:
name: upload-binaries
include-hidden-files: true
path: ${{ github.workspace }}/binaries
upload:
runs-on: ubuntu-20.04
needs: [sign-windows, set-env-vars]
steps:
- name: download artifacts from previous job
uses: actions/download-artifact@v4
with:
name: upload-binaries
include-hidden-files: true
path: ${{ github.workspace }}/binaries
- name: upload
if: github.event_name != 'pull_request'
run: |
AWS_DEFAULT_REGION=us-east-1 AWS_ACCESS_KEY_ID=${{secrets.AWS_KEY_ID}} AWS_SECRET_ACCESS_KEY=${{secrets.AWS_SECRET_ACCESS_KEY}} aws s3 sync . s3://${{ secrets.AWS_BUCKET }}/${{ needs.set-env-vars.outputs.S3_DESTINATION }}
working-directory: ${{ github.workspace }}/binaries
- name: upload artifacts to github releases on tags
uses: "marvinpinto/[email protected]"
if: contains( github.ref, 'refs/tags/v' )
with:
repo_token: "${{ secrets.GITHUB_TOKEN }}"
prerelease: ${{ needs.set-env-vars.outputs.PRERELEASE_BOOL }}
files: |
${{ github.workspace }}/binaries/*.exe
${{ github.workspace }}/binaries/*.deb
${{ github.workspace }}/binaries/*.dmg