It Wallet - [Graphene OS] - Criteri di sicurezza Documenti su IO #755
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Canary release | |
on: | |
workflow_dispatch: | |
issue_comment: | |
types: [created, edited, deleted] | |
jobs: | |
run-static-checks: | |
if: contains(github.event.comment.html_url, '/pull/') && contains(github.event.comment.body, '/canary') | |
uses: ./.github/workflows/staticcheck.yaml | |
prepare-canary-release: | |
needs: run-static-checks | |
environment: canary | |
runs-on: ubuntu-latest | |
outputs: | |
currentAppVersion: ${{ steps.store-current-version.outputs.CURRENT_APP_VERSION }} | |
currentAppBuildCode: ${{ steps.store-current-version.outputs.CURRENT_APP_BUILD_CODE }} | |
steps: | |
- id: checkout | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2 | |
with: | |
fetch-depth: 0 | |
- id: store-current-version | |
run: | | |
APP_VERSION=$(node -p -e "require('./package.json').version") | |
echo "CURRENT_APP_VERSION=$APP_VERSION" >> $GITHUB_OUTPUT | |
BUILD_CODE=$(node ./scripts/canary/readAndroidBuildCode.js) | |
echo "CURRENT_APP_BUILD_CODE=$BUILD_CODE" >> $GITHUB_OUTPUT | |
- id: replace-version-with-canary | |
run: | | |
node scripts/canary/replaceCanaryVersion.js ${{ vars.CANARY_VERSION }} ${{ vars.CANARY_BUILD_CODE }} | |
bash ./.github/scripts/package-name-replacer.sh it.pagopa.io.app it.pagopa.io.app.canary android | |
bash ./.github/scripts/package-name-replacer.sh it.pagopa.app.io it.pagopa.app.io.canary ios | |
bash ./.github/scripts/package-name-replacer.sh "git\@github.com:pagopa\/IO-App-certs.git" "git\@github.com:pagopa\/IO-App-canary-certs.git" ios | |
- id: bump-version | |
run: | | |
git config --local user.email "github-actions[bot]@users.noreply.github.com" | |
git config --local user.name "github-actions[bot]" | |
yarn release-canary | |
- id: push-tags | |
run: | | |
git push --no-verify --follow-tags origin HEAD:${{ github.head_ref }} | |
- id: github-release-creation | |
run: | | |
APP_VERSION=$(node -p -e "require('./package.json').version") | |
gh release create "(Canary) $APP_VERSION" --generate-notes | |
gh variable set CANARY_VERSION -b "$APP_VERSION" -e canary | |
BUILD_CODE=$(node ./scripts/canary/readAndroidBuildCode.js) | |
gh variable set CANARY_BUILD_CODE -b "$BUILD_CODE" -e canary | |
release-android: | |
needs: prepare-canary-release | |
environment: canary | |
runs-on: ubuntu-latest | |
steps: | |
- id: checkout | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2 | |
with: | |
fetch-depth: 0 | |
ref: ${{ needs.prepare-canary-release.outputs.currentAppVersion }} | |
- id: setup | |
uses: ./.github/actions/setup-composite | |
- id: setup-jdk-17 | |
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 #v3.11.0 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
cache: gradle | |
- id: setup-android-sdk | |
uses: android-actions/setup-android@00854ea68c109d98c75d956347303bf7c45b0277 #v3.2.1 | |
- id: setup-ruby | |
uses: ruby/setup-ruby@d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c #v1.149.0 | |
with: | |
bundler-cache: true | |
- id: build-release-android | |
run: | | |
./scripts/android-release.sh ./android/app | |
cd android && bundle exec fastlane alpha | |
shell: bash | |
env: | |
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released | |
ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE: ${{secrets.ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE}} | |
ENCODED_IOAPP_JSON_KEY_FILE: ${{secrets.ENCODED_IOAPP_JSON_KEY_FILE}} | |
ENCODED_IO_APP_RELEASE_KEYSTORE: ${{secrets.ENCODED_IO_APP_RELEASE_KEYSTORE}} | |
ENCODED_IO_APP_SENTRY_PROPERTIES: ${{secrets.ENCODED_IO_APP_SENTRY_PROPERTIES}} | |
IO_APP_RELEASE_STORE_FILE : ${{secrets.IO_APP_RELEASE_STORE_FILE}} | |
IO_APP_RELEASE_STORE_PASSWORD: ${{secrets.IO_APP_RELEASE_STORE_PASSWORD}} | |
IO_APP_RELEASE_KEY_ALIAS: ${{secrets.IO_APP_RELEASE_KEY_ALIAS}} | |
IO_APP_RELEASE_KEY_PASSWORD: ${{secrets.IO_APP_RELEASE_KEY_PASSWORD}} | |
- id: download-universal-apk-from-store | |
# We don't want to fail whole job if the universal APK is not downloaded from the play store | |
continue-on-error: true | |
run: | | |
./scripts/android-release.sh ./android/app | |
cd android | |
VERSION_CODE=$(sed -n 's/.*versionCode \(.*\)/\1/p' "app/build.gradle") | |
echo "VERSION_CODE=$VERSION_CODE" >> $GITHUB_ENV | |
bundle exec fastlane download_apk | |
env: | |
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released | |
ENCODED_IOAPP_JSON_KEY_FILE: ${{ secrets.ENCODED_IOAPP_JSON_KEY_FILE }} | |
VERSION_CODE: ${{ env.VERSION_CODE }} | |
- id: upload-universal-apk | |
# We don't want to fail whole job if the universal APK upload step fails | |
continue-on-error: true | |
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 | |
with: | |
name: io-app-universal.apk | |
path: android/io-app-universal.apk | |
- id: upload-aab | |
# We don't want to fail whole job if the AAB upload step fails | |
continue-on-error: true | |
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 | |
with: | |
name: app-release.aab | |
path: android/app/build/outputs/bundle/release/app-release.aab | |
- id: upload-android-assets-release | |
continue-on-error: true | |
run: | | |
APP_VERSION=$(node -p -e "require('./package.json').version") | |
gh release upload "(Canary) $APP_VERSION" android/app/build/outputs/bundle/release/app-release.aab#android-app-release.aab android/io-app-universal.apk#io-app-universal.apk | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
release-ios: | |
needs: prepare-canary-release | |
environment: canary | |
runs-on: macos-13-xlarge | |
steps: | |
- id: set-xcode-version | |
run: sudo xcode-select -s '/Applications/Xcode_15.2.app/Contents/Developer' | |
shell: bash | |
- id: checkout | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2 | |
with: | |
fetch-depth: 0 | |
ref: ${{ needs.prepare-canary-release.outputs.currentAppVersion }} | |
- id: setup | |
uses: ./.github/actions/setup-composite | |
- id: setup-ruby | |
uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 #v1.173.0 | |
with: | |
bundler-cache: true | |
- id: prepare-ios-build | |
run: ./scripts/ios-release-build.sh | |
env: | |
APP_STORE_API_KEY_ID: ${{secrets.APP_STORE_API_KEY_ID}} | |
APP_STORE_API_PRIVATE_KEY: ${{secrets.APP_STORE_API_PRIVATE_KEY}} | |
ENCODED_IO_APP_SENTRY_PROPERTIES: ${{secrets.ENCODED_IO_APP_SENTRY_PROPERTIES}} | |
- id: add-ssh-deploy-key | |
run: | | |
echo -e "Host github.com | |
AddKeysToAgent yes | |
IdentityFile ~/.ssh/id_ed25519" > ~/.ssh/config | |
echo -e "$SSH_DEPLOY_KEY" > ~/.ssh/id_ed25519 | |
chmod 400 ~/.ssh/id_ed25519 | |
ssh-add ~/.ssh/id_ed25519 | |
env: | |
SSH_DEPLOY_KEY: ${{secrets.SSH_CERTS_DEPLOY_KEY}} | |
- id: build-upload-app-store | |
name: Build & submit to App store | |
run: | | |
cd ios | |
bundle exec fastlane beta_circleci_testflight | |
env: | |
LC_ALL: en_US.UTF-8 | |
LANG: en_US.UTF-8 | |
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released | |
APP_STORE_API_KEY_ID: ${{secrets.APP_STORE_API_KEY_ID}} | |
APP_STORE_API_PRIVATE_KEY: ${{secrets.APP_STORE_API_PRIVATE_KEY}} | |
APP_STORE_API_KEY_ISSUER_ID: ${{secrets.APP_STORE_API_KEY_ISSUER_ID}} | |
ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD: ${{secrets.ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD}} | |
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }} | |
- id: upload-dsym-files | |
# Sometimes the build-upload-app-store step fails for timeout, | |
# in this case we want to upload the dSYM files anyway | |
if: ${{ always() }} | |
# We don't want to fail whole job if the dSYM upload step fails | |
continue-on-error: true | |
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.0.3 | |
with: | |
name: IO.app.dSYM.zip | |
path: ios/IO.app.dSYM.zip | |
- id: upload-ipa | |
# We don't want to fail whole job if the IPA upload step fails | |
continue-on-error: true | |
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 | |
with: | |
name: IO.ipa | |
path: ios/IO.ipa | |
- id: upload-ipa-release | |
continue-on-error: true | |
run: | | |
APP_VERSION=$(node -p -e "require('./package.json').version") | |
gh release upload "(Canary) $APP_VERSION" ios/IO.ipa#IO-iOS.ipa | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
notify-new-version: | |
runs-on: ubuntu-latest | |
needs: | |
- prepare-canary-release | |
- release-android | |
- release-ios | |
steps: | |
- id: checkout | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2 | |
- id: revert-package-and-version | |
run: | | |
git config --local user.email "github-actions[bot]@users.noreply.github.com" | |
git config --local user.name "github-actions[bot]" | |
node scripts/canary/replaceCanaryVersion.js ${{ needs.prepare-canary-release.outputs.currentAppVersion }} ${{ needs.prepare-canary-release.outputs.currentAppBuildCode }} | |
bash ./.github/scripts/package-name-restore.sh it.pagopa.io.app.canary it.pagopa.io.app android | |
bash ./.github/scripts/package-name-restore.sh it.pagopa.app.io.canary it.pagopa.app.io ios | |
bash ./.github/scripts/package-name-replacer.sh "git\@github.com:pagopa\/IO-App-canary-certs.git" "git\@github.com:pagopa\/IO-App-certs.git" ios | |
git add . | |
git commit -m "revert: restoring repository to default package name and version" --no-verify | |
git push --no-verify origin HEAD:${{ github.head_ref }} | |
- id: comment-process-end | |
if: github.event.issue.number | |
run: | | |
gh issue comment ${{ github.event.issue.number }} -b "Release correctly created, check it at the [release list](https://github.com/pagopa/io-app/releases)" | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |