Skip to content

It Wallet - [Graphene OS] - Criteri di sicurezza Documenti su IO #2513

It Wallet - [Graphene OS] - Criteri di sicurezza Documenti su IO

It Wallet - [Graphene OS] - Criteri di sicurezza Documenti su IO #2513

name: Canary release
on:
workflow_dispatch:
issue_comment:
types: [created, edited, deleted]
jobs:
run-static-checks:
if: contains(github.event.comment.html_url, '/pull/') && contains(github.event.comment.body, '/canary')
uses: ./.github/workflows/staticcheck.yaml
prepare-canary-release:
needs: run-static-checks
environment: canary
runs-on: ubuntu-latest
outputs:
currentAppVersion: ${{ steps.store-current-version.outputs.CURRENT_APP_VERSION }}
currentAppBuildCode: ${{ steps.store-current-version.outputs.CURRENT_APP_BUILD_CODE }}
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
with:
fetch-depth: 0
- id: store-current-version
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
echo "CURRENT_APP_VERSION=$APP_VERSION" >> $GITHUB_OUTPUT
BUILD_CODE=$(node ./scripts/canary/readAndroidBuildCode.js)
echo "CURRENT_APP_BUILD_CODE=$BUILD_CODE" >> $GITHUB_OUTPUT
- id: replace-version-with-canary
run: |
node scripts/canary/replaceCanaryVersion.js ${{ vars.CANARY_VERSION }} ${{ vars.CANARY_BUILD_CODE }}
bash ./.github/scripts/package-name-replacer.sh it.pagopa.io.app it.pagopa.io.app.canary android
bash ./.github/scripts/package-name-replacer.sh it.pagopa.app.io it.pagopa.app.io.canary ios
bash ./.github/scripts/package-name-replacer.sh "git\@github.com:pagopa\/IO-App-certs.git" "git\@github.com:pagopa\/IO-App-canary-certs.git" ios
- id: bump-version
run: |
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local user.name "github-actions[bot]"
yarn release-canary
- id: push-tags
run: |
git push --no-verify --follow-tags origin HEAD:${{ github.head_ref }}
- id: github-release-creation
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
gh release create "(Canary) $APP_VERSION" --generate-notes
gh variable set CANARY_VERSION -b "$APP_VERSION" -e canary
BUILD_CODE=$(node ./scripts/canary/readAndroidBuildCode.js)
gh variable set CANARY_BUILD_CODE -b "$BUILD_CODE" -e canary
release-android:
needs: prepare-canary-release
environment: canary
runs-on: ubuntu-latest
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
with:
fetch-depth: 0
ref: ${{ needs.prepare-canary-release.outputs.currentAppVersion }}
- id: setup
uses: ./.github/actions/setup-composite
- id: setup-jdk-17
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 #v3.11.0
with:
java-version: '17'
distribution: 'temurin'
cache: gradle
- id: setup-android-sdk
uses: android-actions/setup-android@00854ea68c109d98c75d956347303bf7c45b0277 #v3.2.1
- id: setup-ruby
uses: ruby/setup-ruby@401c19e14f474b54450cd3905bb8b86e2c8509cf #v1.204.0
with:
bundler-cache: true
- id: build-release-android
run: |
./scripts/android-release.sh ./android/app
cd android && bundle exec fastlane alpha
shell: bash
env:
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE: ${{secrets.ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE}}
ENCODED_IOAPP_JSON_KEY_FILE: ${{secrets.ENCODED_IOAPP_JSON_KEY_FILE}}
ENCODED_IO_APP_RELEASE_KEYSTORE: ${{secrets.ENCODED_IO_APP_RELEASE_KEYSTORE}}
ENCODED_IO_APP_SENTRY_PROPERTIES: ${{secrets.ENCODED_IO_APP_SENTRY_PROPERTIES}}
IO_APP_RELEASE_STORE_FILE : ${{secrets.IO_APP_RELEASE_STORE_FILE}}
IO_APP_RELEASE_STORE_PASSWORD: ${{secrets.IO_APP_RELEASE_STORE_PASSWORD}}
IO_APP_RELEASE_KEY_ALIAS: ${{secrets.IO_APP_RELEASE_KEY_ALIAS}}
IO_APP_RELEASE_KEY_PASSWORD: ${{secrets.IO_APP_RELEASE_KEY_PASSWORD}}
- id: download-universal-apk-from-store
# We don't want to fail whole job if the universal APK is not downloaded from the play store
continue-on-error: true
run: |
./scripts/android-release.sh ./android/app
cd android
VERSION_CODE=$(sed -n 's/.*versionCode \(.*\)/\1/p' "app/build.gradle")
echo "VERSION_CODE=$VERSION_CODE" >> $GITHUB_ENV
bundle exec fastlane download_apk
env:
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
ENCODED_IOAPP_JSON_KEY_FILE: ${{ secrets.ENCODED_IOAPP_JSON_KEY_FILE }}
VERSION_CODE: ${{ env.VERSION_CODE }}
- id: upload-universal-apk
# We don't want to fail whole job if the universal APK upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
with:
name: io-app-universal.apk
path: android/io-app-universal.apk
- id: upload-aab
# We don't want to fail whole job if the AAB upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
with:
name: app-release.aab
path: android/app/build/outputs/bundle/release/app-release.aab
- id: upload-android-assets-release
continue-on-error: true
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
gh release upload "(Canary) $APP_VERSION" android/app/build/outputs/bundle/release/app-release.aab#android-app-release.aab android/io-app-universal.apk#io-app-universal.apk
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-ios:
needs: prepare-canary-release
environment: canary
runs-on: macos-13-xlarge
steps:
- id: set-xcode-version
run: sudo xcode-select -s '/Applications/Xcode_15.2.app/Contents/Developer'
shell: bash
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
with:
fetch-depth: 0
ref: ${{ needs.prepare-canary-release.outputs.currentAppVersion }}
- id: setup
uses: ./.github/actions/setup-composite
- id: setup-ruby
uses: ruby/setup-ruby@401c19e14f474b54450cd3905bb8b86e2c8509cf #v1.204.0
with:
bundler-cache: true
- id: prepare-ios-build
run: ./scripts/ios-release-build.sh
env:
APP_STORE_API_KEY_ID: ${{secrets.APP_STORE_API_KEY_ID}}
APP_STORE_API_PRIVATE_KEY: ${{secrets.APP_STORE_API_PRIVATE_KEY}}
ENCODED_IO_APP_SENTRY_PROPERTIES: ${{secrets.ENCODED_IO_APP_SENTRY_PROPERTIES}}
- id: add-ssh-deploy-key
run: |
echo -e "Host github.com
AddKeysToAgent yes
IdentityFile ~/.ssh/id_ed25519" > ~/.ssh/config
echo -e "$SSH_DEPLOY_KEY" > ~/.ssh/id_ed25519
chmod 400 ~/.ssh/id_ed25519
ssh-add ~/.ssh/id_ed25519
env:
SSH_DEPLOY_KEY: ${{secrets.SSH_CERTS_DEPLOY_KEY}}
- id: build-upload-app-store
name: Build & submit to App store
run: |
cd ios
bundle exec fastlane beta_circleci_testflight
env:
LC_ALL: en_US.UTF-8
LANG: en_US.UTF-8
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
APP_STORE_API_KEY_ID: ${{secrets.APP_STORE_API_KEY_ID}}
APP_STORE_API_PRIVATE_KEY: ${{secrets.APP_STORE_API_PRIVATE_KEY}}
APP_STORE_API_KEY_ISSUER_ID: ${{secrets.APP_STORE_API_KEY_ISSUER_ID}}
ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD: ${{secrets.ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD}}
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
- id: upload-dsym-files
# Sometimes the build-upload-app-store step fails for timeout,
# in this case we want to upload the dSYM files anyway
if: ${{ always() }}
# We don't want to fail whole job if the dSYM upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.0.3
with:
name: IO.app.dSYM.zip
path: ios/IO.app.dSYM.zip
- id: upload-ipa
# We don't want to fail whole job if the IPA upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
with:
name: IO.ipa
path: ios/IO.ipa
- id: upload-ipa-release
continue-on-error: true
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
gh release upload "(Canary) $APP_VERSION" ios/IO.ipa#IO-iOS.ipa
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
notify-new-version:
runs-on: ubuntu-latest
needs:
- prepare-canary-release
- release-android
- release-ios
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
- id: revert-package-and-version
run: |
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local user.name "github-actions[bot]"
node scripts/canary/replaceCanaryVersion.js ${{ needs.prepare-canary-release.outputs.currentAppVersion }} ${{ needs.prepare-canary-release.outputs.currentAppBuildCode }}
bash ./.github/scripts/package-name-restore.sh it.pagopa.io.app.canary it.pagopa.io.app android
bash ./.github/scripts/package-name-restore.sh it.pagopa.app.io.canary it.pagopa.app.io ios
bash ./.github/scripts/package-name-replacer.sh "git\@github.com:pagopa\/IO-App-canary-certs.git" "git\@github.com:pagopa\/IO-App-certs.git" ios
git add .
git commit -m "revert: restoring repository to default package name and version" --no-verify
git push --no-verify origin HEAD:${{ github.head_ref }}
- id: comment-process-end
if: github.event.issue.number
run: |
gh issue comment ${{ github.event.issue.number }} -b "Release correctly created, check it at the [release list](https://github.com/pagopa/io-app/releases)"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}