From 191d9c9a108114df8910dad9f67c217af6e862d0 Mon Sep 17 00:00:00 2001 From: Robin Windey Date: Tue, 17 Nov 2020 17:55:12 +0100 Subject: [PATCH 1/2] Update README with nightly and code-signing --- README.md | 82 +++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 73 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 8285d66..2735748 100644 --- a/README.md +++ b/README.md 
@@ -13,7 +13,7 @@ The following workflow can be automated when using this Github Action: ## Prerequisites 1. **Register** you app in the Nextcloud appstore like described [here](https://nextcloudappstore.readthedocs.io/en/latest/developer.html). -2. Paste the content of your app's **private key into a new [Github Secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets)** named `APP_PRIVATE_KEY`. This key is later used for signing the new app version before uploading it to the appstore. +2. Paste the content of your app's **private key (`.key`) into a new [Github Secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets)** named `APP_PRIVATE_KEY`. This key is later used for signing the new app version before uploading it to the appstore. If you want to use [code signing](https://docs.nextcloud.com/server/latest/admin_manual/issues/code_signing.html) you will need the certificate (`.crt`) of your app, too. Store it inside another secret called `APP_CERT`. 3. For **authentication** against the Nextcloud appstore you can use one of the following approaches: 1. **Token** (recommended): create a new [Github Secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) for your Nextcloud appstore account [token](https://nextcloudappstore.readthedocs.io/en/latest/restapi.html#authentication) named `APPSTORE_TOKEN`. The token can be copied by logging into https://apps.nextcloud.com an then visiting *My account -> API-Token*. 
@@ -64,20 +64,84 @@ jobs: appstore_token: ${{ secrets.APPSTORE_TOKEN }} download_url: ${{ steps.attach_to_release.outputs.browser_download_url }} app_private_key: ${{ secrets.APP_PRIVATE_KEY }} - nightly: ${{ github.event.release.prerelease }} + nightly: false + +``` + +### Example including [code signing](https://docs.nextcloud.com/server/latest/admin_manual/issues/code_signing.html) +The following example show how to upload a app which makes use of [code signing](https://docs.nextcloud.com/server/latest/admin_manual/issues/code_signing.html). It assumes the following: +* You have a `Makefile` inside of your app's root folder which makes use of the [`occ integrity:sign-app`](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#integrity-check)-command to sign the code of your app before creating the app's tarball +* The `Makefile` will use the app's private key and certificate from the root of the app folder. Please modify the paths if they do not fit your needs. + +> :warning: Always make sure you never upload your app's private key inside the app's tarball by accident! Unfortunately the [`occ integrity:sign-app`](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#integrity-check)-command currently needs the `.key` and `.crt`-files to be persisted on the local disk for signing. 
+ +```yaml +name: Build and publish app release + +on: + release: + types: [published] + +env: + APP_NAME: workflow_ocr + +jobs: + build_and_publish: + runs-on: ubuntu-latest + steps: + - name: Checkout NC server + uses: actions/checkout@v2 + with: + repository: nextcloud/server + ref: 'master' + - name: Checkout NC submodules + shell: bash + run: | + auth_header="$(git config --local --get http.https://github.com/.extraheader)" + git submodule sync --recursive + git -c "http.extraheader=$auth_header" -c protocol.version=2 submodule update --init --force --recursive --depth=1 + - name: Checkout app + uses: actions/checkout@v2 + with: + path: ${{ env.APP_NAME }} + - name: Run build + run: | + cd ${{ env.APP_NAME }} + echo "${{ secrets.APP_PRIVATE_KEY }}" > ${{ env.APP_NAME }}.key + echo "${{ secrets.APP_CERT }}" > ${{ env.APP_NAME }}.crt + make appstore + rm ${{ env.APP_NAME }}.key + rm ${{ env.APP_NAME }}.crt + - name: Upload app tarball to release + uses: svenstaro/upload-release-action@v2 + id: attach_to_release + with: + repo_token: ${{ secrets.GITHUB_TOKEN }} + file: ${{ env.APP_NAME }}/build/artifacts/appstore/${{ env.APP_NAME }}.tar.gz + asset_name: ${{ env.APP_NAME }}.tar.gz + tag: ${{ github.ref }} + overwrite: true + - name: Upload app to Nextcloud appstore + uses: R0Wi/nextcloud-appstore-push-action@v1 + env: + app_name: ${{ env.APP_NAME }} + appstore_token: ${{ secrets.APPSTORE_TOKEN }} + download_url: ${{ steps.attach_to_release.outputs.browser_download_url }} + app_private_key: ${{ secrets.APP_PRIVATE_KEY }} + nightly: false ``` ### Input variables | Name | Description | Default | Possible values | Required | |-------------------|---------------------------------------------------------------------------------------------|---------|-----------------|----------| -| `app_name` | The id of your Nextcloud app | - | `string` | `true` | -| `appstore_token` | A valid access token to upload a new version of your app into Nextcloud appstore | - | `string` | 
`false`* | -| `appstore_username` | Username for Nextcloud appstore | - | `string` | `false`* | -| `appstore_password` | Password for Nextcloud appstore | - | `string` | `false`* | -| `download_url` | The download url of you app tarball | - | `string` | `true` | -| `app_private_key` | The private key string of you app to sign the new release. Usually stored in Github Secrets | - | `string` | `true` | -| `nightly` | Controls if the app will be published as nightly into the Nextcloud appstore | `false` | `true`, `false` | `false` | +| `app_name` | The id of your Nextcloud app. | - | `string` | `true` | +| `appstore_token` | A valid access token to upload a new version of your app into Nextcloud appstore. | - | `string` | `false`* | +| `appstore_username` | Username for Nextcloud appstore. | - | `string` | `false`* | +| `appstore_password` | Password for Nextcloud appstore. | - | `string` | `false`* | +| `download_url` | The download url of your app's tarball. | - | `string` | `true` | +| `app_private_key` | The private key string of your app to sign the new release tarball (and eventually used for [code signing](https://docs.nextcloud.com/server/latest/admin_manual/issues/code_signing.html)). Usually stored in Github Secrets. | - | `string` | `true` | +| `nightly` | Controls if the app will be published as nightly into the Nextcloud appstore. This should only be set to `true` if you publish app releases via daily builds (e.g. from your `master`-branch). See [#5](https://github.com/R0Wi/nextcloud-appstore-push-action/issues/5) for more details. | `false` | `true`, `false` | `false` | > *Either `appstore_token` or `appstore_username` **and** `appstore_password` must be set. From 54d726d95058b5aaae0553dfd0d0186917e41bca Mon Sep 17 00:00:00 2001 From: Robin Windey Date: Tue, 17 Nov 2020 18:04:24 +0100 Subject: [PATCH 2/2] Add badges --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 2735748..862f971 100644 --- a/README.md 
+++ b/README.md @@ -1,3 +1,7 @@ +![GitHub release (latest by date)](https://img.shields.io/github/v/release/R0Wi/nextcloud-appstore-push-action) +![Run tests](https://github.com/R0Wi/nextcloud-appstore-push-action/workflows/Run%20tests/badge.svg) +[![GitHub license](https://img.shields.io/github/license/R0Wi/nextcloud-appstore-push-action)](https://github.com/R0Wi/nextcloud-appstore-push-action/blob/master/LICENSE) + # Upload a new app version to Nextcloud's appstore This Github Action automatically publishes a new app version in the Nextcloud appstore after you created a new Github release.
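Review bot: The `APP_CERT` secret introduced in Prerequisites step 2 (PATCH 1/2, hunk `@@ -13,7 +13,7 @@`) does not correspond to any input of the action: the Input variables table in the same patch lists no certificate input, and the only place the secret is read is the `Run build` step of the code-signing example. Say so in this step, for instance that `APP_CERT` is consumed by your own build step and is not passed to the action, so readers do not go looking for a matching key under the action's `env:`.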
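Review bot: In the `Run build` step of the code-signing example (PATCH 1/2, hunk `@@ -64,20 +64,84 @@`), the private key is written into the app directory that `make appstore` then packages, which is exactly the accident the warning above the example tells readers to avoid; the two `rm` lines also never run when `make appstore` fails, because the default shell stops at the first failing command. Suggest writing the `.key` and `.crt` files outside the checkout (for example under `$RUNNER_TEMP`) with a restrictive umask and pointing the `Makefile` at that path, and moving the cleanup into a shell `trap` or a later step with `if: always()`. The secrets are also interpolated straight into the script text via `echo "${{ secrets.APP_PRIVATE_KEY }}" > ${{ env.APP_NAME }}.key`; mapping them through the step's `env:` and referencing the shell variables keeps the key material out of the generated script. Minor wording in the added lead-in: "The following example show how to upload a app" should read "shows how to upload an app".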
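Review bot: Of the three badges added at the top of the README (PATCH 2/2, hunk `@@ -1,3 +1,7 @@`), only the license badge is wrapped in a link; the release and `Run tests` badges are bare images. For consistency, wrap those two as well so the release badge leads to the project's releases and the test badge to the workflow runs.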