It Wallet - [Graphene OS] - Criteri di sicurezza Documenti su IO #2690
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Canary release | |
on: | |
issue_comment: | |
types: [created] | |
jobs: | |
run-static-checks: | |
if: contains(github.event.comment.html_url, '/pull/') && contains(github.event.comment.body, '/canary') | |
uses: ./.github/workflows/staticcheck.yaml | |
prepare-canary-release: | |
needs: run-static-checks | |
runs-on: ubuntu-latest | |
outputs: | |
canaryVersion: ${{ steps.github-release-creation.outputs.CANARY_VERSION }} | |
steps: | |
- id: checkout | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2 | |
with: | |
fetch-depth: 0 | |
- id: setup-node | |
uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 | |
with: | |
node-version-file: ".node-version" | |
- id: yarn-cache | |
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 | |
env: | |
cache-name: cache-node-modules | |
with: | |
# npm cache files are stored in `~/.npm` on Linux/macOS | |
path: ~/.npm | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }} | |
- id: install-packages | |
run: yarn install --frozen-lockfile | |
- id: replace-version-with-canary | |
run: | | |
UPDATED_BUILD_CODE=$(git rev-list HEAD --count) | |
node scripts/canary/replaceCanaryVersion.js $UPDATED_BUILD_CODE | |
mv ios/fastlane/Matchfile ios/fastlane/Matchfile_prod | |
mv ios/fastlane/Matchfile_canary ios/fastlane/Matchfile | |
- id: bump-version | |
run: | | |
git config --local user.email "github-actions[bot]@users.noreply.github.com" | |
git config --local user.name "github-actions[bot]" | |
git add .; git commit -m "Replace Matchfile for canary" --no-verify; | |
yarn release-canary | |
- id: push-tags | |
run: | | |
APP_VERSION=$(node -p -e "require('./package.json').version") | |
git push --no-verify origin tag $APP_VERSION | |
- id: github-release-creation | |
run: | | |
APP_VERSION=$(node -p -e "require('./package.json').version") | |
gh release create $APP_VERSION --generate-notes | |
echo "CANARY_VERSION=$APP_VERSION" >> $GITHUB_OUTPUT | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
release-android: | |
needs: prepare-canary-release | |
environment: canary | |
runs-on: ubuntu-latest | |
steps: | |
- id: checkout | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2 | |
with: | |
fetch-depth: 0 | |
ref: ${{ needs.prepare-canary-release.outputs.canaryVersion }} | |
- id: setup-node | |
uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 | |
with: | |
node-version-file: ".node-version" | |
- id: yarn-cache | |
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 | |
env: | |
cache-name: cache-node-modules | |
with: | |
# npm cache files are stored in `~/.npm` on Linux/macOS | |
path: ~/.npm | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }} | |
- id: install-packages | |
run: yarn install --frozen-lockfile | |
- id: download-locales | |
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 | |
with: | |
name: locales | |
path: locales/ | |
- id: download-api-client | |
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 | |
with: | |
name: api-client | |
path: definitions/ | |
- id: setup-jdk-17 | |
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 #v3.11.0 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
cache: gradle | |
- id: setup-android-sdk | |
uses: android-actions/setup-android@00854ea68c109d98c75d956347303bf7c45b0277 #v3.2.1 | |
- id: setup-ruby | |
uses: ruby/setup-ruby@401c19e14f474b54450cd3905bb8b86e2c8509cf #v1.204.0 | |
with: | |
bundler-cache: true | |
- id: build-release-android | |
run: | | |
./scripts/android-release.sh ./android/app | |
cd android && bundle exec fastlane alpha_canary | |
shell: bash | |
env: | |
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released | |
ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE: ${{secrets.ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE}} | |
ENCODED_IOAPP_JSON_KEY_FILE: ${{secrets.ENCODED_IOAPP_JSON_KEY_FILE}} | |
ENCODED_IO_APP_RELEASE_KEYSTORE: ${{secrets.ENCODED_IO_APP_RELEASE_KEYSTORE}} | |
ENCODED_IO_APP_SENTRY_PROPERTIES: ${{secrets.ENCODED_IO_APP_SENTRY_PROPERTIES}} | |
IO_APP_RELEASE_STORE_FILE : ${{secrets.IO_APP_RELEASE_STORE_FILE}} | |
IO_APP_RELEASE_STORE_PASSWORD: ${{secrets.IO_APP_RELEASE_STORE_PASSWORD}} | |
IO_APP_RELEASE_KEY_ALIAS: ${{secrets.IO_APP_RELEASE_KEY_ALIAS}} | |
IO_APP_RELEASE_KEY_PASSWORD: ${{secrets.IO_APP_RELEASE_KEY_PASSWORD}} | |
- id: download-universal-apk-from-store | |
# We don't want to fail whole job if the universal APK is not downloaded from the play store | |
continue-on-error: true | |
run: | | |
./scripts/android-release.sh ./android/app | |
cd android | |
VERSION_CODE=$(sed -n 's/.*versionCode \(.*\)/\1/p' "app/build.gradle") | |
echo "VERSION_CODE=$VERSION_CODE" >> $GITHUB_ENV | |
bundle exec fastlane download_canary_apk | |
env: | |
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released | |
ENCODED_IOAPP_JSON_KEY_FILE: ${{ secrets.ENCODED_IOAPP_JSON_KEY_FILE }} | |
VERSION_CODE: ${{ env.VERSION_CODE }} | |
- id: upload-universal-apk | |
# We don't want to fail whole job if the universal APK upload step fails | |
continue-on-error: true | |
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 | |
with: | |
name: io-app-canary-universal.apk | |
path: android/io-app-canary-universal.apk | |
- id: upload-aab | |
# We don't want to fail whole job if the AAB upload step fails | |
continue-on-error: true | |
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 | |
with: | |
name: app-canary-release.aab | |
path: android/app/build/outputs/bundle/canaryRelease/app-canary-release.aab | |
- id: upload-android-assets-release | |
continue-on-error: true | |
run: | | |
APP_VERSION=$(node -p -e "require('./package.json').version") | |
gh release upload $APP_VERSION android/app/build/outputs/bundle/canaryRelease/app-canary-release.aab#android-app-canary-release.aab android/io-app-canary-universal.apk#io-app-canary-universal.apk | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
release-ios: | |
needs: prepare-canary-release | |
environment: canary | |
runs-on: macos-13-xlarge | |
steps: | |
- id: set-xcode-version | |
run: sudo xcode-select -s '/Applications/Xcode_15.2.app/Contents/Developer' | |
shell: bash | |
- id: checkout | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2 | |
with: | |
fetch-depth: 0 | |
ref: ${{ needs.prepare-canary-release.outputs.canaryVersion }} | |
- id: setup-node | |
uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 | |
with: | |
node-version-file: ".node-version" | |
- id: yarn-cache | |
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 | |
env: | |
cache-name: cache-node-modules | |
with: | |
# npm cache files are stored in `~/.npm` on Linux/macOS | |
path: ~/.npm | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }} | |
- id: install-packages | |
run: yarn install --frozen-lockfile | |
- id: download-locales | |
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 | |
with: | |
name: locales | |
path: locales/ | |
- id: download-api-client | |
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 | |
with: | |
name: api-client | |
path: definitions/ | |
- id: setup-ruby | |
uses: ruby/setup-ruby@401c19e14f474b54450cd3905bb8b86e2c8509cf #v1.204.0 | |
with: | |
bundler-cache: true | |
- id: prepare-ios-build | |
run: ./scripts/ios-release-build.sh | |
env: | |
APP_STORE_API_KEY_ID: ${{secrets.APP_STORE_API_KEY_ID}} | |
APP_STORE_API_PRIVATE_KEY: ${{secrets.APP_STORE_API_PRIVATE_KEY}} | |
ENCODED_IO_APP_SENTRY_PROPERTIES: ${{secrets.ENCODED_IO_APP_SENTRY_PROPERTIES}} | |
- id: add-ssh-deploy-key | |
run: | | |
echo -e "Host github.com | |
AddKeysToAgent yes | |
IdentityFile ~/.ssh/id_ed25519" > ~/.ssh/config | |
echo -e "$SSH_DEPLOY_KEY" > ~/.ssh/id_ed25519 | |
chmod 400 ~/.ssh/id_ed25519 | |
ssh-add ~/.ssh/id_ed25519 | |
env: | |
SSH_DEPLOY_KEY: ${{secrets.SSH_CERTS_DEPLOY_KEY}} | |
- id: build-upload-app-store | |
name: Build & submit to App store | |
run: | | |
cd ios | |
bundle exec fastlane canary_ci_testflight | |
env: | |
LC_ALL: en_US.UTF-8 | |
LANG: en_US.UTF-8 | |
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released | |
APP_STORE_API_KEY_ID: ${{secrets.APP_STORE_API_KEY_ID}} | |
APP_STORE_API_PRIVATE_KEY: ${{secrets.APP_STORE_API_PRIVATE_KEY}} | |
APP_STORE_API_KEY_ISSUER_ID: ${{secrets.APP_STORE_API_KEY_ISSUER_ID}} | |
ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD: ${{secrets.ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD}} | |
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }} | |
- id: upload-dsym-files | |
# Sometimes the build-upload-app-store step fails for timeout, | |
# in this case we want to upload the dSYM files anyway | |
if: ${{ always() }} | |
# We don't want to fail whole job if the dSYM upload step fails | |
continue-on-error: true | |
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.0.3 | |
with: | |
name: IO.app.dSYM.zip | |
path: ios/IO.app.dSYM.zip | |
- id: upload-ipa | |
# We don't want to fail whole job if the IPA upload step fails | |
continue-on-error: true | |
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 | |
with: | |
name: IO.ipa | |
path: ios/IO.ipa | |
- id: upload-ipa-release | |
continue-on-error: true | |
run: | | |
APP_VERSION=$(node -p -e "require('./package.json').version") | |
gh release upload $APP_VERSION ios/IO.ipa#IO-canary-iOS.ipa | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
notify-new-version: | |
runs-on: ubuntu-latest | |
needs: | |
- prepare-canary-release | |
- release-android | |
- release-ios | |
steps: | |
- id: checkout | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2 | |
- id: comment-process-end | |
if: github.event.issue.number | |
run: | | |
gh issue comment ${{ github.event.issue.number }} -b "Release correctly created, [${{ needs.prepare-canary-release.outputs.canaryVersion }}](https://github.com/pagopa/io-app/releases/tag/${{ needs.prepare-canary-release.outputs.canaryVersion }})" | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |