
It Wallet - [Graphene OS] - Criteri di sicurezza Documenti su IO #2645


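# Canary release pipeline, started by a "/canary" comment on a pull request.
# Flow: static checks -> version bump, tag and GitHub release -> Android and
# iOS builds (both behind the `canary` environment) -> result comment.
#
# `issue_comment` workflows run from the default branch and can read the
# repository secrets, so the comment body and its author are the only
# caller-controlled inputs. The `if` on the first job is the single gate in
# front of every job below (they all chain to it through `needs`).
# Every third-party action is pinned to a full commit SHA; keep it that way.
name: Canary release
on:
  issue_comment:
    types: [created]
jobs:
  run-static-checks:
    # Run only for PR comments that contain the command AND whose author has a
    # trusted association with the repository. Without the association check
    # any account able to comment on a PR could start a release: the tag push
    # and the GitHub release happen before the `canary` environment is reached.
    # NOTE(review): author_association may not report MEMBER for people whose
    # organisation membership is private - confirm that the maintainers who
    # issue /canary match one of these values.
    if: >-
      contains(github.event.comment.html_url, '/pull/') &&
      contains(github.event.comment.body, '/canary') &&
      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
    uses: ./.github/workflows/staticcheck.yaml

  prepare-canary-release:
    needs: run-static-checks
    runs-on: ubuntu-latest
    # Least privilege: this job pushes a tag and creates a release, which need
    # write access to repository contents.
    # NOTE(review): extend only if `yarn release-canary` turns out to call
    # other GitHub APIs with the job token.
    permissions:
      contents: write
    outputs:
      canaryVersion: ${{ steps.github-release-creation.outputs.CANARY_VERSION }}
    steps:
      - id: checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          # Full history: the build code below is the commit count of HEAD.
          fetch-depth: 0
      - id: setup-node
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          node-version-file: '.node-version'
      - id: yarn-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        env:
          cache-name: cache-node-modules
        with:
          # npm cache files are stored in `~/.npm` on Linux/macOS
          # NOTE(review): packages are installed with yarn below - confirm
          # that ~/.npm is the directory worth caching.
          path: ~/.npm
          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
      - id: install-packages
        run: yarn install --frozen-lockfile
      - id: replace-version-with-canary
        # Stamps the canary version and swaps in the canary Matchfile.
        run: |
          UPDATED_BUILD_CODE=$(git rev-list HEAD --count)
          node scripts/canary/replaceCanaryVersion.js "$UPDATED_BUILD_CODE"
          mv ios/fastlane/Matchfile ios/fastlane/Matchfile_prod
          mv ios/fastlane/Matchfile_canary ios/fastlane/Matchfile
      - id: bump-version
        run: |
          git config --local user.email "github-actions[bot]@users.noreply.github.com"
          git config --local user.name "github-actions[bot]"
          git add .
          git commit -m "Replace Matchfile for canary" --no-verify
          yarn release-canary
      - id: push-tags
        # Only the tag is pushed; the release jobs check it out by name.
        run: |
          APP_VERSION=$(node -p -e "require('./package.json').version")
          git push --no-verify origin tag "$APP_VERSION"
      - id: github-release-creation
        run: |
          APP_VERSION=$(node -p -e "require('./package.json').version")
          gh release create "$APP_VERSION" --generate-notes
          echo "CANARY_VERSION=$APP_VERSION" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  release-android:
    needs: prepare-canary-release
    environment: canary
    runs-on: ubuntu-latest
    # `gh release upload` is the only step that uses the job token for writes.
    permissions:
      contents: write
    steps:
      - id: checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          fetch-depth: 0
          # Build exactly the tag created by prepare-canary-release.
          ref: ${{ needs.prepare-canary-release.outputs.canaryVersion }}
          # NOTE(review): checkout keeps the job token in the local git config
          # by default. If the build scripts and fastlane lanes never push,
          # `persist-credentials: false` here (and in release-ios) would keep
          # it out of their reach - confirm before changing.
      - id: setup-node
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          node-version-file: '.node-version'
      - id: yarn-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        env:
          cache-name: cache-node-modules
        with:
          # npm cache files are stored in `~/.npm` on Linux/macOS
          path: ~/.npm
          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
      - id: install-packages
        run: yarn install --frozen-lockfile
      - id: download-locales
        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
        with:
          name: locales
          path: locales/
      - id: download-api-client
        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
        with:
          name: api-client
          path: definitions/
      - id: setup-jdk-17
        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: gradle
      - id: setup-android-sdk
        uses: android-actions/setup-android@00854ea68c109d98c75d956347303bf7c45b0277 # v3.2.1
      - id: setup-ruby
        uses: ruby/setup-ruby@401c19e14f474b54450cd3905bb8b86e2c8509cf # v1.204.0
        with:
          bundler-cache: true
      - id: build-release-android
        # Signing material is exposed to this step only, not to the whole job.
        run: |
          ./scripts/android-release.sh ./android/app
          cd android && bundle exec fastlane alpha_canary
        shell: bash
        env:
          RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
          ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE: ${{ secrets.ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE }}
          ENCODED_IOAPP_JSON_KEY_FILE: ${{ secrets.ENCODED_IOAPP_JSON_KEY_FILE }}
          ENCODED_IO_APP_RELEASE_KEYSTORE: ${{ secrets.ENCODED_IO_APP_RELEASE_KEYSTORE }}
          ENCODED_IO_APP_SENTRY_PROPERTIES: ${{ secrets.ENCODED_IO_APP_SENTRY_PROPERTIES }}
          IO_APP_RELEASE_STORE_FILE: ${{ secrets.IO_APP_RELEASE_STORE_FILE }}
          IO_APP_RELEASE_STORE_PASSWORD: ${{ secrets.IO_APP_RELEASE_STORE_PASSWORD }}
          IO_APP_RELEASE_KEY_ALIAS: ${{ secrets.IO_APP_RELEASE_KEY_ALIAS }}
          IO_APP_RELEASE_KEY_PASSWORD: ${{ secrets.IO_APP_RELEASE_KEY_PASSWORD }}
      - id: download-universal-apk-from-store
        # We don't want to fail whole job if the universal APK is not downloaded from the play store
        continue-on-error: true
        run: |
          ./scripts/android-release.sh ./android/app
          cd android
          VERSION_CODE=$(sed -n 's/.*versionCode \(.*\)/\1/p' "app/build.gradle")
          echo "VERSION_CODE=$VERSION_CODE" >> "$GITHUB_ENV"
          bundle exec fastlane download_canary_apk
        env:
          RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
          ENCODED_IOAPP_JSON_KEY_FILE: ${{ secrets.ENCODED_IOAPP_JSON_KEY_FILE }}
          # Declaring VERSION_CODE here makes it an exported variable, so the
          # value assigned in the script above is inherited by fastlane
          # (presumably read by the download_canary_apk lane). The GITHUB_ENV
          # write only takes effect in later steps.
          VERSION_CODE: ${{ env.VERSION_CODE }}
      - id: upload-universal-apk
        # We don't want to fail whole job if the universal APK upload step fails
        continue-on-error: true
        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.0.3
        with:
          name: io-app-canary-universal.apk
          path: android/io-app-canary-universal.apk
      - id: upload-aab
        # We don't want to fail whole job if the AAB upload step fails
        continue-on-error: true
        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.0.3
        with:
          name: app-canary-release.aab
          path: android/app/build/outputs/bundle/canaryRelease/app-canary-release.aab
      - id: upload-android-assets-release
        continue-on-error: true
        # `path#label` attaches each file to the release under a display label.
        run: |
          APP_VERSION=$(node -p -e "require('./package.json').version")
          gh release upload "$APP_VERSION" \
            "android/app/build/outputs/bundle/canaryRelease/app-canary-release.aab#android-app-canary-release.aab" \
            "android/io-app-canary-universal.apk#io-app-canary-universal.apk"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  release-ios:
    needs: prepare-canary-release
    environment: canary
    runs-on: macos-13-xlarge
    # `gh release upload` is the only step that uses the job token for writes.
    permissions:
      contents: write
    steps:
      - id: set-xcode-version
        run: sudo xcode-select -s '/Applications/Xcode_15.2.app/Contents/Developer'
        shell: bash
      - id: checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          fetch-depth: 0
          # Build exactly the tag created by prepare-canary-release.
          ref: ${{ needs.prepare-canary-release.outputs.canaryVersion }}
      - id: setup-node
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          node-version-file: '.node-version'
      - id: yarn-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        env:
          cache-name: cache-node-modules
        with:
          # npm cache files are stored in `~/.npm` on Linux/macOS
          path: ~/.npm
          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
      - id: install-packages
        run: yarn install --frozen-lockfile
      - id: download-locales
        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
        with:
          name: locales
          path: locales/
      - id: download-api-client
        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
        with:
          name: api-client
          path: definitions/
      - id: setup-ruby
        uses: ruby/setup-ruby@401c19e14f474b54450cd3905bb8b86e2c8509cf # v1.204.0
        with:
          bundler-cache: true
      - id: prepare-ios-build
        run: ./scripts/ios-release-build.sh
        env:
          APP_STORE_API_KEY_ID: ${{ secrets.APP_STORE_API_KEY_ID }}
          APP_STORE_API_PRIVATE_KEY: ${{ secrets.APP_STORE_API_PRIVATE_KEY }}
          ENCODED_IO_APP_SENTRY_PROPERTIES: ${{ secrets.ENCODED_IO_APP_SENTRY_PROPERTIES }}
      - id: add-ssh-deploy-key
        # Installs the deploy key for github.com over SSH. The key reaches the
        # script through an environment variable, never through `${{ }}`
        # interpolation into the script text.
        run: |
          # Create the files owner-only from the start instead of relying on
          # the chmod that follows the write.
          umask 077
          echo -e "Host github.com
            AddKeysToAgent yes
            IdentityFile ~/.ssh/id_ed25519" > ~/.ssh/config
          echo -e "$SSH_DEPLOY_KEY" > ~/.ssh/id_ed25519
          chmod 400 ~/.ssh/id_ed25519
          ssh-add ~/.ssh/id_ed25519
        env:
          SSH_DEPLOY_KEY: ${{ secrets.SSH_CERTS_DEPLOY_KEY }}
      - id: build-upload-app-store
        name: Build & submit to App store
        run: |
          cd ios
          bundle exec fastlane canary_ci_testflight
        env:
          LC_ALL: en_US.UTF-8
          LANG: en_US.UTF-8
          RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
          APP_STORE_API_KEY_ID: ${{ secrets.APP_STORE_API_KEY_ID }}
          APP_STORE_API_PRIVATE_KEY: ${{ secrets.APP_STORE_API_PRIVATE_KEY }}
          APP_STORE_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_API_KEY_ISSUER_ID }}
          ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD: ${{ secrets.ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD }}
          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
      - id: upload-dsym-files
        # Sometimes the build-upload-app-store step fails for timeout,
        # in this case we want to upload the dSYM files anyway
        if: ${{ always() }}
        # We don't want to fail whole job if the dSYM upload step fails
        continue-on-error: true
        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.0.3
        with:
          name: IO.app.dSYM.zip
          path: ios/IO.app.dSYM.zip
      - id: upload-ipa
        # We don't want to fail whole job if the IPA upload step fails
        continue-on-error: true
        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.0.3
        with:
          name: IO.ipa
          path: ios/IO.ipa
      - id: upload-ipa-release
        continue-on-error: true
        run: |
          APP_VERSION=$(node -p -e "require('./package.json').version")
          gh release upload "$APP_VERSION" "ios/IO.ipa#IO-canary-iOS.ipa"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  notify-new-version:
    runs-on: ubuntu-latest
    needs:
      - prepare-canary-release
      - release-android
      - release-ios
    # Read the repository for checkout, write only the result comment on the
    # pull request that carried the /canary command.
    permissions:
      contents: read
      issues: write
      pull-requests: write
    steps:
      - id: checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - id: comment-process-end
        if: github.event.issue.number
        # Event and job-output values are handed over as environment variables
        # and expanded by the shell, so they are never spliced into the script
        # text before it runs.
        run: |
          gh issue comment "$ISSUE_NUMBER" -b "Release correctly created, [$CANARY_VERSION](https://github.com/pagopa/io-app/releases/tag/$CANARY_VERSION)"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          CANARY_VERSION: ${{ needs.prepare-canary-release.outputs.canaryVersion }}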