π Stage #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
| name: π Stage | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| DISPLAY_VERSION: | |
| description: Input display version | |
| required: true | |
| type: string | |
| PRE_RELEASE: | |
| description: This is a pre-release | |
| required: false | |
| type: string | |
| SIGN_RUN_ID: | |
| description: Sign workflow run id to pull artifacts from | |
| required: true | |
| type: string | |
| manual_stage: | |
| description: Force "manual stage" mode (use GitHub App token to download artifacts from a separate run) | |
| required: false | |
| default: 'true' | |
| type: string | |
| workflow_call: | |
| inputs: | |
| DISPLAY_VERSION: | |
| description: Input display version | |
| required: true | |
| type: string | |
| PRE_RELEASE: | |
| description: This is a pre-release | |
| required: false | |
| type: string | |
| SIGN_RUN_ID: | |
| description: Sign workflow run id to pull artifacts from | |
| required: true | |
| type: string | |
| manual_stage: | |
| description: Force "manual stage" mode (use GitHub App token to download artifacts from a separate run) | |
| required: false | |
| default: 'false' | |
| type: string | |
| outputs: | |
| versiondisplay: | |
| description: Output display version | |
| value: '${{ jobs.stage.outputs.versionout }}' | |
| secrets: | |
| AWS_ACCESS_KEY_ID: | |
| required: false | |
| AWS_SECRET_ACCESS_KEY: | |
| required: false | |
| CF_ACCESS_KEY_ID: | |
| required: false | |
| CF_ACCESS_KEY_SECRET: | |
| required: false | |
| CF_ENDPOINT: | |
| required: true | |
| ARTIFACTS_APP_ID: | |
| required: false | |
| ARTIFACTS_APP_PRIVATE_KEY: | |
| required: false | |
| permissions: | |
| contents: read | |
| actions: read | |
| env: | |
| PRE_RELEASE: '${{ inputs.PRE_RELEASE }}' | |
| RCLONE_S3_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID || secrets.CF_ACCESS_KEY_ID }}' | |
| RCLONE_S3_ACL: private | |
| RCLONE_S3_ENDPOINT: '${{ secrets.CF_ENDPOINT }}' | |
| RCLONE_S3_PROVIDER: Cloudflare | |
| RCLONE_S3_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY || secrets.CF_ACCESS_KEY_SECRET }}' | |
| jobs: | |
| stage: | |
| name: π Multi-platform | |
| runs-on: ubuntu-slim | |
| outputs: | |
| versionout: '${{ steps.versionexport.outputs.version }}' | |
| steps: | |
| - name: π£ Output VERSION_DISPLAY | |
| id: versionexport | |
| run: echo "version=$(echo ${{ inputs.DISPLAY_VERSION }})" >> $GITHUB_OUTPUT | |
| - name: π£ Export CHANNEL | |
| run: | | |
| if [[ $PRE_RELEASE == 'true' ]]; then | |
| echo "CHANNEL=beta" >> $GITHUB_ENV | |
| else | |
| echo "CHANNEL=release" >> $GITHUB_ENV | |
| fi | |
| - name: πΏ Setup rclone | |
| run: 'curl https://rclone.org/install.sh | sudo bash' | |
| - name: π Require GitHub App credentials for manual stage | |
| if: ${{ inputs.manual_stage == 'true' }} | |
| env: | |
| ARTIFACTS_APP_ID: ${{ secrets.ARTIFACTS_APP_ID }} | |
| ARTIFACTS_APP_PRIVATE_KEY: ${{ secrets.ARTIFACTS_APP_PRIVATE_KEY }} | |
| run: | | |
| if [[ -z "$ARTIFACTS_APP_ID" || -z "$ARTIFACTS_APP_PRIVATE_KEY" ]]; then | |
| echo "Missing required secrets for manual stage: ARTIFACTS_APP_ID and/or ARTIFACTS_APP_PRIVATE_KEY" >&2 | |
| exit 1 | |
| fi | |
| - name: π Create GitHub App token (manual stage) | |
| if: ${{ inputs.manual_stage == 'true' }} | |
| id: app_token | |
| uses: actions/create-github-app-token@v1 | |
| with: | |
| app-id: ${{ secrets.ARTIFACTS_APP_ID }} | |
| private-key: ${{ secrets.ARTIFACTS_APP_PRIVATE_KEY }} | |
| - name: β Download Windows artifact (manual stage) | |
| if: ${{ inputs.manual_stage == 'true' }} | |
| uses: actions/download-artifact@v7 | |
| with: | |
| github-token: ${{ steps.app_token.outputs.token }} | |
| name: windows-signed | |
| run-id: ${{ inputs.SIGN_RUN_ID }} | |
| path: win/ | |
| - name: β Download Windows artifact | |
| if: ${{ inputs.manual_stage != 'true' }} | |
| uses: actions/download-artifact@v7 | |
| with: | |
| name: windows-signed | |
| run-id: ${{ inputs.SIGN_RUN_ID }} | |
| path: win/ | |
| - name: π Stage Windows | |
| run: > | |
| rclone copyto win/Waterfox\ Setup\ ${{ inputs.DISPLAY_VERSION }}.exe | |
| :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/WINNT_x86_64/Waterfox\ Setup\ ${{ inputs.DISPLAY_VERSION }}.exe | |
| rclone copyto win/Waterfox\ Setup\ ${{ inputs.DISPLAY_VERSION }}.exe.sha512 | |
| :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/WINNT_x86_64/Waterfox\ Setup\ ${{ inputs.DISPLAY_VERSION }}.exe.sha512 | |
| rclone copyto win/Install\ Waterfox.exe :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/WINNT_x86_64/Install\ Waterfox.exe | |
| rclone copyto win/waterfox-${{ inputs.DISPLAY_VERSION }}.complete.mar | |
| :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/update/WINNT_x86_64/waterfox-${{ inputs.DISPLAY_VERSION }}.complete.mar | |
| rclone copyto win/update.xml :s3:aus/update/staging/${{ env.CHANNEL }}/${{ inputs.DISPLAY_VERSION }}/WINNT_x86_64/update.xml | |
| - name: β Download macOS artifact (manual stage) | |
| if: ${{ inputs.manual_stage == 'true' }} | |
| uses: actions/download-artifact@v7 | |
| with: | |
| github-token: ${{ steps.app_token.outputs.token }} | |
| name: macos-signed | |
| run-id: ${{ inputs.SIGN_RUN_ID }} | |
| path: mac/ | |
| - name: β Download macOS artifact | |
| if: ${{ inputs.manual_stage != 'true' }} | |
| uses: actions/download-artifact@v7 | |
| with: | |
| name: macos-signed | |
| run-id: ${{ inputs.SIGN_RUN_ID }} | |
| path: mac/ | |
| - name: π Stage macOS | |
| run: > | |
| rclone copyto mac/Waterfox\ ${{ inputs.DISPLAY_VERSION }}.dmg | |
| :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/Darwin_x86_64-aarch64/Waterfox\ ${{ inputs.DISPLAY_VERSION }}.dmg | |
| rclone copyto mac/Waterfox\ ${{ inputs.DISPLAY_VERSION }}.dmg.sha512 | |
| :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/Darwin_x86_64-aarch64/Waterfox\ ${{ inputs.DISPLAY_VERSION }}.dmg.sha512 | |
| rclone copyto mac/waterfox-${{ inputs.DISPLAY_VERSION }}.complete.mar | |
| :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/update/Darwin_x86_64-aarch64/waterfox-${{ inputs.DISPLAY_VERSION }}.complete.mar | |
| rclone copyto mac/update.xml :s3:aus/update/staging/${{ env.CHANNEL }}/${{ inputs.DISPLAY_VERSION }}/Darwin_x86_64-aarch64/update.xml | |
| - name: β Download Linux artifact (manual stage) | |
| if: ${{ inputs.manual_stage == 'true' }} | |
| uses: actions/download-artifact@v7 | |
| with: | |
| github-token: ${{ steps.app_token.outputs.token }} | |
| name: linux-signed | |
| run-id: ${{ inputs.SIGN_RUN_ID }} | |
| path: lin/ | |
| - name: β Download Linux artifact | |
| if: ${{ inputs.manual_stage != 'true' }} | |
| uses: actions/download-artifact@v7 | |
| with: | |
| name: linux-signed | |
| run-id: ${{ inputs.SIGN_RUN_ID }} | |
| path: lin/ | |
| - name: π Stage Linux | |
| run: > | |
| rclone copyto lin/waterfox-${{ inputs.DISPLAY_VERSION }}.tar.bz2 :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/Linux_x86_64/waterfox-${{ inputs.DISPLAY_VERSION }}.tar.bz2 | |
| rclone copyto lin/waterfox-${{ inputs.DISPLAY_VERSION }}.tar.bz2.sha512 :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/Linux_x86_64/waterfox-${{ inputs.DISPLAY_VERSION }}.tar.bz2.sha512 | |
| rclone copyto lin/waterfox-${{ inputs.DISPLAY_VERSION }}.complete.mar | |
| :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/update/Linux_x86_64/waterfox-${{ inputs.DISPLAY_VERSION }}.complete.mar | |
| rclone copyto lin/update.xml :s3:aus/update/staging/${{ env.CHANNEL }}/${{ inputs.DISPLAY_VERSION }}/Linux_x86_64/update.xml |