
Commit 1cb6f93

committed
refactor: test updated workflow
1 parent 4855af7 commit 1cb6f93


8 files changed

+1041
-649
lines changed


.github/workflows/build.yml

Lines changed: 208 additions & 569 deletions

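--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -1,5 +1,6 @@
-name: Deployment
-'on':
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: 🚀 Deployment
+on:
 workflow_dispatch:
 inputs:
 date:
@@ -14,10 +15,28 @@ name: Deployment
 description: Tag a release
 required: true
 type: string
+permissions:
+contents: read
+actions: read
 jobs:
 build:
-name: Build
+name: 🏗 Build
 uses: ./.github/workflows/build.yml
+secrets:
+MOZ_API_KEY: '${{ secrets.MOZ_API_KEY }}'
+with:
+MOZ_BUILD_DATE: '${{ github.event.inputs.date }}'
+PRE_RELEASE: '${{ github.event.inputs.prerelease }}'
+TAG_VERSION: '${{ github.event.inputs.tags }}'
+TRIGGER_EVENT: '${{ github.event_name }}'
+sign:
+name: ✍ Sign
+uses: ./.github/workflows/sign.yml
+needs: build
+permissions:
+actions: read
+contents: read
+id-token: write
 secrets:
 AWS_ACCESS_KEY_ID: '${{ secrets.CF_ACCESS_KEY_ID }}'
 AWS_SECRET_ACCESS_KEY: '${{ secrets.CF_ACCESS_KEY_SECRET }}'
@@ -28,42 +47,25 @@ jobs:
 AZURE_VAULT_ID: '${{ secrets.AZURE_VAULT_ID }}'
 CF_ENDPOINT: '${{ secrets.CF_ENDPOINT }}'
 MACOS_CERTIFICATE: '${{ secrets.MACOS_CERTIFICATE }}'
-MACOS_CERTIFICATE_NAME: '${{ secrets.MACOS_CERTIFICATE_NAME }}'
 MACOS_CERTIFICATE_PWD: '${{ secrets.MACOS_CERTIFICATE_PWD }}'
 MACOS_CI_KEYCHAIN_PWD: '${{ secrets.MACOS_CI_KEYCHAIN_PWD }}'
 MACOS_NOTARIZATION_APPLE_ID: '${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}'
 MACOS_NOTARIZATION_PWD: '${{ secrets.MACOS_NOTARIZATION_PWD }}'
 MACOS_NOTARIZATION_TEAM_ID: '${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}'
-MOZ_API_KEY: '${{ secrets.MOZ_API_KEY }}'
 ONE_PEM: '${{ secrets.ONE_PEM }}'
 SIGN_BASE64: '${{ secrets.SIGN_BASE64 }}'
 with:
-MOZ_BUILD_DATE: '${{ github.event.inputs.date }}'
-PRE_RELEASE: '${{ github.event.inputs.prerelease }}'
-TAG_VERSION: '${{ github.event.inputs.tags }}'
-TRIGGER_EVENT: '${{ github.event_name }}'
-stage:
-name: Deploy to Staging
-uses: ./.github/workflows/stage.yml
-needs: build
-secrets:
-AWS_ACCESS_KEY_ID: '${{ secrets.CF_ACCESS_KEY_ID }}'
-AWS_SECRET_ACCESS_KEY: '${{ secrets.CF_ACCESS_KEY_SECRET }}'
-CF_ENDPOINT: '${{ secrets.CF_ENDPOINT }}'
-with:
-DISPLAY_VERSION: '${{ github.event.inputs.tags }}'
-PRE_RELEASE: '${{ github.event.inputs.prerelease }}'
-production:
-name: Deploy to Production
-uses: ./.github/workflows/production.yml
-needs: stage
+build_run_id: '${{ needs.build.outputs.run_id }}'
+manual_resign: 'false'
+publish:
+name: 🚀 Publish
+uses: ./.github/workflows/publish.yml
+needs: sign
 secrets:
 AWS_ACCESS_KEY_ID: '${{ secrets.CF_ACCESS_KEY_ID }}'
 AWS_SECRET_ACCESS_KEY: '${{ secrets.CF_ACCESS_KEY_SECRET }}'
 CF_AUTH: '${{ secrets.BULK_REDIRECT_TOKEN }}'
 CF_ENDPOINT: '${{ secrets.CF_ENDPOINT }}'
 CF_ZONE_ID: '${{ secrets.CF_ZONE_ID }}'
 with:
-COMMIT_SHA: '${{ github.sha }}'
-PRE_RELEASE: '${{ github.event.inputs.prerelease }}'
-DISPLAY_VERSION: '${{ github.event.inputs.tags }}'
+sign_run_id: '${{ needs.sign.outputs.sign_run_id }}'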
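Review bot: The `publish` job is wired to `sign_run_id: '${{ needs.sign.outputs.sign_run_id }}'` at the end of the third hunk, but nothing fails the pipeline if that output is empty; publish.yml's `prepare` job, added in this same commit, then resolves the id by falling back to the latest successful sign.yml run, so an unset output would silently publish artifacts from some other run instead of erroring. A guard such as `if: needs.sign.outputs.sign_run_id != ''` on `publish` (or making `sign_run_id` required for `workflow_call` in publish.yml) turns that into a hard failure. Separately, the first hunk unquotes `'on':` to `on:`; GitHub's loader accepts it, but YAML 1.1 tooling (yamllint's truthy rule, PyYAML) reads that key as boolean `true`, so if a linter runs over these files add `# yamllint disable-line rule:truthy` above it.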

.github/workflows/pr.yml

Lines changed: 0 additions & 15 deletions
This file was deleted.

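--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -1,5 +1,6 @@
-name: Production
-'on':
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: 🚀 Production
+on:
 workflow_call:
 inputs:
 COMMIT_SHA:
@@ -33,27 +34,27 @@ env:
 RCLONE_S3_DECOMPRESS: true
 jobs:
 soft-release:
-name: "\U0001F313 Soft Release"
+name: 🌓 Soft Release
 environment: Approval
-runs-on: ubuntu-24.04
+runs-on: ubuntu-slim
 steps:
-- name: Create GitHub release
+- name: 🏷️ Create GitHub release
 uses: ncipollo/release-action@v1
 with:
 allowUpdates: true
 commit: '${{ inputs.COMMIT_SHA }}'
 prerelease: '${{ inputs.PRE_RELEASE }}'
 tag: '${{ inputs.DISPLAY_VERSION }}'
-- name: "\U0001F4BF Setup rclone"
+- name: 💿 Setup rclone
 run: 'curl https://rclone.org/install.sh | sudo bash'
-- name: "\U0001F4E3 Export CHANNEL"
+- name: 📣 Export CHANNEL
 run: |
 if [[ $PRE_RELEASE == 'true' ]]; then
 echo "CHANNEL=beta" >> $GITHUB_ENV
 else
 echo "CHANNEL=release" >> $GITHUB_ENV
 fi
-- name: "\U0001F9EA Dry run AUS"
+- name: 🧪 Dry run AUS
 run: |
 OSA=(WINNT_x86_64 Linux_x86_64 Darwin_x86_64-aarch64)
 for OS in "${OSA[@]}"
@@ -81,10 +82,10 @@ jobs:
 <?xml version="1.0"?>
 <updates>
 </updates>
-END
-rclone moveto ./update.xml :s3:aus/update/production/${{ env.CHANNEL }}/${{ inputs.DISPLAY_VERSION }}/"$OS"/update.xml --log-level DEBUG --dry-run
+END
+rclone moveto ./update.xml :s3:aus/update/production/${{ env.CHANNEL }}/${{ inputs.DISPLAY_VERSION }}/"$OS"/update.xml --log-level DEBUG --dry-run
 done
-- name: "\U0001F9EA Move installers from staging to production"
+- name: 🧪 Move installers from staging to production
 run: >
 rclone moveto :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/WINNT_x86_64/Waterfox\ Setup\ ${{ inputs.DISPLAY_VERSION }}.exe
 :s3:cdn/waterfox/releases/${{ inputs.DISPLAY_VERSION }}/WINNT_x86_64/Waterfox\ Setup\ ${{ inputs.DISPLAY_VERSION }}.exe
@@ -161,29 +162,29 @@ jobs:
 }
 ]'
 hard-release:
-name: "\U0001F315 Hard Release"
+name: 🌕 Hard Release
 needs:
 - soft-release
 environment: Approval
-runs-on: ubuntu-24.04
+runs-on: ubuntu-slim
 steps:
-- name: "\U0001F4BF Setup rclone"
+- name: 💿 Setup rclone
 run: 'curl https://rclone.org/install.sh | sudo bash'
-- name: "\U0001F4E3 Export CHANNEL"
+- name: 📣 Export CHANNEL
 run: |
 if [[ $PRE_RELEASE == 'true' ]]; then
 echo "CHANNEL=beta" >> $GITHUB_ENV
 else
 echo "CHANNEL=release" >> $GITHUB_ENV
 fi
-- name: "\U0001F69A Move MARs from staging"
+- name: 🚚 Move MARs from staging
 run: >
 rclone moveto :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/update/WINNT_x86_64/waterfox-${{ inputs.DISPLAY_VERSION }}.complete.mar :s3:cdn/waterfox/releases/${{ inputs.DISPLAY_VERSION }}/update/WINNT_x86_64/waterfox-${{ inputs.DISPLAY_VERSION }}.complete.mar
 
 rclone moveto :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/update/Darwin_x86_64-aarch64/waterfox-${{ inputs.DISPLAY_VERSION }}.complete.mar :s3:cdn/waterfox/releases/${{ inputs.DISPLAY_VERSION }}/update/Darwin_x86_64-aarch64/waterfox-${{ inputs.DISPLAY_VERSION }}.complete.mar
 
 rclone moveto :s3:cdn/waterfox/staging/${{ inputs.DISPLAY_VERSION }}/update/Linux_x86_64/waterfox-${{ inputs.DISPLAY_VERSION }}.complete.mar :s3:cdn/waterfox/releases/${{ inputs.DISPLAY_VERSION }}/update/Linux_x86_64/waterfox-${{ inputs.DISPLAY_VERSION }}.complete.mar
-- name: "🚚 Move update XMLs from staging"
+- name: 🚚 Move update XMLs from staging
 run: |
 OSA=(WINNT_x86_64 Linux_x86_64 Darwin_x86_64-aarch64)
 for OS in "${OSA[@]}"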

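--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,134 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: 🚀 Publish
+on:
+workflow_dispatch:
+inputs:
+sign_run_id:
+description: Sign workflow run id to publish from (defaults to latest successful run)
+required: false
+type: string
+workflow_call:
+inputs:
+sign_run_id:
+required: false
+type: string
+secrets:
+AWS_ACCESS_KEY_ID:
+required: true
+AWS_SECRET_ACCESS_KEY:
+required: true
+CF_AUTH:
+required: true
+CF_ENDPOINT:
+required: true
+CF_ZONE_ID:
+required: true
+ARTIFACTS_APP_ID:
+required: false
+ARTIFACTS_APP_PRIVATE_KEY:
+required: false
+permissions:
+contents: read
+actions: read
+jobs:
+prepare:
+name: 🧭 Resolve sign metadata
+runs-on: ubuntu-slim
+outputs:
+sign_run_id: "${{ steps.resolve.outputs.sign_run_id }}"
+display_version: "${{ steps.meta.outputs.VERSION_DISPLAY }}"
+pre_release: "${{ steps.meta.outputs.PRE_RELEASE }}"
+commit_sha: "${{ steps.meta.outputs.COMMIT_SHA }}"
+steps:
+- name: 🧭 Resolve sign run
+id: resolve
+uses: actions/github-script@v8
+env:
+SIGN_RUN_ID_INPUT: "${{ inputs.sign_run_id }}"
+with:
+script: |
+const provided = process.env.SIGN_RUN_ID_INPUT;
+if (provided) {
+core.setOutput('sign_run_id', provided.trim());
+return;
+}
+const runs = await github.paginate(github.rest.actions.listWorkflowRuns, {
+owner: context.repo.owner,
+repo: context.repo.repo,
+workflow_id: 'sign.yml',
+status: 'success',
+per_page: 1,
+});
+if (!runs.length) {
+throw new Error('No successful sign workflow runs found to publish.');
+}
+core.setOutput('sign_run_id', `${runs[0].id}`);
+- name: 🛑 Require GitHub App credentials for manual publish
+if: ${{ github.event_name == 'workflow_dispatch' }}
+env:
+ARTIFACTS_APP_ID: ${{ secrets.ARTIFACTS_APP_ID }}
+ARTIFACTS_APP_PRIVATE_KEY: ${{ secrets.ARTIFACTS_APP_PRIVATE_KEY }}
+run: |
+if [[ -z "$ARTIFACTS_APP_ID" || -z "$ARTIFACTS_APP_PRIVATE_KEY" ]]; then
+echo "Missing required secrets for manual publish: ARTIFACTS_APP_ID and/or ARTIFACTS_APP_PRIVATE_KEY" >&2
+exit 1
+fi
+- name: 🔑 Create GitHub App token (manual publish)
+if: ${{ github.event_name == 'workflow_dispatch' }}
+id: app_token
+uses: actions/create-github-app-token@v1
+with:
+app-id: ${{ secrets.ARTIFACTS_APP_ID }}
+private-key: ${{ secrets.ARTIFACTS_APP_PRIVATE_KEY }}
+- name: ↓ Download sign metadata (manual publish)
+if: ${{ github.event_name == 'workflow_dispatch' }}
+uses: actions/download-artifact@v7
+with:
+github-token: ${{ steps.app_token.outputs.token }}
+name: sign-metadata
+path: sign-metadata
+run-id: "${{ steps.resolve.outputs.sign_run_id }}"
+- name: ↓ Download sign metadata
+if: ${{ github.event_name != 'workflow_dispatch' }}
+uses: actions/download-artifact@v7
+with:
+name: sign-metadata
+path: sign-metadata
+run-id: "${{ steps.resolve.outputs.sign_run_id }}"
+- name: 📄 Load sign metadata
+id: meta
+run: |
+cat sign-metadata/build-metadata.env >> "$GITHUB_ENV"
+while IFS='=' read -r key value; do
+if [[ -n "$key" ]]; then
+echo "$key=$value" >> "$GITHUB_OUTPUT"
+fi
+done < sign-metadata/build-metadata.env
+stage:
+name: 🎭 Deploy to Staging
+needs:
+- prepare
+uses: ./.github/workflows/stage.yml
+with:
+DISPLAY_VERSION: "${{ needs.prepare.outputs.display_version }}"
+PRE_RELEASE: "${{ needs.prepare.outputs.pre_release }}"
+SIGN_RUN_ID: "${{ needs.prepare.outputs.sign_run_id }}"
+secrets:
+AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+CF_ENDPOINT: "${{ secrets.CF_ENDPOINT }}"
+production:
+name: 🚀 Deploy to Production
+needs:
+- stage
+uses: ./.github/workflows/production.yml
+with:
+COMMIT_SHA: "${{ needs.prepare.outputs.commit_sha }}"
+PRE_RELEASE: "${{ needs.prepare.outputs.pre_release }}"
+DISPLAY_VERSION: "${{ needs.prepare.outputs.display_version }}"
+secrets:
+AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+CF_AUTH: "${{ secrets.CF_AUTH }}"
+CF_ENDPOINT: "${{ secrets.CF_ENDPOINT }}"
+CF_ZONE_ID: "${{ secrets.CF_ZONE_ID }}"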
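Review bot: The `🧭 Resolve sign run` script falls back to `github.paginate(github.rest.actions.listWorkflowRuns, { … per_page: 1 })` whenever `sign_run_id` is empty, which walks every page of successful runs one request at a time and also ignores the calling context: a `workflow_call` invocation that arrives with an empty id, or a manual dispatch, ends up publishing whatever sign.yml run last succeeded on any branch. I would reject an empty id outside `workflow_dispatch`, check that a supplied id is numeric before it reaches `run-id:`, and fetch a single page restricted to the default branch, as below. Separately, `📄 Load sign metadata` appends every `key=value` line of the downloaded artifact to `$GITHUB_ENV` and `$GITHUB_OUTPUT` unfiltered, so the artifact's contents fully define this job's environment and outputs; restricting the loop to the keys the job actually consumes (`VERSION_DISPLAY`, `PRE_RELEASE`, `COMMIT_SHA`) and dropping the blanket `cat … >> "$GITHUB_ENV"` would contain that.

```yaml
          script: |
            const provided = (process.env.SIGN_RUN_ID_INPUT || '').trim();
            if (provided) {
              if (!/^\d+$/.test(provided)) {
                throw new Error(`sign_run_id must be a numeric workflow run id, got: ${provided}`);
              }
              core.setOutput('sign_run_id', provided);
              return;
            }
            if (context.eventName !== 'workflow_dispatch') {
              throw new Error('sign_run_id must be supplied when publish is invoked via workflow_call.');
            }
            // One page is enough for "latest"; restrict to the default branch so a
            // manual publish cannot pick up a sign run from an arbitrary branch.
            const { data } = await github.rest.actions.listWorkflowRuns({
              owner: context.repo.owner,
              repo: context.repo.repo,
              workflow_id: 'sign.yml',
              status: 'success',
              branch: context.payload.repository.default_branch,
              per_page: 1,
            });
            if (!data.workflow_runs.length) {
              throw new Error('No successful sign workflow runs found to publish.');
            }
            core.setOutput('sign_run_id', `${data.workflow_runs[0].id}`);
      # … unchanged: App-token gate, artifact download steps, metadata load, stage/production jobs …
```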
