CD #65

Workflow file for this run

	name: CD

	on:
	schedule:
	- cron: '32 1 * * *'
	workflow_dispatch:
	release:
	types: [published]

	env:
	LIBKIWIX_VERSION: "13.0.0"
	KEYCHAIN: /Users/runner/build.keychain-db
	KEYCHAIN_PASSWORD: mysecretpassword
	KEYCHAIN_PROFILE: build-profile
	SSH_KEY: /tmp/id_rsa
	APPLE_STORE_AUTH_KEY_PATH: /tmp/authkey.p8

	jobs:
	build_and_deploy:
	strategy:
	fail-fast: false
	matrix:
	destination:
	- platform: macOS
	uploadto: dmg
	- platform: macOS
	uploadto: app-store
	- platform: iOS
	uploadto: ipa
	xcode_extra: -sdk iphoneos
	- platform: iOS
	uploadto: app-store
	xcode_extra: -sdk iphoneos
	runs-on: macos-13
	steps:
	- name: Checkout code
	uses: actions/checkout@v3
	- name: Decide whether building nightly or release
	env:
	PLATFORM: ${{ matrix.destination.platform }}
	UPLOAD_TO: ${{ matrix.destination.uploadto }}
	EXTRA_XCODEBUILD: ${{ matrix.destination.xcode_extra }}
	APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }}
	APPLE_STORE_AUTH_KEY_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ID }}
	APPLE_STORE_AUTH_KEY_ISSUER_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ISSUER_ID }}
	shell: python
	run: \|
	import datetime
	import os
	if os.getenv("GITHUB_EVENT_NAME", "") == "release":
	is_release = True
	version = os.getenv("GITHUB_REF_NAME")
	upload_folder = f"release/{version}"
	else:
	is_release = False
	version = str(datetime.date.today())
	upload_folder = f"nightly/{version}"

	export_method = "developer-id" if os.getenv("UPLOAD_TO") == "dmg" else "app-store"

	extra_xcode = os.getenv("EXTRA_XCODEBUILD", "")
	if os.getenv("PLATFORM") == "iOS":
	extra_xcode += f" -authenticationKeyPath {os.getenv('APPLE_STORE_AUTH_KEY_PATH')}"
	extra_xcode += f" -authenticationKeyID {os.getenv('APPLE_STORE_AUTH_KEY_ID')}"
	extra_xcode += f" -authenticationKeyIssuerID {os.getenv('APPLE_STORE_AUTH_KEY_ISSUER_ID')}"

	with open(os.getenv("GITHUB_ENV"), "a") as fh:
	fh.write(f"VERSION={version}\n")
	fh.write(f"ISRELEASE={'yes' if is_release else ''}\n")
	fh.write(f"EXPORT_METHOD={export_method}\n")
	fh.write(f"UPLOAD_FOLDER={upload_folder}\n")
	fh.write(f"EXTRA_XCODEBUILD={extra_xcode}\n")

	- name: Prepare use of Developper ID Certificate
	if: ${{ matrix.destination.uploadto == 'dmg' }}
	shell: bash
	env:
	APPLE_DEVELOPER_ID_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DEVELOPER_ID_SIGNING_CERTIFICATE }}
	APPLE_DEVELOPER_ID_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_SIGNING_P12_PASSWORD }}
	APPLE_DEVELOPER_ID_SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPER_ID_SIGNING_IDENTITY }}
	run: \|
	echo "SIGNING_CERTIFICATE=${APPLE_DEVELOPER_ID_SIGNING_CERTIFICATE}" >> "$GITHUB_ENV"
	echo "SIGNING_CERTIFICATE_P12_PASSWORD=${APPLE_DEVELOPER_ID_SIGNING_P12_PASSWORD}" >> "$GITHUB_ENV"
	echo "SIGNING_IDENTITY=${APPLE_DEVELOPER_ID_SIGNING_IDENTITY}" >> "$GITHUB_ENV"

	- name: Prepare use of Apple Development Certificate
	if: ${{ matrix.destination.uploadto == 'ipa' }}
	shell: bash
	env:
	APPLE_DEVELOPMENT_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_CERTIFICATE }}
	APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD }}
	APPLE_DEVELOPMENT_SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_IDENTITY }}
	run: \|
	echo "SIGNING_CERTIFICATE=${APPLE_DEVELOPMENT_SIGNING_CERTIFICATE}" >> "$GITHUB_ENV"
	echo "SIGNING_CERTIFICATE_P12_PASSWORD=${APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD}" >> "$GITHUB_ENV"
	echo "SIGNING_IDENTITY=${APPLE_DEVELOPMENT_SIGNING_IDENTITY}" >> "$GITHUB_ENV"

	- name: Prepare use of Apple Distribution Certificate
	if: ${{ matrix.destination.uploadto == 'app-store' }}
	shell: bash
	env:
	APPLE_DISTRIBUTION_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DISTRIBUTION_SIGNING_CERTIFICATE }}
	APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD }}
	APPLE_DEVELOPMENT_SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_IDENTITY }}
	run: \|
	echo "SIGNING_CERTIFICATE=${APPLE_DISTRIBUTION_SIGNING_CERTIFICATE}" >> "$GITHUB_ENV"
	echo "SIGNING_CERTIFICATE_P12_PASSWORD=${APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD}" >> "$GITHUB_ENV"
	echo "SIGNING_IDENTITY=${APPLE_DEVELOPMENT_SIGNING_IDENTITY}" >> "$GITHUB_ENV"

	- name: Add Apple Store Key
	env:
	APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }}
	APPLE_STORE_AUTH_KEY: ${{ secrets.APPLE_STORE_AUTH_KEY }}
	shell: bash
	run: echo "${APPLE_STORE_AUTH_KEY}" \| base64 --decode -o $APPLE_STORE_AUTH_KEY_PATH

	- name: Build xcarchive
	uses: ./.github/actions/xcbuild
	with:
	action: archive
	xc-destination: generic/platform=${{ matrix.destination.platform }}
	upload-to: ${{ matrix.destination.uploadto }}
	libkiwix-version: ${{ env.LIBKIWIX_VERSION }}
	version: ${{ env.VERSION }}
	APPLE_DEVELOPMENT_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_CERTIFICATE }}
	APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD }}
	DEPLOYMENT_SIGNING_CERTIFICATE: ${{ env.SIGNING_CERTIFICATE }}
	DEPLOYMENT_SIGNING_CERTIFICATE_P12_PASSWORD: ${{ env.SIGNING_CERTIFICATE_P12_PASSWORD }}
	KEYCHAIN: ${{ env.KEYCHAIN }}
	KEYCHAIN_PASSWORD: ${{ env.KEYCHAIN_PASSWORD }}
	KEYCHAIN_PROFILE: ${{ env.KEYCHAIN_PROFILE }}
	EXTRA_XCODEBUILD: ${{ env.EXTRA_XCODEBUILD }}

	- name: Add altool credentials to Keychain
	shell: bash
	env:
	APPLE_SIGNING_ALTOOL_USERNAME: ${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}
	APPLE_SIGNING_ALTOOL_PASSWORD: ${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}
	APPLE_SIGNING_TEAM: ${{ secrets.APPLE_SIGNING_TEAM }}
	run: \|
	security find-identity -v $KEYCHAIN
	security unlock-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN
	xcrun notarytool store-credentials \
	--apple-id "${APPLE_SIGNING_ALTOOL_USERNAME}" \
	--password "${APPLE_SIGNING_ALTOOL_PASSWORD}" \
	--team-id "${APPLE_SIGNING_TEAM}" \
	--validate \
	--keychain $KEYCHAIN \
	$KEYCHAIN_PROFILE

	- name: Prepare export for ${{ env.EXPORT_METHOD }}
	if: ${{ matrix.destination.uploadto != 'ipa' }}
	run: \|
	plutil -create xml1 ./export.plist
	plutil -insert destination -string upload ./export.plist
	plutil -insert method -string $EXPORT_METHOD ./export.plist

	- name: Prepare export for IPA
	if: ${{ matrix.destination.uploadto == 'ipa' }}
	run: \|
	plutil -create xml1 ./export.plist
	plutil -insert method -string ad-hoc ./export.plist
	plutil -insert provisioningProfiles -dictionary ./export.plist
	plutil -replace provisioningProfiles -json '{ "self.Kiwix" : "iOS Team Provisioning Profile" }' ./export.plist

	- name: Upload Archive to Apple (App Store or Notarization)
	env:
	APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }}
	APPLE_STORE_AUTH_KEY_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ID }}
	APPLE_STORE_AUTH_KEY_ISSUER_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ISSUER_ID }}
	run: python .github/retry-if-retcode.py --sleep 60 --attempts 5 --retcode 70 xcrun xcodebuild -exportArchive -archivePath $PWD/Kiwix-$VERSION.xcarchive -exportPath $PWD/export/ -exportOptionsPlist export.plist -authenticationKeyPath $APPLE_STORE_AUTH_KEY_PATH -allowProvisioningUpdates -authenticationKeyID $APPLE_STORE_AUTH_KEY_ID -authenticationKeyIssuerID $APPLE_STORE_AUTH_KEY_ISSUER_ID

	- name: Export notarized App from archive
	if: ${{ matrix.destination.uploadto == 'dmg' }}
	env:
	APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }}
	APPLE_STORE_AUTH_KEY_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ID }}
	APPLE_STORE_AUTH_KEY_ISSUER_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ISSUER_ID }}
	run: python .github/retry-if-retcode.py --sleep 60 --attempts 20 --retcode 65 xcrun xcodebuild -exportNotarizedApp -archivePath $PWD/Kiwix-$VERSION.xcarchive -exportPath $PWD/export/ -authenticationKeyPath $APPLE_STORE_AUTH_KEY_PATH -allowProvisioningUpdates -authenticationKeyID $APPLE_STORE_AUTH_KEY_ID -authenticationKeyIssuerID $APPLE_STORE_AUTH_KEY_ISSUER_ID

	- name: Create DMG
	if: ${{ matrix.destination.uploadto == 'dmg' }}
	run: \|
	pip install dmgbuild
	dmgbuild -s .github/dmg-settings.py -Dapp=$PWD/export/Kiwix.app -Dbg=.github/dmg-bg.png "Kiwix-$VERSION" $PWD/Kiwix-$VERSION.dmg

	- name: Notarize DMG
	if: ${{ matrix.destination.uploadto == 'dmg' }}
	run: \|
	xcrun notarytool submit --keychain $KEYCHAIN --keychain-profile $KEYCHAIN_PROFILE --wait $PWD/Kiwix-$VERSION.dmg
	xcrun stapler staple $PWD/Kiwix-$VERSION.dmg

	- name: Add SSH_KEY to filesystem
	shell: bash
	env:
	PRIVATE_KEY: ${{ secrets.SSH_KEY }}
	run: \|
	echo "${PRIVATE_KEY}" > $SSH_KEY
	chmod 600 $SSH_KEY

	- name: Upload DMG
	if: ${{ matrix.destination.uploadto == 'dmg' }}
	run: python .github/upload_file.py --src ${PWD}/Kiwix-${VERSION}.dmg --dest [email protected]:30022/data/download/${UPLOAD_FOLDER} --ssh-key ${SSH_KEY}

	- name: Upload IPA
	if: ${{ matrix.destination.uploadto == 'ipa' }}
	run: \|
	mv ${PWD}/export/Kiwix.ipa ${PWD}/export/Kiwix-${VERSION}.ipa
	python .github/upload_file.py --src ${PWD}/export/Kiwix-${VERSION}.ipa --dest [email protected]:30022/data/download/${UPLOAD_FOLDER} --ssh-key ${SSH_KEY}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CD #65

Workflow file

CD #65

Jobs

Run details

Workflow file for this run