fixup! only upload to Apple upon releases #69
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CD | |
on: | |
push: | |
branches: [appstore-release-only] | |
schedule: | |
- cron: '32 1 * * *' | |
workflow_dispatch: | |
release: | |
types: [published] | |
env: | |
LIBKIWIX_VERSION: "13.0.0" | |
KEYCHAIN: /Users/runner/build.keychain-db | |
KEYCHAIN_PASSWORD: mysecretpassword | |
KEYCHAIN_PROFILE: build-profile | |
SSH_KEY: /tmp/id_rsa | |
APPLE_STORE_AUTH_KEY_PATH: /tmp/authkey.p8 | |
jobs: | |
build_and_deploy: | |
strategy: | |
fail-fast: false | |
matrix: | |
destination: | |
- platform: macOS | |
uploadto: dmg | |
- platform: macOS | |
uploadto: app-store | |
- platform: iOS | |
uploadto: ipa | |
xcode_extra: -sdk iphoneos | |
- platform: iOS | |
uploadto: app-store | |
xcode_extra: -sdk iphoneos | |
runs-on: macos-13 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Decide whether building nightly or release | |
env: | |
PLATFORM: ${{ matrix.destination.platform }} | |
UPLOAD_TO: ${{ matrix.destination.uploadto }} | |
EXTRA_XCODEBUILD: ${{ matrix.destination.xcode_extra }} | |
APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }} | |
APPLE_STORE_AUTH_KEY_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ID }} | |
APPLE_STORE_AUTH_KEY_ISSUER_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ISSUER_ID }} | |
shell: python | |
run: | | |
import datetime | |
import os | |
if os.getenv("GITHUB_EVENT_NAME", "") == "release": | |
is_release = True | |
version = os.getenv("GITHUB_REF_NAME") | |
upload_folder = f"release/{version}" | |
else: | |
is_release = False | |
version = str(datetime.date.today()) | |
upload_folder = f"nightly/{version}" | |
export_method = "developer-id" if os.getenv("UPLOAD_TO") == "dmg" else "app-store" | |
upload_to_apple = export_method == "dmg" or (is_release and export_method == "app-store") | |
extra_xcode = os.getenv("EXTRA_XCODEBUILD", "") | |
if os.getenv("PLATFORM") == "iOS": | |
extra_xcode += f" -authenticationKeyPath {os.getenv('APPLE_STORE_AUTH_KEY_PATH')}" | |
extra_xcode += f" -authenticationKeyID {os.getenv('APPLE_STORE_AUTH_KEY_ID')}" | |
extra_xcode += f" -authenticationKeyIssuerID {os.getenv('APPLE_STORE_AUTH_KEY_ISSUER_ID')}" | |
with open(os.getenv("GITHUB_ENV"), "a") as fh: | |
fh.write(f"VERSION={version}\n") | |
fh.write(f"ISRELEASE={'yes' if is_release else ''}\n") | |
fh.write(f"EXPORT_METHOD={export_method}\n") | |
fh.write(f"UPLOAD_FOLDER={upload_folder}\n") | |
fh.write(f"EXTRA_XCODEBUILD={extra_xcode}\n") | |
fh.write(f"UPLOAD_TO_APPLE={'yes' if upload_to_apple else ''}\n") | |
- name: Prepare use of Developper ID Certificate | |
if: ${{ matrix.destination.uploadto == 'dmg' }} | |
shell: bash | |
env: | |
APPLE_DEVELOPER_ID_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DEVELOPER_ID_SIGNING_CERTIFICATE }} | |
APPLE_DEVELOPER_ID_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_SIGNING_P12_PASSWORD }} | |
APPLE_DEVELOPER_ID_SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPER_ID_SIGNING_IDENTITY }} | |
run: | | |
echo "SIGNING_CERTIFICATE=${APPLE_DEVELOPER_ID_SIGNING_CERTIFICATE}" >> "$GITHUB_ENV" | |
echo "SIGNING_CERTIFICATE_P12_PASSWORD=${APPLE_DEVELOPER_ID_SIGNING_P12_PASSWORD}" >> "$GITHUB_ENV" | |
echo "SIGNING_IDENTITY=${APPLE_DEVELOPER_ID_SIGNING_IDENTITY}" >> "$GITHUB_ENV" | |
- name: Prepare use of Apple Development Certificate | |
if: ${{ matrix.destination.uploadto == 'ipa' }} | |
shell: bash | |
env: | |
APPLE_DEVELOPMENT_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_CERTIFICATE }} | |
APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD }} | |
APPLE_DEVELOPMENT_SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_IDENTITY }} | |
run: | | |
echo "SIGNING_CERTIFICATE=${APPLE_DEVELOPMENT_SIGNING_CERTIFICATE}" >> "$GITHUB_ENV" | |
echo "SIGNING_CERTIFICATE_P12_PASSWORD=${APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD}" >> "$GITHUB_ENV" | |
echo "SIGNING_IDENTITY=${APPLE_DEVELOPMENT_SIGNING_IDENTITY}" >> "$GITHUB_ENV" | |
- name: Prepare use of Apple Distribution Certificate | |
if: ${{ matrix.destination.uploadto == 'app-store' }} | |
shell: bash | |
env: | |
APPLE_DISTRIBUTION_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DISTRIBUTION_SIGNING_CERTIFICATE }} | |
APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD }} | |
APPLE_DEVELOPMENT_SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_IDENTITY }} | |
run: | | |
echo "SIGNING_CERTIFICATE=${APPLE_DISTRIBUTION_SIGNING_CERTIFICATE}" >> "$GITHUB_ENV" | |
echo "SIGNING_CERTIFICATE_P12_PASSWORD=${APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD}" >> "$GITHUB_ENV" | |
echo "SIGNING_IDENTITY=${APPLE_DEVELOPMENT_SIGNING_IDENTITY}" >> "$GITHUB_ENV" | |
- name: Add Apple Store Key | |
env: | |
APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }} | |
APPLE_STORE_AUTH_KEY: ${{ secrets.APPLE_STORE_AUTH_KEY }} | |
shell: bash | |
run: echo "${APPLE_STORE_AUTH_KEY}" | base64 --decode -o $APPLE_STORE_AUTH_KEY_PATH | |
- name: Build xcarchive | |
uses: ./.github/actions/xcbuild | |
with: | |
action: archive | |
xc-destination: generic/platform=${{ matrix.destination.platform }} | |
upload-to: ${{ matrix.destination.uploadto }} | |
libkiwix-version: ${{ env.LIBKIWIX_VERSION }} | |
version: ${{ env.VERSION }} | |
APPLE_DEVELOPMENT_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_CERTIFICATE }} | |
APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD }} | |
DEPLOYMENT_SIGNING_CERTIFICATE: ${{ env.SIGNING_CERTIFICATE }} | |
DEPLOYMENT_SIGNING_CERTIFICATE_P12_PASSWORD: ${{ env.SIGNING_CERTIFICATE_P12_PASSWORD }} | |
KEYCHAIN: ${{ env.KEYCHAIN }} | |
KEYCHAIN_PASSWORD: ${{ env.KEYCHAIN_PASSWORD }} | |
KEYCHAIN_PROFILE: ${{ env.KEYCHAIN_PROFILE }} | |
EXTRA_XCODEBUILD: ${{ env.EXTRA_XCODEBUILD }} | |
- name: Add altool credentials to Keychain | |
shell: bash | |
env: | |
APPLE_SIGNING_ALTOOL_USERNAME: ${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }} | |
APPLE_SIGNING_ALTOOL_PASSWORD: ${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }} | |
APPLE_SIGNING_TEAM: ${{ secrets.APPLE_SIGNING_TEAM }} | |
run: | | |
security find-identity -v $KEYCHAIN | |
security unlock-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN | |
xcrun notarytool store-credentials \ | |
--apple-id "${APPLE_SIGNING_ALTOOL_USERNAME}" \ | |
--password "${APPLE_SIGNING_ALTOOL_PASSWORD}" \ | |
--team-id "${APPLE_SIGNING_TEAM}" \ | |
--validate \ | |
--keychain $KEYCHAIN \ | |
$KEYCHAIN_PROFILE | |
- name: Prepare export for ${{ env.EXPORT_METHOD }} | |
if: ${{ matrix.destination.uploadto != 'ipa' }} | |
run: | | |
plutil -create xml1 ./export.plist | |
plutil -insert destination -string upload ./export.plist | |
plutil -insert method -string $EXPORT_METHOD ./export.plist | |
- name: Prepare export for IPA | |
if: ${{ matrix.destination.uploadto == 'ipa' }} | |
run: | | |
plutil -create xml1 ./export.plist | |
plutil -insert method -string ad-hoc ./export.plist | |
plutil -insert provisioningProfiles -dictionary ./export.plist | |
plutil -replace provisioningProfiles -json '{ "self.Kiwix" : "iOS Team Provisioning Profile" }' ./export.plist | |
- name: Upload Archive to Apple (App Store or Notarization) | |
if: ${{ env.UPLOAD_TO_APPLE }} | |
env: | |
APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }} | |
APPLE_STORE_AUTH_KEY_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ID }} | |
APPLE_STORE_AUTH_KEY_ISSUER_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ISSUER_ID }} | |
run: python .github/retry-if-retcode.py --sleep 60 --attempts 5 --retcode 70 xcrun xcodebuild -exportArchive -archivePath $PWD/Kiwix-$VERSION.xcarchive -exportPath $PWD/export/ -exportOptionsPlist export.plist -authenticationKeyPath $APPLE_STORE_AUTH_KEY_PATH -allowProvisioningUpdates -authenticationKeyID $APPLE_STORE_AUTH_KEY_ID -authenticationKeyIssuerID $APPLE_STORE_AUTH_KEY_ISSUER_ID | |
- name: Export notarized App from archive | |
if: ${{ matrix.destination.uploadto == 'dmg' }} | |
env: | |
APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }} | |
APPLE_STORE_AUTH_KEY_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ID }} | |
APPLE_STORE_AUTH_KEY_ISSUER_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ISSUER_ID }} | |
run: python .github/retry-if-retcode.py --sleep 60 --attempts 20 --retcode 65 xcrun xcodebuild -exportNotarizedApp -archivePath $PWD/Kiwix-$VERSION.xcarchive -exportPath $PWD/export/ -authenticationKeyPath $APPLE_STORE_AUTH_KEY_PATH -allowProvisioningUpdates -authenticationKeyID $APPLE_STORE_AUTH_KEY_ID -authenticationKeyIssuerID $APPLE_STORE_AUTH_KEY_ISSUER_ID | |
- name: Create DMG | |
if: ${{ matrix.destination.uploadto == 'dmg' }} | |
run: | | |
pip install dmgbuild | |
dmgbuild -s .github/dmg-settings.py -Dapp=$PWD/export/Kiwix.app -Dbg=.github/dmg-bg.png "Kiwix-$VERSION" $PWD/kiwix-$VERSION.dmg | |
- name: Notarize DMG | |
if: ${{ matrix.destination.uploadto == 'dmg' }} | |
run: | | |
xcrun notarytool submit --keychain $KEYCHAIN --keychain-profile $KEYCHAIN_PROFILE --wait $PWD/kiwix-$VERSION.dmg | |
xcrun stapler staple $PWD/kiwix-$VERSION.dmg | |
- name: Add SSH_KEY to filesystem | |
shell: bash | |
env: | |
PRIVATE_KEY: ${{ secrets.SSH_KEY }} | |
run: | | |
echo "${PRIVATE_KEY}" > $SSH_KEY | |
chmod 600 $SSH_KEY | |
- name: Upload DMG | |
if: ${{ matrix.destination.uploadto == 'dmg' }} | |
run: python .github/upload_file.py --src ${PWD}/kiwix-${VERSION}.dmg --dest [email protected]:30022/data/download/${UPLOAD_FOLDER} --ssh-key ${SSH_KEY} | |
- name: Upload IPA | |
if: ${{ matrix.destination.uploadto == 'ipa' }} | |
run: | | |
mv ${PWD}/export/Kiwix.ipa ${PWD}/export/kiwix-${VERSION}.ipa | |
python .github/upload_file.py --src ${PWD}/export/kiwix-${VERSION}.ipa --dest [email protected]:30022/data/download/${UPLOAD_FOLDER} --ssh-key ${SSH_KEY} |