Fix appstore publishing #632
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Artifact CI | |
on: | |
push: | |
env: | |
JAVA_VERSION: 22 | |
permissions: | |
contents: write | |
jobs: | |
build_bot_artifacts: | |
name: Build Discord Bot | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'oracle' | |
java-version: ${{ env.JAVA_VERSION }} | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@v4 | |
- run: ./gradlew assembleBot | |
- name: Upload plugin artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: plugin | |
path: bot/build/plugin/*.zip | |
- name: Upload plugin bot | |
uses: actions/upload-artifact@v4 | |
with: | |
name: bot | |
path: bot/build/distributions/*.zip | |
build_desktop_app: | |
name: Build Desktop App | |
strategy: | |
matrix: | |
os: [ ubuntu-latest, macos-14, windows-latest ] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: 'Set up latest JDK code tool jextract' | |
uses: oracle-actions/setup-java@v1 | |
if: matrix.os == 'windows-latest' | |
with: | |
website: jdk.java.net | |
release: jextract | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'oracle' | |
java-version: ${{env.JAVA_VERSION}} | |
- uses: actions-rust-lang/setup-rust-toolchain@v1 | |
if: matrix.os == 'windows-latest' | |
with: | |
cache-workspaces: app/desktop/uwp_helper | |
# https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development#add-a-step-to-your-workflow | |
- name: Setup MacOS signing | |
if: matrix.os == 'macos-14' | |
env: | |
BUILD_CERTIFICATE_BASE64: ${{ secrets.MACOS_SIGNING_CERTIFICATE }} | |
P12_PASSWORD: ${{ secrets.MAC_SIGNING_PASSWORD }} | |
KEYCHAIN_PASSWORD: ${{ secrets.MAC_SIGNING_PASSWORD }} | |
PASSWORD: ${{ secrets.APPLE_PASSWORD }} | |
INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_KEY }} | |
run: | | |
# create variables | |
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 | |
INSTALLER_CERTIFICATE_PATH=$RUNNER_TEMP/installer_certificate.p12 | |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
# import certificate and provisioning profile from secrets | |
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH | |
echo -n "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode -o INSTALLER_CERTIFICATE_PATH | |
# create temporary keychain | |
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# import certificate to keychain | |
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security import INSTALLER_CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security list-keychain -d user -s $KEYCHAIN_PATH | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@v4 | |
- run: ./gradlew packageReleaseDistributionForCurrentOS -Pcompose.desktop.mac.sign=true | |
shell: bash | |
- name: Package Linux Distribution | |
if: matrix.os == 'ubuntu-latest' | |
run: ./gradlew packageDistributable | |
- name: Setup MSbuild | |
if: matrix.os == 'windows-latest' | |
uses: microsoft/setup-msbuild@v2 | |
- name: Build MSIX | |
if: matrix.os == 'windows-latest' | |
run: | | |
& 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/makeappx.exe' pack /d app/desktop/build/msix-workspace /p Tonbrett.msix | |
- name: Notarize MacOS installer | |
if: matrix.os == 'macos-14' && startsWith(github.ref, 'refs/tags/') | |
env: | |
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }} | |
run: ./gradlew notarizeReleasePkg -Pcompose.desktop.mac.sign=true | |
- name: Upload distributions | |
uses: actions/upload-artifact@v4 | |
id: upload-artifact | |
with: | |
name: desktopapp-${{ matrix.os }} | |
path: | | |
*.msix | |
app/desktop/build/compose/binaries/main-release/deb/*.deb | |
app/desktop/build/compose/binaries/main-release/pkg/*.pkg | |
app/desktop/build/distributions/*.tar.gz | |
- name: Upload MSIX workspace | |
uses: actions/upload-artifact@v4 | |
if: matrix.os == 'windows-latest' | |
with: | |
name: msstore-workspace | |
path: app/desktop/build/MSStore-msix-workspace/* | |
build_android_app: | |
runs-on: ubuntu-latest | |
name: Build Android App | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'oracle' | |
java-version: ${{env.JAVA_VERSION}} | |
- name: Decode Keystore | |
uses: timheuer/base64-to-file@v1 | |
with: | |
fileName: 'android_keystore.jks' | |
fileDir: 'keystore' | |
encodedString: ${{ secrets.KEYSTORE }} | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@v4 | |
- env: | |
SIGNING_KEY_ALIAS: ${{ secrets.KEY_ALIAS }} | |
SIGNING_KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }} | |
SIGNING_STORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }} | |
run: ./gradlew :app:android:bundleRelease :app:android:assembleRelease | |
# https://github.com/r0adkll/sign-android-release/issues/84#issuecomment-1889636075 | |
- name: Setup build tool version variable | |
shell: bash | |
run: | | |
BUILD_TOOL_VERSION=$(ls /usr/local/lib/android/sdk/build-tools/ | tail -n 1) | |
echo "BUILD_TOOL_VERSION=$BUILD_TOOL_VERSION" >> $GITHUB_ENV | |
echo Last build tool version is: $BUILD_TOOL_VERSION | |
- uses: r0adkll/sign-android-release@v1 | |
id: sign_bundle | |
name: Sign AAB | |
with: | |
releaseDirectory: app/android/build/outputs/bundle/release/ | |
signingKeyBase64: ${{ secrets.KEYSTORE }} | |
alias: ${{ secrets.KEY_ALIAS }} | |
keyStorePassword: ${{ secrets.KEYSTORE_PASSWORD }} | |
keyPassword: ${{ secrets.KEY_PASSWORD }} | |
- uses: r0adkll/sign-android-release@v1 | |
id: sign_apk | |
name: Sign APK | |
env: | |
BUILD_TOOLS_VERSION: ${{ env.BUILD_TOOL_VERSION }} | |
with: | |
releaseDirectory: app/android/build/outputs/apk/release/ | |
signingKeyBase64: ${{ secrets.KEYSTORE }} | |
alias: ${{ secrets.KEY_ALIAS }} | |
keyStorePassword: ${{ secrets.KEYSTORE_PASSWORD }} | |
keyPassword: ${{ secrets.KEY_PASSWORD }} | |
- name: Upload APK | |
uses: actions/upload-artifact@v4 | |
with: | |
name: android-app | |
path: app/android/build/outputs/apk/release/*.apk | |
# https://github.com/r0adkll/upload-google-play/issues/188 | |
- uses: Abushawish/upload-google-play@master | |
name: Release on Play Store | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
serviceAccountJsonPlainText: ${{ secrets.SERVICE_ACCOUNT_JSON }} | |
packageName: dev.schlaubi.tonbrett.android | |
status: completed | |
releaseFiles: app/android/build/outputs/bundle/release/tonbrett-app-release.aab | |
#mappingFile: app/android/build/outputs/mapping/release/mapping.txt | |
track: alpha | |
release_to_msstore: | |
name: Publish to MSStore | |
runs-on: windows-latest | |
needs: [ build_desktop_app ] | |
if: startsWith(github.ref, 'refs/tags/') | |
steps: | |
- uses: actions/download-artifact@v4 | |
name: Download Artifacts from Windows | |
with: | |
name: msstore-workspace | |
- name: Setup MSbuild | |
uses: microsoft/setup-msbuild@v2 | |
- name: Configure the Microsoft Store CLI | |
run: | | |
Install-Module -Name StoreBroker -Force | |
- name: Build MSIX | |
run: | | |
& 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/makeappx.exe' pack /d . /p Tonbrett.msix | |
- name: Upload to MSStore | |
env: | |
CLIENT_ID: ${{ secrets.MS_CLIENT_ID }} | |
CLIENT_SECRET: ${{ secrets.MS_CLIENT_SECRET }} | |
run: | | |
# Login | |
$user = $Env:CLIENT_ID | |
$password = ConvertTo-SecureString $Env:CLIENT_SECRET -AsPlainText -Force | |
$Cred = New-Object System.Management.Automation.PSCredential($user, $password) | |
Set-StoreBrokerAuthentication -TenantId ${{ secrets.MS_TENANT_ID }} -Credential $Cred | |
$appId = "9P61S67DVWM2" | |
$global:SBDisableTelemetry = $true | |
# Create submission package | |
New-SubmissionPackage -ConfigPath .\submission.json -AppxPath .\Tonbrett.msix -OutPath out -OutName package | |
# Create new submission | |
$sub = New-ApplicationSubmission -AppId $appId -Force | |
# Parse submission meta | |
$json = (Get-Content out\package.json -Encoding UTF8) | ConvertFrom-Json | |
# Delete old packages | |
foreach ($package in $sub.applicationPackages) { | |
$package.fileStatus = "PendingDelete" | |
} | |
# add new packages | |
$sub.applicationPackages += $json.applicationPackages | |
# Upload submission meta | |
Set-ApplicationSubmission -AppId $appId -UpdatedSubmission $sub | |
# Upload submission package | |
Set-SubmissionPackage -PackagePath out\package.zip -UploadUrl ($sub.fileUploadUrl) | |
# Commit changes | |
Complete-ApplicationSubmission -AppId $appId -SubmissionId ($sub.id) | |
build_ios_app: | |
name: Deploy to test flight | |
runs-on: macos-14 | |
if: startsWith(github.ref, 'refs/tags/') | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: maxim-lobanov/setup-xcode@v1 | |
with: | |
xcode-version: '15.0' | |
- uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: '3.3' | |
bundler-cache: true | |
working-directory: 'app/ios' | |
- run: brew install xcodesorg/made/xcodes | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'oracle' | |
java-version: ${{ env.JAVA_VERSION }} | |
- uses: olegtarasov/get-tag@v2 | |
env: | |
ACTIONS_ALLOW_UNSECURE_COMMANDS: true | |
id: tagName | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@v4 | |
- name: Cache Kotlin Toolchain | |
uses: actions/cache@v4 | |
with: | |
path: ~/.konan/dependencies/cache | |
key: kotlin-native-toolchain--${{ hashFiles('gradle/libs.versions.toml') }} | |
- run: ./gradlew :app:ios:podInstall :app:ios:linkPodReleaseFrameworkIosArm64 | |
- name: Deploy iOS Beta to TestFlight via Fastlane | |
uses: maierj/fastlane-action@v3.1.0 | |
with: | |
subdirectory: app/ios | |
lane: closed_beta | |
env: | |
APP_STORE_CONNECT_TEAM_ID: '${{ secrets.APP_STORE_CONNECT_TEAM_ID }}' | |
DEVELOPER_APP_ID: '${{ secrets.DEVELOPER_APP_ID }}' | |
DEVELOPER_APP_IDENTIFIER: '${{ secrets.DEVELOPER_APP_IDENTIFIER }}' | |
DEVELOPER_PORTAL_TEAM_ID: '${{ secrets.DEVELOPER_PORTAL_TEAM_ID }}' | |
FASTLANE_APPLE_ID: '${{ secrets.FASTLANE_APPLE_ID }}' | |
FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD: '${{ secrets.FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD }}' | |
MATCH_PASSWORD: '${{ secrets.MATCH_PASSWORD }}' | |
GIT_AUTHORIZATION: '${{ secrets.GH_CERT_TOKEN }}' | |
PROVISIONING_PROFILE_SPECIFIER: '${{ secrets.PROVISIONING_PROFILE_SPECIFIER }}' | |
TEMP_KEYCHAIN_PASSWORD: '${{ secrets.TEMP_KEYCHAIN_PASSWORD }}' | |
TEMP_KEYCHAIN_USER: '${{ secrets.TEMP_KEYCHAIN_USER }}' | |
APPLE_KEY_ID: '${{ secrets.APPLE_KEY_ID }}' | |
APPLE_ISSUER_ID: '${{ secrets.APPLE_ISSUER_ID }}' | |
APPLE_KEY_CONTENT: '${{ secrets.APPLE_KEY_CONTENT }}' | |
create_release: | |
name: Create Release | |
runs-on: windows-latest # for some weird reason this job does not get picked on ubuntu | |
needs: [ build_bot_artifacts, build_desktop_app, build_android_app ] | |
if: startsWith(github.ref, 'refs/tags/') | |
outputs: | |
release_id: ${{ steps.release.outputs.id }} | |
steps: | |
- uses: actions/download-artifact@v4 | |
name: Download Artifacts from Ubuntu | |
with: | |
name: desktopapp-ubuntu-latest | |
- uses: actions/download-artifact@v4 | |
name: Download Artifacts from MacOS | |
with: | |
name: desktopapp-macos-14 | |
- uses: actions/download-artifact@v4 | |
name: Download Bot | |
with: | |
name: bot | |
- uses: actions/download-artifact@v4 | |
name: Download Plugin | |
with: | |
name: plugin | |
- uses: actions/download-artifact@v4 | |
name: Download Android App | |
with: | |
name: android-app | |
- name: Release | |
uses: softprops/action-gh-release@v2 | |
with: | |
files: | | |
app/desktop/build/compose/binaries/main-release/deb/*.deb | |
app/desktop/build/compose/binaries/main-release/pkg/*.pkg | |
app/desktop/build/distributions/*.tar.gz | |
*.zip | |
*-signed.apk | |
sign_windows_binary: | |
runs-on: windows-latest | |
needs: [create_release, build_desktop_app] | |
steps: | |
- uses: actions/download-artifact@v4 | |
name: Download Artifacts from Windows | |
with: | |
name: desktopapp-windows-latest | |
path: artifact | |
- name: Upload Artifact | |
id: upload | |
uses: actions/upload-artifact@v4 | |
with: | |
name: windows-unsigned | |
path: artifact/*.msix | |
- uses: SignPath/github-action-submit-signing-request@v1 | |
with: | |
api-token: ${{ secrets.SIGNPATH_KEY }} | |
organization-id: e6101c42-2f2b-468e-9bf4-225c01ba183f | |
project-slug: tonbrett | |
signing-policy-slug: release-signing | |
artifact-configuration-slug: tonbrett | |
github-artifact-id: '${{ steps.upload.outputs.artifact-id }}' | |
wait-for-completion-timeout-in-seconds: 36288000 # SignPath needs to manually validate this, so let's give this a week | |
output-artifact-directory: signed | |
- name: Update Release | |
uses: softprops/action-gh-release@v2 | |
with: | |
files: signed/Tonbrett.msix | |
- name: Upload to winget | |
uses: ./.github/workflows/winget |