Merge pull request #698 from radixdlt/bugfix/ABW-2644-lsu-details #708
# Workflow header: display name and the three events that can start a run.
# Which job actually executes is decided by the per-job `if:` conditions.
name: 'App releases'

on:
  # Every push to the main branch.
  push:
    branches: ['main']
  # A GitHub release being published (pre-release or full release).
  release:
    types: ['published']
  # Manual run from the Actions UI; the operator picks a deployment track.
  workflow_dispatch:
    inputs:
      track:
        description: 'Which track do you want to deploy to'
        required: true
        type: choice
        options: ['Firebase Dev']
        default: 'Firebase Dev'
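# Release jobs. Each job selects itself through its `if:` condition; the two
# Google Play jobs additionally bind to a GitHub environment.
#
# NOTE(review), supply chain: the actions/*, ruby/setup-ruby and snyk steps are
# pinned to full commit SHAs, but fetch-secrets (@main), ghaction-dump-context
# (@master), base64-to-file (@main) and upload-release-action (@master) follow
# mutable branch refs. Those steps run in jobs that hold `id-token: write` and
# release/signing secrets, so they should be pinned to reviewed commit SHAs
# as well.
jobs:
  firebase_alpha:
    # Runs on a push to main, or on a manual dispatch that selects 'Firebase Dev'.
    if: >
      ( github.ref == 'refs/heads/main' && github.event_name == 'push' ) ||
      ( github.event.inputs.track == 'Firebase Dev' && github.event_name == 'workflow_dispatch' )
    name: "Publish to Firebase Dev"
    runs-on: ubuntu-latest
    permissions:
      # presumably used by fetch-secrets to assume `role_name` via OIDC — confirm
      id-token: write
      contents: read
      # NOTE(review): no step visible in this job reads pull requests; drop if unused
      pull-requests: read
    steps:
      - name: Fetch Radixbot push commit token
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main  # unpinned (@main)
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'gpc-alpha-1'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token"
          parse_json: true
      # Checks out with the bot PAT instead of the default token. With checkout's
      # default settings the token stays in the local git config for later steps.
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }}
      # NOTE(review): this runs after the push PAT has been placed in the job
      # environment; confirm the action's log output cannot include env values
      # and that fetch-secrets registers its values for log masking.
      - name: Dump context
        uses: RDXWorks-actions/ghaction-dump-context@master  # unpinned (@master)
      - name: Download Ruby (action)
        uses: ruby/setup-ruby@8575951200e472d5f2d95c625da0c7bec8217c42
        with:
          ruby-version: '3.1.2'
          bundler-cache: true
      - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
        with:
          distribution: 'zulu' # See 'Supported distributions' for available options
          java-version: '17'
      - name: Fetch Firebase App ID
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main  # unpinned (@main)
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'babylon-wallet-android'
          step_name: 'push-app-id'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/firebase/secrets"
          parse_json: true
      # Writes the base64-encoded service-account JSON to a file; the resulting
      # path is consumed below as GOOGLE_APPLICATION_CREDENTIALS.
      - name: Decode Google Service account credentials
        uses: RDXWorks-actions/base64-to-file@main  # unpinned (@main)
        id: google_application_credentials
        with:
          fileName: "service_account.json"
          encodedString: ${{ env.GH_GOOGLE_SERVICE_ACCOUNT_JSON_FILE_BASE64 }}
      - name: Fetch GPR credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main  # unpinned (@main)
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'firebase-dev'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
          parse_json: true
      - name: Distribute Alpha to Firebase
        # Shell variables are quoted so a value containing spaces or glob
        # characters cannot be split into extra git arguments.
        # NOTE(review): user.email is set to the same value as user.name — confirm intended.
        run: |
          git config user.name "$GIT_USER"
          git config user.email "$GIT_USER"
          bundle exec fastlane deployFirebaseAlpha
          echo "### Distributed to Firebase Dev! :rocket:" >> "$GITHUB_STEP_SUMMARY"
        env:
          FIREBASE_APP_ID: ${{ env.GH_FIREBASE_DEV_APP_ID }}
          GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.google_application_credentials.outputs.filePath }}
          GROUPS: "alpha-devs"
          GIT_USER: ${{ env.GH_GPR_USER }}
          GPR_USER: ${{ env.GH_GPR_USER }}
          GPR_TOKEN: ${{ env.GH_GPR_TOKEN }}

  google_play_alpha_release:
    # Runs only for published releases that are marked as pre-release.
    if: ${{ github.event_name == 'release' && github.event.release.prerelease == true }}
    name: "Publish Google Play Alpha"
    runs-on: ubuntu-latest
    # Any protection rules configured on this environment gate the job.
    environment: pre-release
    permissions:
      # presumably used by fetch-secrets to assume `role_name` via OIDC — confirm
      id-token: write
      contents: read
      # NOTE(review): confirm the local google-play-common action needs this scope
      pull-requests: read
    steps:
      - name: Fetch Radixbot push commit token
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main  # unpinned (@main)
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'gpc-alpha-1'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token"
          parse_json: true
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }}
      - name: Fetch GPR credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main  # unpinned (@main)
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'gpc-alpha'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
          parse_json: true
      # Repository-local composite/action; its contents are not visible here.
      - uses: ./.github/actions/google-play-common
        with:
          gpc_track: "alpha"
          secret_arn: "arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets-OEmdRj"
          radix_bot_username: ${{ env.GH_GPR_USER }}
          gpr_user: ${{ env.GH_GPR_USER }}
          gpr_token: ${{ env.GH_GPR_TOKEN }}
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'

  google_play_production_release:
    # Runs only for published releases that are NOT marked as pre-release.
    if: ${{ github.event_name == 'release' && github.event.release.prerelease == false }}
    name: "Publish Google Play Production"
    runs-on: ubuntu-latest
    # Any protection rules configured on this environment gate the job.
    environment: release
    permissions:
      # presumably used by fetch-secrets to assume `role_name` via OIDC — confirm
      id-token: write
      contents: read
      # NOTE(review): confirm the local google-play-common action needs this scope
      pull-requests: read
    steps:
      # NOTE(review): the step_name values below reuse the alpha job's labels
      # ('gpc-alpha-1', 'gpc-alpha'); if fetch-secrets uses them for session or
      # audit naming, production runs will be indistinguishable from alpha runs.
      - name: Fetch Radixbot push commit token
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main  # unpinned (@main)
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'gpc-alpha-1'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token"
          parse_json: true
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }}
      - name: Fetch GPR credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main  # unpinned (@main)
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'gpc-alpha'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
          parse_json: true
      # NOTE(review): the alpha job's secret_arn ends in a '-OEmdRj' suffix while
      # this one has none — confirm both resolve to the intended secret.
      - uses: ./.github/actions/google-play-common
        with:
          gpc_track: "production"
          secret_arn: "arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets"
          radix_bot_username: ${{ env.GH_GPR_USER }}
          gpr_user: ${{ env.GH_GPR_USER }}
          gpr_token: ${{ env.GH_GPR_TOKEN }}
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'

  publish_sbom:
    runs-on: ubuntu-latest
    # Runs for every published release, pre-release or not.
    if: ${{ github.event_name == 'release' }}
    permissions:
      # presumably used by fetch-secrets to assume `role_name` via OIDC — confirm
      id-token: write
      # write access: the last step attaches sbom.json to the release
      contents: write
      # NOTE(review): no step visible in this job reads pull requests; drop if unused
      pull-requests: read
    name: Publish SBOM
    steps:
      # No later step in this job runs git against the remote, so the
      # write-scoped token is not left behind in the local git config.
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          persist-credentials: false
      - name: Fetch Snyk credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main  # unpinned (@main)
        with:
          role_name: '${{ secrets.COMMON_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'snyk-sbom'
          secret_prefix: 'SNYK'
          secret_name: "github-actions/common/snyk-credentials"
          parse_json: true
      - name: Fetch Keystore credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main  # unpinned (@main)
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'babylon-wallet-android'
          step_name: 'snyk-keystore'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets"
          parse_json: true
      - name: Fetch Google service account credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main  # unpinned (@main)
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'babylon-wallet-android-sa'
          step_name: 'snyk-sa'
          secret_prefix: 'GH_GOOGLE_SERVICE_ACCOUNT_JSON_FILE'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/service-account-json-file"
          parse_json: false
      - name: Fetch keystore.asc value
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main  # unpinned (@main)
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'babylon-wallet-android-sa'
          step_name: 'snyk-keystore-asc'
          secret_prefix: 'GH_KEYSTORE_ENCRYPTED_BASE64'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/keystore-asc"
          parse_json: false
      # Decrypts the release keystore and writes keystore.properties next to it.
      # Secrets reach the script as environment variables rather than through
      # `${{ }}` expansion inside `run:`: expansion pastes the raw value into the
      # generated script, where a quote, `$` or backtick in the value changes the
      # command that runs. The passphrase goes to gpg on stdin so it does not
      # appear in the process argument list.
      # The decrypted keystore and properties file stay in the workspace for the
      # remaining steps of this job.
      - name: Decode release keystore credentials
        shell: bash
        env:
          KEYSTORE_ENCRYPTED_BASE64: ${{ env.GH_KEYSTORE_ENCRYPTED_BASE64 }}
          KEYSTORE_PASSPHRASE: ${{ env.GH_KEYSTORE_PASSPHRASE }}
          KEYSTORE_ALIAS: ${{ env.GH_KEYSTORE_ALIAS }}
          KEYSTORE_KEY_PASSWORD: ${{ env.GH_KEYSTORE_KEY_PASSWORD }}
          KEYSTORE_PASSWORD: ${{ env.GH_KEYSTORE_PASSWORD }}
        run: |
          mkdir -p config/signing/release
          printf '%s\n' "$KEYSTORE_ENCRYPTED_BASE64" > keystore.asc
          printf '%s' "$KEYSTORE_PASSPHRASE" |
            gpg --batch --passphrase-fd 0 -d keystore.asc > config/signing/release/keystore.jks
          printf 'keyAlias=%s\n' "$KEYSTORE_ALIAS" > config/signing/release/keystore.properties
          printf 'keyPassword=%s\n' "$KEYSTORE_KEY_PASSWORD" >> config/signing/release/keystore.properties
          printf 'storeFile=%s\n' "../config/signing/release/keystore.jks" >> config/signing/release/keystore.properties
          printf 'storePassword=%s\n' "$KEYSTORE_PASSWORD" >> config/signing/release/keystore.properties
      - name: Generate SBOM
        uses: snyk/actions/gradle-jdk17@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
          command: sbom
        env:
          SNYK_TOKEN: ${{ env.SNYK_TOKEN }}
          RADIX_DEBUG_PREVIEW_KEYSTORE_FILE: config/signing/release/keystore.jks
      # NOTE(review): this step hands the job's GITHUB_TOKEN (contents: write) to
      # an action tracked by branch name; pinning it to a commit SHA matters most here.
      - name: Upload SBOM
        uses: RDXWorks-actions/upload-release-action@master  # unpinned (@master)
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: sbom.json
          tag: ${{ github.ref }}
          overwrite: true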