Merge pull request #774 from radixdlt/fix/ABW-2846-guarantees #791

Workflow file for this run

.github/workflows/publish_releases.yml at c44540b

	name: "App releases"

	on:
	push:
	branches:
	- "main"
	release:
	types:
	- "published"
	workflow_dispatch:
	inputs:
	track:
	description: "Which track do you want to deploy to"
	required: true
	type: choice
	options:
	- 'Firebase Dev'
	- 'Firebase Release'
	default: 'Firebase Dev'

	jobs:

	firebase_alpha:
	if: >
	( github.ref == 'refs/heads/main' && github.event_name == 'push' ) \|\|
	( github.event.inputs.track == 'Firebase Dev' && github.event_name == 'workflow_dispatch' )
	name: "Publish to Firebase Dev"
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: read
	pull-requests: read
	steps:
	- name: Fetch Radixbot push commit token
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'wallet-android'
	step_name: 'gpc-alpha-1'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token"
	parse_json: true

	- uses: RDXWorks-actions/checkout@main
	with:
	token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }}

	- name: Dump context
	uses: RDXWorks-actions/ghaction-dump-context@master

	- name: Download Ruby (action)
	uses: RDXWorks-actions/setup-ruby@master
	with:
	ruby-version: '3.1.2'
	bundler-cache: true

	- uses: RDXWorks-actions/setup-java@main
	with:
	distribution: 'zulu' # See 'Supported distributions' for available options
	java-version: '17'

	- name: Fetch Firebase App ID
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'babylon-wallet-android'
	step_name: 'push-app-id'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/firebase/secrets"
	parse_json: true

	- name: Decode Google Service account credentials
	uses: RDXWorks-actions/base64-to-file@main
	id: google_application_credentials
	with:
	fileName: "service_account.json"
	encodedString: ${{ env.GH_GOOGLE_SERVICE_ACCOUNT_JSON_FILE_BASE64 }}

	- name: Decode Firebase Crashlytics json
	uses: timheuer/base64-to-file@48657ba25c726c2e3dcf02efa3639fff9b3d587e
	id: crashlytics_credentials
	with:
	fileName: "google-services.json"
	fileDir: "app/"
	encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}

	- name: Fetch GPR credentials
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'wallet-android'
	step_name: 'firebase-dev'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
	parse_json: true

	- name: Distribute Alpha to Firebase
	run: \|
	git config user.name $GIT_USER
	git config user.email $GIT_USER
	bundle exec fastlane deployFirebaseAlpha
	echo "### Distributed to Firebase Dev! :rocket:" >> $GITHUB_STEP_SUMMARY
	env:
	FIREBASE_APP_ID: ${{ env.GH_FIREBASE_DEV_APP_ID }}
	GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.google_application_credentials.outputs.filePath }}
	GROUPS: "alpha-devs"
	GIT_USER: ${{ env.GH_GPR_USER }}
	GPR_USER: ${{ env.GH_GPR_USER }}
	GPR_TOKEN: ${{ env.GH_GPR_TOKEN }}

	firebase_release:
	if: >
	( github.event_name == 'release' && github.event.release.prerelease == false ) \|\|
	( github.event.inputs.track == 'Firebase Release' && github.event_name == 'workflow_dispatch' )
	name: "Publish to Firebase Release"
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: read
	pull-requests: read
	steps:
	- name: Fetch Radixbot push commit token
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'wallet-android'
	step_name: 'gpc-release-1'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token"
	parse_json: true

	- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
	with:
	token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }}

	- name: Dump context
	uses: RDXWorks-actions/ghaction-dump-context@master

	- name: Download Ruby (action)
	uses: ruby/setup-ruby@8575951200e472d5f2d95c625da0c7bec8217c42
	with:
	ruby-version: '3.1.2'
	bundler-cache: true

	- uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
	with:
	distribution: 'zulu' # See 'Supported distributions' for available options
	java-version: '17'

	- name: Fetch Firebase Release App ID
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'babylon-wallet-android'
	step_name: 'fetch-app-id'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/firebase/secrets"
	parse_json: true

	- name: Decode Google Service account credentials
	uses: RDXWorks-actions/base64-to-file@main
	id: google_application_credentials
	with:
	fileName: "service_account.json"
	encodedString: ${{ env.GH_GOOGLE_SERVICE_ACCOUNT_JSON_FILE_BASE64 }}

	- name: Fetch GPR credentials
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'wallet-android'
	step_name: 'firebase-release'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
	parse_json: true

	- name: Fetch Keystore credentials
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'babylon-wallet-android'
	step_name: 'snyk-keystore'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets"
	parse_json: true

	- name: Fetch keystore.asc value
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'babylon-wallet-android-sa'
	step_name: 'snyk-keystore-asc'
	secret_prefix: 'GH_KEYSTORE_ENCRYPTED_BASE64'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/keystore-asc"
	parse_json: false

	- name: Decode release keystore credentials
	shell: bash
	run: \|
	mkdir config/signing/release
	echo "${{ env.GH_KEYSTORE_ENCRYPTED_BASE64 }}" > keystore.asc
	gpg -d --passphrase "${{ env.GH_KEYSTORE_PASSPHRASE }}" --batch keystore.asc > config/signing/release/keystore.jks

	echo "keyAlias=${{ env.GH_KEYSTORE_ALIAS }}" > config/signing/release/keystore.properties
	echo "keyPassword=${{ env.GH_KEYSTORE_KEY_PASSWORD }}" >> config/signing/release/keystore.properties
	echo "storeFile=../config/signing/release/keystore.jks" >> config/signing/release/keystore.properties
	echo "storePassword=${{ env.GH_KEYSTORE_PASSWORD }}" >> config/signing/release/keystore.properties

	- name: Distribute Release to Firebase
	run: \|
	git config user.name $GIT_USER
	git config user.email $GIT_USER
	bundle exec fastlane deployFirebaseRelease
	echo "### Distributed to Firebase Release! :rocket:" >> $GITHUB_STEP_SUMMARY
	env:
	FIREBASE_APP_ID: ${{ env.GH_FIREBASE_RELEASE_APP_ID }}
	GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.google_application_credentials.outputs.filePath }}
	GROUPS: "alpha-devs"
	GIT_USER: ${{ env.GH_GPR_USER }}
	GPR_USER: ${{ env.GH_GPR_USER }}
	GPR_TOKEN: ${{ env.GH_GPR_TOKEN }}

	google_play_alpha_release:
	if: ${{ github.event_name == 'release' && github.event.release.prerelease == true }}
	name: "Publish Google Play Alpha"
	runs-on: ubuntu-latest
	environment: pre-release
	permissions:
	id-token: write
	contents: read
	pull-requests: read
	steps:
	- name: Fetch Radixbot push commit token
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'wallet-android'
	step_name: 'gpc-alpha-1'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token"
	parse_json: true

	- uses: RDXWorks-actions/checkout@main
	with:
	token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }}

	- name: Fetch GPR credentials
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'wallet-android'
	step_name: 'gpc-alpha'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
	parse_json: true

	- name: Fetch Crashlytics info
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'wallet-android'
	step_name: 'gplay-crash'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics"
	parse_json: true

	- name: Decode Firebase Crashlytics json
	uses: timheuer/base64-to-file@48657ba25c726c2e3dcf02efa3639fff9b3d587e
	id: crashlytics_credentials
	with:
	fileName: "google-services.json"
	fileDir: "app/"
	encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}

	- uses: ./.github/actions/google-play-common
	with:
	gpc_track: "alpha"
	secret_arn: "arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets-OEmdRj"
	radix_bot_username: ${{ env.GH_GPR_USER }}
	gpr_user: ${{ env.GH_GPR_USER }}
	gpr_token: ${{ env.GH_GPR_TOKEN }}
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'

	google_play_production_release:
	if: ${{ github.event_name == 'release' && github.event.release.prerelease == false }}
	name: "Publish Google Play Production"
	runs-on: ubuntu-latest
	environment: release
	permissions:
	id-token: write
	contents: read
	pull-requests: read
	steps:
	- name: Fetch Radixbot push commit token
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'wallet-android'
	step_name: 'gpc-alpha-1'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/push-pat-token"
	parse_json: true

	- uses: RDXWorks-actions/checkout@main
	with:
	token: ${{ env.GH_RADIXBOT_PUSH_COMMIT_PAT_TOKEN }}

	- name: Fetch GPR credentials
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'wallet-android'
	step_name: 'gpc-alpha'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
	parse_json: true

	- name: Fetch Crashlytics info
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'wallet-android'
	step_name: 'gplay-crash'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics"
	parse_json: true

	- name: Decode Firebase Crashlytics json
	uses: timheuer/base64-to-file@48657ba25c726c2e3dcf02efa3639fff9b3d587e
	id: crashlytics_credentials
	with:
	fileName: "google-services.json"
	fileDir: "app/"
	encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}

	- uses: ./.github/actions/google-play-common
	with:
	gpc_track: "production"
	secret_arn: "arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets"
	radix_bot_username: ${{ env.GH_GPR_USER }}
	gpr_user: ${{ env.GH_GPR_USER }}
	gpr_token: ${{ env.GH_GPR_TOKEN }}
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'

	publish_sbom:
	runs-on: ubuntu-latest
	if: ${{ github.event_name == 'release' }}
	permissions:
	id-token: write
	contents: write
	pull-requests: read
	name: Publish SBOM
	steps:
	- uses: RDXWorks-actions/checkout@main

	- name: Fetch Snyk credentials
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.COMMON_SECRETS_READ_IAM_ROLE }}'
	app_name: 'wallet-android'
	step_name: 'snyk-sbom'
	secret_prefix: 'SNYK'
	secret_name: "github-actions/common/snyk-credentials"
	parse_json: true

	- name: Fetch Keystore credentials
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'babylon-wallet-android'
	step_name: 'snyk-keystore'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/secrets"
	parse_json: true

	- name: Fetch Google service account credentials
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'babylon-wallet-android-sa'
	step_name: 'snyk-sa'
	secret_prefix: 'GH_GOOGLE_SERVICE_ACCOUNT_JSON_FILE'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/service-account-json-file"
	parse_json: false

	- name: Fetch keystore.asc value
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'babylon-wallet-android-sa'
	step_name: 'snyk-keystore-asc'
	secret_prefix: 'GH_KEYSTORE_ENCRYPTED_BASE64'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/google-play-console/keystore-asc"
	parse_json: false

	- name: Fetch Crashlytics info
	uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
	app_name: 'wallet-android'
	step_name: 'gplay-crash'
	secret_prefix: 'GH'
	secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics"
	parse_json: true

	- name: Decode Firebase Crashlytics json
	uses: timheuer/base64-to-file@48657ba25c726c2e3dcf02efa3639fff9b3d587e
	id: crashlytics_credentials
	with:
	fileName: "google-services.json"
	fileDir: "app/"
	encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}

	- name: Decode release keystore credentials
	shell: bash
	run: \|
	mkdir config/signing/release
	echo "${{ env.GH_KEYSTORE_ENCRYPTED_BASE64 }}" > keystore.asc
	gpg -d --passphrase "${{ env.GH_KEYSTORE_PASSPHRASE }}" --batch keystore.asc > config/signing/release/keystore.jks

	echo "keyAlias=${{ env.GH_KEYSTORE_ALIAS }}" > config/signing/release/keystore.properties
	echo "keyPassword=${{ env.GH_KEYSTORE_KEY_PASSWORD }}" >> config/signing/release/keystore.properties
	echo "storeFile=../config/signing/release/keystore.jks" >> config/signing/release/keystore.properties
	echo "storePassword=${{ env.GH_KEYSTORE_PASSWORD }}" >> config/signing/release/keystore.properties

	- name: Generate SBOM
	uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
	with:
	args: --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
	command: sbom
	env:
	SNYK_TOKEN: ${{ env.SNYK_TOKEN }}
	RADIX_DEBUG_PREVIEW_KEYSTORE_FILE: config/signing/release/keystore.jks
	- name: Upload SBOM
	uses: RDXWorks-actions/upload-release-action@master
	with:
	repo_token: ${{ secrets.GITHUB_TOKEN }}
	file: sbom.json
	tag: ${{ github.ref }}
	overwrite: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #774 from radixdlt/fix/ABW-2846-guarantees #791

Workflow file

Merge pull request #774 from radixdlt/fix/ABW-2846-guarantees #791

Jobs

Run details

Workflow file for this run