ci: add release workflows #959
Open
ovitrif wants to merge 12 commits into master from feat/reproducible-builds
Commits
1296607 ci: add release workflows (ovitrif)
4c1b820 chore: add dummy google-services.json (ovitrif)
e3e8a7a ci: add reproducible release workflow (ovitrif)
5d368ac ci: fix reproducible workflow checks (ovitrif)
602ee4c ci: add aapt2 verification metadata (ovitrif)
bf45354 ci: rename release workflow (ovitrif)
3b24fd1 ci: select latest release bundle (ovitrif)
c02a77f ci: add ksp verification metadata (ovitrif)
26f4f24 ci: fix comparison artifact flow (ovitrif)
56cc5b3 ci: use debug firebase config paths (ovitrif)
a12664b ci: remove verification metadata (ovitrif)
02bd93f ci: address release review comments (ovitrif)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| name: Release Internal | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| push: | ||
| tags: | ||
| - 'v*' | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: false | ||
|
|
||
| env: | ||
| TERM: xterm-256color | ||
| FORCE_COLOR: 1 | ||
|
|
||
| jobs: | ||
| build-internal: | ||
| if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-') || startsWith(github.ref, 'refs/tags/v') | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 45 | ||
| environment: release-internal | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Java | ||
| uses: actions/setup-java@v5 | ||
| with: | ||
| java-version: '17' | ||
| distribution: 'adopt' | ||
|
|
||
| - name: Setup Gradle | ||
| uses: gradle/actions/setup-gradle@v5 | ||
|
|
||
| - name: Decode mainnet release google-services.json | ||
| env: | ||
| MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64: ${{ secrets.MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64 }} | ||
| run: | | ||
| set -euo pipefail | ||
| test -n "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64" | ||
| mkdir -p app/src/mainnetRelease | ||
| printf '%s' "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64" | base64 --decode > app/src/mainnetRelease/google-services.json | ||
|
|
||
| - name: Decode internal keystore | ||
| env: | ||
| INTERNAL_KEYSTORE_BASE64: ${{ secrets.INTERNAL_KEYSTORE_BASE64 }} | ||
| run: | | ||
| set -euo pipefail | ||
| test -n "$INTERNAL_KEYSTORE_BASE64" | ||
| umask 077 | ||
| keystore_path="$RUNNER_TEMP/internal.keystore" | ||
| printf '%s' "$INTERNAL_KEYSTORE_BASE64" | base64 --decode > "$keystore_path" | ||
| echo "KEYSTORE_FILE=$keystore_path" >> "$GITHUB_ENV" | ||
|
|
||
| - name: Build internal release APK | ||
| env: | ||
| GPR_USER: ${{ secrets.GPR_USER || github.actor }} | ||
| GPR_TOKEN: ${{ secrets.GPR_TOKEN || github.token }} | ||
| GITHUB_TOKEN: ${{ secrets.GPR_TOKEN || github.token }} | ||
| KEYSTORE_PASSWORD: ${{ secrets.INTERNAL_KEYSTORE_PASSWORD }} | ||
| KEY_ALIAS: ${{ secrets.INTERNAL_KEY_ALIAS }} | ||
| KEY_PASSWORD: ${{ secrets.INTERNAL_KEY_PASSWORD }} | ||
| run: ./gradlew assembleMainnetRelease --no-daemon --stacktrace | ||
|
|
||
| - name: Collect internal artifacts | ||
| id: artifacts | ||
| run: | | ||
| set -euo pipefail | ||
| artifact_dir="$RUNNER_TEMP/internal-release" | ||
| mkdir -p "$artifact_dir" | ||
| find app/build/outputs/apk/mainnet/release -name 'bitkit-mainnet-release-*.apk' -print0 | | ||
| xargs -0 -I {} cp {} "$artifact_dir/" | ||
| (cd "$artifact_dir" && sha256sum *.apk > SHA256SUMS.txt) | ||
| echo "artifact_dir=$artifact_dir" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Upload internal artifacts | ||
| uses: actions/upload-artifact@v6 | ||
| with: | ||
| name: bitkit-internal-release-${{ github.run_number }} | ||
| path: ${{ steps.artifacts.outputs.artifact_dir }} | ||
| retention-days: 30 |
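
Review bot: the actions in this job are referenced by mutable major tags (actions/checkout@v6, actions/setup-java@v5, gradle/actions/setup-gradle@v5, actions/upload-artifact@v6) while the later steps decode the internal signing keystore and pass KEYSTORE_PASSWORD, KEY_ALIAS and KEY_PASSWORD to Gradle. A retagged action would run with access to those secrets, so pin each uses: to a full commit SHA and keep the version in a trailing comment. The Checkout step also runs with its defaults, which leaves the token configured for git during the Gradle build; nothing in this job pushes back to the repository, so persist-credentials: false can be set on it.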
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| name: Release | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| push: | ||
| tags: | ||
| - 'v*' | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: false | ||
|
|
||
| env: | ||
| TERM: xterm-256color | ||
| FORCE_COLOR: 1 | ||
|
|
||
| jobs: | ||
| build-release: | ||
| if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-') || startsWith(github.ref, 'refs/tags/v') | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 45 | ||
| environment: release | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Java | ||
| uses: actions/setup-java@v5 | ||
| with: | ||
| java-version: '17' | ||
| distribution: 'adopt' | ||
|
|
||
| - name: Setup Gradle | ||
| uses: gradle/actions/setup-gradle@v5 | ||
|
|
||
| - name: Decode mainnet release google-services.json | ||
| env: | ||
| MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64: ${{ secrets.MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64 }} | ||
| run: | | ||
| set -euo pipefail | ||
| test -n "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64" | ||
| mkdir -p app/src/mainnetRelease | ||
| printf '%s' "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64" | base64 --decode > app/src/mainnetRelease/google-services.json | ||
|
|
||
| - name: Decode release keystore | ||
| env: | ||
| BITKIT_KEYSTORE_BASE64: ${{ secrets.BITKIT_KEYSTORE_BASE64 }} | ||
| run: | | ||
| set -euo pipefail | ||
| test -n "$BITKIT_KEYSTORE_BASE64" | ||
| umask 077 | ||
| keystore_path="$RUNNER_TEMP/bitkit.keystore" | ||
| printf '%s' "$BITKIT_KEYSTORE_BASE64" | base64 --decode > "$keystore_path" | ||
| echo "KEYSTORE_FILE=$keystore_path" >> "$GITHUB_ENV" | ||
|
|
||
| - name: Build release artifacts | ||
| env: | ||
| GPR_USER: ${{ secrets.GPR_USER || github.actor }} | ||
| GPR_TOKEN: ${{ secrets.GPR_TOKEN || github.token }} | ||
| GITHUB_TOKEN: ${{ secrets.GPR_TOKEN || github.token }} | ||
| KEYSTORE_PASSWORD: ${{ secrets.BITKIT_KEYSTORE_PASSWORD }} | ||
| KEY_ALIAS: ${{ secrets.BITKIT_KEY_ALIAS }} | ||
| KEY_PASSWORD: ${{ secrets.BITKIT_KEY_PASSWORD }} | ||
| run: ./gradlew assembleMainnetRelease bundleMainnetRelease --no-daemon --stacktrace | ||
|
|
||
| - name: Collect release artifacts | ||
| id: artifacts | ||
| run: | | ||
| set -euo pipefail | ||
| artifact_dir="$RUNNER_TEMP/release" | ||
| mkdir -p "$artifact_dir" | ||
| find app/build/outputs/bundle/mainnetRelease -name 'bitkit-mainnet-release-*.aab' -print0 | | ||
| xargs -0 -I {} cp {} "$artifact_dir/" | ||
| find app/build/outputs/apk/mainnet/release -name 'bitkit-mainnet-release-*.apk' -print0 | | ||
| xargs -0 -I {} cp {} "$artifact_dir/" | ||
| (cd "$artifact_dir" && sha256sum *.aab *.apk > SHA256SUMS.txt) | ||
| echo "artifact_dir=$artifact_dir" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Upload release artifacts | ||
| uses: actions/upload-artifact@v6 | ||
| with: | ||
| name: bitkit-release-${{ github.run_number }} | ||
| path: ${{ steps.artifacts.outputs.artifact_dir }} | ||
| retention-days: 30 |
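
Review bot: the job-level if: accepts refs/heads/master and refs/heads/release-* as well as v* tags, so a workflow_dispatch run can produce an APK and AAB signed with the BITKIT keystore from a commit that was never tagged, and the artifact name bitkit-release-${{ github.run_number }} does not record which ref or commit it was built from. Consider restricting this workflow to startsWith(github.ref, 'refs/tags/v'), or at least writing github.sha and github.ref_name into the artifact directory next to SHA256SUMS.txt in the Collect release artifacts step, so every production-signed file can be traced back to a source revision.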
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,119 @@ | ||
| name: Reproducible Release | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| comparison_artifact_name: | ||
| description: Optional artifact name to compare against with diffoscope | ||
| required: false | ||
| default: '' | ||
| comparison_run_id: | ||
| description: Workflow run id that produced the comparison artifact | ||
| required: false | ||
| default: '' | ||
| push: | ||
| tags: | ||
| - 'v*' | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: false | ||
|
|
||
| env: | ||
| TERM: xterm-256color | ||
| FORCE_COLOR: 1 | ||
|
|
||
| jobs: | ||
| reproduce-mainnet: | ||
| if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-') || startsWith(github.ref, 'refs/tags/v') | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 60 | ||
| environment: release | ||
|
|
||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| packages: read | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Java | ||
| uses: actions/setup-java@v5 | ||
| with: | ||
| java-version: '17' | ||
| distribution: 'adopt' | ||
|
|
||
| - name: Setup Gradle | ||
| uses: gradle/actions/setup-gradle@v5 | ||
|
|
||
| - name: Decode mainnet release google-services.json | ||
| env: | ||
| MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64: ${{ secrets.MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64 }} | ||
| run: | | ||
| set -euo pipefail | ||
| test -n "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64" | ||
| mkdir -p app/src/mainnetRelease | ||
| printf '%s' "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64" | base64 --decode > app/src/mainnetRelease/google-services.json | ||
|
|
||
| - name: Decode release keystore | ||
| env: | ||
| BITKIT_KEYSTORE_BASE64: ${{ secrets.BITKIT_KEYSTORE_BASE64 }} | ||
| run: | | ||
| set -euo pipefail | ||
| test -n "$BITKIT_KEYSTORE_BASE64" | ||
| umask 077 | ||
| keystore_path="$RUNNER_TEMP/bitkit.keystore" | ||
| printf '%s' "$BITKIT_KEYSTORE_BASE64" | base64 --decode > "$keystore_path" | ||
| echo "KEYSTORE_FILE=$keystore_path" >> "$GITHUB_ENV" | ||
|
|
||
| - name: Validate comparison inputs | ||
| if: ${{ github.event_name == 'workflow_dispatch' && inputs.comparison_artifact_name != '' }} | ||
| env: | ||
| COMPARISON_RUN_ID: ${{ inputs.comparison_run_id }} | ||
| run: | | ||
| set -euo pipefail | ||
| test -n "$COMPARISON_RUN_ID" | ||
|
|
||
| - name: Download comparison artifact | ||
| if: ${{ github.event_name == 'workflow_dispatch' && inputs.comparison_artifact_name != '' }} | ||
| uses: actions/download-artifact@v6 | ||
| with: | ||
| name: ${{ inputs.comparison_artifact_name }} | ||
| path: ${{ runner.temp }}/comparison | ||
| github-token: ${{ github.token }} | ||
|
ovitrif marked this conversation as resolved.
|
||
| repository: ${{ github.repository }} | ||
| run-id: ${{ inputs.comparison_run_id }} | ||
|
|
||
| - name: Install diffoscope | ||
| if: ${{ github.event_name == 'workflow_dispatch' && inputs.comparison_artifact_name != '' }} | ||
| run: | | ||
| set -euo pipefail | ||
| sudo apt-get update | ||
| sudo apt-get install -y diffoscope | ||
|
|
||
| - name: Build reproducibility artifacts | ||
| env: | ||
| GPR_USER: ${{ secrets.GPR_USER || github.actor }} | ||
| GPR_TOKEN: ${{ secrets.GPR_TOKEN || github.token }} | ||
| GITHUB_TOKEN: ${{ secrets.GPR_TOKEN || github.token }} | ||
| KEYSTORE_PASSWORD: ${{ secrets.BITKIT_KEYSTORE_PASSWORD }} | ||
| KEY_ALIAS: ${{ secrets.BITKIT_KEY_ALIAS }} | ||
| KEY_PASSWORD: ${{ secrets.BITKIT_KEY_PASSWORD }} | ||
| OUTPUT_DIR: ${{ runner.temp }}/reproducible-release | ||
| run: | | ||
| set -euo pipefail | ||
| if [ -d "$RUNNER_TEMP/comparison/extracted-apks" ]; then | ||
| export DIFFOSCOPE_COMPARE_DIR="$RUNNER_TEMP/comparison/extracted-apks" | ||
| elif [ -d "$RUNNER_TEMP/comparison" ]; then | ||
| export DIFFOSCOPE_COMPARE_DIR="$RUNNER_TEMP/comparison" | ||
|
ovitrif marked this conversation as resolved.
|
||
| fi | ||
| scripts/reproduce-release.sh | ||
|
|
||
| - name: Upload reproducibility artifacts | ||
| uses: actions/upload-artifact@v6 | ||
| with: | ||
| name: bitkit-reproducible-release-${{ github.run_number }} | ||
| path: ${{ runner.temp }}/reproducible-release | ||
| retention-days: 30 | ||
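
Review bot: this job decodes BITKIT_KEYSTORE_BASE64 and hands KEYSTORE_PASSWORD, KEY_ALIAS and KEY_PASSWORD to scripts/reproduce-release.sh, which gives the reproducibility check the same production signing key as the Release workflow on every v* tag. If the script only compares unsigned or signature-stripped outputs, drop the Decode release keystore step and the three signing variables so the key is exposed in one workflow only; if it does need to sign, state why in a comment on that step. In the Validate comparison inputs step, test -n "$COMPARISON_RUN_ID" only rejects an empty value, so a numeric check there would fail earlier and more clearly than the download step. The Install diffoscope step takes whatever version apt provides; since the diffoscope report is the evidence this workflow produces, pin the version or record the output of diffoscope --version alongside the uploaded artifacts.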