Skip to content

Merge pull request #392 from slovensko-digital/fix/t-level-signature-… #656

Merge pull request #392 from slovensko-digital/fix/t-level-signature-…

Merge pull request #392 from slovensko-digital/fix/t-level-signature-… #656

Workflow file for this run

name: Package
on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
jobs:
linux-deb:
environment: packaging
runs-on: ubuntu-latest
container: "debian:latest"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Setup dependencies
run: |
apt-get -q update && apt-get -q upgrade -y
apt-get -q install -y openjdk-17-jdk maven binutils fakeroot wget git
- uses: actions/checkout@v4
- name: Build artifact
run: |
git config --global --add safe.directory ${GITHUB_WORKSPACE}
./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g')
./mvnw -B -C -V package
ls -lah ./target
- name: Create release if tag pushed
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
if: startsWith(github.ref, 'refs/tags/')
with:
draft: true
prerelease: true
files: |
target/*.deb
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
linux-rpm:
environment: packaging
runs-on: ubuntu-latest
container: "fedora:latest"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Setup dependencies
run: |
dnf -q install -y java-17-openjdk maven rpm-build git
- uses: actions/checkout@v4
- name: Build artifact
run: |
git config --global --add safe.directory ${GITHUB_WORKSPACE}
./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g')
./mvnw -B -C -V package
ls -lah ./target
- name: Create release if tag pushed
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
if: startsWith(github.ref, 'refs/tags/')
with:
draft: true
prerelease: true
files: |
target/*.rpm
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
macos:
environment: packaging
runs-on: macos-latest
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
merge-multiple: true
path: target
- name: Update version in pom if tag pushed
if: startsWith(github.ref, 'refs/tags/')
run: ./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g')
shell: bash
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: "17.0.7+7"
distribution: "liberica"
java-package: "jdk+fx"
- name: Cache local Maven repository and JDK cache
uses: actions/cache@v3
with:
path: |
~/.m2/repository
target/jdkCache
key: macos-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
macos-maven-
- name: Install an Apple keychain (MacOS)
# based on https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development#add-a-step-to-your-workflow
env:
APPLE_KEYCHAIN_BASE64: ${{ secrets.APPLE_KEYCHAIN_BASE64 }}
APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
shell: bash
run: |
# create variables
APPLE_KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# share to rest of steps
echo "APPLE_KEYCHAIN_PATH=$APPLE_KEYCHAIN_PATH" >> "$GITHUB_ENV"
# import keychain from secrets
echo -n "$APPLE_KEYCHAIN_BASE64" | base64 --decode -o $APPLE_KEYCHAIN_PATH
set -x
# unlock, set timeout and set as used keychain
security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $APPLE_KEYCHAIN_PATH
#security set-keychain-settings -lut 21600 $APPLE_KEYCHAIN_PATH
security list-keychain -d user -s $APPLE_KEYCHAIN_PATH
security default-keychain -s $APPLE_KEYCHAIN_PATH
- name: Package with Maven
run: ./mvnw -B -C -V package
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
APPLE_KEYCHAIN_PATH: ${{ env.APPLE_KEYCHAIN_PATH }}
APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
- name: Notarize release with Apple (MacOS)
env:
APPLE_KEYCHAIN_PATH: ${{ env.APPLE_KEYCHAIN_PATH }}
shell: bash
run: |
set -x
# run notarization
xcrun notarytool submit --keychain-profile "autogram" --keychain $APPLE_KEYCHAIN_PATH --wait target/Autogram-*.pkg
# staple
xcrun stapler staple target/Autogram-*.pkg
# lock all keychains
security lock-keychain -a
- name: Create release if tag pushed
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
if: startsWith(github.ref, 'refs/tags/')
with:
draft: true
prerelease: true
files: |
target/*.pkg
target/*.dmg
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
windows:
environment: packaging
runs-on: windows-latest
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
merge-multiple: true
path: target
- name: Update version in pom if tag pushed
if: startsWith(github.ref, 'refs/tags/')
run: ./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g')
shell: bash
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: "17.0.7+7"
distribution: "liberica"
java-package: "jdk+fx"
- name: Cache local Maven repository and JDK cache
uses: actions/cache@v3
with:
path: |
~/.m2/repository
target/jdkCache
key: windows-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
windows-maven-
- name: Package with Maven
run: ./mvnw -B -C -V package
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Sign on Azure
shell: bash
run: |
dotnet tool install --global AzureSignTool
AzureSignTool sign --description "Autogram" -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v target/*.msi
- name: Create release if tag pushed
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
if: startsWith(github.ref, 'refs/tags/')
with:
draft: true
prerelease: true
files: |
target/*.exe
target/*.msi
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}