publish-nym-vpn-android #1094
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: publish-nym-vpn-android | |
| on: | |
| schedule: | |
| - cron: "4 3 * * *" | |
| workflow_dispatch: | |
| inputs: | |
| track: | |
| type: choice | |
| description: "Google play release track" | |
| options: | |
| - none | |
| - internal | |
| - alpha | |
| - beta | |
| - production | |
| default: alpha | |
| required: true | |
| publish-bundle: | |
| type: boolean | |
| default: false | |
| description: Skip app bundle | |
| publish-metadata: | |
| type: boolean | |
| default: true | |
| description: Skip app metadata | |
| publish-accrescent: | |
| type: boolean | |
| default: false | |
| description: Publish accrescent | |
| tag_name: | |
| description: "Tag name for release" | |
| required: false | |
| default: nym-vpn-android-nightly | |
| release_type: | |
| type: choice | |
| description: "GitHub release type" | |
| options: | |
| - none | |
| - prerelease | |
| - nightly | |
| - release | |
| default: release | |
| required: true | |
| push: | |
| tags: | |
| - "nym-vpn-android-v*.*.*" | |
| env: | |
| UPLOAD_DIR_ANDROID: android_artifacts | |
| RELEASE_NOTES: "" | |
| jobs: | |
| build-nym-vpn-android-apk: | |
| if: ${{ inputs.release_type != 'none' }} | |
| uses: ./.github/workflows/build-nym-vpn-android.yml | |
| secrets: inherit | |
| with: | |
| build_type: ${{ inputs.release_type == '' && 'nightly' || inputs.release_type }} | |
| build_format: apk | |
| build-nym-vpn-android-aab: | |
| if: ${{ github.event.inputs.publish-accrescent == 'true' }} | |
| needs: [build-nym-vpn-android-apk] | |
| uses: ./.github/workflows/build-nym-vpn-android.yml | |
| secrets: inherit | |
| with: | |
| build_type: release | |
| build_format: aab | |
| skip_crowdin: true | |
| publish-github: | |
| if: ${{ inputs.release_type != 'none' }} | |
| needs: | |
| - build-nym-vpn-android-apk | |
| runs-on: arc-linux-latest | |
| defaults: | |
| run: | |
| working-directory: nym-vpn-android | |
| env: | |
| # GH needed for gh cli | |
| GH_REPO: ${{ github.repository }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Install system dependencies | |
| run: | | |
| sudo apt update && sudo apt install -y gettext-base gh zip apksigner rsync | |
| - name: Get version code | |
| run: | | |
| version_code=$(grep "VERSION_CODE" ${{ github.workspace }}/nym-vpn-android/buildSrc/src/main/kotlin/Constants.kt | awk '{print $5}' | tr -d '\n') | |
| echo "VERSION_CODE=$version_code" >> $GITHUB_ENV | |
| - name: Set version release notes | |
| if: ${{ inputs.release_type == 'release' }} | |
| run: | | |
| RELEASE_NOTES="$(cat ${{ github.workspace }}/fastlane/metadata/android/en-US/changelogs/${{ env.VERSION_CODE }}.txt)" | |
| echo "RELEASE_NOTES<<EOF" >> $GITHUB_ENV | |
| echo "$RELEASE_NOTES" >> $GITHUB_ENV | |
| echo "EOF" >> $GITHUB_ENV | |
| # Setup TAG_NAME, which is used as a general "name" | |
| - if: github.event_name == 'workflow_dispatch' | |
| run: echo "TAG_NAME=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV | |
| - if: github.event_name == 'schedule' | |
| run: echo "TAG_NAME=nym-vpn-android-nightly" >> $GITHUB_ENV | |
| - if: github.event_name == 'push' | |
| run: echo "TAG_NAME=${{ github.ref_name }}" >> $GITHUB_ENV | |
| - name: On nightly release | |
| if: ${{ contains(env.TAG_NAME, 'nightly') }} | |
| run: | | |
| echo "RELEASE_NOTES=Nightly build of the latest development version of the android client." >> $GITHUB_ENV | |
| gh release delete nym-vpn-android-nightly --yes || true | |
| git push origin :nym-vpn-android-nightly || true | |
| - name: On prerelease release notes | |
| if: ${{ inputs.release_type == 'prerelease' }} | |
| run: | | |
| echo "RELEASE_NOTES=Testing version of the android app." >> $GITHUB_ENV | |
| gh release delete ${{ github.event.inputs.tag_name }} --yes || true | |
| - name: Make download dir | |
| run: mkdir ${{ github.workspace }}/temp | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v8 | |
| with: | |
| name: ${{ env.UPLOAD_DIR_ANDROID }} | |
| path: ${{ github.workspace }}/temp | |
| - name: Get checksum | |
| id: checksum | |
| run: | | |
| file_path=$(find ${{ github.workspace }}/temp -type f -iname "*.apk" | tail -n1) | |
| echo "checksum=$(apksigner verify -print-certs $file_path | grep -Po "(?<=SHA-256 digest:) .*" | tr -d "[:blank:]")" >> $GITHUB_OUTPUT | |
| - name: Create release with fastlane changelog notes | |
| id: create_release | |
| uses: softprops/action-gh-release@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| token: ${{ env.GITHUB_TOKEN }} | |
| body: ${{ env.RELEASE_NOTES }} | |
| tag_name: ${{ env.TAG_NAME }} | |
| name: ${{ env.TAG_NAME }} | |
| draft: false | |
| make_latest: ${{ inputs.release_type == 'release' }} | |
| prerelease: ${{ inputs.release_type != 'release' }} | |
| target_commitish: ${{ github.sha }} | |
| files: | | |
| ${{ github.workspace }}/temp/* | |
| - name: Append checksum | |
| id: append_checksum | |
| uses: softprops/action-gh-release@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| body: | | |
| SHA-256 fingerprint for the 4096-bit signing certificate: | |
| ```sh | |
| ${{ steps.checksum.outputs.checksum }} | |
| ``` | |
| To verify fingerprint: | |
| ```sh | |
| apksigner verify --print-certs [path to APK file] | grep SHA-256 | |
| ``` | |
| token: ${{ env.GITHUB_TOKEN }} | |
| tag_name: ${{ env.TAG_NAME }} | |
| name: ${{ env.TAG_NAME }} | |
| draft: false | |
| prerelease: ${{ inputs.release_type != 'release' }} | |
| append_body: true | |
| - name: Compose Zulip message (Android) | |
| if: ${{ inputs.release_type == 'prerelease' || inputs.release_type == 'release' }} | |
| run: | | |
| set -euo pipefail | |
| TAG="${TAG_NAME}" | |
| BRANCH="${GITHUB_REF_NAME}" | |
| RELEASE_URL="${{ github.server_url }}/${{ github.repository }}/releases/tag/${TAG}" | |
| { | |
| echo "ZULIP_MESSAGE<<EOF" | |
| echo "**Tag name:** \`${TAG}\`" | |
| echo "**Android build type:** \`${{ inputs.release_type }}\`" | |
| echo "**Branch:** \`${BRANCH}\`" | |
| echo "**Link:** ${RELEASE_URL}" | |
| echo "EOF" | |
| } >> "$GITHUB_ENV" | |
| - name: Send Zulip message (Android) | |
| if: ${{ inputs.release_type == 'prerelease' || inputs.release_type == 'release' }} | |
| uses: zulip/github-actions-zulip/send-message@v1 | |
| with: | |
| api-key: ${{ secrets.ZULIP_BOT_ANDROID_API_KEY }} | |
| email: ${{ secrets.ZULIP_BOT_ANDROID_EMAIL }} | |
| organization-url: ${{ secrets.ZULIP_ORG_URL }} | |
| type: "stream" | |
| to: ${{ secrets.ZULIP_BOT_APPLE_CHANNEL }} | |
| topic: ${{ secrets.ZULIP_BOT_ANDROID_TOPIC }} | |
| content: ${{ env.ZULIP_MESSAGE }} | |
| publish-nym-fdroid: | |
| runs-on: arc-linux-latest | |
| needs: | |
| - publish-github | |
| if: inputs.release_type == 'release' | |
| steps: | |
| - name: Dispatch update for fdroid repo | |
| uses: peter-evans/repository-dispatch@v4 | |
| with: | |
| token: ${{ secrets.ANDROID_PAT }} | |
| repository: nymtech/fdroid | |
| event-type: fdroid-update | |
| publish-accrescent: | |
| runs-on: arc-linux-latest | |
| env: | |
| SIGNING_KEY_ALIAS: ${{ secrets.ANDROID_SIGNING_KEY_ALIAS }} | |
| SIGNING_KEY_PASSWORD: ${{ secrets.ANDROID_SIGNING_KEY_PASSWORD }} | |
| SIGNING_STORE_PASSWORD: ${{ secrets.ANDROID_SIGNING_STORE_PASSWORD }} | |
| if: ${{ github.event.inputs.publish-accrescent == 'true' }} | |
| needs: | |
| - build-nym-vpn-android-aab | |
| steps: | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v5 | |
| with: | |
| java-version: "21" | |
| distribution: "temurin" | |
| - name: Make download dir | |
| run: mkdir ${{ github.workspace }}/temp | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v8 | |
| with: | |
| name: ${{ env.UPLOAD_DIR_ANDROID }} | |
| path: ${{ github.workspace }}/temp | |
| - name: Get aab path | |
| run: | | |
| echo "AAB_FILE=$(ls ${{ github.workspace }}/temp/*.aab | head -n 1)" >> $GITHUB_ENV | |
| - name: Decode Keystore | |
| id: decode_keystore | |
| uses: timheuer/base64-to-file@v1.2 | |
| with: | |
| fileName: "android_keystore.jks" | |
| encodedString: ${{ secrets.ANDROID_KEYSTORE }} | |
| - name: Download bundletool | |
| run: | | |
| curl -L -o bundletool.jar https://github.com/google/bundletool/releases/download/1.18.1/bundletool-all-1.18.1.jar | |
| - name: Build APKs (no universal mode) | |
| run: | | |
| java -jar bundletool.jar build-apks \ | |
| --bundle ${{ env.AAB_FILE }} \ | |
| --output app-fdroid-release.apks \ | |
| --ks ${{ steps.decode_keystore.outputs.filePath }} \ | |
| --ks-pass 'pass:${{ env.SIGNING_STORE_PASSWORD }}' \ | |
| --ks-key-alias '${{ env.SIGNING_KEY_ALIAS }}' \ | |
| --key-pass 'pass:${{ env.SIGNING_KEY_PASSWORD }}' | |
| - name: Upload APKS artifact | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: app-apks | |
| path: app-fdroid-release.apks | |
| if-no-files-found: error | |
| publish-play: | |
| needs: [build-nym-vpn-android-apk] | |
| if: ${{ always() && inputs.track != 'none' && inputs.track != '' && (needs.build-nym-vpn-android-apk.result == 'success' || needs.build-nym-vpn-android-apk.result == 'skipped') }} | |
| runs-on: arc-linux-latest | |
| defaults: | |
| run: | |
| working-directory: nym-vpn-android | |
| env: | |
| SIGNING_KEY_ALIAS: ${{ secrets.ANDROID_SIGNING_KEY_ALIAS }} | |
| SIGNING_KEY_PASSWORD: ${{ secrets.ANDROID_SIGNING_KEY_PASSWORD }} | |
| SIGNING_STORE_PASSWORD: ${{ secrets.ANDROID_SIGNING_STORE_PASSWORD }} | |
| SENTRY_DSN: ${{ secrets.ANDROID_SENTRY_DSN }} | |
| KEY_STORE_FILE: "android_keystore.jks" | |
| KEY_STORE_LOCATION: ${{ github.workspace }}/nym-vpn-android/app/keystore/ | |
| RUBYOPT: "-rresolv-replace" | |
| BUNDLE_TIMEOUT: "120" | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Setup ruby | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: "3.3" | |
| bundler-cache: true | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v5 | |
| with: | |
| distribution: "temurin" | |
| java-version: "21" | |
| cache: gradle | |
| - name: Install deps | |
| run: | | |
| sudo apt-get update && sudo apt-get install -y libdbus-1-dev libmnl-dev libnftnl-dev protobuf-compiler git curl gcc g++ make unzip rsync | |
| - name: Setup Android SDK | |
| uses: android-actions/setup-android@v4 | |
| - name: Setup NDK | |
| uses: nttld/setup-ndk@v1 | |
| id: setup-ndk | |
| with: | |
| ndk-version: ${{ vars.REQUIRED_NDK_VERSION }} | |
| add-to-path: false | |
| - name: Set env | |
| shell: bash | |
| run: | | |
| echo "ANDROID_NDK_HOME=${{ steps.setup-ndk.outputs.ndk-path }}" >> $GITHUB_ENV | |
| echo "NDK_TOOLCHAIN_DIR=${{ steps.setup-ndk.outputs.ndk-path }}/toolchains/llvm/prebuilt/linux-x86_64/bin" >> $GITHUB_ENV | |
| - name: Grant execute permission for gradlew | |
| run: chmod +x gradlew | |
| - name: Install rust toolchain | |
| uses: dtolnay/rust-toolchain@master | |
| with: | |
| toolchain: ${{ vars.REQUIRED_RUSTC_VERSION }} | |
| targets: aarch64-linux-android,x86_64-linux-android | |
| - name: Install cargo-ndk | |
| uses: baptiste0928/cargo-install@v3 | |
| with: | |
| crate: cargo-ndk | |
| - name: Install cargo-license | |
| uses: baptiste0928/cargo-install@v3 | |
| with: | |
| crate: cargo-license | |
| - name: Decode Keystore | |
| id: decode_keystore | |
| uses: timheuer/base64-to-file@v1.2 | |
| with: | |
| fileName: ${{ env.KEY_STORE_FILE }} | |
| fileDir: ${{ env.KEY_STORE_LOCATION }} | |
| encodedString: ${{ secrets.ANDROID_KEYSTORE }} | |
| - name: Create keystore path env var | |
| run: | | |
| store_path=${{ env.KEY_STORE_LOCATION }}${{ env.KEY_STORE_FILE }} | |
| echo "KEY_STORE_PATH=$store_path" >> $GITHUB_ENV | |
| - name: Create service_account.json | |
| id: createServiceAccount | |
| run: echo '${{ secrets.ANDROID_SERVICE_ACCOUNT_JSON }}' > service_account.json | |
| - name: Get version code | |
| run: | | |
| version_code=$(grep "VERSION_CODE" ${{ github.workspace }}/nym-vpn-android/buildSrc/src/main/kotlin/Constants.kt | awk '{print $5}' | tr -d '\n') | |
| echo "VERSION_CODE=$version_code" >> $GITHUB_ENV | |
| - name: Distribute app to fastlane track 🚀 | |
| working-directory: ${{ github.workspace }} | |
| run: | | |
| bundle install | |
| bundle exec fastlane ${{ inputs.track }} skip_bundle:${{ github.event.inputs.publish-bundle == 'true' }} skip_metadata:${{ github.event.inputs.publish-metadata == 'true' }} | |
| env: | |
| ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }} |