Skip to content

Fix windows signing #237

Fix windows signing

Fix windows signing #237

Workflow file for this run

name: Artifact CI
on:
push:
env:
JAVA_VERSION: 20
permissions:
contents: write
jobs:
build_bot_artifacts:
name: Build Discord Bot
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: ${{ env.JAVA_VERSION }}
- name: Build plugin
uses: gradle/gradle-build-action@v2
with:
arguments: assembleBot
- name: Upload plugin artifact
uses: actions/upload-artifact@v3
with:
name: plugin
path: bot/build/plugin/*.zip
- name: Upload plugin bot
uses: actions/upload-artifact@v3
with:
name: bot
path: bot/build/bot/*.zip
build_desktop_app:
name: Build Desktop App
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v3
- uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: ${{env.JAVA_VERSION}}
- uses: actions-rs/toolchain@v1
if: matrix.os == 'windows-latest'
with:
toolchain: 'stable'
- name: Setup jextract
if: matrix.os == 'windows-latest'
shell: powershell
run: |
Invoke-WebRequest https://download.java.net/java/early_access/jextract/1/openjdk-20-jextract+1-2_windows-x64_bin.tar.gz -OutFile jextract.tar.gz
tar xzvf jextract.tar.gz
- name: Setup MacOS signing
if: matrix.os == 'macos-latest'
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.MACOS_SIGNING_CERTIFICATE }}
P12_PASSWORD: ${{ secrets.MAC_SIGNING_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.MAC_SIGNING_PASSWORD }}
PASSWORD: ${{ secrets.APPLE_PASSWORD }}
INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_KEY }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
INSTALLER_CERTIFICATE_PATH=$RUNNER_TEMP/installer_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode -o INSTALLER_CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security import INSTALLER_CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: Build App Distribution
uses: gradle/gradle-build-action@v2
with:
arguments: packageReleaseDistributionForCurrentOS -Pcompose.desktop.mac.sign=true --stacktrace
- name: Package Linux Distribution
uses: gradle/gradle-build-action@v2
if: matrix.os == 'ubuntu-latest'
with:
arguments: packageDistributable
- name: Setup MSbuild
if: matrix.os == 'windows-latest'
uses: microsoft/[email protected]
- name: Build MSIX
if: matrix.os == 'windows-latest'
run: |
& 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/makeappx.exe' pack /d app/desktop/build/msix-workspace /p Tonbrett.msix
- name: Notarize MacOS installer
#if: matrix.os == 'macos-latest'
# waiting for https://github.com/JetBrains/compose-multiplatform/issues/3208
if: false
uses: gradle/gradle-build-action@v2
env:
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
with:
arguments: notarizeReleasePkg -Pcompose.desktop.mac.sign=true
- name: Upload distributions
uses: actions/upload-artifact@v3
with:
name: desktopapp-${{ matrix.os }}
path: |
*.msix
app/desktop/build/compose/binaries/main-release/deb/*.deb
app/desktop/build/compose/binaries/main-release/pkg/*.pkg
app/desktop/build/distributions/*.tar.gz
build_android_app:
runs-on: ubuntu-latest
name: Build Android App
steps:
- uses: actions/checkout@v3
- uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: ${{env.JAVA_VERSION}}
- name: Decode Keystore
uses: timheuer/[email protected]
with:
fileName: 'android_keystore.jks'
fileDir: 'keystore'
encodedString: ${{ secrets.KEYSTORE }}
- name: Build App Distribution
uses: gradle/gradle-build-action@v2
env:
SIGNING_KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
SIGNING_KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
SIGNING_STORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
with:
arguments: :app:android:bundleRelease :app:android:assembleRelease
- uses: r0adkll/sign-android-release@v1
id: sign_bundle
name: Sign AAB
with:
releaseDirectory: app/android/build/outputs/bundle/release/
signingKeyBase64: ${{ secrets.KEYSTORE }}
alias: ${{ secrets.KEY_ALIAS }}
keyStorePassword: ${{ secrets.KEYSTORE_PASSWORD }}
keyPassword: ${{ secrets.KEY_PASSWORD }}
- uses: r0adkll/sign-android-release@v1
id: sign_apk
name: Sign APK
with:
releaseDirectory: app/android/build/outputs/apk/release/
signingKeyBase64: ${{ secrets.KEYSTORE }}
alias: ${{ secrets.KEY_ALIAS }}
keyStorePassword: ${{ secrets.KEYSTORE_PASSWORD }}
keyPassword: ${{ secrets.KEY_PASSWORD }}
- name: Upload APK
uses: actions/upload-artifact@v3
with:
name: android-app
path: app/android/build/outputs/apk/release/*.apk
- uses: r0adkll/upload-google-play@v1
name: Release on Play Store
if: startsWith(github.ref, 'refs/tags/')
with:
serviceAccountJsonPlainText: ${{ secrets.SERVICE_ACCOUNT_JSON }}
packageName: dev.schlaubi.tonbrett.android
status: draft
releaseFiles: app/android/build/outputs/bundle/release/tonbrett-app-release.aab
mappingFile: app/android/build/outputs/mapping/release/mapping.txt
track: internal
sign_windows_installer:
name: Sign windows installer
runs-on: windows-signing
needs: build_desktop_app
if: startsWith(github.ref, 'refs/tags/')
steps:
- uses: actions/download-artifact@v3
name: Download Artifacts from Windows
with:
name: desktopapp-windows-latest
- name: Code Sign 2021
run: |
& 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe' sign /fd SHA256 /n "Open Source Developer, Michael Rittmeister" /t http://time.certum.pl/ /d Tonbrett Tonbrett.msix
- name: Upload distributions
uses: actions/upload-artifact@v3
with:
name: desktopapp-windows-signed
path: "*.msix"
create_release:
name: Create Release
runs-on: windows-latest # for some weird reason this job does not get picked on ubuntu
needs: [build_bot_artifacts, build_desktop_app, build_android_app, sign_windows_installer]
if: startsWith(github.ref, 'refs/tags/')
steps:
- uses: actions/download-artifact@v3
name: Download Artifacts from Ubuntu
with:
name: desktopapp-ubuntu-latest
- uses: actions/download-artifact@v3
name: Download Artifacts from MacOS
with:
name: desktopapp-macos-latest
- uses: actions/download-artifact@v3
name: Download Artifacts from Windows
with:
name: desktopapp-windows-signed
- uses: actions/download-artifact@v3
name: Download Bot
with:
name: bot
- uses: actions/download-artifact@v3
name: Download Plugin
with:
name: plugin
- uses: actions/download-artifact@v3
name: Download Android App
with:
name: android-app
- name: Release
uses: softprops/action-gh-release@v1
with:
files: |
app/desktop/build/compose/binaries/main-release/deb/*.deb
app/desktop/build/compose/binaries/main-release/pkg/*.pkg
app/desktop/build/distributions/*.tar.gz
*.msix
*.zip
*-signed.apk