Merge pull request #517 from slovensko-digital/session-timeout #666
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package | |
on: | |
push: | |
tags: | |
- "v[0-9]+.[0-9]+.[0-9]+" | |
jobs: | |
linux-deb: | |
environment: packaging | |
runs-on: ubuntu-latest | |
container: "debian:latest" | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
steps: | |
- name: Setup dependencies | |
run: | | |
apt-get -q update && apt-get -q upgrade -y | |
apt-get -q install -y openjdk-17-jdk maven binutils fakeroot wget git | |
- uses: actions/checkout@v4 | |
- name: Build artifact | |
run: | | |
git config --global --add safe.directory ${GITHUB_WORKSPACE} | |
./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g') | |
./mvnw -B -C -V package | |
ls -lah ./target | |
- name: Create release if tag pushed | |
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
draft: true | |
prerelease: true | |
files: | | |
target/*.deb | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
linux-rpm: | |
environment: packaging | |
runs-on: ubuntu-latest | |
container: "fedora:latest" | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
steps: | |
- name: Setup dependencies | |
run: | | |
dnf -q install -y java-17-openjdk maven-openjdk17 rpm-build git | |
- uses: actions/checkout@v4 | |
- name: Build artifact | |
run: | | |
git config --global --add safe.directory ${GITHUB_WORKSPACE} | |
./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g') | |
./mvnw -B -C -V package | |
ls -lah ./target | |
- name: Create release if tag pushed | |
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
draft: true | |
prerelease: true | |
files: | | |
target/*.rpm | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
macos: | |
environment: packaging | |
runs-on: macos-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/download-artifact@v4 | |
with: | |
merge-multiple: true | |
path: target | |
- name: Update version in pom if tag pushed | |
if: startsWith(github.ref, 'refs/tags/') | |
run: ./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g') | |
shell: bash | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
java-version: "17.0.7+7" | |
distribution: "liberica" | |
java-package: "jdk+fx" | |
- name: Cache local Maven repository and JDK cache | |
uses: actions/cache@v3 | |
with: | |
path: | | |
~/.m2/repository | |
target/jdkCache | |
key: macos-maven-${{ hashFiles('**/pom.xml') }} | |
restore-keys: | | |
macos-maven- | |
- name: Install an Apple keychain (MacOS) | |
# based on https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development#add-a-step-to-your-workflow | |
env: | |
APPLE_KEYCHAIN_BASE64: ${{ secrets.APPLE_KEYCHAIN_BASE64 }} | |
APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} | |
APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }} | |
shell: bash | |
run: | | |
# create variables | |
APPLE_KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
# share to rest of steps | |
echo "APPLE_KEYCHAIN_PATH=$APPLE_KEYCHAIN_PATH" >> "$GITHUB_ENV" | |
# import keychain from secrets | |
echo -n "$APPLE_KEYCHAIN_BASE64" | base64 --decode -o $APPLE_KEYCHAIN_PATH | |
set -x | |
# unlock, set timeout and set as used keychain | |
security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $APPLE_KEYCHAIN_PATH | |
#security set-keychain-settings -lut 21600 $APPLE_KEYCHAIN_PATH | |
security list-keychain -d user -s $APPLE_KEYCHAIN_PATH | |
security default-keychain -s $APPLE_KEYCHAIN_PATH | |
- name: Package with Maven | |
run: ./mvnw -B -C -V package | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
APPLE_KEYCHAIN_PATH: ${{ env.APPLE_KEYCHAIN_PATH }} | |
APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }} | |
- name: Notarize release with Apple (MacOS) | |
env: | |
APPLE_KEYCHAIN_PATH: ${{ env.APPLE_KEYCHAIN_PATH }} | |
shell: bash | |
run: | | |
set -x | |
# run notarization | |
xcrun notarytool submit --keychain-profile "autogram" --keychain $APPLE_KEYCHAIN_PATH --wait target/Autogram-*.pkg | |
# staple | |
xcrun stapler staple target/Autogram-*.pkg | |
# lock all keychains | |
security lock-keychain -a | |
- name: Create release if tag pushed | |
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
draft: true | |
prerelease: true | |
files: | | |
target/*.pkg | |
target/*.dmg | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
windows: | |
environment: packaging | |
runs-on: windows-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/download-artifact@v4 | |
with: | |
merge-multiple: true | |
path: target | |
- name: Update version in pom if tag pushed | |
if: startsWith(github.ref, 'refs/tags/') | |
run: ./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g') | |
shell: bash | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
java-version: "17.0.7+7" | |
distribution: "liberica" | |
java-package: "jdk+fx" | |
- name: Cache local Maven repository and JDK cache | |
uses: actions/cache@v3 | |
with: | |
path: | | |
~/.m2/repository | |
target/jdkCache | |
key: windows-maven-${{ hashFiles('**/pom.xml') }} | |
restore-keys: | | |
windows-maven- | |
- name: Package with Maven | |
run: ./mvnw -B -C -V package | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Sign on Azure | |
shell: bash | |
run: | | |
dotnet tool install --global AzureSignTool | |
AzureSignTool sign --description "Autogram" -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v target/*.msi | |
- name: Create release if tag pushed | |
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
draft: true | |
prerelease: true | |
files: | | |
target/*.exe | |
target/*.msi | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |