publish-nym-vpn-android #788

Workflow file for this run

.github/workflows/publish-nym-vpn-android.yml at 2b778e7

	name: publish-nym-vpn-android

	on:
	schedule:
	- cron: "4 3 * * *"
	workflow_dispatch:
	inputs:
	track:
	type: choice
	description: "Google play release track"
	options:
	- none
	- internal
	- alpha
	- beta
	- production
	default: alpha
	required: true
	publish-bundle:
	type: boolean
	default: false
	description: Skip app bundle
	publish-metadata:
	type: boolean
	default: true
	description: Skip app metadata
	publish-accrescent:
	type: boolean
	default: false
	description: Publish accrescent
	tag_name:
	description: "Tag name for release"
	required: false
	default: nym-vpn-android-nightly
	release_type:
	type: choice
	description: "GitHub release type"
	options:
	- none
	- prerelease
	- nightly
	- release
	default: release
	required: true

	push:
	tags:
	- "nym-vpn-android-v..*"
	env:
	UPLOAD_DIR_ANDROID: android_artifacts
	RELEASE_NOTES: ""

	jobs:
	build-nym-vpn-android-apk:
	if: ${{ inputs.release_type != 'none' }}
	uses: ./.github/workflows/build-nym-vpn-android.yml
	secrets: inherit
	with:
	build_type: ${{ inputs.release_type == '' && 'nightly' \|\| inputs.release_type }}
	build_format: apk

	build-nym-vpn-android-aab:
	if: ${{github.event.inputs.publish-accrescent == 'true'}}
	uses: ./.github/workflows/build-nym-vpn-android.yml
	secrets: inherit
	with:
	build_type: release
	build_format: aab

	publish-github:
	if: ${{ inputs.release_type != 'none' }}
	needs:
	- build-nym-vpn-android-apk
	runs-on: arc-linux-latest
	defaults:
	run:
	working-directory: nym-vpn-android
	env:
	# GH needed for gh cli
	GH_REPO: ${{ github.repository }}
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Install system dependencies
	run: \|
	sudo apt update && sudo apt install -y gettext-base gh zip apksigner rsync

	- name: Get version code
	run: \|
	version_code=$(grep "VERSION_CODE" ${{ github.workspace }}/nym-vpn-android/buildSrc/src/main/kotlin/Constants.kt \| awk '{print $5}' \| tr -d '\n')
	echo "VERSION_CODE=$version_code" >> $GITHUB_ENV

	- name: Set version release notes
	if: ${{ inputs.release_type == 'release' }}
	run: \|
	RELEASE_NOTES="$(cat ${{ github.workspace }}/fastlane/metadata/android/en-US/changelogs/${{ env.VERSION_CODE }}.txt)"
	echo "RELEASE_NOTES<<EOF" >> $GITHUB_ENV
	echo "$RELEASE_NOTES" >> $GITHUB_ENV
	echo "EOF" >> $GITHUB_ENV

	# Setup TAG_NAME, which is used as a general "name"
	- if: github.event_name == 'workflow_dispatch'
	run: echo "TAG_NAME=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV
	- if: github.event_name == 'schedule'
	run: echo "TAG_NAME=nym-vpn-android-nightly" >> $GITHUB_ENV
	- if: github.event_name == 'push'
	run: echo "TAG_NAME=${{ github.ref_name }}" >> $GITHUB_ENV

	- name: On nightly release
	if: ${{ contains(env.TAG_NAME, 'nightly') }}
	run: \|
	echo "RELEASE_NOTES=Nightly build of the latest development version of the android client." >> $GITHUB_ENV
	gh release delete nym-vpn-android-nightly --yes \|\| true
	git push origin :nym-vpn-android-nightly \|\| true

	- name: On prerelease release notes
	if: ${{ inputs.release_type == 'prerelease' }}
	run: \|
	echo "RELEASE_NOTES=Testing version of the android app." >> $GITHUB_ENV
	gh release delete ${{ github.event.inputs.tag_name }} --yes \|\| true

	- name: Make download dir
	run: mkdir ${{ github.workspace }}/temp

	- name: Download artifacts
	uses: actions/download-artifact@v5
	with:
	name: ${{ env.UPLOAD_DIR_ANDROID }}
	path: ${{ github.workspace }}/temp

	- name: Get checksum
	id: checksum
	run: \|
	file_path=$(find ${{ github.workspace }}/temp -type f -iname "*.apk" \| tail -n1)
	echo "checksum=$(apksigner verify -print-certs $file_path \| grep -Po "(?<=SHA-256 digest:) .*" \| tr -d "[:blank:]")" >> $GITHUB_OUTPUT

	- name: Create release with fastlane changelog notes
	id: create_release
	uses: softprops/action-gh-release@v2
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	token: ${{ env.GITHUB_TOKEN }}
	body: ${{ env.RELEASE_NOTES }}
	tag_name: ${{ env.TAG_NAME }}
	name: ${{ env.TAG_NAME }}
	draft: false
	make_latest: ${{ inputs.release_type == 'release' }}
	prerelease: ${{ inputs.release_type != 'release' }}
	target_commitish: ${{ github.sha }}
	files: \|
	${{ github.workspace }}/temp/*

	- name: Append checksum
	id: append_checksum
	uses: softprops/action-gh-release@v2
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	body: \|

	SHA-256 fingerprint for the 4096-bit signing certificate:
	```sh
	${{ steps.checksum.outputs.checksum }}
	```

	To verify fingerprint:
	```sh
	apksigner verify --print-certs [path to APK file] \| grep SHA-256
	```
	token: ${{ env.GITHUB_TOKEN }}
	tag_name: ${{ env.TAG_NAME }}
	name: ${{ env.TAG_NAME }}
	draft: false
	prerelease: ${{ inputs.release_type != 'release' }}
	append_body: true

	publish-nym-fdroid:
	runs-on: arc-linux-latest
	needs:
	- publish-github
	if: inputs.release_type == 'release'
	steps:
	- name: Dispatch update for fdroid repo
	uses: peter-evans/repository-dispatch@v4
	with:
	token: ${{ secrets.ANDROID_PAT }}
	repository: nymtech/fdroid
	event-type: fdroid-update

	publish-accrescent:
	runs-on: arc-linux-latest
	env:
	SIGNING_KEY_ALIAS: ${{ secrets.ANDROID_SIGNING_KEY_ALIAS }}
	SIGNING_KEY_PASSWORD: ${{ secrets.ANDROID_SIGNING_KEY_PASSWORD }}
	SIGNING_STORE_PASSWORD: ${{ secrets.ANDROID_SIGNING_STORE_PASSWORD }}
	if: ${{ github.event.inputs.publish-accrescent == 'true' }}
	needs:
	- build-nym-vpn-android-aab
	steps:
	- name: Set up JDK 17
	uses: actions/setup-java@v4
	with:
	java-version: "17"
	distribution: "temurin"

	- name: Make download dir
	run: mkdir ${{ github.workspace }}/temp

	- name: Download artifacts
	uses: actions/download-artifact@v5
	with:
	name: ${{ env.UPLOAD_DIR_ANDROID }}
	path: ${{ github.workspace }}/temp

	- name: Get aab path
	run: \|
	echo "AAB_FILE=$(ls ${{ github.workspace }}/temp/*.aab \| head -n 1)" >> $GITHUB_ENV

	- name: Decode Keystore
	id: decode_keystore
	uses: timheuer/[email protected]
	with:
	fileName: "android_keystore.jks"
	encodedString: ${{ secrets.ANDROID_KEYSTORE }}

	- name: Download bundletool
	run: \|
	curl -L -o bundletool.jar https://github.com/google/bundletool/releases/download/1.18.1/bundletool-all-1.18.1.jar

	- name: Build APKs (no universal mode)
	run: \|
	java -jar bundletool.jar build-apks \
	--bundle ${{ env.AAB_FILE }} \
	--output app-fdroid-release.apks \
	--ks ${{ steps.decode_keystore.outputs.filePath }} \
	--ks-pass 'pass:${{ env.SIGNING_STORE_PASSWORD }}' \
	--ks-key-alias '${{ env.SIGNING_KEY_ALIAS }}' \
	--key-pass 'pass:${{ env.SIGNING_KEY_PASSWORD }}'

	- name: Upload APKS artifact
	uses: actions/upload-artifact@v4
	with:
	name: app-apks
	path: app-fdroid-release.apks
	if-no-files-found: error

	publish-play:
	if: ${{ inputs.track != 'none' && inputs.track != '' }}
	# issue here: https://github.com/ruby/setup-ruby?tab=readme-ov-file#using-self-hosted-runners
	runs-on: arc-linux-latest
	defaults:
	run:
	working-directory: nym-vpn-android
	env:
	SIGNING_KEY_ALIAS: ${{ secrets.ANDROID_SIGNING_KEY_ALIAS }}
	SIGNING_KEY_PASSWORD: ${{ secrets.ANDROID_SIGNING_KEY_PASSWORD }}
	SIGNING_STORE_PASSWORD: ${{ secrets.ANDROID_SIGNING_STORE_PASSWORD }}
	SENTRY_DSN: ${{ secrets.ANDROID_SENTRY_DSN }}
	KEY_STORE_FILE: "android_keystore.jks"
	KEY_STORE_LOCATION: ${{ github.workspace }}/nym-vpn-android/app/keystore/
	steps:
	- name: Setup ruby
	uses: ruby/setup-ruby@v1
	with:
	ruby-version: "3.2" # Not needed with a .ruby-version file
	bundler-cache: true

	- uses: actions/checkout@v4

	- name: Set up JDK 17
	uses: actions/setup-java@v4
	with:
	distribution: "temurin"
	java-version: "17"
	cache: gradle

	- name: Install deps
	run: \|
	sudo apt-get update && sudo apt-get install -y libdbus-1-dev libmnl-dev libnftnl-dev protobuf-compiler git curl gcc g++ make unzip rsync

	- name: Setup Android SDK
	uses: android-actions/setup-android@v3

	- name: Setup NDK
	uses: nttld/setup-ndk@v1
	id: setup-ndk
	with:
	ndk-version: ${{ vars.REQUIRED_NDK_VERSION }}
	add-to-path: false

	- name: Set env
	shell: bash
	run: \|
	echo "ANDROID_NDK_HOME=${{ steps.setup-ndk.outputs.ndk-path }}" >> $GITHUB_ENV
	echo "NDK_TOOLCHAIN_DIR=${{ steps.setup-ndk.outputs.ndk-path }}/toolchains/llvm/prebuilt/linux-x86_64/bin" >> $GITHUB_ENV

	- name: Grant execute permission for gradlew
	run: chmod +x gradlew

	- name: Install rust toolchain
	uses: dtolnay/rust-toolchain@master
	with:
	toolchain: ${{ vars.REQUIRED_RUSTC_VERSION }}
	targets: aarch64-linux-android

	- name: Install cargo-ndk
	uses: baptiste0928/cargo-install@v3
	with:
	crate: cargo-ndk

	- name: Install cargo-license
	uses: baptiste0928/cargo-install@v3
	with:
	crate: cargo-license

	# Here we need to decode keystore.jks from base64 string and place it
	# in the folder specified in the release signing configuration
	- name: Decode Keystore
	id: decode_keystore
	uses: timheuer/[email protected]
	with:
	fileName: ${{ env.KEY_STORE_FILE }}
	fileDir: ${{ env.KEY_STORE_LOCATION }}
	encodedString: ${{ secrets.ANDROID_KEYSTORE }}

	# create keystore path for gradle to read
	- name: Create keystore path env var
	run: \|
	store_path=${{ env.KEY_STORE_LOCATION }}${{ env.KEY_STORE_FILE }}
	echo "KEY_STORE_PATH=$store_path" >> $GITHUB_ENV

	- name: Create service_account.json
	id: createServiceAccount
	run: echo '${{ secrets.ANDROID_SERVICE_ACCOUNT_JSON }}' > service_account.json

	- name: Get version code
	run: \|
	version_code=$(grep "VERSION_CODE" ${{ github.workspace }}/nym-vpn-android/buildSrc/src/main/kotlin/Constants.kt \| awk '{print $5}' \| tr -d '\n')
	echo "VERSION_CODE=$version_code" >> $GITHUB_ENV

	- name: Distribute app to fastlane track 🚀
	working-directory: ${{ github.workspace }}
	run: \|
	bundle install
	bundle exec fastlane ${{ inputs.track }} skip_bundle:${{github.event.inputs.publish-bundle == 'true'}} skip_metadata:${{github.event.inputs.publish-metadata == 'true'}}
	env:
	ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

publish-nym-vpn-android #788

Workflow file

publish-nym-vpn-android #788

Uh oh!

Jobs

Run details

Workflow file for this run