diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
index a43a81a..88cdbcd 100644
--- a/.github/workflows/build-and-release.yml
+++ b/.github/workflows/build-and-release.yml
@@ -5,37 +5,77 @@ on: tags: - 'v*.*.*' +env: + APP_NAME: cidgravity_gateway + APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + APP_PUBLIC_CRT: ${{ secrets.APP_PUBLIC_CRT }} + jobs: build: runs-on: ubuntu-latest + name: "Release: build, sign, release and publish to store" + strategy: + matrix: + php-versions: ['8.1'] + node-versions: ['20'] steps: - name: Checkout code uses: actions/checkout@v4 - - name: Setup Node.js + - name: Setup Node uses: actions/setup-node@v4 with: - node-version: '20' + node-version: ${{ matrix.node-versions }} - - name: Install dependencies and build project - run: | - npm install - npm run build + - name: Setup PHP + uses: shivammathur/setup-php@2.31.1 + with: + php-version: ${{ matrix.php-versions }} + extensions: gd,zip + coverage: none + + - name: Build app + run: make - - name: Prepare zip folder + - name: Create signed release archive + run: make appstore + env: + app_private_key: ${{ secrets.APP_PRIVATE_KEY }} + app_public_crt: ${{ secrets.APP_PUBLIC_CRT }} + + - name: Generate signature + id: sign_archive run: | - mkdir cidgravity_gateway - rsync -av --progress . 
./cidgravity_gateway --exclude node_modules --exclude .git --exclude cidgravity_gateway --exclude .github --exclude .vscode - zip -r cidgravity_gateway-${{ github.ref_name }}.zip cidgravity_gateway + echo "${{ secrets.APP_PRIVATE_KEY }}" > private_key.pem + signature=$(openssl dgst -sha512 -sign private_key.pem "build/artifacts/${{ env.APP_NAME }}.tar.gz" | openssl base64 -A) + echo "SIGNATURE=$signature" >> "$GITHUB_OUTPUT" - name: Create GitHub Release id: create_release uses: softprops/action-gh-release@v2 with: - files: cidgravity_gateway-${{ github.ref_name }}.zip tag_name: ${{ github.ref_name }} draft: false prerelease: false generate_release_notes: true + + - name: Upload signed archive to release + uses: svenstaro/upload-release-action@2.9.0 + id: attach_to_release + with: + repo_token: ${{ secrets.GITHUB_TOKEN }} + file: build/artifacts/${{ env.APP_NAME }}.tar.gz + asset_name: ${{ env.APP_NAME }}.tar.gz + tag: ${{ github.ref_name }} + overwrite: true + + - name: Publish to Nextcloud appstore + run: | + curl -X POST https://apps.nextcloud.com/api/v1/apps/releases \ + -H "Content-Type: application/json" \ + -d '{"download": "${{ steps.attach_to_release.outputs.browser_download_url }}", "signature": "${{ steps.sign_archive.outputs.SIGNATURE }}"}' + + - name: Clean certificates + run: rm -f ~/.nextcloud/certificates/* diff --git a/.github/workflows/publish-to-nextcloud.yml b/.github/workflows/publish-to-nextcloud.yml deleted file mode 100644 index bedfb91..0000000 --- a/.github/workflows/publish-to-nextcloud.yml +++ /dev/null 
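Review bot: The `Generate signature` step writes the private key to `private_key.pem` inside the checkout and nothing removes it afterwards — the final `Clean certificates` step only touches `~/.nextcloud/certificates/*` and has no `if: always()`, so it is also skipped whenever an earlier step fails. The key is additionally interpolated into the rendered shell script via `${{ secrets.APP_PRIVATE_KEY }}` although the same value is already exported as `$APP_PRIVATE_KEY` by the workflow-level `env:` block; reading the variable, writing it to a `mktemp` file and deleting it within the same step keeps the key out of the workspace and out of the script text. Separately, the `Publish to Nextcloud appstore` curl sends no authorization header (the deleted workflow passed `secrets.APPSTORE_TOKEN` for this) and has no `-f`/`--fail`, so a rejected request still leaves the job green; presumably the store will refuse the unauthenticated call, so both need fixing before the step can be relied on. Consider also moving `APP_PRIVATE_KEY`/`APP_PUBLIC_CRT` from the workflow-level `env:` into the `env:` of the single step that needs them, since every third-party action in the job currently inherits them.
```yaml
      - name: Generate signature
        id: sign_archive
        run: |
          key_file=$(mktemp)
          printf '%s\n' "$APP_PRIVATE_KEY" > "$key_file"
          signature=$(openssl dgst -sha512 -sign "$key_file" "build/artifacts/${APP_NAME}.tar.gz" | openssl base64 -A)
          rm -f "$key_file"
          echo "SIGNATURE=$signature" >> "$GITHUB_OUTPUT"
      # … unchanged: Create GitHub Release, Upload signed archive to release, Publish to Nextcloud appstore …
      - name: Clean certificates
        if: always()
        run: rm -f ~/.nextcloud/certificates/*
```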
@@ -1,57 +0,0 @@ -name: Build and publish app release - -on: - release: - types: [published] - -env: - APP_NAME: news - -jobs: - build_and_publish: - runs-on: ubuntu-latest - name: "Release: build, sign and upload the app" - strategy: - matrix: - php-versions: ['8.1'] - steps: - - name: Checkout - uses: actions/checkout@v4.2.2 - - - name: Setup PHP - uses: shivammathur/setup-php@2.31.1 - with: - php-version: ${{ matrix.php-versions }} - extensions: gd,zip - coverage: none - - - name: App build - run: make - - - name: Create signed release archive - run: make appstore - env: - app_private_key: ${{ secrets.APP_PRIVATE_KEY }} - app_public_crt: ${{ secrets.APP_PUBLIC_CRT }} - - - name: Upload app tarball to release - uses: svenstaro/upload-release-action@2.9.0 - id: attach_to_release - with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - file: build/artifacts/${{ env.APP_NAME }}.tar.gz - asset_name: ${{ env.APP_NAME }}.tar.gz - tag: ${{ github.ref }} - overwrite: true - - - name: Upload app to Nextcloud appstore - uses: R0Wi/nextcloud-appstore-push-action@v1.0.3 - with: - app_name: ${{ env.APP_NAME }} - appstore_token: ${{ secrets.APPSTORE_TOKEN }} - download_url: ${{ steps.attach_to_release.outputs.browser_download_url }} - app_private_key: ${{ secrets.APP_PRIVATE_KEY }} - nightly: ${{ github.event.release.prerelease }} - - - name: Delete crt and key from local storage - run: rm -f ~/.nextcloud/certificates/* diff --git a/Makefile b/Makefile index 12720ea..c0ac8a4 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ app_name=cidgravity_gateway -project_dir=$(CURDIR)/../$(app_name) +project_dir=$(CURDIR) build_dir=$(CURDIR)/build/artifacts appstore_dir=$(build_dir)/appstore source_dir=$(build_dir)/source 
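Review bot: With `project_dir=$(CURDIR)`, `build_dir=$(CURDIR)/build/artifacts` now lives inside the directory that the `appstore` target rsyncs from (`$(project_dir)/ $(sign_dir)/$(app_name)` in the second Makefile hunk), so unless `build` is in the exclude list — only `vendor` and `webpack.*.js` are visible — the archive source picks up the previous build output, and with the old layout this could not happen. Adding `--exclude=build` (and `--exclude=.git` if it is not already there) next to the existing excludes would close that; the exclude list itself starts before the hunk, so this may already be covered.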
@@ -85,6 +85,10 @@ appstore: --exclude=vendor \ --exclude=webpack.*.js \ $(project_dir)/ $(sign_dir)/$(app_name) + + php ./bin/tools/file_from_env.php "APP_PRIVATE_KEY" "$(cert_dir)/$(app_name).key" + php ./bin/tools/file_from_env.php "APP_PUBLIC_CRT" "$(cert_dir)/$(app_name).crt" + @if [ -f $(cert_dir)/$(app_name).key ]; then \ echo "Signing app files…"; \ php ../../occ integrity:sign-app \ diff --git a/bin/tools/file_from_env.php b/bin/tools/file_from_env.php new file mode 100644 index 0000000..c4b031e --- /dev/null +++ b/bin/tools/file_from_env.php @@ -0,0 +1,29 @@ +#!/usr/bin/env php + +* @copyright Benjamin Brahmer 2020 +*/ + +if ($argc < 2) { + echo "This script expects two parameters:\n"; + echo "./file_from_env.php ENV_VAR PATH_TO_FILE\n"; + exit(1); +} + +# Read environment variable +$content = getenv($argv[1]); + +if (!$content){ + echo "Variable was empty\n"; + exit(1); +} + +file_put_contents($argv[2], $content); + +echo "Done...\n"; \ No newline at end of file
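Review bot: The two new `php ./bin/tools/file_from_env.php` lines turn a missing `APP_PRIVATE_KEY`/`APP_PUBLIC_CRT` into a hard failure of `make appstore`, because the script exits 1 on an empty variable, while the `@if [ -f $(cert_dir)/$(app_name).key ]` guard right after them was written to make signing optional; if unsigned local builds are still meant to work, guard the lines with a test on the variable (for example `@[ -z "$$APP_PRIVATE_KEY" ] || php ./bin/tools/file_from_env.php "APP_PRIVATE_KEY" "$(cert_dir)/$(app_name).key"`). The key is written with the process umask, typically world-readable, so a `chmod 600 $(cert_dir)/$(app_name).key` after creation is warranted. Once the key file exists the guard proceeds to `php ../../occ integrity:sign-app`, which presumes a Nextcloud server two directories up; the new workflow hunk only checks out this repository, so on the runner that path presumably does not exist — worth verifying, as the `appstore` recipe starts before this hunk and `$(cert_dir)` is defined outside it.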
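Review bot: The argument check `if ($argc < 2)` is off by one — `$argc` counts the script name, so a single parameter passes the check and `$argv[2]` is then undefined when `file_put_contents` is called; it should be `if ($argc < 3)`. The return value of `file_put_contents` is also ignored, so an unwritable target path (for instance a missing `$(cert_dir)`) still prints `Done...` and exits 0, and the Makefile's `-f` guard then silently skips signing; checking for `false` and exiting non-zero makes that visible. Because the Makefile uses this for a private key, setting the file to owner-only permissions after writing avoids leaving a world-readable key behind. The hunk as rendered here also begins with `#!/usr/bin/env php` followed directly by `* @copyright`, so the `<?php` opening tag and the start of the doc comment appear to be missing — likely an extraction artefact, but worth confirming in the committed file.
```php
if ($argc < 3) {
    echo "This script expects two parameters:\n";
    echo "./file_from_env.php ENV_VAR PATH_TO_FILE\n";
    exit(1);
}

// … unchanged: read environment variable and reject an empty value …

if (file_put_contents($argv[2], $content) === false) {
    echo "Could not write file\n";
    exit(1);
}
chmod($argv[2], 0600);

echo "Done...\n";
```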