* chore(ci): pin GitHub Actions to commit SHAs (#1811) Follow-up to #1810. The Node-24 upgrade left every workflow on mutable tag refs (`actions/checkout@v5`, `actions/download-artifact@v7`, etc.) which superagent-security[bot] flagged on the ci.yml + publish.yml reviews. Pin all 18 external actions to the commit SHA they currently resolve to and add a trailing `# vMAJOR.MINOR.PATCH` comment so reviewers can see the version. Local reusable-workflow refs (`uses: ./.github/...`) are left alone — pinning those would defeat the point. Closes #1811 * chore(ci): address review — persist-credentials + setup-node consistency (#1811) Two pieces of follow-up feedback on the SHA-pinning PR: - @coderabbitai (P1 nitpicks) + @JSONbored: add 'persist-credentials: false' to checkout steps in jobs that don't perform authenticated git operations. Adds the line to 17 read-only checkouts across 9 workflows (chart-ci, ci, flutter-build, helm-publish, ios-testflight, llm-evals, preview-cleanup, preview-deploy, publish:build). Checkouts inside jobs that 'git push' (chart-release, mobile-build, mobile-release, helm-publish:second-checkout, publish:bump-pre_release) are intentionally left alone so they keep their token. - @jjmata: preview-deploy.yml was the only workflow on actions/setup-node v6.4.0; everywhere else pinned v5.0.0. Standardise on v5.0.0 to match. Dependabot config already has a github-actions ecosystem entry with a weekly schedule, so no addition needed for that point. * chore(ci): document intentional setup-node v6→5 normalization (#1811) @superagent-security flagged the v6.4.0 -> v5.0.0 change in preview-deploy.yml as a possible unintended downgrade. The downgrade was deliberate, per @jjmata's review request to normalize setup-node across all workflows. Add an inline YAML comment next to the line so future scans don't re-flag it. 
--------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Co-authored-by: jeffrey701 <jeffrey701@users.noreply.github.com> Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
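# Reusable workflow: upload a previously built Android App Bundle (AAB) to
# Google Play. Invoked via `workflow_call` by a build workflow that has
# already published the `app-release-aab` artifact.
#
# The job is a no-op (with a step-summary explanation) when the
# GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_BASE64 secret is not configured, so forks
# and environments without Play credentials still pass CI.
name: Google Play Upload

on:
  workflow_call:
    inputs:
      notes:
        description: "Google Play release notes"
        required: false
        type: string
      track:
        description: "Google Play track (internal, alpha, beta, production)"
        required: false
        default: "internal"
        type: string
    secrets:
      # Base64-encoded Google service-account JSON with Play Console access.
      # Optional: when absent the upload is skipped rather than failed.
      GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_BASE64:
        required: false

# Least privilege: the job only downloads an artifact and talks to the Play
# API; it never writes to the repository, so GITHUB_TOKEN is read-only.
permissions:
  contents: read

jobs:
  upload:
    name: Upload Android AAB to Google Play
    runs-on: ubuntu-latest
    timeout-minutes: 30

    steps:
      - name: Check Google Play credentials
        id: check_prereqs
        env:
          GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_BASE64: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_BASE64 }}
        run: |
          set -euo pipefail

          # Collect every missing secret so the summary lists all of them at
          # once instead of failing on the first one.
          missing=()
          if [ -z "${GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_BASE64-}" ]; then
            missing+=("GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_BASE64")
          fi

          if [ "${#missing[@]}" -eq 0 ]; then
            echo "enabled=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          echo "enabled=false" >> "$GITHUB_OUTPUT"
          {
            echo "Missing required Google Play secrets:"
            printf " - %s\n" "${missing[@]}"
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Skip Google Play upload
        if: ${{ steps.check_prereqs.outputs.enabled != 'true' }}
        run: |
          echo "Skipping Google Play upload because required credentials are not configured."

      - name: Download Android AAB artifact
        if: ${{ steps.check_prereqs.outputs.enabled == 'true' }}
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: app-release-aab
          path: ${{ runner.temp }}/android-aab

      - name: Prepare Google Play credentials
        id: play_creds
        if: ${{ steps.check_prereqs.outputs.enabled == 'true' }}
        env:
          GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_BASE64: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_BASE64 }}
        run: |
          set -euo pipefail
          # The decoded JSON is a long-lived credential and GitHub only masks
          # the base64 form in logs, so create the file owner-only and never
          # print its contents.
          umask 077
          CREDENTIALS_PATH="$RUNNER_TEMP/google-play-service-account.json"
          echo "$GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_BASE64" | base64 --decode > "$CREDENTIALS_PATH"
          echo "credentials-path=$CREDENTIALS_PATH" >> "$GITHUB_OUTPUT"

      - name: Resolve AAB path
        id: aab
        if: ${{ steps.check_prereqs.outputs.enabled == 'true' }}
        run: |
          set -euo pipefail
          # Same directory the download step wrote to; RUNNER_TEMP is the
          # shell-side name for `runner.temp`, used here for consistency with
          # the other steps instead of interpolating an expression.
          AAB_PATH="$(find "$RUNNER_TEMP/android-aab" -name '*.aab' | head -n 1)"
          if [ -z "$AAB_PATH" ]; then
            echo "::error::No Android App Bundle (.aab) found in downloaded artifacts"
            exit 1
          fi
          echo "aab-path=$AAB_PATH" >> "$GITHUB_OUTPUT"

      - name: Create release notes file
        id: notes
        if: ${{ steps.check_prereqs.outputs.enabled == 'true' && inputs.notes != '' }}
        env:
          # Passed through the environment rather than interpolated into the
          # script so caller-supplied text cannot become shell syntax.
          NOTES: ${{ inputs.notes }}
        run: |
          set -euo pipefail
          NOTES_DIR="$RUNNER_TEMP/google-play-whatsnew"
          mkdir -p "$NOTES_DIR"
          # One `whatsnew-<locale>` file per language inside whatsNewDirectory.
          printf '%s\n' "$NOTES" > "$NOTES_DIR/whatsnew-en-US"
          echo "notes-dir=$NOTES_DIR" >> "$GITHUB_OUTPUT"

      - name: Upload to Google Play
        if: ${{ steps.check_prereqs.outputs.enabled == 'true' }}
        uses: r0adkll/upload-google-play@e738b9dd8f2476ea806d921b64aacd24f34515a5 # v1.1.5
        with:
          serviceAccountJson: ${{ steps.play_creds.outputs.credentials-path }}
          packageName: am.sure.mobile
          releaseFiles: ${{ steps.aab.outputs.aab-path }}
          tracks: ${{ inputs.track }}
          status: completed
          # Empty when the release-notes step was skipped.
          whatsNewDirectory: ${{ steps.notes.outputs.notes-dir }}

      - name: Remove Google Play credentials
        # Runs even when the upload fails so the decoded service-account key
        # does not outlive the job on persistent (e.g. self-hosted) runners.
        if: ${{ always() && steps.play_creds.outputs.credentials-path != '' }}
        env:
          CREDENTIALS_PATH: ${{ steps.play_creds.outputs.credentials-path }}
        run: |
          rm -f "$CREDENTIALS_PATH"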