Simplify CD steps

2025-09-29 06:56:46 -04:00 · 2024-02-04 13:20:22 +01:00 · 2024-02-04 13:20:22 +01:00 · 4ec16d3f0f
commit 4ec16d3f0f
parent 88b8fe5fab
1 changed files with 34 additions and 63 deletions
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@ -26,22 +26,24 @@ jobs:
            uploadto: app-store
          - platform: iOS
            uploadto: ipa
            xcode_extra: -sdk iphoneos
          - platform: iOS
            uploadto: app-store
            xcode_extra: -sdk iphoneos
    runs-on: macos-13
    env:
      APPLE_AUTH_PARAMS: "-authenticationKeyPath ${{ env.APPLE_STORE_AUTH_KEY_PATH }} -authenticationKeyID ${{ secrets.APPLE_STORE_AUTH_KEY_ID }} -authenticationKeyIssuerID ${{ secrets.APPLE_STORE_AUTH_KEY_ISSUER_ID }}"
      EXTRA_XCODEBUILD: ""
    steps:
    - name: Checkout code
      uses: actions/checkout@v3
    - name: Set iOS extra xcode params
      if: matrix.destination.platform == 'iOS'
      run: echo "EXTRA_XCODEBUILD=-sdk iphoneos ${{ env.APPLE_AUTH_PARAMS }}" 
    - name: Decide whether building nightly or release
      env:
        PLATFORM: ${{ matrix.destination.platform }}
        UPLOAD_TO: ${{ matrix.destination.uploadto }}
        EXTRA_XCODEBUILD: ${{ matrix.destination.xcode_extra }}
        APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }}
        APPLE_STORE_AUTH_KEY_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ID }}
        APPLE_STORE_AUTH_KEY_ISSUER_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ISSUER_ID }}
      shell: python
      run: |
        import datetime
@ -61,61 +63,41 @@ jobs:
        if not is_release and upload_to == "app-store":
          upload_to_apple = False
        extra_xcode = os.getenv("EXTRA_XCODEBUILD", "")
        if os.getenv("PLATFORM") == "iOS":
          extra_xcode += f" -authenticationKeyPath {os.getenv('APPLE_STORE_AUTH_KEY_PATH')}"
          extra_xcode += f" -authenticationKeyID {os.getenv('APPLE_STORE_AUTH_KEY_ID')}"
          extra_xcode += f" -authenticationKeyIssuerID {os.getenv('APPLE_STORE_AUTH_KEY_ISSUER_ID')}"
        with open(os.getenv("GITHUB_ENV"), "a") as fh:
          fh.write(f"VERSION={version}\n")
          fh.write(f"ISRELEASE={'yes' if is_release else ''}\n")
          fh.write(f"EXPORT_METHOD={export_method}\n")
          fh.write(f"UPLOAD_FOLDER={upload_folder}\n")
          fh.write(f"EXTRA_XCODEBUILD={extra_xcode}\n")
          fh.write(f"UPLOAD_TO_APPLE={'yes' if upload_to_apple else ''}\n")
    - name: Prepare use of Developper ID Certificate
-      if: ${{ matrix.destination.uploadto == 'dmg' }}
+      if: matrix.destination.uploadto == 'dmg'
      shell: bash
      env:
-        APPLE_DEVELOPER_ID_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DEVELOPER_ID_SIGNING_CERTIFICATE }}
+        SIGNING_CERTIFICATE: ${{ secrets.APPLE_DEVELOPER_ID_SIGNING_CERTIFICATE }}
-        APPLE_DEVELOPER_ID_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_SIGNING_P12_PASSWORD }}
+        SIGNING_CERTIFICATE_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_SIGNING_P12_PASSWORD }}
-        APPLE_DEVELOPER_ID_SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPER_ID_SIGNING_IDENTITY }}
+        SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPER_ID_SIGNING_IDENTITY }}
-      run: |
+      run: echo ""
        echo "SIGNING_CERTIFICATE=${APPLE_DEVELOPER_ID_SIGNING_CERTIFICATE}" >> "$GITHUB_ENV"
        echo "SIGNING_CERTIFICATE_P12_PASSWORD=${APPLE_DEVELOPER_ID_SIGNING_P12_PASSWORD}" >> "$GITHUB_ENV"
        echo "SIGNING_IDENTITY=${APPLE_DEVELOPER_ID_SIGNING_IDENTITY}" >> "$GITHUB_ENV"
    - name: Prepare use of Apple Development Certificate
-      if: ${{ matrix.destination.uploadto == 'ipa' }}
+      if: matrix.destination.uploadto == 'ipa'
      shell: bash
      env:
-        APPLE_DEVELOPMENT_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_CERTIFICATE }}
+        SIGNING_CERTIFICATE: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_CERTIFICATE }}
-        APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD }}
+        SIGNING_CERTIFICATE_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD }}
-        APPLE_DEVELOPMENT_SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_IDENTITY }}
+        SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_IDENTITY }}
-      run: |
+      run: echo ""
        echo "SIGNING_CERTIFICATE=${APPLE_DEVELOPMENT_SIGNING_CERTIFICATE}" >> "$GITHUB_ENV"
        echo "SIGNING_CERTIFICATE_P12_PASSWORD=${APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD}" >> "$GITHUB_ENV"
        echo "SIGNING_IDENTITY=${APPLE_DEVELOPMENT_SIGNING_IDENTITY}" >> "$GITHUB_ENV"
    - name: Prepare use of Apple Distribution Certificate
-      if: ${{ matrix.destination.uploadto == 'app-store' }}
+      if: matrix.destination.uploadto == 'app-store'
      shell: bash
      env:
-        APPLE_DISTRIBUTION_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DISTRIBUTION_SIGNING_CERTIFICATE }}
+        SIGNING_CERTIFICATE: ${{ secrets.APPLE_DISTRIBUTION_SIGNING_CERTIFICATE }}
-        APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD }}
+        SIGNING_CERTIFICATE_P12_PASSWORD: ${{ secrets.APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD }}
-        APPLE_DEVELOPMENT_SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_IDENTITY }}
+        SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_IDENTITY }}
-      run: |
+      run: echo ""
        echo "SIGNING_CERTIFICATE=${APPLE_DISTRIBUTION_SIGNING_CERTIFICATE}" >> "$GITHUB_ENV"
        echo "SIGNING_CERTIFICATE_P12_PASSWORD=${APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD}" >> "$GITHUB_ENV"
        echo "SIGNING_IDENTITY=${APPLE_DEVELOPMENT_SIGNING_IDENTITY}" >> "$GITHUB_ENV"
    - name: Add Apple Store Key
      env:
        APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }}
        APPLE_STORE_AUTH_KEY: ${{ secrets.APPLE_STORE_AUTH_KEY }}
      shell: bash
      run: echo "${APPLE_STORE_AUTH_KEY}" | base64 --decode -o $APPLE_STORE_AUTH_KEY_PATH
    - name: Build xcarchive
@ -135,7 +117,6 @@ jobs:
        EXTRA_XCODEBUILD: ${{ env.EXTRA_XCODEBUILD }}
    - name: Add altool credentials to Keychain
      shell: bash
      env:
        APPLE_SIGNING_ALTOOL_USERNAME: ${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}
        APPLE_SIGNING_ALTOOL_PASSWORD: ${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}
@ -152,14 +133,14 @@ jobs:
            $KEYCHAIN_PROFILE
    - name: Prepare export for ${{ env.EXPORT_METHOD }}
-      if: ${{ matrix.destination.uploadto != 'ipa' }}
+      if: matrix.destination.uploadto != 'ipa'
      run: |
        plutil -create xml1 ./export.plist
        plutil -insert destination -string upload ./export.plist
        plutil -insert method -string $EXPORT_METHOD ./export.plist
    - name: Prepare export for IPA
-      if: ${{ matrix.destination.uploadto == 'ipa' }}
+      if: matrix.destination.uploadto == 'ipa'
      run: |
        plutil -create xml1 ./export.plist
        plutil -insert method -string ad-hoc ./export.plist
@ -168,47 +149,37 @@ jobs:
    - name: Upload Archive to Apple (App Store or Notarization)
      if: ${{ env.UPLOAD_TO_APPLE }}
-      env:
+      run: python .github/retry-if-retcode.py --sleep 60 --attempts 5 --retcode 70 xcrun xcodebuild -exportArchive -archivePath $PWD/Kiwix-$VERSION.xcarchive -exportPath $PWD/export/ -exportOptionsPlist export.plist -allowProvisioningUpdates $APPLE_AUTH_PARAMS
        APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }}
        APPLE_STORE_AUTH_KEY_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ID }}
        APPLE_STORE_AUTH_KEY_ISSUER_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ISSUER_ID }}
      run: python .github/retry-if-retcode.py --sleep 60 --attempts 5 --retcode 70 xcrun xcodebuild -exportArchive -archivePath $PWD/Kiwix-$VERSION.xcarchive -exportPath $PWD/export/ -exportOptionsPlist export.plist -authenticationKeyPath $APPLE_STORE_AUTH_KEY_PATH -allowProvisioningUpdates -authenticationKeyID $APPLE_STORE_AUTH_KEY_ID -authenticationKeyIssuerID $APPLE_STORE_AUTH_KEY_ISSUER_ID
    - name: Export notarized App from archive
-      if: ${{ matrix.destination.uploadto == 'dmg' }}
+      if: matrix.destination.uploadto == 'dmg'
-      env:
+      run: python .github/retry-if-retcode.py --sleep 60 --attempts 20 --retcode 65 xcrun xcodebuild -exportNotarizedApp -archivePath $PWD/Kiwix-$VERSION.xcarchive -exportPath $PWD/export/ -allowProvisioningUpdates $APPLE_AUTH_PARAMS
        APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }}
        APPLE_STORE_AUTH_KEY_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ID }}
        APPLE_STORE_AUTH_KEY_ISSUER_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ISSUER_ID }}
      run: python .github/retry-if-retcode.py --sleep 60 --attempts 20 --retcode 65 xcrun xcodebuild -exportNotarizedApp -archivePath $PWD/Kiwix-$VERSION.xcarchive -exportPath $PWD/export/ -authenticationKeyPath $APPLE_STORE_AUTH_KEY_PATH -allowProvisioningUpdates -authenticationKeyID $APPLE_STORE_AUTH_KEY_ID -authenticationKeyIssuerID $APPLE_STORE_AUTH_KEY_ISSUER_ID
    - name: Create DMG
-      if: ${{ matrix.destination.uploadto == 'dmg' }}
+      if: matrix.destination.uploadto == 'dmg'
      run: |
        pip install dmgbuild
        dmgbuild -s .github/dmg-settings.py -Dapp=$PWD/export/Kiwix.app -Dbg=.github/dmg-bg.png "Kiwix-$VERSION" $PWD/kiwix-$VERSION.dmg
    - name: Notarize DMG
-      if: ${{ matrix.destination.uploadto == 'dmg' }}
+      if: matrix.destination.uploadto == 'dmg'
      run: |
        xcrun notarytool submit --keychain $KEYCHAIN --keychain-profile $KEYCHAIN_PROFILE --wait $PWD/kiwix-$VERSION.dmg
        xcrun stapler staple $PWD/kiwix-$VERSION.dmg
    - name: Add SSH_KEY to filesystem
-      if: ${{ matrix.destination.uploadto == 'dmg' || matrix.destination.uploadto == 'ipa' }}
+      if: matrix.destination.uploadto == 'dmg' || matrix.destination.uploadto == 'ipa'
      shell: bash
      env:
        PRIVATE_KEY: ${{ secrets.SSH_KEY }}
      run: |
-        echo "${PRIVATE_KEY}" > $SSH_KEY
+        echo "${{ secrets.SSH_KEY }}" > $SSH_KEY
        chmod 600 $SSH_KEY
    - name: Upload DMG
-      if: ${{ matrix.destination.uploadto == 'dmg' }}
+      if: matrix.destination.uploadto == 'dmg'
      run: python .github/upload_file.py --src ${PWD}/kiwix-${VERSION}.dmg --dest ci@master.download.kiwix.org:30022/data/download/${UPLOAD_FOLDER} --ssh-key ${SSH_KEY}
    - name: Upload IPA
-      if: ${{ matrix.destination.uploadto == 'ipa' }}
+      if: matrix.destination.uploadto == 'ipa'
      run: |
        mv ${PWD}/export/Kiwix.ipa ${PWD}/export/kiwix-${VERSION}.ipa
        python .github/upload_file.py --src ${PWD}/export/kiwix-${VERSION}.ipa --dest ci@master.download.kiwix.org:30022/data/download/${UPLOAD_FOLDER} --ssh-key ${SSH_KEY}