Instead of accepting `pull_request` event which doesn't pass secrets,
we are now using `pull_request_target` event which does.
To prevent leaking secrets, we are using an initial job that sets the `environment`
dynamically based on the event.
If it's an external PR, then it deploys to `external` environment.
This `external` environment has been created, includes required secrets and mandates approval by automactic, kelson or rgaudin.
Because `pull_request_target` is meant to run on `main` code and not PR's one, we also change the checkout ref.
With this setup, CI runs unattended for pushes on main or PRs from our own repo but requires validation for external ones.
Note: this is based on April 2023 instructions at
https://iterative.ai/blog/testing-external-contributions-using-github-actions-secrets
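The gating pattern described in the message above, as an added workflow example (not the project's own workflow file): a first job that uses no secrets and runs no PR code decides the environment name from the event, and the build job inherits that environment so that GitHub's required-reviewer rule on `external` blocks the job until approved. The job names, the `internal` environment name for the unprotected case, the `build.sh` script and the `SOME_SECRET` secret name are assumptions; the required reviewers themselves are configured on the environment in the repository settings, not in this file.

```yaml
name: CI

on:
  push:
    branches: [main]
  # pull_request_target runs the workflow file from the base branch, with secrets,
  # even for PRs opened from forks. That is why the checkout below must be gated.
  pull_request_target:

jobs:
  # This job must never see secrets or execute PR code: it runs before any approval.
  # It only reads event metadata to pick the environment.
  select-environment:
    runs-on: ubuntu-latest
    outputs:
      environment: ${{ steps.pick.outputs.environment }}
    steps:
      - id: pick
        env:
          EVENT_NAME: ${{ github.event_name }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          BASE_REPO: ${{ github.repository }}
        run: |
          # A PR whose head repository differs from this repository comes from a fork:
          # route it to the "external" environment, which requires reviewer approval.
          if [ "$EVENT_NAME" = "pull_request_target" ] && [ "$HEAD_REPO" != "$BASE_REPO" ]; then
            echo "environment=external" >> "$GITHUB_OUTPUT"
          else
            echo "environment=internal" >> "$GITHUB_OUTPUT"   # assumed name, no approval rule
          fi

  build:
    needs: select-environment
    runs-on: macos-latest
    # The job pauses here until the environment's protection rules are satisfied.
    environment: ${{ needs.select-environment.outputs.environment }}
    steps:
      - uses: actions/checkout@v4
        with:
          # pull_request_target checks out the base branch by default; build the PR's
          # own commit instead. Safe only because secrets are gated by the environment.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - name: Build
        env:
          SOME_SECRET: ${{ secrets.SOME_SECRET }}   # assumed secret name
        run: ./build.sh                             # assumed build script
```

Passing `github.event_name` and the repository names through `env:` rather than interpolating `${{ }}` directly into the shell script keeps the decision step free of expression injection, and pinning the checkout to `head.sha` rather than a branch name builds exactly the commit the reviewer approved.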
Automatically building and deploying in Github Actions for Nightlies and Releases.
Triggered by the following:
- every day at 01:32am (nightly mode)
- manually (nightly mode)
- on release publication (release mode)
This workflow makes extensive use of secrets with no additional safeguard, given:
- `schedule` (nightly) runs only off `main` branch.
- `workflow_dispatch` (manual) can run on any in-repo branch (but uses the workflow from `main`)
- Release publication requires push access to repo.
There are thus two *modes*: Release and Nightly (also used on manual dispatch).
The mode sets the `VERSION` either to the YYYY-MM-DD date for nightly or the tag-name for the release.
It has four *targets*: `macOS dmg`, `macOS app-store`, `iOS ipa` and `iOS app-store`.
- **macOS dmg**: universal notarized macOS App in a dmg uploaded to `Kiwix-$VERSION.dmg`
- **macOS app-store**: universal notarized macOS App uploaded to the App Store.
- **iOS ipa**: iOS App uploaded to `Kiwix-$VERSION.ipa`
- **iOS app-store**: iOS App uploaded to the App Store
Code Signing is *automatic* (xcode decides which one to use based on availability).
We use the Apple Distribution one for the app-store targets. IPA uses Apple Development
and dmg uses Developer ID.
⚠️ This allows the updates CI workflow to make use of the shared xcbuild action.
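The trigger and mode selection described in the nightly/release message above, as an added workflow example that is not the project's own file: the three triggers map onto two modes, and `VERSION` is set to the UTC date for nightly builds or to the release tag for releases. The `build.sh` script, its `--target` flag and the `dist/` output path are assumptions; the target names follow the four listed in the message.

```yaml
name: Build and deploy

on:
  schedule:
    - cron: '32 1 * * *'   # 01:32 UTC daily; scheduled runs only use the workflow on main
  workflow_dispatch:       # manual run on any in-repo branch, treated as nightly
  release:
    types: [published]     # publishing a release requires push access to the repo

jobs:
  build:
    runs-on: macos-latest
    strategy:
      matrix:
        target: [macos-dmg, macos-app-store, ios-ipa, ios-app-store]
    steps:
      - uses: actions/checkout@v4

      - name: Select mode and VERSION
        env:
          EVENT_NAME: ${{ github.event_name }}
          TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          # Release mode is the only one that carries a tag; everything else is nightly.
          if [ "$EVENT_NAME" = "release" ]; then
            echo "MODE=release" >> "$GITHUB_ENV"
            echo "VERSION=$TAG_NAME" >> "$GITHUB_ENV"
          else
            echo "MODE=nightly" >> "$GITHUB_ENV"
            echo "VERSION=$(date -u +%Y-%m-%d)" >> "$GITHUB_ENV"
          fi

      - name: Build ${{ matrix.target }}
        # Secrets are used without an approval gate because none of the three
        # triggers can be fired by an external contributor.
        env:
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}   # assumed secret name
        run: ./build.sh --target "${{ matrix.target }}" --version "$VERSION"   # assumed script

      # Only the dmg and ipa targets produce a file to publish; app-store targets upload directly.
      - name: Upload dmg
        if: matrix.target == 'macos-dmg'
        uses: actions/upload-artifact@v4
        with:
          name: Kiwix-${{ env.VERSION }}.dmg
          path: dist/Kiwix.dmg          # assumed output path

      - name: Upload ipa
        if: matrix.target == 'ios-ipa'
        uses: actions/upload-artifact@v4
        with:
          name: Kiwix-${{ env.VERSION }}.ipa
          path: dist/Kiwix.ipa          # assumed output path
```

The reason no environment gate is needed here, unlike in the PR workflow, is visible in the `on:` block: every trigger is either run from `main` by GitHub itself or requires write access to the repository, so no untrusted code can reach the step that reads the secrets.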