Generate Releases #343

Workflow file for this run

.github/workflows/release.yml at 04a3835

	name: "Generate Releases"

	on:
	release:
	types: [ published ]
	schedule:
	- cron: '0 12 1,15 * *' # On the 1st and 15th of the month at noon
	## To test this workflow without creating a release, uncomment the following and add a branch name (making sure "push"
	## is at the same indent level as "release":
	# push:
	# branches:
	# - 'branch-name'

	jobs:
	release:
	runs-on: ${{ matrix.os }}
	strategy:
	matrix:
	os: [ ubuntu-latest, windows-latest, macos-13, macos-latest ] # -13 is intel; -latest is ARM
	steps:
	- name: "Create base filename for all artifacts"
	id: basefn
	shell: bash
	run: \|
	FILEPATH=$(echo rctab_${{ github.ref_name }}_${{ runner.os }}_${{ runner.arch }} \| sed -e 's/\//_/g')
	echo "FILEPATH=$FILEPATH" >> $GITHUB_OUTPUT

	# Normalize platform-specific filepaths generated by gradle
	- name: "Create .zip filename"
	id: zipfn
	shell: bash
	run: echo "FILEPATH=build/${{ steps.basefn.outputs.FILEPATH }}.zip" >> $GITHUB_OUTPUT
	- name: "Get extension"
	id: ext
	shell: bash
	run: \|
	if [ ${{ runner.os }} == 'Windows' ]; then
	echo "EXT=.exe" >> $GITHUB_OUTPUT
	elif [ ${{ runner.os }} == 'Linux' ]; then
	echo "EXT=.deb" >> $GITHUB_OUTPUT
	else
	echo "EXT=.dmg" >> $GITHUB_OUTPUT
	fi
	- name: "Get jpackage output filepath"
	id: jpackagefn
	shell: bash
	run: \|
	# TODO Sync version number with Main.java and build.gradle (github.com/BrightSpots/rcv/issues/662)
	# The version numbers are hardcoded because the files below include the version number in them,
	# and while we could use some regex to figure out the version number automatically, it seems cleaner
	# to know the expected version number upfront.
	if [ ${{ runner.os }} == 'Windows' ]; then
	echo "FILEPATH=build/jpackage/RCTab-1.3.999.exe" >> $GITHUB_OUTPUT
	elif [ ${{ runner.os }} == 'Linux' ]; then
	echo "FILEPATH=build/jpackage/rctab_1.3.999_amd64.deb" >> $GITHUB_OUTPUT
	else
	echo "FILEPATH=build/jpackage/RCTab-1.3.999.dmg" >> $GITHUB_OUTPUT
	fi
	- name: "Create executable filename"
	id: exefn
	shell: bash
	run: echo "FILEPATH=build/${{ steps.basefn.outputs.FILEPATH }}${{ steps.ext.outputs.EXT }}" >> $GITHUB_OUTPUT

	- uses: actions/checkout@v3

	- name: "Set up JDK 20.0.1"
	uses: actions/setup-java@v3
	with:
	java-version: '20.0.1'
	distribution: 'temurin'

	- name: "Validate Gradle wrapper"
	uses: gradle/wrapper-validation-action@ccb4328a959376b642e027874838f60f8e596de3

	- name: "Create zip with jlinkZip"
	uses: ./.github/actions/gradle-and-sha
	with:
	gradle-command: jlinkZip
	intermediate-filepath: build/rcv.zip
	final-filepath: ${{ steps.zipfn.outputs.FILEPATH }}

	- name: "Create caches filename"
	id: cachefn
	shell: bash
	run: \|
	mkdir cache
	echo "FILEPATH=cache/${{ steps.basefn.outputs.FILEPATH }}.cache.zip" >> $GITHUB_OUTPUT

	- name: "Create checksum filename"
	id: checksumsfn
	shell: bash
	run: \|
	echo "FILEPATH=cache/checksums.csv" >> $GITHUB_OUTPUT

	- name: "Generate SHA1 and SHA256 for each Maven dependency"
	shell: bash
	run: ./.github/workflows/generate-dependency-hashes.sh ${{ runner.os }} >> ${{steps.checksumsfn.outputs.FILEPATH}}

	- name: "Create dependency zip"
	uses: ./.github/actions/zip
	with:
	# Build, then remove all non-essential files
	command: ./gradlew assemble && ./gradlew --stop
	input: "~/.gradle/caches"
	zipFilename: ${{steps.cachefn.outputs.FILEPATH}}

	- name: "Generate SHA512 for plugins cache"
	shell: bash
	run: \|
	./.github/workflows/sha.sh ${{steps.cachefn.outputs.FILEPATH}} ${{ runner.os }} 512 > ${{steps.cachefn.outputs.FILEPATH}}.sha512

	- name: "Generate SHA512 for checksums of plugins"
	shell: bash
	run: \|
	./.github/workflows/sha.sh ${{steps.checksumsfn.outputs.FILEPATH}} ${{ runner.os }} 512 > ${{steps.checksumsfn.outputs.FILEPATH}}.sha512

	- name: "Generate Golden SHA512 for jlinkZip"
	uses: ./.github/actions/sha-of-zip
	with:
	zipFilename: ${{ steps.zipfn.outputs.FILEPATH }}
	shaA: 512

	- name: "Prepare keychain"
	if: matrix.os == 'macOS-latest' \|\| matrix.os == 'macOS-13'
	env:
	MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
	MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
	run: \|
	export TEMP_PWD=temporary-password-to-avoid-GUI-prompt
	echo "Decode Base64 certificates"
	echo $MACOS_CERTIFICATE \| base64 --decode > certificate.p12
	echo "Create and unlock keychain"
	security create-keychain -p $TEMP_PWD build.keychain
	security unlock-keychain -p $TEMP_PWD build.keychain
	echo "Import certificates into keychain"
	# Note: in the next command, the -A should not be used outside of GitHub actions.
	# It allows any application to read the keychain, which is fine in an ephemeral environment,
	# but not fine if you run this on your own machine.
	security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -A -T /usr/bin/codesign -T /usr/bin/productbuild -T /usr/bin/security
	security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $TEMP_PWD build.keychain

	- name: "Create executable with jpackage (and sign, on MacOS)"
	uses: ./.github/actions/gradle-and-sha
	with:
	gradle-command: jpackage
	intermediate-filepath: ${{ steps.jpackagefn.outputs.FILEPATH }}
	final-filepath: ${{ steps.exefn.outputs.FILEPATH }}

	- name: "Notarize app bundle"
	if: matrix.os == 'macOS-latest' \|\| matrix.os == 'macOS-13'
	env:
	MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
	MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
	MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
	IDENTITY_PUBLIC_KEY: A257HB4NS4
	run: \|
	echo "Unlock keychain"
	security unlock-keychain -p temporary-password-to-avoid-GUI-prompt build.keychain
	security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k temporary-password-to-avoid-GUI-prompt build.keychain
	echo "Create keychain profile"
	xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
	echo "Creating temp notarization archive"
	ditto -c -k --sequesterRsrc --keepParent ${{ steps.exefn.outputs.FILEPATH }} "notarization.zip"
	echo "Notarize app -- this may take a few minutes"
	xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
	echo "Attach staple"
	xcrun stapler staple ${{ steps.exefn.outputs.FILEPATH }}

	- uses: actions/upload-artifact@v3
	with:
	name: Package
	if-no-files-found: error
	path: \|
	${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}
	${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.sha512
	${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.golden.sha512
	${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}
	${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}.sha512
	${{ github.workspace }}/${{ steps.cachefn.outputs.FILEPATH }}
	${{ github.workspace }}/${{ steps.cachefn.outputs.FILEPATH }}.sha512
	${{ github.workspace }}/${{ steps.checksumsfn.outputs.FILEPATH }}
	${{ github.workspace }}/${{ steps.checksumsfn.outputs.FILEPATH }}.sha512
	retention-days: 90

	- name: "Upload binaries to release"
	uses: svenstaro/upload-release-action@v2
	if: github.event_name == 'release' \|\| github.event_name == 'schedule'
	with:
	repo_token: ${{ secrets.GITHUB_TOKEN }}
	file: build/${{ steps.basefn.outputs.FILEPATH }}*
	tag: ${{ github.ref_name }}
	overwrite: true
	file_glob: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Generate Releases #343

Workflow file

Generate Releases #343

Jobs

Run details

Workflow file for this run