Merge pull request #345 from slovensko-digital/dependabot/maven/net.s… #647
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Package | |
| on: | |
| push: | |
| tags: | |
| - "v[0-9]+.[0-9]+.[0-9]+" | |
| jobs: | |
| build: | |
| runs-on: ${{ matrix.config.os }} | |
| environment: packaging | |
| strategy: | |
| matrix: | |
| config: | |
| - os: ubuntu-latest | |
| - os: macos-latest | |
| - os: windows-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Update version in pom if tag pushed | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: ./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g') | |
| shell: bash | |
| - name: Set up JDK | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: "17.0.7+7" | |
| distribution: "liberica" | |
| java-package: "jdk+fx" | |
| - name: Cache local Maven repository and JDK cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.m2/repository | |
| target/jdkCache | |
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven- | |
| - name: Install an Apple keychain (MacOS) | |
| if: runner.os == 'macOS' | |
| # based on https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development#add-a-step-to-your-workflow | |
| env: | |
| APPLE_KEYCHAIN_BASE64: ${{ secrets.APPLE_KEYCHAIN_BASE64 }} | |
| APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} | |
| APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }} | |
| shell: bash | |
| run: | | |
| # create variables | |
| APPLE_KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
| # share to rest of steps | |
| echo "APPLE_KEYCHAIN_PATH=$APPLE_KEYCHAIN_PATH" >> "$GITHUB_ENV" | |
| # import keychain from secrets | |
| echo -n "$APPLE_KEYCHAIN_BASE64" | base64 --decode -o $APPLE_KEYCHAIN_PATH | |
| set -x | |
| # unlock, set timeout and set as used keychain | |
| security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $APPLE_KEYCHAIN_PATH | |
| #security set-keychain-settings -lut 21600 $APPLE_KEYCHAIN_PATH | |
| security list-keychain -d user -s $APPLE_KEYCHAIN_PATH | |
| security default-keychain -s $APPLE_KEYCHAIN_PATH | |
| - name: Package with Maven | |
| run: ./mvnw -B -C -V package | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| APPLE_KEYCHAIN_PATH: ${{ env.APPLE_KEYCHAIN_PATH }} | |
| APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }} | |
| - name: Notarize release with Apple (MacOS) | |
| if: runner.os == 'macOS' | |
| env: | |
| APPLE_KEYCHAIN_PATH: ${{ env.APPLE_KEYCHAIN_PATH }} | |
| shell: bash | |
| run: | | |
| set -x | |
| # run notarization | |
| xcrun notarytool submit --keychain-profile "autogram" --keychain $APPLE_KEYCHAIN_PATH --wait target/Autogram-*.pkg | |
| # staple | |
| xcrun stapler staple target/Autogram-*.pkg | |
| # lock all keychains | |
| security lock-keychain -a | |
| - name: Sign on Azure | |
| if: runner.os == 'Windows' | |
| shell: bash | |
| run: | | |
| dotnet tool install --global AzureSignTool | |
| AzureSignTool sign --description "Autogram" -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v target/*.msi | |
| - name: Create release if tag pushed | |
| uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| draft: true | |
| prerelease: true | |
| files: | | |
| target/*.exe | |
| target/*.msi | |
| target/*.rpm | |
| target/*.deb | |
| target/*.pkg | |
| target/*.dmg | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |