Skip to content

Audit suggestion fixes (#1068) #1505

Audit suggestion fixes (#1068)

Audit suggestion fixes (#1068) #1505

Workflow file for this run

name: Publish releases
on:
push:
branches: [ main ]
tags:
- '*'
permissions:
contents: "read"
id-token: "write"
env:
GOPRIVATE: github.com/getlantern
S3_BUCKET: lantern
jobs:
set-version:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.set-version.outputs.version }}
prefix: ${{ steps.set-version.outputs.prefix }}
version_file: ${{ steps.set-version.outputs.version_file }}
steps:
- id: set-version
shell: python
run: |
import sys, os
ref = os.environ.get("GITHUB_REF","")
if "refs/tags/lantern" not in ref:
li = 'lantern-installer-dev'
vf = 'version-android-dev.txt'
version = '9999.99.99-dev'
else:
a = ref.strip().replace('refs/tags/lantern-', '')
parts = a.split('-',1)
suffix = parts[1] if len(parts)>1 else ''
beta = 'beta' in suffix
internal = 'internal' in suffix
if beta:
li = 'lantern-installer-preview'
vf = 'version-android-beta.txt'
version = parts[0]
elif internal:
li = 'lantern-installer-internal'
vf = 'version-android-internal.txt'
version = parts[0]
else:
li = 'lantern-installer'
vf = 'version-android.txt'
version = a
print('Setting version to ' + version)
print('Setting prefix to ' + li)
print('Setting version file to ' + vf)
print(f'::set-output name=version::{version}')
print(f'::set-output name=prefix::{li}')
print(f'::set-output name=version_file::{vf}')
build-linux:
uses: ./.github/workflows/build-linux.yml
secrets: inherit
needs: set-version
with:
version: ${{ needs.set-version.outputs.version }}
prefix: ${{ needs.set-version.outputs.prefix }}
dist-suffix: x64
# build-windows-x32:
# uses: ./.github/workflows/build-windows.yml
# secrets: inherit
# needs: set-version
# with:
# version: ${{ needs.set-version.outputs.version }}
# prefix: ${{ needs.set-version.outputs.prefix }}
# dist-suffix: 32-bit
# installer-suffix: -x32
# update-suffix: 386
# arch: x32
build-windows-x64:
uses: ./.github/workflows/build-windows.yml
secrets: inherit
needs: set-version
with:
version: ${{ needs.set-version.outputs.version }}
prefix: ${{ needs.set-version.outputs.prefix }}
build-suffix: 64
dist-suffix: 64-bit
update-suffix: x64
installer-suffix: -x64
arch: x64
build-darwin:
uses: ./.github/workflows/build-darwin.yml
secrets: inherit
needs: set-version
with:
macos_version: macos-14
xcode_version: latest-stable
version: ${{ needs.set-version.outputs.version }}
version_file: ${{ needs.set-version.outputs.version_file }}
prefix: ${{ needs.set-version.outputs.prefix }}
build-android:
needs: set-version
env:
version: ${{ needs.set-version.outputs.version }}
version_file: ${{ needs.set-version.outputs.version_file }}
prefix: ${{ needs.set-version.outputs.prefix }}
runs-on: macos-latest-xlarge
steps:
- uses: actions/checkout@v4
with:
lfs: true
- name: Pull LFS objects
run: git lfs pull
# Install Flutter
- uses: subosito/flutter-action@v2
with:
channel: "stable"
flutter-version-file: pubspec.yaml
- run: flutter --version
- name: Setup Go
uses: actions/setup-go@v4
with:
go-version-file: "go.mod"
- name: Install latest protoc-gen-go
run: go install github.com/golang/protobuf/protoc-gen-go@latest
- name: Granting private modules access
run: |
git config --global url."https://${{ secrets.CI_PRIVATE_REPOS_GH_TOKEN }}:[email protected]/".insteadOf "https://github.com/"
- name: Setup Sentry CLI
uses: mathieu-bour/setup-sentry-cli@v1
with:
version: latest
token: ${{ SECRETS.SENTRY_TOKEN }} # from GitHub secrets
organization: getlantern
project: android
- name: Setup JDK
uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 17
- name: Generate ffi bindings
run: |
make darwin
make ffigen
- name: Setup protoc
uses: arduino/setup-protoc@v2
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Activate protoc-gen-dart plugin
run: |
echo "${HOME}/.pub-cache/bin" >> $GITHUB_PATH
dart pub global activate protoc_plugin
- name: Set gradle properties
env:
GRADLE_PROPERTIES: ${{ secrets.GRADLE_PROPERTIES }}
run: |
mkdir -p ~/.gradle/
echo "GRADLE_USER_HOME=${HOME}/.gradle" >> $GITHUB_ENV
echo "${GRADLE_PROPERTIES}" > ~/.gradle/gradle.properties
- name: Decode Keystore
id: write_file
uses: timheuer/[email protected]
with:
fileName: 'keystore.release.jks'
fileDir: './android/app'
encodedString: ${{ secrets.KEYSTORE }}
- name: Generate app.env
env:
ANDROID_INTERSTITIAL_AD_ID: ${{ secrets.INTERSTITIAL_AD_UNIT_ID }}
IOS_INTERSTITIAL_AD_ID: ${{ secrets.INTERSTITIAL_AD_UNIT_ID_IOS }}
run: |
touch app.env
echo "Android_interstitialAd=$ANDROID_INTERSTITIAL_AD_ID" > app.env
echo "IOS_interstitialAd=$IOS_INTERSTITIAL_AD_ID" >> app.env
- name: Build Android installers
run: make package-android
env:
INTERSTITIAL_AD_UNIT: "${{ secrets.INTERSTITIAL_AD_UNIT_ID }}"
SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}"
VERSION: "${{ env.version }}"
- uses: actions/upload-artifact@v3
with:
name: android-apk-build
retention-days: 2
path: |
lantern-installer.apk
- uses: actions/upload-artifact@v3
with:
name: android-aab-build
retention-days: 2
path: |
lantern-installer.aab
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install s3cmd
run: pip install s3cmd
- name: Set s3cmd permissions
run: |
echo "[default]" > "$HOME/.s3cfg"
echo "access_key = ${{ secrets.AWS_ACCESS_KEY }}" >> "$HOME/.s3cfg"
echo "secret_key = ${{ secrets.AWS_SECRET_KEY }}" >> "$HOME/.s3cfg"
- name: Push binaries to s3
env:
VERSION: "${{ env.version }}"
APK: "${{ env.prefix }}-${{ env.version }}.apk"
AAB: "${{ env.prefix }}-${{ env.version }}.aab"
run: |
mv lantern-installer.apk "$APK"
mv lantern-installer.aab "$AAB"
cp "$APK" ${{ env.prefix }}.apk
cp "$AAB" ${{ env.prefix }}.aab
echo ${{ env.version }} > ${{ env.version_file }}
shasum -a 256 "$APK" | cut -d " " -f 1 > "$APK".sha256
shasum -a 256 "$AAB" | cut -d " " -f 1 > "$AAB".sha256
cp "$APK".sha256 ${{ env.prefix }}.apk.sha256
cp "$AAB".sha256 ${{ env.prefix }}.aab.sha256
s3cmd put --acl-public "$APK" ${{ env.version_file }} "$APK".sha256 ${{ env.prefix }}.apk.sha256 ${{ env.prefix }}.apk "s3://$S3_BUCKET"
s3cmd put --acl-public "$AAB" "$AAB".sha256 ${{ env.prefix }}.aab.sha256 ${{ env.prefix }}.aab "s3://$S3_BUCKET"
s3cmd modify --add-header='content-type':'application/vnd.android.package-archive' "s3://$S3_BUCKET/$APK"
s3cmd modify --add-header='content-type':'application/vnd.android.package-archive' "s3://$S3_BUCKET/${{ env.prefix }}.apk"
s3cmd modify --add-header='content-type':'application/vnd.android.package-archive' "s3://$S3_BUCKET/$AAB"
s3cmd modify --add-header='content-type':'application/vnd.android.package-archive' "s3://$S3_BUCKET/${{ env.prefix }}.aab"
push-binaries:
runs-on: ubuntu-latest
needs: [ set-version, build-android, build-darwin, build-linux, build-windows-x64 ]
env:
version: ${{ needs.set-version.outputs.version }}
prefix: ${{ needs.set-version.outputs.prefix }}
steps:
- name: Download the mac build output
uses: actions/download-artifact@v4
with:
name: osx-build
- name: Download the linux build output
uses: actions/download-artifact@v4
with:
name: linux-build
- name: Download the windows64 build output
uses: actions/download-artifact@v4
with:
name: windows64-installer-signed
- name: Download the apk build output
uses: actions/download-artifact@v3
with:
name: android-apk-build
- name: Download the aab build output
uses: actions/download-artifact@v3
with:
name: android-aab-build
- name: Upload Android App bundle to Play Store (beta)
if: needs.set-version.outputs.prefix == 'lantern-installer-preview'
uses: r0adkll/upload-google-play@v1
with:
serviceAccountJsonPlainText: ${{ secrets.SERVICE_ACCOUNT_JSON }}
packageName: org.getlantern.lantern
releaseFiles: lantern-installer.aab
track: beta
- name: Upload Android App bundle to Play Store (production)
if: needs.set-version.outputs.prefix == 'lantern-installer'
uses: r0adkll/upload-google-play@v1
with:
serviceAccountJsonPlainText: ${{ secrets.SERVICE_ACCOUNT_JSON }}
packageName: org.getlantern.lantern
releaseFiles: lantern-installer.aab
track: production
- name: Grant private modules access
run: git config --global url."https://${{ secrets.CI_PRIVATE_REPOS_GH_TOKEN }}:[email protected]/".insteadOf "https://github.com/"
- name: Clone binaries repo
run: git clone --depth 1 https://github.com/getlantern/lantern-binaries
- name: Rename builds
run: |
diff lantern-installer.apk ${{ env.prefix }}.apk || mv -f lantern-installer.apk ${{ env.prefix }}.apk
diff lantern-installer.aab ${{ env.prefix }}.aab || mv -f lantern-installer.aab ${{ env.prefix }}.aab
mv "lantern_${{env.version}}_x64.deb" ${{ env.prefix }}-64-bit.deb
mv -f lantern-installer.dmg ${{ env.prefix }}.dmg
diff lantern-installer-x64.exe ${{ env.prefix }}-64-bit.exe || mv -f lantern-installer-x64.exe ${{ env.prefix }}-64-bit.exe
- name: Prepare sha256 sums
run: |
shasum -a 256 ${{ env.prefix }}.apk | cut -d " " -f 1 > ${{ env.prefix }}.apk.sha256
shasum -a 256 ${{ env.prefix }}.aab | cut -d " " -f 1 > ${{ env.prefix }}.aab.sha256
shasum -a 256 ${{ env.prefix }}-mac.dmg | cut -d " " -f 1 > ${{ env.prefix }}-mac.dmg.sha256
shasum -a 256 ${{ env.prefix }}-mac_arm.dmg | cut -d " " -f 1 > ${{ env.prefix }}-mac_arm.dmg.sha256
shasum -a 256 ${{ env.prefix }}-x64.exe | cut -d " " -f 1 > ${{ env.prefix }}-x64.exe.sha256
shasum -a 256 ${{ env.prefix }}-64-bit.deb | cut -d " " -f 1 > ${{ env.prefix }}-64-bit.deb.sha256
- name: Commit
run: |
mv lantern-installer* ./lantern-binaries/
cd lantern-binaries
git config user.email "[email protected]"
git config user.name "Lantern Bot"
git add .
git commit -m "Lantern binaries for version ${{ env.version }}"
git push origin main