From 1276dc484b415c49d040d3b0bab486030c782e53 Mon Sep 17 00:00:00 2001 From: Konstantin Ivanov <54908981+konstantiniiv@users.noreply.github.com> Date: Mon, 11 Aug 2025 11:51:53 +0200 Subject: [PATCH 1/2] DROID-3917 update workflow --- ...lease-apks-as-github-actions-artefacts.yml | 41 ++++++++++++------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build-release-apks-as-github-actions-artefacts.yml b/.github/workflows/build-release-apks-as-github-actions-artefacts.yml index 9a0aecd61e..1732ab8099 100644 --- a/.github/workflows/build-release-apks-as-github-actions-artefacts.yml +++ b/.github/workflows/build-release-apks-as-github-actions-artefacts.yml @@ -4,7 +4,7 @@ on: workflow_dispatch: inputs: tag: - description: 'Git tag to build from' + description: "Git tag to build from" required: true type: string @@ -15,9 +15,9 @@ jobs: steps: - name: Checkout repo at tag - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: - fetch-depth: 0 # needed to fetch all tags + fetch-depth: 0 ref: ${{ github.event.inputs.tag }} - name: Set up Android NDK @@ -29,7 +29,7 @@ jobs: - name: Set up Java uses: actions/setup-java@v3 with: - distribution: "zulu" + distribution: zulu java-version: 17 - name: Setup middleware dependency @@ -39,22 +39,23 @@ jobs: amplitude_secret: ${{ secrets.ANYTYPE_AMPLITUDE_SECRET }} amplitude_secret_debug: ${{ secrets.ANYTYPE_AMPLITUDE_DEBUG_SECRET }} sentry_dsn_secret: ${{ secrets.ANYTYPE_SENTRY_DSN_SECRET }} - run: ./middleware2.sh $token_secret $user_secret $amplitude_secret $amplitude_secret_debug $sentry_dsn_secret + run: ./middleware2.sh "$token_secret" "$user_secret" "$amplitude_secret" "$amplitude_secret_debug" "$sentry_dsn_secret" - name: Decrypt secrets - run: ./scripts/release/decrypt-secrets.sh env: ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }} + run: ./scripts/release/decrypt-secrets.sh - name: Setup keystore env: + TOKEN_SECRET: ${{ secrets.ANYTYPE_SECRET }} RELEASE_KEY_ALIAS: ${{ secrets.RELEASE_KEY_ALIAS }} RELEASE_KEY_PWD: ${{ secrets.RELEASE_KEY_PWD }} RELEASE_STORE_PWD: ${{ secrets.RELEASE_STORE_PWD }} - run: ./scripts/release/setup-store.sh $token_secret $RELEASE_KEY_ALIAS $RELEASE_KEY_PWD $RELEASE_STORE_PWD + run: ./scripts/release/setup-store.sh "$TOKEN_SECRET" "$RELEASE_KEY_ALIAS" "$RELEASE_KEY_PWD" "$RELEASE_STORE_PWD" - name: Checkout license repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: repository: anyproto/open ref: refs/heads/main @@ -69,8 +70,8 @@ jobs: license_finder ignored_dependencies add skiko --why "Excluded due to native binary license concerns" license_finder inherited_decisions add open/decisions.yml license_finder --gradle-command="./gradlew \ - -Pcom.anytype.ci=true \ - -Dorg.gradle.unsafe.configuration-cache=false" + -Pcom.anytype.ci=true \ + -Dorg.gradle.unsafe.configuration-cache=false" - name: Prepare Android Manifest run: ./scripts/release/apk.sh @@ -78,10 +79,6 @@ jobs: - name: Build release APKs run: ./gradlew :app:assembleRelease -PenableAbiSplits=true - - name: Clean secrets - if: always() - run: ./scripts/release/clean-secrets.sh - - name: Prepare artefacts run: ./scripts/release/prepare-release-artefacts.sh @@ -89,4 +86,18 @@ jobs: uses: actions/upload-artifact@v4 with: name: release-apks-${{ github.event.inputs.tag }} - path: app/build/outputs/apk/release/release-artefacts/ \ No newline at end of file + path: app/build/outputs/apk/release/release-artefacts/. + + # ---- Cleanup is LAST, best-effort, and cannot fail the job ---- + - name: Clean secrets + if: always() + run: | + set -u + if [ -x ./scripts/release/clean-secrets.sh ]; then + ./scripts/release/clean-secrets.sh + elif [ -f ./scripts/release/clean-secrets.sh ]; then + chmod +x ./scripts/release/clean-secrets.sh + ./scripts/release/clean-secrets.sh + else + echo "scripts/release/clean-secrets.sh not found; skipping" + fi \ No newline at end of file From d67cf5d596ce192878ef046e96514f43b1a947d3 Mon Sep 17 00:00:00 2001 From: Konstantin Ivanov <54908981+konstantiniiv@users.noreply.github.com> Date: Mon, 11 Aug 2025 12:05:16 +0200 Subject: [PATCH 2/2] DROID-3917 license --- .../build-release-apks-as-github-actions-artefacts.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build-release-apks-as-github-actions-artefacts.yml b/.github/workflows/build-release-apks-as-github-actions-artefacts.yml index 1732ab8099..7795200963 100644 --- a/.github/workflows/build-release-apks-as-github-actions-artefacts.yml +++ b/.github/workflows/build-release-apks-as-github-actions-artefacts.yml @@ -69,6 +69,11 @@ jobs: sudo gem install license_finder license_finder ignored_dependencies add skiko --why "Excluded due to native binary license concerns" license_finder inherited_decisions add open/decisions.yml + + license_finder licenses add "KBase58" MIT --who "CI" --why "Upstream repo license" --homepage "https://github.com/komputing/KBase58" + license_finder licenses add "any-crypto-kotlin" MIT --who "CI" --why "Upstream repo license" --homepage "https://github.com/anyproto/any-crypto-kotlin" + + license_finder permitted_licenses add MIT --who "CI" --why "Allowed OSS license" license_finder --gradle-command="./gradlew \ -Pcom.anytype.ci=true \ -Dorg.gradle.unsafe.configuration-cache=false"