diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml index a43a81a..0e3d797 100644 --- a/.github/workflows/build-and-release.yml +++ b/.github/workflows/build-and-release.yml @@ -5,9 +5,18 @@ on: tags: - 'v*.*.*' +env: + APP_NAME: cidgravity_gateway + APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + APP_PUBLIC_CRT: ${{ secrets.APP_PUBLIC_CRT }} + jobs: build: runs-on: ubuntu-latest + name: "Build, sign and release app" + strategy: + matrix: + php-versions: ['8.1'] steps: - name: Checkout code @@ -18,24 +27,37 @@ jobs: with: node-version: '20' - - name: Install dependencies and build project - run: | - npm install - npm run build + - name: Setup PHP + uses: shivammathur/setup-php@2.31.1 + with: + php-version: ${{ matrix.php-versions }} + extensions: gd,zip + coverage: none + + - name: Build app + run: make - - name: Prepare zip folder - run: | - mkdir cidgravity_gateway - rsync -av --progress . ./cidgravity_gateway --exclude node_modules --exclude .git --exclude cidgravity_gateway --exclude .github --exclude .vscode - zip -r cidgravity_gateway-${{ github.ref_name }}.zip cidgravity_gateway + - name: Create signed release archive + run: make appstore + env: + app_private_key: ${{ secrets.APP_PRIVATE_KEY }} + app_public_crt: ${{ secrets.APP_PUBLIC_CRT }} - name: Create GitHub Release id: create_release uses: softprops/action-gh-release@v2 with: - files: cidgravity_gateway-${{ github.ref_name }}.zip tag_name: ${{ github.ref_name }} draft: false prerelease: false generate_release_notes: true - + + - name: Upload signed archive to release + uses: svenstaro/upload-release-action@2.9.0 + id: attach_to_release + with: + repo_token: ${{ secrets.GITHUB_TOKEN }} + file: build/artifacts/${{ env.APP_NAME }}.tar.gz + asset_name: cidgravity_gateway-${{ github.ref_name }}.tar.gz + tag: ${{ github.ref_name }} + overwrite: true 
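Review bot: Declaring `APP_PRIVATE_KEY` and `APP_PUBLIC_CRT` in the workflow-level `env:` puts the signing key into the environment of every step of every job. That includes `make` (and presumably any dependency install scripts it runs) and the third-party actions, although only the signing step needs it. Keep only `APP_NAME: cidgravity_gateway` at workflow level and supply the two secrets in the `env:` of `Create signed release archive`. The `env:` block added to publish-to-nextcloud.yml has the same exposure.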
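Review bot: The `env:` of `Create signed release archive` sets `app_private_key` and `app_public_crt`, but the Makefile change in this commit reads `APP_PRIVATE_KEY` and `APP_PUBLIC_CRT`. Environment names are case-sensitive on the Linux runner, so the step-level entries appear to be unused and signing only works through the workflow-wide variables. Rename them to `APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}` and `APP_PUBLIC_CRT: ${{ secrets.APP_PUBLIC_CRT }}` so the step carries its own secrets. Since this job handles the signing key, `shivammathur/setup-php@2.31.1`, `softprops/action-gh-release@v2` and `svenstaro/upload-release-action@2.9.0` are better pinned to full commit SHAs than to tags.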
diff --git a/.github/workflows/publish-to-nextcloud.yml b/.github/workflows/publish-to-nextcloud.yml index bedfb91..318fa19 100644 --- a/.github/workflows/publish-to-nextcloud.yml +++ b/.github/workflows/publish-to-nextcloud.yml @@ -1,14 +1,19 @@ -name: Build and publish app release +name: Publish to Nextcloud store on: - release: - types: [published] + workflow_run: + workflows: ["Build and Release"] + types: + - completed env: - APP_NAME: news + APP_NAME: cidgravity_gateway + APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + APP_PUBLIC_CRT: ${{ secrets.APP_PUBLIC_CRT }} jobs: - build_and_publish: + publish_to_nextcloud_store: + environment: release runs-on: ubuntu-latest name: "Release: build, sign and upload the app" strategy: 
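Review bot: `workflow_run` with `types: completed` also fires when the build workflow failed or was cancelled, and nothing in this hunk restricts the signing and publishing job to successful runs. The job body continues outside the hunk, so a guard may exist there; if not, add `if: ${{ github.event.workflow_run.conclusion == 'success' }}` next to `environment: release`. In a `workflow_run` run, `github.ref` is the default branch rather than the pushed tag, and there is no `github.event.release` payload. The `tag: ${{ github.ref }}` context line in the following hunk would therefore no longer name the release. The `workflows:` entry must also match the `name:` of build-and-release.yml exactly, which this diff does not show.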
@@ -44,14 +49,24 @@ jobs: tag: ${{ github.ref }} overwrite: true - - name: Upload app to Nextcloud appstore - uses: R0Wi/nextcloud-appstore-push-action@v1.0.3 - with: - app_name: ${{ env.APP_NAME }} - appstore_token: ${{ secrets.APPSTORE_TOKEN }} - download_url: ${{ steps.attach_to_release.outputs.browser_download_url }} - app_private_key: ${{ secrets.APP_PRIVATE_KEY }} - nightly: ${{ github.event.release.prerelease }} + - name: Download release archive + run: | + curl -L ${{ steps.attach_to_release.outputs.browser_download_url }} -o ${{ env.APP_NAME }}.tar.gz + + - name: Sign archive + id: sign_archive + run: | + echo "${{ secrets.APP_PRIVATE_KEY }}" > private_key.pem + signature=$(openssl dgst -sha512 -sign private_key.pem "${{ env.APP_NAME }}.tar.gz" | openssl base64 -A) + echo "SIGNATURE=$signature" >> "$GITHUB_OUTPUT" + shell: bash + + - name: Upload app to Nextcloud appstore via API + run: | + curl -X POST https://apps.nextcloud.com/api/v1/apps/releases \ + -H "Authorization: Token ${{ secrets.APPSTORE_TOKEN }}" \ + -H "Content-Type: application/json" \ + -d '{"download": "${{ steps.attach_to_release.outputs.browser_download_url }}", "signature": "${{ steps.sign_archive.outputs.SIGNATURE }}"}' - name: Delete crt and key from local storage run: rm -f ~/.nextcloud/certificates/* diff --git a/Makefile b/Makefile index 12720ea..c0ac8a4 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ app_name=cidgravity_gateway -project_dir=$(CURDIR)/../$(app_name) +project_dir=$(CURDIR) build_dir=$(CURDIR)/build/artifacts appstore_dir=$(build_dir)/appstore source_dir=$(build_dir)/source @@ -85,6 +85,10 @@ appstore: --exclude=vendor \ --exclude=webpack.*.js \ $(project_dir)/ $(sign_dir)/$(app_name) + + php ./bin/tools/file_from_env.php "APP_PRIVATE_KEY" "$(cert_dir)/$(app_name).key" + php ./bin/tools/file_from_env.php "APP_PUBLIC_CRT" "$(cert_dir)/$(app_name).crt" + @if [ -f $(cert_dir)/$(app_name).key ]; then \ echo "Signing app files…"; \ php ../../occ integrity:sign-app \ 
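Review bot: The `Sign archive` step interpolates `${{ secrets.APP_PRIVATE_KEY }}` into the script text and writes it to `private_key.pem` in the workspace with the default umask. The cleanup step after it only removes `~/.nextcloud/certificates/*`, so the key file stays on disk. Pass the key through `env:`, write it to an owner-only temporary file and delete it in a `trap`, as below. The download step should use `curl --fail` with the URL quoted, otherwise an HTTP error body would be saved and signed as the archive. The POST to the app store likewise reports success on a 4xx reply. `steps.attach_to_release` is defined outside this hunk.

```yaml
      - name: Sign archive
        id: sign_archive
        env:
          APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
        run: |
          umask 077
          key_file="$(mktemp "$RUNNER_TEMP/app_key.XXXXXX")"
          trap 'rm -f "$key_file"' EXIT
          printf '%s\n' "$APP_PRIVATE_KEY" > "$key_file"
          signature=$(openssl dgst -sha512 -sign "$key_file" "${{ env.APP_NAME }}.tar.gz" | openssl base64 -A)
          # … unchanged: SIGNATURE written to $GITHUB_OUTPUT …
        shell: bash
```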
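Review bot: Both `file_from_env.php` calls run unconditionally and the script exits 1 on an empty variable. `make appstore` therefore aborts for anyone without the secrets before it reaches the `if [ -f ... .key ]` guard that made signing optional. The key is also written with the default umask, and nothing visible in this hunk removes it afterwards. Guard and tighten each call, e.g. `@if [ -n "$$APP_PRIVATE_KEY" ]; then php ./bin/tools/file_from_env.php "APP_PRIVATE_KEY" "$(cert_dir)/$(app_name).key" && chmod 600 "$(cert_dir)/$(app_name).key"; fi`. The `appstore` recipe starts and ends outside the hunk, so whether `$(cert_dir)` is created beforehand cannot be confirmed here.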
diff --git a/bin/tools/file_from_env.php b/bin/tools/file_from_env.php new file mode 100644 index 0000000..c4b031e --- /dev/null +++ b/bin/tools/file_from_env.php @@ -0,0 +1,29 @@ +#!/usr/bin/env php + +* @copyright Benjamin Brahmer 2020 +*/ + +if ($argc < 2) { + echo "This script expects two parameters:\n"; + echo "./file_from_env.php ENV_VAR PATH_TO_FILE\n"; + exit(1); +} + +# Read environment variable +$content = getenv($argv[1]); + +if (!$content){ + echo "Variable was empty\n"; + exit(1); +} + +file_put_contents($argv[2], $content); + +echo "Done...\n"; \ No newline at end of file
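Review bot: The argument check `$argc < 2` lets a call with only the variable name through, although the script needs both `$argv[1]` and `$argv[2]`; it should be `$argc < 3`. The result of `file_put_contents()` is not checked, so the script prints "Done..." and exits 0 even when the key file could not be written. The file is also created with the default umask, although this commit uses the script to write a private signing key. The change below fails loudly and keeps the file owner-only. Separately, `!$content` also rejects the literal value "0", which is harmless for PEM data but worth knowing.

```php
if ($argc < 3) {
    // … unchanged: usage message and exit(1) …
}
// … unchanged: getenv() lookup and empty check …
umask(0077); // a newly created file is owner-only
if (file_put_contents($argv[2], $content) === false || !chmod($argv[2], 0600)) {
    fwrite(STDERR, "Could not write " . $argv[2] . "\n");
    exit(1);
}
```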