# Expected secrets # GOOGLE_PLAY_CLOUD_PROJECT - Google Cloud project associated with Google Play # GOOGLE_PLAY_SERVICE_ACCOUNT - Email address of service account # GOOGLE_PLAY_SERVICE_ACCOUNT_KEY - Google Play Service Account key to authorize on Google Play # GOOGLE_PLAY_PUBLISHER_API_KEY - Google Play Publisher API key to authorize the publisher on Google Play API # GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER - Workload identity provider to generate temporary service account key # UPLOAD_KEYSTORE_BASE_64 - The upload signing key for the app # UPLOAD_KEYSTORE_PASSWORD - The password for UPLOAD_KEYSTORE_BASE_64 # UPLOAD_KEY_ALIAS - The key alias inside UPLOAD_KEYSTORE_BASE_64 # UPLOAD_KEY_ALIAS_PASSWORD - The password for the key alias # FIREBASE_DEBUG_JSON_BASE64 - Optional JSON to enable Firebase (e.g. Crashlytics) for debug builds # FIREBASE_RELEASE_JSON_BASE64 - Optional JSON to enable Firebase (e.g. Crashlytics) for release builds # Expected variables # SUPPORT_EMAIL_ADDRESS - Contact email address for sending requests from the app name: Deploy on: workflow_dispatch: push: branches: - main paths-ignore: - '.github/ISSUE_TEMPLATE/*' - '.github/PULL_REQUEST_TEMPLATE.md' - 'LICENSE' - 'README.md' - 'docs/**' concurrency: deploy jobs: validate_gradle_wrapper: permissions: contents: read runs-on: ubuntu-latest steps: - name: Checkout timeout-minutes: 1 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # Gradle Wrapper validation can be flaky # https://github.com/gradle/wrapper-validation-action/issues/40 - name: Gradle Wrapper Validation timeout-minutes: 1 uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 check_secrets: environment: deployment permissions: contents: read runs-on: ubuntu-latest outputs: has-secrets: ${{ steps.check_secrets.outputs.defined }} steps: - id: check_secrets env: GOOGLE_PLAY_CLOUD_PROJECT: ${{ secrets.GOOGLE_PLAY_CLOUD_PROJECT }} # TODO [#1033]: Use token-based authorization on Google Play for automated deployment # TODO [#1033]: https://github.com/zcash/secant-android-wallet/issues/1033 # Note that these properties are not currently used due to #1033 # GOOGLE_PLAY_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }} # GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER }} GOOGLE_PLAY_SERVICE_ACCOUNT_KEY: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT_KEY }} GOOGLE_PLAY_PUBLISHER_API_KEY: ${{ secrets.GOOGLE_PLAY_PUBLISHER_API_KEY }} if: "${{ env.GOOGLE_PLAY_CLOUD_PROJECT != '' && env.GOOGLE_PLAY_SERVICE_ACCOUNT_KEY != '' && env.GOOGLE_PLAY_PUBLISHER_API_KEY != '' }}" run: echo "defined=true" >> $GITHUB_OUTPUT build_and_deploy: if: needs.check_secrets.outputs.has-secrets == 'true' needs: [validate_gradle_wrapper, check_secrets] environment: deployment permissions: contents: read id-token: write runs-on: ubuntu-latest steps: - name: Checkout timeout-minutes: 1 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: ref: main fetch-depth: 0 # To fetch all commits - name: Set up Java uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 timeout-minutes: 1 with: distribution: 'temurin' java-version: 17 - name: Set up Gradle uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a timeout-minutes: 10 with: gradle-home-cache-cleanup: true - name: Export Google Services JSON env: FIREBASE_DEBUG_JSON_BASE64: ${{ secrets.FIREBASE_DEBUG_JSON_BASE64 }} FIREBASE_RELEASE_JSON_BASE64: ${{ secrets.FIREBASE_RELEASE_JSON_BASE64 }} if: "${{ env.FIREBASE_DEBUG_JSON_BASE64 != '' && env.FIREBASE_RELEASE_JSON_BASE64 != '' }}" shell: bash run: | mkdir -p app/src/debug/ mkdir -p app/src/release/ echo ${FIREBASE_DEBUG_JSON_BASE64} | base64 --decode > app/src/debug/google-services.json echo ${FIREBASE_RELEASE_JSON_BASE64} | base64 --decode > app/src/release/google-services.json - name: Authenticate to Google Cloud for Google Play # TODO [#1033]: Use token-based authorization on Google Play for automated deployment # TODO [#1033]: https://github.com/zcash/secant-android-wallet/issues/1033 # Note that this step is not currently used due to #1033 if: false id: auth_google_play uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 with: create_credentials_file: true project_id: ${{ secrets.GOOGLE_PLAY_CLOUD_PROJECT }} service_account: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }} workload_identity_provider: ${{ secrets.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER }} access_token_lifetime: '1500s' - name: Set Env shell: bash run: | echo "home=${HOME}" >> "$GITHUB_ENV" - name: Export Signing Key env: SIGNING_KEYSTORE_BASE_64: ${{ secrets.UPLOAD_KEYSTORE_BASE_64 }} SIGNING_KEY_PATH: ${{ format('{0}/release.jks', env.home) }} shell: bash run: | echo ${SIGNING_KEYSTORE_BASE_64} | base64 --decode > ${SIGNING_KEY_PATH} - name: Upload to Play Store timeout-minutes: 25 env: ORG_GRADLE_PROJECT_ZCASH_SUPPORT_EMAIL_ADDRESS: ${{ vars.SUPPORT_EMAIL_ADDRESS }} # TODO [#1033]: Use token-based authorization on Google Play for automated deployment # TODO [#1033]: https://github.com/zcash/secant-android-wallet/issues/1033 # Note that these properties are not currently used due to #1033 # ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }} # ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_SERVICE_KEY_FILE_PATH: ${{ steps.auth_google_play.outputs.credentials_file_path }} ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_SERVICE_ACCOUNT_KEY: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT_KEY }} ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_PUBLISHER_API_KEY: ${{ secrets.GOOGLE_PLAY_PUBLISHER_API_KEY }} ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_DEPLOY_TRACK: internal ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_DEPLOY_STATUS: completed ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEYSTORE_PATH: ${{ format('{0}/release.jks', env.home) }} ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEYSTORE_PASSWORD: ${{ secrets.UPLOAD_KEYSTORE_PASSWORD }} ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEY_ALIAS: ${{ secrets.UPLOAD_KEY_ALIAS }} ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEY_ALIAS_PASSWORD: ${{ secrets.UPLOAD_KEY_ALIAS_PASSWORD }} run: | ./gradlew :app:publishToGooglePlay - name: Collect Artifacts timeout-minutes: 1 env: ARTIFACTS_DIR_PATH: ${{ format('{0}/artifacts', env.home) }} BINARIES_ZIP_PATH: ${{ format('{0}/artifacts/binaries.zip', env.home) }} MAPPINGS_ZIP_PATH: ${{ format('{0}/artifacts/mappings.zip', env.home) }} run: | mkdir ${ARTIFACTS_DIR_PATH} zip -r ${BINARIES_ZIP_PATH} . -i app/build/outputs/apk/\*/\*.apk app/build/outputs/bundle/\*/\*.aab zip -r ${MAPPINGS_ZIP_PATH} . -i app/build/outputs/mapping/\*/mapping.txt - name: Upload Artifacts uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 timeout-minutes: 5 with: name: Binaries path: ~/artifacts # Due to how the Gradle publishing plugin works, this scan happens after the upload to Google Play. # Rather than being preventative, this is primarily an "early warning system" to verify that our # binaries aren't being misclassified as malware. antivirus: needs: [build_and_deploy] runs-on: ubuntu-latest permissions: contents: read steps: - name: Checkout timeout-minutes: 1 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Download release artifact uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a with: name: Binaries - name: Unzip artifacts timeout-minutes: 1 run: | unzip binaries.zip - name: Antivirus timeout-minutes: 12 with: path-to-scan: . uses: ./.github/actions/antivirus