secant-android-wallet/.github/workflows/deploy.yml

# Expected secrets
# GOOGLE_PLAY_CLOUD_PROJECT - Google Cloud project associated with Google Play
# GOOGLE_PLAY_SERVICE_ACCOUNT - Email address of service account
# GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER - Workload identity provider to generate temporary service account key
# UPLOAD_KEYSTORE_BASE_64 - The upload signing key for the app
# UPLOAD_KEYSTORE_PASSWORD - The password for UPLOAD_KEYSTORE_BASE_64
# UPLOAD_KEY_ALIAS - The key alias inside UPLOAD_KEYSTORE_BASE_64
# UPLOAD_KEY_ALIAS_PASSWORD - The password for the key alias

name: Deploy

on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths-ignore:
      - '.github/ISSUE_TEMPLATE/*'
      - '.github/PULL_REQUEST_TEMPLATE.md'
      - 'LICENSE'
      - 'README.md'
      - 'docs/**'

concurrency: deploy

jobs:
  validate_gradle_wrapper:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        timeout-minutes: 1
        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      # Gradle Wrapper validation can be flaky
      # https://github.com/gradle/wrapper-validation-action/issues/40
      - name: Gradle Wrapper Validation
        timeout-minutes: 1
        uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b

  check_secrets:
    environment: deployment
    permissions:
      contents: read
    runs-on: ubuntu-latest
    outputs:
      has-secrets: ${{ steps.check_secrets.outputs.defined }}
    steps:
      - id: check_secrets
        env:
          GOOGLE_PLAY_CLOUD_PROJECT: ${{ secrets.GOOGLE_PLAY_CLOUD_PROJECT }}
          GOOGLE_PLAY_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }}
          GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER }}
        if: "${{ env.GOOGLE_PLAY_CLOUD_PROJECT != '' && env.GOOGLE_PLAY_SERVICE_ACCOUNT != '' && env.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER != '' }}"
        run: echo "::set-output name=defined::true"

  build_and_deploy:
    if: needs.check_secrets.outputs.has-secrets == 'true'
    needs: [validate_gradle_wrapper, check_secrets]
    environment: deployment
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        timeout-minutes: 1
        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
      - name: Setup
        id: setup
        timeout-minutes: 12
        uses: ./.github/actions/setup
      - name: Authenticate to Google Cloud for Google Play
        id: auth_google_play
        uses: google-github-actions/auth@8d125895b958610ec414ca4dae010257eaa814d3
        with:
          create_credentials_file: true
          project_id: ${{ secrets.GOOGLE_PLAY_CLOUD_PROJECT }}
          service_account: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }}
          workload_identity_provider: ${{ secrets.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER }}
          access_token_lifetime: '1500s'
      - name: Export Signing Key
        env:
          SIGNING_KEYSTORE_BASE_64: ${{ secrets.UPLOAD_KEYSTORE_BASE_64 }}
          SIGNING_KEY_PATH: ${{ format('{0}/release.jks', env.home) }}
        shell: bash
        run: |
          echo ${SIGNING_KEYSTORE_BASE_64} | base64 --decode > ${SIGNING_KEY_PATH}          
      - name: Upload to Play Store
        timeout-minutes: 25
        env:
          ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_SERVICE_KEY_FILE_PATH: ${{ steps.auth_google_play.outputs.credentials_file_path }}
          ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEYSTORE_PATH: ${{ format('{0}/release.jks', env.home) }}
          ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEYSTORE_PASSWORD: ${{ secrets.UPLOAD_KEYSTORE_PASSWORD }}
          ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEY_ALIAS: ${{ secrets.UPLOAD_KEY_ALIAS }}
          ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEY_ALIAS_PASSWORD: ${{ secrets.UPLOAD_KEY_ALIAS_PASSWORD }}
          ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_DEPLOY_MODE: deploy
        run: |
          ./gradlew :app:publishBundle          
      - name: Collect Artifacts
        timeout-minutes: 1
        env:
          ARTIFACTS_DIR_PATH: ${{ format('{0}/artifacts', env.home) }}
          BINARIES_ZIP_PATH: ${{ format('{0}/artifacts/binaries.zip', env.home) }}
          MAPPINGS_ZIP_PATH: ${{ format('{0}/artifacts/mappings.zip', env.home) }}
        run: |
          mkdir ${ARTIFACTS_DIR_PATH}
          zip -r ${BINARIES_ZIP_PATH} . -i *app/build/outputs/apk/*/release/*.apk *app/build/outputs/bundle/*/release/*.aab
          zip -r ${MAPPINGS_ZIP_PATH} . -i *app/build/outputs/mapping/*/mapping.txt          
      - name: Upload Artifacts
        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
        timeout-minutes: 1
        with:
          name: Release binaries
          path: ~/artifacts