
fix(ci): harden zapstore signing secret handling #4


Workflow file for this run

name: release

Check failure on line 1 in .github/workflows/release.yml


GitHub Actions / .github/workflows/release.yml

Invalid workflow file

(Line: 150, Col: 9): Unrecognized function: 'hashFiles'. Located at position 137 within expression: (github.actor == 'justinmoon' || github.actor == 'futurepaul' || github.actor == 'AnthonyRonning' || github.actor == 'benthecarman') && hashFiles('secrets/zapstore-signing.env.age') != ''
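# GitHub's loader reads `on` as a key even though YAML 1.1 parsers see a boolean.
on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - "v*"
  workflow_dispatch:

# Default GITHUB_TOKEN scope for every job is read-only; the jobs that create
# or update the GitHub release raise it to `contents: write` individually.
permissions:
  contents: read

# Third-party actions below are pinned to major-version tags. Pinning each one
# to a full commit SHA would make the action code immutable across releases.

jobs:
  # github.actor is the account that triggered the run (tag pusher or
  # dispatcher). Every job repeats the same allowlist so that no job can run
  # for any other account.
  check:
    if: github.actor == 'justinmoon' || github.actor == 'futurepaul' || github.actor == 'AnthonyRonning' || github.actor == 'benthecarman'
    runs-on: blacksmith-16vcpu-ubuntu-2404
    steps:
      - uses: actions/checkout@v4
      - uses: useblacksmith/stickydisk@v1
        with:
          key: ${{ github.repository }}-nix-v1-${{ runner.os }}
          path: /nix
      # A restored /nix may belong to a different uid than the runner user;
      # reown it so the nix store is writable.
      - name: Fix /nix ownership
        run: |
          if [ -d /nix ] && [ "$(stat -c %u /nix)" != "$(id -u)" ]; then
            sudo chown -R $(id -u):$(id -g) /nix
          fi
      - uses: nixbuild/nix-quick-install-action@v30
      - uses: useblacksmith/stickydisk@v1
        with:
          key: ${{ github.repository }}-cargo-home-v1-${{ runner.os }}
          path: ~/.cargo
      - uses: useblacksmith/stickydisk@v1
        with:
          key: ${{ github.repository }}-cargo-target-v1-${{ runner.os }}
          path: target
      # Only this job rejects non-tag refs (e.g. a workflow_dispatch from a
      # branch); every later job depends on it, so the check is not repeated.
      - name: Validate tag matches VERSION
        run: |
          set -euo pipefail
          if [ "${GITHUB_REF_TYPE}" != "tag" ]; then
            echo "error: release workflow must run on a tag ref"
            exit 1
          fi
          expected_tag="v$(./scripts/version-read --name)"
          if [ "${GITHUB_REF_NAME}" != "$expected_tag" ]; then
            echo "error: tag/version mismatch: ref=${GITHUB_REF_NAME}, expected=${expected_tag}"
            exit 1
          fi
      - run: nix develop .#default -c just pre-merge-pika

  build:
    if: github.actor == 'justinmoon' || github.actor == 'futurepaul' || github.actor == 'AnthonyRonning' || github.actor == 'benthecarman'
    needs: check
    runs-on: blacksmith-16vcpu-ubuntu-2404
    steps:
      - uses: actions/checkout@v4
      - uses: useblacksmith/stickydisk@v1
        with:
          key: ${{ github.repository }}-nix-v1-${{ runner.os }}
          path: /nix
      - name: Fix /nix ownership
        run: |
          if [ -d /nix ] && [ "$(stat -c %u /nix)" != "$(id -u)" ]; then
            sudo chown -R $(id -u):$(id -g) /nix
          fi
      - uses: nixbuild/nix-quick-install-action@v30
      - uses: useblacksmith/stickydisk@v1
        with:
          key: ${{ github.repository }}-cargo-home-v1-${{ runner.os }}
          path: ~/.cargo
      - uses: useblacksmith/stickydisk@v1
        with:
          key: ${{ github.repository }}-cargo-target-v1-${{ runner.os }}
          path: target
      - name: Validate tag matches VERSION
        run: |
          set -euo pipefail
          expected_tag="v$(./scripts/version-read --name)"
          if [ "${GITHUB_REF_NAME}" != "$expected_tag" ]; then
            echo "error: tag/version mismatch: ref=${GITHUB_REF_NAME}, expected=${expected_tag}"
            exit 1
          fi
      # The age key is exposed only to this step, not to the whole job.
      - name: Build signed release APK
        env:
          AGE_SECRET_KEY: ${{ secrets.AGE_SECRET_KEY }}
        run: nix develop .#default -c just android-release
      - name: Generate checksums
        run: sha256sum dist/*.apk > dist/SHA256SUMS
      - uses: actions/upload-artifact@v4
        with:
          name: release-apk
          path: |
            dist/*.apk
            dist/SHA256SUMS
          if-no-files-found: error

  publish:
    if: github.actor == 'justinmoon' || github.actor == 'futurepaul' || github.actor == 'AnthonyRonning' || github.actor == 'benthecarman'
    needs: build
    runs-on: blacksmith-16vcpu-ubuntu-2404
    # Creating the GitHub release needs write access to repository contents.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: useblacksmith/stickydisk@v1
        with:
          key: ${{ github.repository }}-nix-v1-${{ runner.os }}
          path: /nix
      - name: Fix /nix ownership
        run: |
          if [ -d /nix ] && [ "$(stat -c %u /nix)" != "$(id -u)" ]; then
            sudo chown -R $(id -u):$(id -g) /nix
          fi
      - uses: nixbuild/nix-quick-install-action@v30
      - uses: actions/download-artifact@v4
        with:
          name: release-apk
          path: dist
      - name: Validate tag matches VERSION
        run: |
          set -euo pipefail
          expected_tag="v$(./scripts/version-read --name)"
          if [ "${GITHUB_REF_NAME}" != "$expected_tag" ]; then
            echo "error: tag/version mismatch: ref=${GITHUB_REF_NAME}, expected=${expected_tag}"
            exit 1
          fi
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref_name }}
          name: Pika Android ${{ github.ref_name }}
          generate_release_notes: true
          overwrite_files: true
          files: |
            dist/*.apk
            dist/SHA256SUMS

  publish-zapstore:
    # Job-level `if` expressions cannot call hashFiles() (the workflow was
    # rejected with "Unrecognized function: 'hashFiles'"), so the presence of
    # the encrypted signing secret is checked by a step after checkout and the
    # remaining steps are gated on that step's output instead.
    if: github.actor == 'justinmoon' || github.actor == 'futurepaul' || github.actor == 'AnthonyRonning' || github.actor == 'benthecarman'
    needs: [build, publish]
    runs-on: blacksmith-16vcpu-ubuntu-2404
    # NOTE(review): kept at the previous write level; narrow to `contents: read`
    # once it is confirmed that scripts/zapstore-publish only reads via GITHUB_TOKEN.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Check for zapstore signing secret
        id: signing
        run: |
          if [ -f secrets/zapstore-signing.env.age ]; then
            echo "present=true" >> "$GITHUB_OUTPUT"
          else
            echo "::notice::secrets/zapstore-signing.env.age not found; skipping Zapstore publish"
            echo "present=false" >> "$GITHUB_OUTPUT"
          fi
      - uses: useblacksmith/stickydisk@v1
        if: steps.signing.outputs.present == 'true'
        with:
          key: ${{ github.repository }}-nix-v1-${{ runner.os }}
          path: /nix
      - name: Fix /nix ownership
        if: steps.signing.outputs.present == 'true'
        run: |
          if [ -d /nix ] && [ "$(stat -c %u /nix)" != "$(id -u)" ]; then
            sudo chown -R $(id -u):$(id -g) /nix
          fi
      - uses: nixbuild/nix-quick-install-action@v30
        if: steps.signing.outputs.present == 'true'
      - uses: actions/download-artifact@v4
        if: steps.signing.outputs.present == 'true'
        with:
          name: release-apk
          path: dist
      - name: Validate tag matches VERSION
        if: steps.signing.outputs.present == 'true'
        run: |
          set -euo pipefail
          expected_tag="v$(./scripts/version-read --name)"
          if [ "${GITHUB_REF_NAME}" != "$expected_tag" ]; then
            echo "error: tag/version mismatch: ref=${GITHUB_REF_NAME}, expected=${expected_tag}"
            exit 1
          fi
      # Secrets are scoped to this single step. `set +x` keeps command tracing
      # off so the secret-bearing environment is never echoed into the log.
      - name: Publish to Zapstore
        if: steps.signing.outputs.present == 'true'
        env:
          AGE_SECRET_KEY: ${{ secrets.AGE_SECRET_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          set +x
          # Refuse to guess which artifact to sign: exactly one APK is expected.
          apk_count="$(find dist -maxdepth 1 -type f -name '*.apk' | wc -l | xargs)"
          if [ "$apk_count" -ne 1 ]; then
            echo "error: expected exactly one APK artifact in dist/, found $apk_count"
            find dist -maxdepth 1 -type f -name '*.apk' -print
            exit 1
          fi
          apk_path="$(find dist -maxdepth 1 -type f -name '*.apk' | head -n 1)"
          nix develop .#default -c ./scripts/zapstore-publish "$apk_path" "https://github.com/${GITHUB_REPOSITORY}"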