name: Release on: push: branches: [master, main] tags: ["*"] release: types: [ published ] env: pkg-assembly: 'bitcoin-s-bundle.jar' pkg-name: 'bitcoin-s' jobs: publish: runs-on: ubuntu-latest timeout-minutes: 60 steps: - uses: actions/checkout@v2.3.4 with: fetch-depth: 0 - uses: olafurpg/setup-scala@v13 with: java-version: openjdk@1.17.0 - uses: olafurpg/setup-gpg@v3 - run: sbt -J-Xmx2g ci-release docs/publishWebsite env: PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }} PGP_SECRET: ${{ secrets.PGP_SECRET }} SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} GITHUB_DEPLOY_KEY: ${{ secrets.GITHUB_TOKEN }} GIT_DEPLOY_KEY: ${{ secrets.GIT_DEPLOY_KEY }} osx: runs-on: [ macos-latest ] steps: - name: Checkout repo uses: actions/checkout@v2 with: fetch-depth: 0 - name: Setup Scala uses: olafurpg/setup-scala@v13 with: java-version: openjdk@1.17.0 - name: 'Get Previous tag' id: previoustag uses: "WyriHaximus/github-action-get-previous-tag@v1" with: fallback: 0.0.0 # Optional fallback tag to use when no tag can be found - name: Import developer cert to keychain uses: apple-actions/import-codesign-certs@v1 with: create-keychain: true p12-file-base64: ${{ secrets.CERTIFICATES_P12 }} p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }} keychain-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }} - name: Build fat jar run: sbt "bundle/assembly" - name: Add cert to keychain and unlock keychain & build and sign dmg env: pkg-version: ${{steps.previoustag.outputs.tag}} MACOS_CERTIFICATE_PWD: ${{ secrets.CERTIFICATES_P12_PASSWORD }} MAC_NOTARIZATION_PW: ${{secrets.MAC_NOTARIZATION_PW}} # Steps to build a fully signed and notarized bitcoin-s dmg # 1. Unlock the OS x keychain so we don't have to input passwords via GUI prompts # 2. Build bitcoin-s.app that is recursively signed with jpackage --mac-sign # 3. Build an unsigned dmg that contains bitcoin-s.app inside of it (no idea why --mac-sign doesn't work with --type dmg) # 4. Sign the dmg with codesign (jpackage dmg signing is broken for some reason) # 5. Submit the dmg to apple's notarization service so can get it whitelisted for installation (see: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) # 6. Sleep until apple notorization is done # 7. Retrieve the signature and staple it to the dmg to so network requests do not need to be made to open the dmg # 8. Check all signatures on bitcoin-s.app (see: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735) # 9. Check all dmg signatures # 10. Display information about signed dmg run: | echo "Hello world" java -version jpackage --version ls -l security unlock-keychain -p $MACOS_CERTIFICATE_PWD signing_temp.keychain security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD signing_temp.keychain echo "===========jpackage app image begin================" jpackage --verbose --name ${{ env.pkg-name }} --app-version ${{steps.previoustag.outputs.tag}} --mac-package-name ${{ env.pkg-name }} --type app-image -i app/bundle/target/scala-2.13/ --main-class org.bitcoins.bundle.gui.BundleGUI --main-jar ${{ env.pkg-assembly }} --icon app/gui/src/main/resources/icons/bitcoin-s.icns --mac-sign --mac-signing-keychain /Users/runner/Library/Keychains/signing_temp.keychain-db --mac-signing-key-user-name "Chris Stewart (9ZG3GPKHX8)" echo "===========jpackage dmg begin================" jpackage --verbose --name ${{ env.pkg-name }} --app-version ${{steps.previoustag.outputs.tag}} --mac-package-name ${{ env.pkg-name }} --type dmg --app-image bitcoin-s.app --mac-sign --mac-signing-key-user-name "Chris Stewart (9ZG3GPKHX8)" echo "Signing dmg with code sign" codesign -s "Developer ID Application: Chris Stewart (9ZG3GPKHX8)" --options runtime -vvvv --deep ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg echo "Running xcrun alttool --notarize app" REQUEST_UUID=$(xcrun altool --notarize-app --primary-bundle-id "org.bitcoins.bundle" -u "stewart.chris1234@gmail.com" --team-id "9ZG3GPKHX8" --password "$MAC_NOTARIZATION_PW" --file ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg | grep RequestUUID | awk '{print $3}') echo "Waiting for notarization from Apple for $REQUEST_UUID" sleep 5 xcrun altool --notarization-info "$REQUEST_UUID" -u "stewart.chris1234@gmail.com" --team-id "9ZG3GPKHX8" -p "$MAC_NOTARIZATION_PW" echo "Start while loop" while xcrun altool --notarization-info "$REQUEST_UUID" -u "stewart.chris1234@gmail.com" --team-id "9ZG3GPKHX8" -p "$MAC_NOTARIZATION_PW" | grep "Status: in progress" > /dev/null; do echo "Verification in progress..." sleep 30 done xcrun stapler staple ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg echo "Done stapling" spctl -vvv --assess --type exec bitcoin-s.app echo "Done inspecting app with spctl" codesign -vvv --deep --strict ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg echo "Done verifying code signing deep" codesign -dvv ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg echo "Done verifying artifacts" ls -l - name: 'Echo download path' run: echo ${{steps.download.outputs.download-path}} - name: Upload dmg uses: actions/upload-artifact@v1 with: name: "mac" path: ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg - name: Upload if release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: name: "mac" files: ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} linux: runs-on: [ ubuntu-latest ] steps: - uses: actions/checkout@v2 with: fetch-depth: 0 - name: Setup Scala uses: olafurpg/setup-scala@v13 with: java-version: openjdk@1.17.0 - name: 'Get Previous tag' id: previoustag uses: "WyriHaximus/github-action-get-previous-tag@v1" with: fallback: 1.0.0 # Optional fallback tag to use when no tag can be found - name: Build fat jar run: sbt "bundle/assembly" - name: Package jar as debian package env: pkg-version: ${{steps.previoustag.outputs.tag}} run: "jpackage --linux-shortcut --name ${{ env.pkg-name }} --app-version ${{steps.previoustag.outputs.tag}} --type deb -i app/bundle/target/scala-2.13/ --main-class org.bitcoins.bundle.gui.BundleGUI --main-jar ${{ env.pkg-assembly }} --icon app/gui/src/main/resources/icons/bitcoin-s.png" - name: View Artifacts run: ls -l - name: Print working dir run: pwd - name: Upload deb uses: actions/upload-artifact@v1 env: pkg-version: ${{steps.previoustag.outputs.tag}} with: name: "deb" path: "${{ env.pkg-name }}_${{ steps.previoustag.outputs.tag }}-1_amd64.deb" - name: Upload if release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: name: "deb" files: "${{ env.pkg-name }}_${{ steps.previoustag.outputs.tag }}-1_amd64.deb" env: pkg-version: ${{steps.previoustag.outputs.tag}} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} windows: runs-on: [windows-latest] steps: - name: Checkout repo uses: actions/checkout@v2 with: fetch-depth: 0 - name: Setup Scala uses: olafurpg/setup-scala@v13 with: java-version: openjdk@1.17.0 - name: 'Get Previous tag' id: previoustag uses: "WyriHaximus/github-action-get-previous-tag@v1" with: fallback: 1.0.0 # Optional fallback tag to use when no tag can be found - name: Build msi shell: bash run: sbt bundle/windows:packageBin - name: View artifacts run: ls -R . - name: Upload installer uses: actions/upload-artifact@v1 with: name: windows path: "D:\\a\\bitcoin-s\\bitcoin-s\\app\\bundle\\target\\windows\\bitcoin-s-bundle.msi" - name: Upload if release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: name: windows files: "D:\\a\\bitcoin-s\\bitcoin-s\\app\\bundle\\target\\windows\\bitcoin-s-bundle.msi" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} mac-zips: runs-on: [ macos-latest ] steps: - uses: actions/checkout@v2 with: fetch-depth: 0 - name: Setup Scala uses: olafurpg/setup-scala@v13 with: java-version: openjdk@1.17.0 - name: 'Get Previous tag' id: previoustag uses: "WyriHaximus/github-action-get-previous-tag@v1" with: fallback: 1.0.0 # Optional fallback tag to use when no tag can be found - name: Build zip run: sbt "universal:stage;universal:packageBin" - name: View Artifacts run: ls -l app/server/target/universal/stage - name: pwd run: pwd - name: Upload bitcoin-s-server-mac zip uses: actions/upload-artifact@v3 env: pkg-version: ${{steps.previoustag.outputs.tag}} with: name: "bitcoin-s-server-mac" path: app/server/target/universal/stage - name: Upload bitcoin-s-oracle-server zip uses: actions/upload-artifact@v3 env: pkg-version: ${{steps.previoustag.outputs.tag}} with: name: "bitcoin-s-oracle-server-mac" path: app/oracle-server/target/universal/stage - name: Upload bitcoin-s-cli zip uses: actions/upload-artifact@v3 env: pkg-version: ${{steps.previoustag.outputs.tag}} with: name: "bitcoin-s-cli-mac" path: app/cli/target/universal/stage/ - name: Upload bitcoin-s-server if release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: name: "bitcoin-s-server-mac-${{steps.previoustag.outputs.tag}}" files: app/server/target/universal/*.zip env: pkg-version: ${{steps.previoustag.outputs.tag}} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload bitcoin-s-oracle-server if release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: name: "bitcoin-s-oracle-server-mac-${{steps.previoustag.outputs.tag}}" files: app/oracle-server/target/universal/*.zip env: pkg-version: ${{steps.previoustag.outputs.tag}} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload bitcoin-s-cli if release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: name: "bitcoin-s-cli-mac-${{steps.previoustag.outputs.tag}}" files: app/cli/target/universal/*.zip env: pkg-version: ${{steps.previoustag.outputs.tag}} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} linux-zips: runs-on: [ ubuntu-latest ] steps: - uses: actions/checkout@v2 with: fetch-depth: 0 - name: Setup Scala uses: olafurpg/setup-scala@v13 with: java-version: openjdk@1.17.0 - name: 'Get Previous tag' id: previoustag uses: "WyriHaximus/github-action-get-previous-tag@v1" with: fallback: 1.0.0 # Optional fallback tag to use when no tag can be found - name: Build zip run: sbt "universal:stage;universal:packageBin" - name: View Artifacts run: ls -l app/server/target/universal/stage - name: pwd run: pwd - name: Upload bitcoin-s-server-linux zip uses: actions/upload-artifact@v3 env: pkg-version: ${{steps.previoustag.outputs.tag}} with: name: "bitcoin-s-server-linux" path: app/server/target/universal/stage/ - name: Upload bitcoin-s-oracle-server-linux zip uses: actions/upload-artifact@v3 env: pkg-version: ${{steps.previoustag.outputs.tag}} with: name: "bitcoin-s-oracle-server-linux" path: app/oracle-server/target/universal/stage/ - name: Upload bitcoin-s-cli-linux zip uses: actions/upload-artifact@v3 env: pkg-version: ${{steps.previoustag.outputs.tag}} with: name: "bitcoin-s-cli-linux" path: app/cli/target/universal/stage/ - name: Upload bitcoin-s-server if release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: name: "bitcoin-s-server-linux-${{steps.previoustag.outputs.tag}}" files: app/server/target/universal/*.zip env: pkg-version: ${{steps.previoustag.outputs.tag}} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload bitcoin-s-oracle-server if release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: name: "bitcoin-s-oracle-server-linux-${{steps.previoustag.outputs.tag}}" files: app/oracle-server/target/universal/*.zip env: pkg-version: ${{steps.previoustag.outputs.tag}} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload bitcoin-s-cli if release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: name: "bitcoin-s-cli-linux-${{steps.previoustag.outputs.tag}}" files: app/cli/target/universal/*.zip env: pkg-version: ${{steps.previoustag.outputs.tag}} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} windows-zips: runs-on: [windows-latest] steps: - uses: actions/checkout@v2 with: fetch-depth: 0 - name: Setup Scala uses: olafurpg/setup-scala@v13 with: java-version: openjdk@1.17.0 - name: 'Get Previous tag' id: previoustag uses: "WyriHaximus/github-action-get-previous-tag@v1" with: fallback: 1.0.0 # Optional fallback tag to use when no tag can be found - name: Build zip shell: bash run: sbt "universal:stage;universal:packageBin" - name: View Artifacts run: ls -l app/server/target/universal/stage - name: pwd run: pwd - name: Upload bitcoin-s-server-windows zip uses: actions/upload-artifact@v3 env: pkg-version: ${{steps.previoustag.outputs.tag}} with: name: "bitcoin-s-server-windows" path: app/server/target/universal/stage/ - name: Upload bitcoin-s-oracle-server zip uses: actions/upload-artifact@v3 env: pkg-version: ${{steps.previoustag.outputs.tag}} with: name: "bitcoin-s-oracle-server-windows" path: app/oracle-server/target/universal/stage/ - name: Upload bitcoin-s-cli zip uses: actions/upload-artifact@v3 env: pkg-version: ${{steps.previoustag.outputs.tag}} with: name: "bitcoin-s-cli-windows" path: app/cli/target/universal/stage/ - name: Upload bitcoin-s-server if release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: name: "bitcoin-s-server-windows-${{steps.previoustag.outputs.tag}}" files: app/server/target/universal/*.zip env: pkg-version: ${{steps.previoustag.outputs.tag}} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload bitcoin-s-oracle-server if release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: name: "bitcoin-s-oracle-server-windows-${{steps.previoustag.outputs.tag}}" files: app/oracle-server/target/universal/*.zip env: pkg-version: ${{steps.previoustag.outputs.tag}} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload bitcoin-s-cli if release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: name: "bitcoin-s-cli-windows-${{steps.previoustag.outputs.tag}}" files: app/cli/target/universal/*.zip env: pkg-version: ${{steps.previoustag.outputs.tag}} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}