bitcoin-s/.github/workflows/javafx.yml

# Legacy JavaFX Desktop Application builds
name: JavaFX Desktop Apps
on:
  push:
    branches: [master, main]
    tags: ["*"]
  release:
    types: [ published ]

env:
  pkg-assembly: 'bitcoin-s-bundle.jar'
  pkg-name: 'bitcoin-s'

jobs:
  javafx-macos:
    runs-on: [ macos-latest ]
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Setup Scala
        uses: olafurpg/setup-scala@v13
        with:
          java-version: openjdk@1.17.0
      - name: Get Previous tag
        id: previoustag
        uses: WyriHaximus/github-action-get-previous-tag@v1
        with:
          fallback: 0.0.0 # Optional fallback tag to use when no tag can be found
      - name: Import developer cert to keychain
        uses: apple-actions/import-codesign-certs@v1
        with:
          create-keychain: true
          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
          keychain-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
      - name: Build fat jar
        run: sbt "bundle/assembly"
      - name: Add cert to keychain and unlock keychain & build and sign dmg
        env:
          pkg-version: ${{steps.previoustag.outputs.tag}}
          MACOS_CERTIFICATE_PWD: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
          MAC_NOTARIZATION_PW: ${{secrets.MAC_NOTARIZATION_PW}}
        # Steps to build a fully signed and notarized bitcoin-s dmg
        # 1. Unlock the OS x keychain so we don't have to input passwords via GUI prompts
        # 2. Build bitcoin-s.app that is recursively signed with jpackage --mac-sign
        # 3. Build an unsigned dmg that contains bitcoin-s.app inside of it (no idea why --mac-sign doesn't work with --type dmg)
        # 4. Sign the dmg with codesign (jpackage dmg signing is broken for some reason)
        # 5. Submit the dmg to apple's notarization service so can get it whitelisted for installation (see: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution)
        # 6. Sleep until apple notorization is done
        # 7. Retrieve the signature and staple it to the dmg to so network requests do not need to be made to open the dmg
        # 8. Check all signatures on bitcoin-s.app (see: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735)
        # 9. Check all dmg signatures
        # 10. Display information about signed dmg
        run: |
          echo "Hello world"
          java -version
          jpackage --version
          ls -l
          security unlock-keychain -p $MACOS_CERTIFICATE_PWD signing_temp.keychain
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD signing_temp.keychain
          echo "===========jpackage app image begin================"
          jpackage --verbose --name ${{ env.pkg-name }} --app-version ${{steps.previoustag.outputs.tag}} --mac-package-name ${{ env.pkg-name }} --type app-image -i app/bundle/target/scala-2.13/ --main-class org.bitcoins.bundle.gui.BundleGUI --main-jar ${{ env.pkg-assembly }} --icon app/gui/src/main/resources/icons/bitcoin-s.icns --mac-sign --mac-signing-keychain /Users/runner/Library/Keychains/signing_temp.keychain-db --mac-signing-key-user-name "Chris Stewart (9ZG3GPKHX8)"
          echo "===========jpackage dmg begin================"
          jpackage --verbose --name ${{ env.pkg-name }} --app-version ${{steps.previoustag.outputs.tag}} --mac-package-name ${{ env.pkg-name }} --type dmg --app-image bitcoin-s.app --mac-sign --mac-signing-key-user-name "Chris Stewart (9ZG3GPKHX8)"
          echo "Signing dmg with code sign"
          codesign -s "Developer ID Application: Chris Stewart (9ZG3GPKHX8)" --options runtime -vvvv --deep ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg
          echo "Running xcrun alttool --notarize app"
          REQUEST_UUID=$(xcrun altool --notarize-app --primary-bundle-id "org.bitcoins.bundle" -u "stewart.chris1234@gmail.com" --team-id "9ZG3GPKHX8" --password "$MAC_NOTARIZATION_PW"  --file ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg | grep RequestUUID | awk '{print $3}')
          echo "Waiting for notarization from Apple for $REQUEST_UUID"
          sleep 5
          xcrun altool --notarization-info "$REQUEST_UUID" -u "stewart.chris1234@gmail.com" --team-id "9ZG3GPKHX8" -p "$MAC_NOTARIZATION_PW"
          echo "Start while loop"
          while xcrun altool --notarization-info "$REQUEST_UUID" -u "stewart.chris1234@gmail.com" --team-id "9ZG3GPKHX8" -p "$MAC_NOTARIZATION_PW" | grep "Status: in progress" > /dev/null; do
            echo "Verification in progress..."
            sleep 30
          done
          xcrun stapler staple ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg
          echo "Done stapling"
          spctl -vvv --assess --type exec bitcoin-s.app
          echo "Done inspecting app with spctl"
          codesign -vvv --deep --strict ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg
          echo "Done verifying code signing deep"
          codesign -dvv ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg
          echo "Done verifying artifacts"
          ls -l          
      - name: Echo download path
        run: echo ${{steps.download.outputs.download-path}}
      - name: Upload mac-javafx dmg
        uses: actions/upload-artifact@v3
        with:
          name: mac-javafx
          path: ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg
      - name: Upload if release
        uses: softprops/action-gh-release@v1
        if: startsWith(github.ref, 'refs/tags/')
        with:
          name: mac-javafx
          files: ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  javafx-linux:
    runs-on: [ ubuntu-latest ]
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Setup Scala
        uses: olafurpg/setup-scala@v13
        with:
          java-version: openjdk@1.17.0
      - name: Get Previous tag
        id: previoustag
        uses: WyriHaximus/github-action-get-previous-tag@v1
        with:
          fallback: 1.0.0 # Optional fallback tag to use when no tag can be found
      - name: Build fat jar
        run: sbt "bundle/assembly"
      - name: Package jar as debian package
        env:
          pkg-version: ${{steps.previoustag.outputs.tag}}
        run: "jpackage --linux-shortcut --name ${{ env.pkg-name }} --app-version ${{steps.previoustag.outputs.tag}} --type deb -i app/bundle/target/scala-2.13/ --main-class org.bitcoins.bundle.gui.BundleGUI --main-jar ${{ env.pkg-assembly }} --icon app/gui/src/main/resources/icons/bitcoin-s.png"
      - name: View Artifacts
        run: ls -l
      - name: Print working dir
        run: pwd
      - name: Upload linux-javafx deb
        uses: actions/upload-artifact@v3
        env:
          pkg-version: ${{steps.previoustag.outputs.tag}}
        with:
          name: linux-javafx
          path: ${{ env.pkg-name }}_${{ steps.previoustag.outputs.tag }}-1_amd64.deb
      - name: Upload if release
        uses: softprops/action-gh-release@v1
        if: startsWith(github.ref, 'refs/tags/')
        with:
          name: linux-javafx
          files: ${{ env.pkg-name }}_${{ steps.previoustag.outputs.tag }}-1_amd64.deb
        env:
          pkg-version: ${{steps.previoustag.outputs.tag}}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  javafx-windows:
    runs-on: [windows-latest]
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Setup Scala
        uses: olafurpg/setup-scala@v13
        with:
          java-version: openjdk@1.17.0
      - name: Get Previous tag
        id: previoustag
        uses: WyriHaximus/github-action-get-previous-tag@v1
        with:
          fallback: 1.0.0 # Optional fallback tag to use when no tag can be found
      - name: Build msi
        shell: bash
        run: sbt bundle/windows:packageBin
      - name: View artifacts
        run: ls -R .
      - name: Upload windows-javafx msi
        uses: actions/upload-artifact@v3
        with:
          name: windows-javafx
          path: "D:\\a\\bitcoin-s\\bitcoin-s\\app\\bundle\\target\\windows\\bitcoin-s-bundle.msi"
      - name: Upload if release
        uses: softprops/action-gh-release@v1
        if: startsWith(github.ref, 'refs/tags/')
        with:
          name: windows-javafx
          files: "D:\\a\\bitcoin-s\\bitcoin-s\\app\\bundle\\target\\windows\\bitcoin-s-bundle.msi"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}