Sign code in release pipeline and switch shell script out with Makefile. Fixes #229

2021-03-13 22:31:01 +01:00 · 2021-03-13 22:31:01 +01:00 · 68a221eb2e
parent 2a7b283e07
commit 68a221eb2e
6 changed files with 87 additions and 29 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -6,26 +6,46 @@ on:

 env:
  APP_NAME: breezedark
+  CERT_DIRECTORY: $HOME/.nextcloud/certificates

 jobs:
  release:
    runs-on: ubuntu-latest
    name: Release new version
    steps:
+      - name: Checkout NC server
+        uses: actions/checkout@v2
+        with:
+          repository: nextcloud/server
+          ref: "master"
+
+      - name: Checkout NC submodules
+        shell: bash
+        run: |
+          auth_header="$(git config --local --get http.https://github.com/.extraheader)"
+          git submodule sync --recursive
+          git -c "http.extraheader=$auth_header" -c protocol.version=2 submodule update --init --force --recursive --depth=1
+
      - name: Checkout app
        uses: actions/checkout@v2
        with:
          path: ${{ env.APP_NAME }}

-      - name: Create tarball
-        run: cd ${{ env.APP_NAME }} && ./create_release.sh
+      - name: Run build
+        run: |
+          mkdir -p ${{ env.CERT_DIRECTORY }}
+          echo "${{ secrets.APP_PRIVATE_KEY }}" > ${{ env.CERT_DIRECTORY }}/${{ env.APP_NAME }}.key
+          echo "${{ secrets.APP_CERT }}" > ${{ env.CERT_DIRECTORY }}/${{ env.APP_NAME }}.crt
+          cd ${{ env.APP_NAME }}
+          make appstore
+          rm -rf ${{ env.CERT_DIRECTORY }}

      - name: Upload tarball to release
        uses: svenstaro/upload-release-action@v2
        id: attach_to_release
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: ${{ env.APP_NAME }}/release/${{ env.APP_NAME }}.tar.gz
+          file: ${{ env.APP_NAME }}/build/${{ env.APP_NAME }}.tar.gz
          asset_name: ${{ env.APP_NAME }}.tar.gz
          tag: ${{ github.ref }}
          overwrite: true
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,4 @@
-release
+build
 node_modules
 translationfiles
 translationtool.phar
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,6 +6,7 @@

 -   [#165](https://github.com/mwalbeck/nextcloud-breeze-dark/issues/165) Add styling for GpxPod and invert gpxpod icon in files right click menu
 -   [#225](https://github.com/mwalbeck/nextcloud-breeze-dark/issues/225) Notes: Add notes transparent icon
+-   [#229](https://github.com/mwalbeck/nextcloud-breeze-dark/issues/229) Sign code in release pipeline and switch shell script out with Makefile

 ### Changed

--- a/59
+++ b/59
@ -0,0 +1,59 @@
+# This file is licensed under the Affero General Public License version 3 or
+# later. See the COPYING file.
+
+app_name=breezedark
+build_directory=$(CURDIR)/build
+sign_directory=$(build_directory)/sign
+cert_directory=$(HOME)/.nextcloud/certificates
+
+all: dev-setup prettier stylelint
+
+dev-setup: npm-init
+
+npm-init:
+	npm ci
+
+prettier:
+	npm run prettier
+
+prettier-fix:
+	npm run prettier:fix
+
+stylelint:
+	npm run stylelint
+
+stylelint-fix:
+	npm run stylelint:fix
+
+appstore:
+	rm -rf $(build_directory)
+	mkdir -p $(sign_directory)
+	rsync -a \
+	--exclude=".git" \
+	--exclude=".github" \
+	--exclude=".vscode" \
+	--exclude="node_modules" \
+	--exclude="build" \
+	--exclude=".gitignore" \
+	--exclude=".prettierignore" \
+	--exclude=".prettierrc" \
+	--exclude=".stylelintignore" \
+	--exclude=".stylelintrc.json" \
+	--exclude="Makefile" \
+	--exclude="package-lock.json" \
+	--exclude="package.json" \
+	--exclude="screenshot.png" \
+	--exclude="translationtool.phar" \
+	../$(app_name)/ $(sign_directory)/$(app_name)
+	@if [ -f $(cert_directory)/$(app_name).key ]; then \
+		echo "Signing app files…"; \
+		php ../occ integrity:sign-app \
+			--privateKey=$(cert_directory)/$(app_name).key\
+			--certificate=$(cert_directory)/$(app_name).crt\
+			--path=$(sign_directory)/$(app_name); \
+	fi
+	tar czf $(build_directory)/$(app_name).tar.gz \
+		-C $(sign_directory) $(app_name)
+
+sign-package:
+	openssl dgst -sha512 -sign $(cert_directory)/$(app_name).key $(build_directory)/$(app_name).tar.gz | openssl base64;
--- a/create_release.sh
+++ b/create_release.sh
@ -1,23 +0,0 @@
-#!/usr/bin/env bash
-APP_NAME=breezedark
-RELEASE_DIR=$(pwd)/release
-
-rm -rf $RELEASE_DIR
-mkdir -p $RELEASE_DIR
-tar cvzf $RELEASE_DIR/$APP_NAME.tar.gz \
--exclude-vcs \
--exclude="../$APP_NAME/.github" \
--exclude="../$APP_NAME/.vscode" \
--exclude="../$APP_NAME/node_modules" \
--exclude="../$APP_NAME/release" \
--exclude="../$APP_NAME/.gitignore" \
--exclude="../$APP_NAME/.prettierignore" \
--exclude="../$APP_NAME/.prettierrc" \
--exclude="../$APP_NAME/.stylelintignore" \
--exclude="../$APP_NAME/.stylelintrc.json" \
--exclude="../$APP_NAME/create_release.sh" \
--exclude="../$APP_NAME/package-lock.json" \
--exclude="../$APP_NAME/package.json" \
--exclude="../$APP_NAME/screenshot.png" \
--exclude="../$APP_NAME/translationtool.phar" \
-../$APP_NAME
--- a/package.json
+++ b/package.json
@ -12,7 +12,8 @@
    },
    "scripts": {
        "prettier": "prettier --check css/ js/",
-        "prettier-write": "prettier --write css/ js/",
-        "lint:scss": "stylelint css/"
+        "prettier:fix": "prettier --write css/ js/",
+        "stylelint": "stylelint css/",
+        "stylelint:fix": "stylelint css/ --fix"
    }
 }