Skip to content
Closed
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,9 @@ jobs:
uses: gradle/actions/setup-gradle@v5

- name: Decode google-services.json
run: echo "$GOOGLE_SERVICES_JSON_BASE64" | base64 -d > app/google-services.json
run: |
mkdir -p app/src/debug
echo "$GOOGLE_SERVICES_JSON_BASE64" | base64 -d > app/src/debug/google-services.json
env:
GOOGLE_SERVICES_JSON_BASE64: ${{ secrets.GOOGLE_SERVICES_JSON_BASE64 }}

Expand Down
8 changes: 6 additions & 2 deletions .github/workflows/e2e.yml
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,9 @@ jobs:
uses: gradle/actions/setup-gradle@v5

- name: Decode google-services.json
run: echo "$GOOGLE_SERVICES_JSON_BASE64" | base64 -d > app/google-services.json
run: |
mkdir -p app/src/debug
echo "$GOOGLE_SERVICES_JSON_BASE64" | base64 -d > app/src/debug/google-services.json
env:
GOOGLE_SERVICES_JSON_BASE64: ${{ secrets.GOOGLE_SERVICES_JSON_BASE64 }}

Expand Down Expand Up @@ -100,7 +102,9 @@ jobs:
uses: gradle/actions/setup-gradle@v5

- name: Decode google-services.json
run: echo "$GOOGLE_SERVICES_JSON_BASE64" | base64 -d > app/google-services.json
run: |
mkdir -p app/src/debug
echo "$GOOGLE_SERVICES_JSON_BASE64" | base64 -d > app/src/debug/google-services.json
env:
GOOGLE_SERVICES_JSON_BASE64: ${{ secrets.GOOGLE_SERVICES_JSON_BASE64 }}

Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/e2e_migration.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,9 @@ jobs:
uses: gradle/actions/setup-gradle@v5

- name: Decode google-services.json
run: echo "$GOOGLE_SERVICES_JSON_BASE64" | base64 -d > app/google-services.json
run: |
mkdir -p app/src/debug
echo "$GOOGLE_SERVICES_JSON_BASE64" | base64 -d > app/src/debug/google-services.json
env:
GOOGLE_SERVICES_JSON_BASE64: ${{ secrets.GOOGLE_SERVICES_JSON_BASE64 }}

Expand Down
99 changes: 99 additions & 0 deletions .github/workflows/release-internal.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
name: Release Internal

on:
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

env:
TERM: xterm-256color
FORCE_COLOR: 1

jobs:
build-internal:
if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-') || startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
timeout-minutes: 45
environment: release-internal

permissions:
contents: read
packages: read

steps:
- name: Checkout
uses: actions/checkout@v6

- name: Setup Java
uses: actions/setup-java@v5
with:
java-version: '17'
distribution: 'adopt'

- name: Setup Gradle
uses: gradle/actions/setup-gradle@v5

- name: Decode mainnet release google-services.json
env:
MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64: ${{ secrets.MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64 }}
run: |
set -euo pipefail
test -n "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64"
mkdir -p app/src/mainnetRelease
printf '%s' "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64" | base64 --decode > app/src/mainnetRelease/google-services.json

- name: Decode internal keystore
env:
INTERNAL_KEYSTORE_BASE64: ${{ secrets.INTERNAL_KEYSTORE_BASE64 }}
run: |
set -euo pipefail
test -n "$INTERNAL_KEYSTORE_BASE64"
umask 077
keystore_path="$RUNNER_TEMP/internal.keystore"
printf '%s' "$INTERNAL_KEYSTORE_BASE64" | base64 --decode > "$keystore_path"
echo "KEYSTORE_FILE=$keystore_path" >> "$GITHUB_ENV"

- name: Build internal release APK
env:
GPR_USER: ${{ secrets.GPR_USER || github.actor }}
GPR_TOKEN: ${{ secrets.GPR_TOKEN || github.token }}
GITHUB_TOKEN: ${{ secrets.GPR_TOKEN || github.token }}
KEYSTORE_PASSWORD: ${{ secrets.INTERNAL_KEYSTORE_PASSWORD }}
KEY_ALIAS: ${{ secrets.INTERNAL_KEY_ALIAS }}
KEY_PASSWORD: ${{ secrets.INTERNAL_KEY_PASSWORD }}
run: ./gradlew assembleMainnetRelease --no-daemon --stacktrace

- name: Verify internal release signature
run: |
set -euo pipefail
android_sdk_root="${ANDROID_HOME:-${ANDROID_SDK_ROOT:-}}"
test -n "$android_sdk_root"
apksigner_path="$(find "$android_sdk_root/build-tools" -name apksigner -type f | sort -V | tail -n 1)"
test -n "$apksigner_path"

apk_count=0
while IFS= read -r -d '' apk_path; do
apk_count=$((apk_count + 1))
"$apksigner_path" verify --verbose --print-certs "$apk_path"
done < <(find app/build/outputs/apk/mainnet/release -name 'bitkit-mainnet-release-*.apk' -print0)
test "$apk_count" -gt 0

- name: Collect internal artifacts
id: artifacts
run: |
set -euo pipefail
artifact_dir="$RUNNER_TEMP/internal-release"
mkdir -p "$artifact_dir"
find app/build/outputs/apk/mainnet/release -name 'bitkit-mainnet-release-*.apk' -print0 |
xargs -0 -I {} cp {} "$artifact_dir/"
(cd "$artifact_dir" && sha256sum *.apk > SHA256SUMS.txt)
echo "artifact_dir=$artifact_dir" >> "$GITHUB_OUTPUT"

- name: Upload internal artifacts
uses: actions/upload-artifact@v6
with:
name: bitkit-internal-release-${{ github.run_number }}
path: ${{ steps.artifacts.outputs.artifact_dir }}
retention-days: 30
123 changes: 123 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
name: Release

on:
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

env:
TERM: xterm-256color
FORCE_COLOR: 1

jobs:
build-release:
if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-') || startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
timeout-minutes: 45
environment: release

permissions:
contents: read
packages: read

steps:
- name: Checkout
uses: actions/checkout@v6

- name: Setup Java
uses: actions/setup-java@v5
with:
java-version: '17'
distribution: 'adopt'

- name: Setup Gradle
uses: gradle/actions/setup-gradle@v5

- name: Decode mainnet release google-services.json
env:
MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64: ${{ secrets.MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64 }}
run: |
set -euo pipefail
test -n "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64"
mkdir -p app/src/mainnetRelease
printf '%s' "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64" | base64 --decode > app/src/mainnetRelease/google-services.json

- name: Decode release keystore
env:
BITKIT_KEYSTORE_BASE64: ${{ secrets.BITKIT_KEYSTORE_BASE64 }}
run: |
set -euo pipefail
test -n "$BITKIT_KEYSTORE_BASE64"
umask 077
keystore_path="$RUNNER_TEMP/bitkit.keystore"
printf '%s' "$BITKIT_KEYSTORE_BASE64" | base64 --decode > "$keystore_path"
echo "KEYSTORE_FILE=$keystore_path" >> "$GITHUB_ENV"

- name: Build release artifacts
env:
GPR_USER: ${{ secrets.GPR_USER || github.actor }}
GPR_TOKEN: ${{ secrets.GPR_TOKEN || github.token }}
GITHUB_TOKEN: ${{ secrets.GPR_TOKEN || github.token }}
KEYSTORE_PASSWORD: ${{ secrets.BITKIT_KEYSTORE_PASSWORD }}
KEY_ALIAS: ${{ secrets.BITKIT_KEY_ALIAS }}
KEY_PASSWORD: ${{ secrets.BITKIT_KEY_PASSWORD }}
run: ./gradlew assembleMainnetRelease bundleMainnetRelease --no-daemon --stacktrace

- name: Verify release signatures
run: |
set -euo pipefail
android_sdk_root="${ANDROID_HOME:-${ANDROID_SDK_ROOT:-}}"
test -n "$android_sdk_root"
apksigner_path="$(find "$android_sdk_root/build-tools" -name apksigner -type f | sort -V | tail -n 1)"
test -n "$apksigner_path"

apk_count=0
while IFS= read -r -d '' apk_path; do
apk_count=$((apk_count + 1))
"$apksigner_path" verify --verbose --print-certs "$apk_path"
done < <(find app/build/outputs/apk/mainnet/release -name 'bitkit-mainnet-release-*.apk' -print0)
test "$apk_count" -gt 0

bundle_count=0
while IFS= read -r -d '' bundle_path; do
bundle_count=$((bundle_count + 1))
verify_output="$(mktemp)"
if ! jarsigner -verify -verbose -certs "$bundle_path" 2>&1 | tee "$verify_output"; then
rm -f "$verify_output"
exit 1
fi
if grep -qi "jar is unsigned" "$verify_output"; then
echo "Unsigned bundle: $bundle_path"
rm -f "$verify_output"
exit 1
fi
if ! grep -qi "jar verified" "$verify_output"; then
echo "Bundle signature verification did not report success: $bundle_path"
rm -f "$verify_output"
exit 1
fi
rm -f "$verify_output"
done < <(find app/build/outputs/bundle/mainnetRelease -name 'bitkit-mainnet-release-*.aab' -print0)
test "$bundle_count" -gt 0

- name: Collect release artifacts
id: artifacts
run: |
set -euo pipefail
artifact_dir="$RUNNER_TEMP/release"
mkdir -p "$artifact_dir"
find app/build/outputs/bundle/mainnetRelease -name 'bitkit-mainnet-release-*.aab' -print0 |
xargs -0 -I {} cp {} "$artifact_dir/"
find app/build/outputs/apk/mainnet/release -name 'bitkit-mainnet-release-*.apk' -print0 |
xargs -0 -I {} cp {} "$artifact_dir/"
(cd "$artifact_dir" && sha256sum *.aab *.apk > SHA256SUMS.txt)
echo "artifact_dir=$artifact_dir" >> "$GITHUB_OUTPUT"

Comment thread
ovitrif marked this conversation as resolved.
- name: Upload release artifacts
uses: actions/upload-artifact@v6
with:
name: bitkit-release-${{ github.run_number }}
path: ${{ steps.artifacts.outputs.artifact_dir }}
retention-days: 30
117 changes: 117 additions & 0 deletions .github/workflows/reproducible-release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
name: Reproducible Release

on:
workflow_dispatch:
inputs:
comparison_artifact_name:
description: Optional artifact name to compare against with diffoscope
required: false
default: ''
comparison_run_id:
description: Workflow run id that produced the comparison artifact
required: false
default: ''

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

env:
TERM: xterm-256color
FORCE_COLOR: 1

jobs:
reproduce-mainnet:
if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-') || startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
timeout-minutes: 60
environment: release

permissions:
actions: read
contents: read
packages: read

steps:
- name: Checkout
uses: actions/checkout@v6

- name: Setup Java
uses: actions/setup-java@v5
with:
java-version: '17'
distribution: 'adopt'

- name: Setup Gradle
uses: gradle/actions/setup-gradle@v5

- name: Decode mainnet release google-services.json
env:
MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64: ${{ secrets.MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64 }}
run: |
set -euo pipefail
test -n "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64"
mkdir -p app/src/mainnetRelease
printf '%s' "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64" | base64 --decode > app/src/mainnetRelease/google-services.json

- name: Decode release keystore
env:
BITKIT_KEYSTORE_BASE64: ${{ secrets.BITKIT_KEYSTORE_BASE64 }}
run: |
set -euo pipefail
test -n "$BITKIT_KEYSTORE_BASE64"
umask 077
keystore_path="$RUNNER_TEMP/bitkit.keystore"
printf '%s' "$BITKIT_KEYSTORE_BASE64" | base64 --decode > "$keystore_path"
echo "KEYSTORE_FILE=$keystore_path" >> "$GITHUB_ENV"

- name: Validate comparison inputs
if: ${{ github.event_name == 'workflow_dispatch' && inputs.comparison_artifact_name != '' }}
env:
COMPARISON_RUN_ID: ${{ inputs.comparison_run_id }}
run: |
set -euo pipefail
test -n "$COMPARISON_RUN_ID"

- name: Download comparison artifact
if: ${{ github.event_name == 'workflow_dispatch' && inputs.comparison_artifact_name != '' }}
uses: actions/download-artifact@v6
with:
name: ${{ inputs.comparison_artifact_name }}
Comment thread
ovitrif marked this conversation as resolved.
path: ${{ runner.temp }}/comparison
github-token: ${{ github.token }}
Comment thread
ovitrif marked this conversation as resolved.
repository: ${{ github.repository }}
run-id: ${{ inputs.comparison_run_id }}

- name: Install diffoscope
if: ${{ github.event_name == 'workflow_dispatch' && inputs.comparison_artifact_name != '' }}
run: |
set -euo pipefail
sudo apt-get update
sudo apt-get install -y diffoscope

- name: Build reproducibility artifacts
env:
GPR_USER: ${{ secrets.GPR_USER || github.actor }}
GPR_TOKEN: ${{ secrets.GPR_TOKEN || github.token }}
GITHUB_TOKEN: ${{ secrets.GPR_TOKEN || github.token }}
KEYSTORE_PASSWORD: ${{ secrets.BITKIT_KEYSTORE_PASSWORD }}
KEY_ALIAS: ${{ secrets.BITKIT_KEY_ALIAS }}
KEY_PASSWORD: ${{ secrets.BITKIT_KEY_PASSWORD }}
OUTPUT_DIR: ${{ runner.temp }}/reproducible-release
run: |
set -euo pipefail
if [ -d "$RUNNER_TEMP/comparison/extracted-apks" ]; then
export DIFFOSCOPE_COMPARE_DIR="$RUNNER_TEMP/comparison/extracted-apks"
elif [ -d "$RUNNER_TEMP/comparison" ]; then
export DIFFOSCOPE_COMPARE_DIR="$RUNNER_TEMP/comparison"
Comment thread
ovitrif marked this conversation as resolved.
fi
scripts/reproduce-release.sh

- name: Upload reproducibility artifacts
if: ${{ always() }}
uses: actions/upload-artifact@v6
with:
name: bitkit-reproducible-release-${{ github.run_number }}
path: ${{ runner.temp }}/reproducible-release
retention-days: 30
4 changes: 3 additions & 1 deletion .github/workflows/ui-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,9 @@ jobs:
gradle-${{ runner.os }}-

- name: Decode google-services.json
run: echo "$GOOGLE_SERVICES_JSON_BASE64" | base64 -d > app/google-services.json
run: |
mkdir -p app/src/debug
echo "$GOOGLE_SERVICES_JSON_BASE64" | base64 -d > app/src/debug/google-services.json
env:
GOOGLE_SERVICES_JSON_BASE64: ${{ secrets.GOOGLE_SERVICES_JSON_BASE64 }}

Expand Down
Loading
Loading