release.yml
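# Release workflow: on a pushed version tag, build the frontend, package the
# app as sendent.tar.gz, sign the tarball with the Nextcloud app key, create a
# GitHub release and register the release with the Nextcloud App Store.
#
# This job handles a signing key and a store token, so values that originate
# from the tag name are validated once and then passed to shell steps through
# `env:` rather than being interpolated into the script text.
name: Release

on:
  push:
    tags:
      # Glob, not a regex: any tag that starts with a digit triggers the job.
      - '[0-9]*'

env:
  APP_NAME: sendent

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      # Needed to create the GitHub release; nothing else is granted.
      contents: write
    steps:
      # NOTE(review): the three `uses:` references in this job are mutable
      # tags. For a job that signs and publishes, consider pinning each action
      # to a full commit SHA (with the tag kept in a trailing comment).
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          path: ${{ env.APP_NAME }}
          # No later step uses git credentials, so do not leave the token
          # where `npm ci` / `npm run build` scripts could read it.
          persist-credentials: false

      - name: Extract version from tag
        id: version
        run: |
          TAG="${GITHUB_REF#refs/tags/}"
          # The trigger glob only constrains the first character. Reject
          # anything that is not a plain version string before the value is
          # reused in later steps, URLs and the JSON request body.
          if ! [[ "${TAG}" =~ ^[0-9][0-9A-Za-z.+-]*$ ]]; then
            echo "::error::Tag name is not a plain version string"
            exit 1
          fi
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
          echo "version=${TAG}" >> "$GITHUB_OUTPUT"
          echo "Extracted version: ${TAG}"

      - name: Validate info.xml version matches tag
        working-directory: ${{ env.APP_NAME }}
        env:
          # Passed as data; the expression is not expanded inside the script.
          TAG_VERSION: ${{ steps.version.outputs.version }}
        run: |
          INFO_VERSION=$(grep -oP '<version>\K[^<]+' appinfo/info.xml)
          echo "info.xml version: ${INFO_VERSION}"
          echo "Tag version:      ${TAG_VERSION}"
          if [ "${INFO_VERSION}" != "${TAG_VERSION}" ]; then
            echo "::error::Version mismatch! info.xml has '${INFO_VERSION}' but tag is '${TAG_VERSION}'"
            exit 1
          fi
          echo "Version match confirmed."

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: 'npm'
          cache-dependency-path: ${{ env.APP_NAME }}/package-lock.json

      - name: Install npm dependencies
        working-directory: ${{ env.APP_NAME }}
        run: npm ci

      - name: Build frontend
        working-directory: ${{ env.APP_NAME }}
        run: npm run build

      - name: Clean build artifacts
        working-directory: ${{ env.APP_NAME }}
        run: |
          find js/ -name '*.map' -delete
          find js/ -name '*.LICENSE.txt' -delete
          find css/ -name '*.map' -delete 2>/dev/null || true

      - name: Create release tarball
        run: |
          tar czf sendent.tar.gz \
            --exclude='./sendent/.git' \
            --exclude='./sendent/.github' \
            --exclude='./sendent/.gitignore' \
            --exclude='./sendent/.eslintrc.*' \
            --exclude='./sendent/.php_cs*' \
            --exclude='./sendent/.php-cs-fixer.dist.php' \
            --exclude='./sendent/.phpunit.result.cache' \
            --exclude='./sendent/.env' \
            --exclude='./sendent/.vscode' \
            --exclude='./sendent/.vs' \
            --exclude='./sendent/.DS_Store' \
            --exclude='./sendent/node_modules' \
            --exclude='./sendent/vendor' \
            --exclude='./sendent/src' \
            --exclude='./sendent/tests' \
            --exclude='./sendent/build' \
            --exclude='./sendent/releases' \
            --exclude='./sendent/certificates' \
            --exclude='./sendent/package.json' \
            --exclude='./sendent/package-lock.json' \
            --exclude='./sendent/composer.json' \
            --exclude='./sendent/composer.lock' \
            --exclude='./sendent/composer.phar' \
            --exclude='./sendent/yarn.lock' \
            --exclude='./sendent/webpack.common.js' \
            --exclude='./sendent/webpack.dev.js' \
            --exclude='./sendent/webpack.prod.js' \
            --exclude='./sendent/tsconfig.json' \
            --exclude='./sendent/Makefile' \
            --exclude='./sendent/psalm.xml' \
            --exclude='./sendent/phpunit.xml' \
            --exclude='./sendent/phpunit.integration.xml' \
            ./sendent/

      - name: Verify tarball contents
        run: |
          echo "=== Tarball top-level entries ==="
          tar tzf sendent.tar.gz | head -30
          echo ""
          echo "=== Checking for files that must NOT be present ==="
          # Also covers the excluded .env file and certificates directory, so
          # a packaging mistake cannot ship credentials in the release.
          FORBIDDEN=$(tar tzf sendent.tar.gz | grep -E '(node_modules|\.git/|/src/|/tests/|/vendor/|/certificates/|/\.env$|package\.json|webpack\.|tsconfig|\.map$|\.LICENSE\.txt$)' || true)
          if [ -n "$FORBIDDEN" ]; then
            echo "::error::Tarball contains forbidden files:"
            echo "$FORBIDDEN"
            exit 1
          fi
          echo "Tarball verification passed."

      - name: Sign tarball with Nextcloud private key
        id: sign
        env:
          APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
        run: |
          # pipefail: without it a failing `openssl dgst` is masked by the
          # base64 stage and an empty signature would be published.
          set -euo pipefail
          if [ -z "${APP_PRIVATE_KEY}" ]; then
            echo "::error::APP_PRIVATE_KEY secret is empty or not set"
            exit 1
          fi
          # Keep the key outside the workspace, readable by this user only,
          # and remove it on every exit path (including failures).
          umask 077
          KEY_FILE="$(mktemp "${RUNNER_TEMP}/app-key.XXXXXX")"
          trap 'rm -f "${KEY_FILE}"' EXIT
          printf '%s\n' "${APP_PRIVATE_KEY}" > "${KEY_FILE}"
          SIGNATURE=$(openssl dgst -sha512 -sign "${KEY_FILE}" sendent.tar.gz | openssl base64 -A)
          if [ -z "${SIGNATURE}" ]; then
            echo "::error::Signing produced an empty signature"
            exit 1
          fi
          echo "signature=${SIGNATURE}" >> "$GITHUB_OUTPUT"

      - name: Create GitHub Release
        id: create_release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ steps.version.outputs.tag }}
          name: ${{ steps.version.outputs.version }}
          draft: false
          prerelease: false
          generate_release_notes: true
          files: sendent.tar.gz
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Publish to Nextcloud App Store
        env:
          NEXTCLOUD_APPSTORE_TOKEN: ${{ secrets.NEXTCLOUD_APPSTORE_TOKEN }}
          # Step outputs are handed over as environment variables so they are
          # treated as data by the shell.
          RELEASE_TAG: ${{ steps.version.outputs.tag }}
          SIGNATURE: ${{ steps.sign.outputs.signature }}
        run: |
          DOWNLOAD_URL="https://github.com/${GITHUB_REPOSITORY}/releases/download/${RELEASE_TAG}/sendent.tar.gz"
          echo "Publishing to Nextcloud App Store..."
          echo "Download URL: ${DOWNLOAD_URL}"
          HTTP_STATUS=$(curl -s -o response.txt -w "%{http_code}" \
            -X POST \
            -H "Authorization: Token ${NEXTCLOUD_APPSTORE_TOKEN}" \
            -H "Content-Type: application/json" \
            -d "{\"download\": \"${DOWNLOAD_URL}\", \"signature\": \"${SIGNATURE}\", \"nightly\": false}" \
            https://apps.nextcloud.com/api/v1/apps/releases)
          echo "HTTP Status: ${HTTP_STATUS}"
          cat response.txt
          echo ""
          # Only a 2xx answer means the release was registered; redirects are
          # not followed, so a 3xx must not be reported as success.
          if [ "$HTTP_STATUS" -lt 200 ] || [ "$HTTP_STATUS" -ge 300 ]; then
            echo "::error::App Store publish failed with HTTP ${HTTP_STATUS}"
            exit 1
          fi
          echo "Successfully published to Nextcloud App Store."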