diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml index 98110525..aa8d6531 100644 --- a/.github/actions/build/action.yml +++ b/.github/actions/build/action.yml @@ -7,6 +7,7 @@ runs: using: "composite" steps: - name: Build Android + shell: bash env: # ANDROID_SDK_ROOT has been in the env by 'setup-android' action in prepare.yml # and is => /usr/local/lib/android/sdk diff --git a/.github/actions/deploy/action.yml b/.github/actions/deploy/action.yml index a72d5783..ba7a3b16 100644 --- a/.github/actions/deploy/action.yml +++ b/.github/actions/deploy/action.yml @@ -3,19 +3,46 @@ name: Deploy description: Deploy the Android library artifacts to Maven Central +inputs: + OSSRH-username: + description: "The OSS Repository Hosting username" + required: true + OSSRH-password: + description: "The OSS Repository Hosting password" + required: true + UAT-OSSRH-username: + description: "The UAT OSS Repository Hosting username" + required: true + UAT-OSSRH-password: + description: "The UAT OSS Repository Hosting password" + required: true + signing-key-id: + description: "The signing key ID" + required: true + signing-password: + description: "The signing password" + required: true + signing-secret-key-ring-file: + description: "The path to the secret key ring file" + required: true + Sonatype-staging-profile-id: + description: "The Sonatype staging profile ID" + required: true + runs: using: "composite" steps: - name: Publish to MavenCentral + shell: bash run: ./gradlew publishAllPublicationsToSonatypeRepository --max-workers 1 closeAndReleaseSonatypeStagingRepository env: - UAT_OSSRH_USERNAME: ${{ secrets.UAT_OSSRH_USERNAME }} - UAT_OSSRH_PASSWORD: ${{ secrets.UAT_OSSRH_PASSWORD }} + UAT_OSSRH_USERNAME: ${{ inputs.UAT-OSSRH-username }} + UAT_OSSRH_PASSWORD: ${{ inputs.UAT-OSSRH-password }} # TODO: remove these after UAT is confirmed working - OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} - OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} + OSSRH_USERNAME: ${{ inputs.OSSRH-username }} + OSSRH_PASSWORD: ${{ inputs.OSSRH-password }} # ==== - SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} - SIGNING_SECRET_KEY_RING_FILE: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }} - SONATYPE_STAGING_PROFILE_ID: ${{ secrets.SONATYPE_STAGING_PROFILE_ID }} + SIGNING_KEY_ID: ${{ inputs.signing-key-id }} + SIGNING_PASSWORD: ${{ inputs.signing-password }} + SIGNING_SECRET_KEY_RING_FILE: ${{ inputs.signing-secret-key-ring-file }} + SONATYPE_STAGING_PROFILE_ID: ${{ inputs.Sonatype-staging-profile-id }} diff --git a/.github/actions/prepare/action.yml b/.github/actions/prepare/action.yml index 269efab3..24f44dd7 100644 --- a/.github/actions/prepare/action.yml +++ b/.github/actions/prepare/action.yml @@ -1,6 +1,5 @@ # This is a GitHub Composite Action that prepares the Android environment for the build. # This includes: -# - Checking out the code # - Configuring AWS credentials # - Updating Java # - Setting up the Android SDK @@ -12,22 +11,27 @@ name: Prepare description: Prepare the Android environment for the build +inputs: + actions-role: + description: "The role to assume for AWS actions" + required: true + GPG-key-contents: + description: "The GPG key contents" + required: true + signing-secret-key-ring-file: + description: "The path to the secret key ring file" + required: true + runs: using: "composite" steps: - - name: Check out code - uses: actions/checkout@v4 - with: - submodules: true - token: ${{ secrets.PAT_GITHUB }} - - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v2 with: aws-region: us-west-2 - role-to-assume: ${{ secrets.ACTIONS_ROLE }} + role-to-assume: ${{ inputs.actions-role }} - - name: Update Java + - name: Install Java uses: actions/setup-java@v4 with: distribution: "zulu" @@ -37,6 +41,7 @@ runs: uses: android-actions/setup-android@v3 - name: Install NDK & tools + shell: bash # Starts from: pwd => /home/runner/work/rive/rive # ANDROID_HOME => /usr/local/lib/android/sdk run: | @@ -48,12 +53,14 @@ runs: echo "y" | sdkmanager --install 'cmake;3.22.1' --channel=0 --sdk_root=${ANDROID_SDK_ROOT} - name: Configure venv + shell: bash run: | python3 -m venv .venv source .venv/bin/activate echo PATH=$PATH >> $GITHUB_ENV - name: Installing pre-requisites + shell: bash run: | set -x # Install some dependencies & premake5 @@ -64,9 +71,10 @@ runs: # Base64 decodes and pipes the GPG key content into the secret file - name: Prepare environment + shell: bash env: - GPG_KEY_CONTENTS: ${{ secrets.GPG_KEY_CONTENTS }} - SIGNING_SECRET_KEY_RING_FILE: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }} + GPG_KEY_CONTENTS: ${{ inputs.GPG-key-contents }} + SIGNING_SECRET_KEY_RING_FILE: ${{ inputs.signing-secret-key-ring-file }} run: | git fetch --unshallow sudo bash -c "echo '$GPG_KEY_CONTENTS' | base64 -d > '$SIGNING_SECRET_KEY_RING_FILE'" diff --git a/.github/actions/version-bump/action.yml b/.github/actions/version-bump/action.yml index 363e7cd4..c21546b3 100644 --- a/.github/actions/version-bump/action.yml +++ b/.github/actions/version-bump/action.yml @@ -17,33 +17,41 @@ inputs: description: "Minor" type: boolean default: false + Rive-repo-PAT: + description: "The GitHub Personal Access Token for the Rive repository" + required: true runs: using: "composite" steps: - name: Install dependencies + shell: bash run: npm ci working-directory: ./.github/scripts/release - name: Git config + shell: bash run: | git config --local user.email 'hello@rive.app' git config --local user.name ${{ github.actor }} - if: ${{ inputs.major == true }} name: Major Release - Bump version number, update changelog, push and tag + shell: bash run: npm run release -- major --ci working-directory: ./.github/scripts/release env: - GITHUB_TOKEN: ${{ secrets.RIVE_REPO_PAT }} + GITHUB_TOKEN: ${{ inputs.Rive-repo-PAT }} - if: ${{inputs.major == false && inputs.minor == true}} name: Minor release - Bump version number, update changelog, push and tag + shell: bash run: npm run release -- minor --ci working-directory: ./.github/scripts/release env: - GITHUB_TOKEN: ${{ secrets.RIVE_REPO_PAT }} + GITHUB_TOKEN: ${{ inputs.Rive-repo-PAT }} - if: ${{inputs.major == false && inputs.minor == false}} name: Build release - Bump version number, update changelog, push and tag + shell: bash run: npm run release -- --ci working-directory: ./.github/scripts/release env: - GITHUB_TOKEN: ${{ secrets.RIVE_REPO_PAT }} + GITHUB_TOKEN: ${{ inputs.Rive-repo-PAT }} diff --git a/.github/workflows/re-release.yml b/.github/workflows/re-release.yml index dab39463..89260234 100644 --- a/.github/workflows/re-release.yml +++ b/.github/workflows/re-release.yml @@ -4,6 +4,7 @@ # Note: We may want to consider GitHub Reusable Workflows instead of Composite Actions in the future. # See https://docs.github.com/en/actions/sharing-automations/avoiding-duplication for the differences. # Notably the logging visibility may improve by switching. +# Reusable workflows can also view secrets rather than requiring them as inputs. name: Re-Release @@ -18,9 +19,27 @@ jobs: id-token: write contents: read steps: + - name: Check out code + uses: actions/checkout@v4 + with: + submodules: true + token: ${{ secrets.PAT_GITHUB }} - name: Prepare uses: ./.github/actions/prepare + with: + actions-role: ${{ secrets.ACTIONS_ROLE }} + GPG-key-contents: ${{ secrets.GPG_KEY_CONTENTS }} + signing-secret-key-ring-file: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }} - name: Build uses: ./.github/actions/build - name: Deploy uses: ./.github/actions/deploy + with: + OSSRH-username: ${{ secrets.OSSRH_USERNAME }} + OSSRH-password: ${{ secrets.OSSRH_PASSWORD }} + UAT-OSSRH-username: ${{ secrets.UAT_OSSRH_USERNAME }} + UAT-OSSRH-password: ${{ secrets.UAT_OSSRH_PASSWORD }} + signing-key-id: ${{ secrets.SIGNING_KEY_ID }} + signing-password: ${{ secrets.SIGNING_PASSWORD }} + signing-secret-key-ring-file: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }} + Sonatype-staging-profile-id: ${{ secrets.SONATYPE_STAGING_PROFILE_ID }} diff --git a/.rive_head b/.rive_head index e1d36928..34ccab08 100644 --- a/.rive_head +++ b/.rive_head @@ -1 +1 @@ -28582ea0fda2be47d7a0f00eea28ee318a469111 +73977611cb80960092a765fc3a0ffdbb2c3d50b5