first commit - 1.0.0 #4
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Official Release | |
| # Required repository secrets: | |
| # - ANDROID_SIGNING_KEYSTORE_BASE64 | |
| # - ANDROID_SIGNING_STORE_PASSWORD | |
| # - ANDROID_SIGNING_KEY_ALIAS | |
| # - ANDROID_SIGNING_KEY_PASSWORD | |
| # | |
| on: | |
| push: | |
| tags: | |
| - "*" | |
| permissions: | |
| contents: write | |
| env: | |
| ANDROID_API: "26" | |
| GRADLE_ANDROID_NDK_VERSION: "26.3.11579264" | |
| STORMDNS_ANDROID_NDK_VERSION: "29.0.14206865" | |
| jobs: | |
| release: | |
| name: Build, sign, and publish release APKs | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout WhiteDNS | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Set up JDK | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: temurin | |
| java-version: "17" | |
| cache: gradle | |
| - name: Set up Android SDK | |
| uses: android-actions/setup-android@v3 | |
| - name: Install Android SDK packages | |
| run: | | |
| set -euo pipefail | |
| command -v sdkmanager | |
| yes | sdkmanager --licenses >/dev/null || true | |
| sdkmanager \ | |
| "platforms;android-36" \ | |
| "build-tools;36.0.0" \ | |
| "ndk;${GRADLE_ANDROID_NDK_VERSION}" \ | |
| "ndk;${STORMDNS_ANDROID_NDK_VERSION}" | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: third_party/StormDNS/go.mod | |
| cache-dependency-path: third_party/StormDNS/go.sum | |
| - name: Build StormDNS native clients | |
| run: | | |
| set -euo pipefail | |
| make stormdns \ | |
| NDK_HOST=linux-x86_64 \ | |
| NDK_ROOT="${ANDROID_HOME}/ndk/${STORMDNS_ANDROID_NDK_VERSION}" | |
| - name: Run unit tests | |
| run: ./gradlew testDebugUnitTest | |
| - name: Build unsigned release APKs | |
| run: | | |
| set -euo pipefail | |
| TAG_NAME="${GITHUB_REF_NAME}" | |
| VERSION_NAME="${TAG_NAME#v}" | |
| ./gradlew :app:assembleRelease \ | |
| -PWHITE_DNS_VERSION_NAME="${VERSION_NAME}" \ | |
| -PWHITE_DNS_VERSION_CODE="${GITHUB_RUN_NUMBER}" | |
| - name: Sign release APKs | |
| env: | |
| ANDROID_SIGNING_KEYSTORE_BASE64: ${{ secrets.ANDROID_SIGNING_KEYSTORE_BASE64 }} | |
| ANDROID_SIGNING_STORE_PASSWORD: ${{ secrets.ANDROID_SIGNING_STORE_PASSWORD }} | |
| ANDROID_SIGNING_KEY_ALIAS: ${{ secrets.ANDROID_SIGNING_KEY_ALIAS }} | |
| ANDROID_SIGNING_KEY_PASSWORD: ${{ secrets.ANDROID_SIGNING_KEY_PASSWORD }} | |
| run: | | |
| set -euo pipefail | |
| for secret_name in \ | |
| ANDROID_SIGNING_KEYSTORE_BASE64 \ | |
| ANDROID_SIGNING_STORE_PASSWORD \ | |
| ANDROID_SIGNING_KEY_ALIAS \ | |
| ANDROID_SIGNING_KEY_PASSWORD | |
| do | |
| if [[ -z "${!secret_name:-}" ]]; then | |
| echo "::error::Missing GitHub secret: ${secret_name}" | |
| exit 1 | |
| fi | |
| done | |
| TAG_NAME="${GITHUB_REF_NAME}" | |
| KEYSTORE_PATH="${RUNNER_TEMP}/whitedns-release.keystore" | |
| echo "${ANDROID_SIGNING_KEYSTORE_BASE64}" | base64 --decode > "${KEYSTORE_PATH}" | |
| BUILD_TOOLS_DIR="$(find "${ANDROID_HOME}/build-tools" -mindepth 1 -maxdepth 1 -type d | sort -V | tail -n 1)" | |
| mkdir -p dist | |
| shopt -s nullglob | |
| unsigned_apks=(app/build/outputs/apk/release/*-release-unsigned.apk) | |
| if (( ${#unsigned_apks[@]} == 0 )); then | |
| echo "::error::No unsigned release APKs found." | |
| exit 1 | |
| fi | |
| for unsigned_apk in "${unsigned_apks[@]}"; do | |
| base_name="$(basename "${unsigned_apk}" -release-unsigned.apk)" | |
| abi_name="${base_name#app-}" | |
| aligned_apk="${RUNNER_TEMP}/${base_name}-aligned.apk" | |
| signed_apk="dist/WhiteDNS-${TAG_NAME}-${abi_name}.apk" | |
| "${BUILD_TOOLS_DIR}/zipalign" -f -p 4 "${unsigned_apk}" "${aligned_apk}" | |
| "${BUILD_TOOLS_DIR}/apksigner" sign \ | |
| --ks "${KEYSTORE_PATH}" \ | |
| --ks-pass "pass:${ANDROID_SIGNING_STORE_PASSWORD}" \ | |
| --ks-key-alias "${ANDROID_SIGNING_KEY_ALIAS}" \ | |
| --key-pass "pass:${ANDROID_SIGNING_KEY_PASSWORD}" \ | |
| --out "${signed_apk}" \ | |
| "${aligned_apk}" | |
| "${BUILD_TOOLS_DIR}/apksigner" verify --verbose "${signed_apk}" | |
| done | |
| cp THIRD_PARTY_NOTICES.md "dist/WhiteDNS-${TAG_NAME}-THIRD_PARTY_NOTICES.md" | |
| (cd dist && shasum -a 256 * > SHA256SUMS.txt) | |
| - name: Publish GitHub Release | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| set -euo pipefail | |
| TAG_NAME="${GITHUB_REF_NAME}" | |
| RELEASE_TITLE="WhiteDNS ${TAG_NAME}" | |
| NOTES_FILE="${RUNNER_TEMP}/release-notes.md" | |
| cat > "${NOTES_FILE}" <<EOF | |
| Official WhiteDNS release for ${TAG_NAME}. | |
| WhiteDNS is not published on Google Play. APKs attached to this GitHub release are the official release artifacts for this tag. | |
| See LICENSE.MD, CONTRIBUTING.md, CLA.md, and TRADEMARK.MD before using or contributing to this project. | |
| EOF | |
| release_flags=() | |
| if [[ "${TAG_NAME}" =~ (alpha|beta|rc) ]]; then | |
| release_flags+=(--prerelease) | |
| fi | |
| if gh release view "${TAG_NAME}" >/dev/null 2>&1; then | |
| gh release upload "${TAG_NAME}" dist/* --clobber | |
| else | |
| gh release create "${TAG_NAME}" dist/* \ | |
| --title "${RELEASE_TITLE}" \ | |
| --notes-file "${NOTES_FILE}" \ | |
| "${release_flags[@]}" | |
| fi |