Generate F-Droid app repository #691
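# Generates the F-Droid repository from the apps listing and, when the run
# produced changes, commits them with update_repo.sh. It runs from the cron
# schedule below or on manual dispatch (optionally as a dry run).
name: Generate F-Droid repo

on:
  workflow_dispatch:
    inputs:
      dry-run:
        description: "Skips pushing changes when enabled. Optional. Defaults to false."
        type: boolean
        default: false
        required: false
  schedule:
    - cron: "45 2 * * *"

jobs:
  apps:
    name: "Generate repo from apps listing"
    runs-on: ubuntu-24.04
    env:
      _COMMIT_MSG_FILE: "${{ github.workspace }}/commit_message.tmp"
    # Only the OIDC id-token scope is granted to GITHUB_TOKEN; repository
    # writes use the GitHub App token generated further down.
    permissions:
      id-token: write
    steps:
      # NOTE(review): every bitwarden/gh-actions step in this job tracks the
      # mutable `main` branch, while the other actions are pinned to a commit
      # SHA. These steps handle the Azure login and the Key Vault secrets, so
      # consider pinning them to a reviewed commit SHA as well.
      - name: Log in to Azure
        uses: bitwarden/gh-actions/azure-login@main
        with:
          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Get Azure Key Vault secrets - GH Org
        id: get-kv-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: gh-org-bitwarden
          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"

      - name: Get Azure Key Vault secrets - f-droid
        id: get-kv-fdroid
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: gh-f-droid
          secrets: "FDROID-STORE-KEYSTORE-PASSWORD"

      - name: Get Azure Key Vault secrets - BW CI
        id: get-kv-secrets-ci
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: "bitwarden-ci"
          secrets: >
            github-gpg-private-key,
            github-gpg-private-key-passphrase

      # The app token is scoped to contents and pull-requests write only.
      - name: Generate GH App token
        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
        id: app-token
        with:
          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
          permission-contents: write
          permission-pull-requests: write

      # NOTE: intentionally checking out before downloading secrets, otherwise the downloaded files are removed.
      # This may be later solved by: https://github.com/actions/checkout/pull/2286
      - name: Checkout repo
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          token: ${{ steps.app-token.outputs.token }}
          # NOTE(review): the write-capable app token stays in the local git
          # config for every later step, including the PPA-installed
          # fdroidserver and metascoop. Presumably update_repo.sh needs it to
          # push; confirm, and prefer passing the token only to that step.
          persist-credentials: true

      # NOTE(review): the signing keystore is written inside the work tree.
      # Confirm fdroid/keystore.p12 is git-ignored so update_repo.sh cannot
      # stage it; no later step in this job removes it.
      - name: Download secrets
        env:
          ACCOUNT_NAME: bitwardenci
          CONTAINER_NAME: mobile
        run: |
          mkdir -p fdroid/repo
          az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \
            --name store_fdroid-keystore.jks --file fdroid/keystore.p12 --output none

      # Azure access is dropped before any repository or third-party code runs.
      - name: Log out from Azure
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
        with:
          gpg_private_key: ${{ steps.get-kv-secrets-ci.outputs.github-gpg-private-key }}
          passphrase: ${{ steps.get-kv-secrets-ci.outputs.github-gpg-private-key-passphrase }}
          git_user_signingkey: true
          git_commit_gpgsign: true

      - name: Set up Git
        run: |
          git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com"
          git config --local user.name "bitwarden-devops-bot"

      - name: Configure F-Droid server
        env:
          FDROID_STORE_KEYSTORE_PASSWORD: ${{ steps.get-kv-fdroid.outputs.FDROID-STORE-KEYSTORE-PASSWORD }}
        run: |
          if [ -f "fdroid/keystore.p12" ]; then
            echo "keystore found"
          else
            echo "keystore not found!"
            exit 1
          fi
          cp base_fdroid_config.yml fdroid/config.yml
          # Restrict the file before the keystore password is appended to it.
          chmod 0600 fdroid/config.yml
          # NOTE(review): the password is wrapped in single quotes without
          # escaping; a value containing ' would produce a broken config.yml.
          # Confirm the stored secret never contains one.
          echo "keypass: '$FDROID_STORE_KEYSTORE_PASSWORD'" >> fdroid/config.yml
          echo "keystorepass: '$FDROID_STORE_KEYSTORE_PASSWORD'" >> fdroid/config.yml

      # NOTE(review): fdroidserver comes from a PPA with no version pin, and it
      # later runs with the keystore, its password and the app token in reach.
      - name: Install F-Droid server software
        run: |
          sudo add-apt-repository ppa:fdroid/fdroidserver
          sudo apt-get update
          sudo apt-get install fdroidserver

      # Turns androguard's "res0/res1 must be zero" parser errors into
      # warnings, so APKs that trip those checks are still processed. This is a
      # deliberate relaxation of input validation on a system package; sed
      # exits 0 even when nothing matches, so the patch silently stops applying
      # if the upstream text changes.
      - name: Ignore F-Droid ResParseError
        run: |
          sudo sed -i 's|raise ResParserError("res0 must be zero!")|log.warning("res0 must be zero!")|g' /usr/lib/python3/dist-packages/androguard/core/bytecodes/axml/__init__.py
          sudo sed -i 's|raise ResParserError("res1 must be zero!")|log.warning("res1 must be zero!")|g' /usr/lib/python3/dist-packages/androguard/core/bytecodes/axml/__init__.py

      - name: Set up Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: metascoop/go.mod
          cache-dependency-path: metascoop/go.sum

      - name: Run metascoop
        id: run-metascoop
        env:
          GH_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          # Capture the exit status once. The default run shell is `bash -e`,
          # which would abort on a non-zero status before any branch ran, and
          # each `[ ... ]` test overwrites $?, so re-reading $? in a later
          # branch compares the test's status, not the script's.
          rc=0
          bash run_metascoop.sh "${_COMMIT_MSG_FILE}" || rc=$?
          if [ "$rc" -eq 0 ]; then
            echo "Changes detected"
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
          elif [ "$rc" -eq 2 ]; then
            echo "No changes detected"
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
          else
            echo "Unexpected exit code: $rc"
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
            # Mark the step as failed so the error is visible in the run;
            # continue-on-error still lets the cleanup step below execute.
            exit "$rc"
          fi
        continue-on-error: true

      # Removes the config holding the keystore password before the commit step.
      # NOTE(review): this is skipped if a step between "Configure F-Droid
      # server" and here fails; `if: always()` would make the cleanup
      # unconditional.
      - name: Delete F-Droid server config
        run: |
          rm -f fdroid/config.yml

      - name: Update repo
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          # Empty on scheduled runs, so only an explicit dispatch input of
          # true skips the push.
          _DRY_RUN: ${{ inputs.dry-run }}
          _METASCOOP_HAS_CHANGES: ${{ steps.run-metascoop.outputs.has_changes }}
        run: |
          if [ "$_DRY_RUN" = "true" ]; then
            echo "Dry run. Changes are not being saved."
          elif [ "$_METASCOOP_HAS_CHANGES" != "true" ]; then
            echo "No changes to save."
          else
            bash update_repo.sh "${_COMMIT_MSG_FILE}"
          fi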