npm has recently limited the lifetime of all access tokens to 90 days (https://gh.io/npm-token-changes), so it would be a bit inconvenient to stick to our current access token-based method of publishing releases. Meanwhile npm has implemented a more secure publishing method based on OIDC in which you tell the registry that a particular GitHub Actions workflow should be a "trusted publisher" for a given package, and then the CLI will authenticate automatically. (https://docs.npmjs.com/trusted-publishers) I've already set trusted publishing up on the registry side, and since we're already granting the job permission to generate ID tokens for provenance, there should be no additional lines of config needed to make it work. Let's take away the access token and see how this goes next time we release.
name: 'Build & publish embedded packages for releases'

# Triggers. Only a published release performs a real publish; the versioning
# job sets DRY_RUN to true for every other event, so pull requests and pushes
# to `livekit` exercise the packaging steps without releasing anything.
on:
  release:
    types:
      - published
  pull_request:
    types: [synchronize, opened, labeled]
  push:
    branches:
      - livekit

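# Hardening applied throughout this mapping: values that originate from the
# release tag (VERSION and everything derived from it) and from the release
# event are handed to shell steps through `env:` and read as quoted shell
# variables. They are no longer expanded by `${{ }}` into the script text, so a
# tag name containing shell metacharacters cannot alter the command that runs.
# The only `${{ }}` expressions left inside `run:` scripts evaluate to fixed
# literals ('true'/'false', '--dry-run' or the empty string).
jobs:
  versioning:
    name: Versioning
    runs-on: ubuntu-latest
    # This job only echoes values into $GITHUB_ENV / $GITHUB_OUTPUT and never
    # uses GITHUB_TOKEN, so it is given no token permissions at all.
    permissions: {}
    outputs:
      DRY_RUN: ${{ steps.dry_run.outputs.DRY_RUN }}
      PREFIXED_VERSION: ${{ steps.prefixed_version.outputs.PREFIXED_VERSION }}
      UNPREFIXED_VERSION: ${{ steps.unprefixed_version.outputs.UNPREFIXED_VERSION }}
      TAG: ${{ steps.tag.outputs.TAG }}
    steps:
      - name: Calculate VERSION
        # We should only use the hard coded test value for a dry run
        env:
          # The tag name is chosen by whoever creates the release; keep it out
          # of the script text and let the shell read it as data.
          RELEASE_TAG: ${{ github.event_name == 'release' && github.event.release.tag_name || 'v0.0.0-pre.0' }}
        run: echo "VERSION=${RELEASE_TAG}" >> "$GITHUB_ENV"
      - id: dry_run
        name: Set DRY_RUN
        # We perform a dry run for all events except releases.
        # This is to help make sure that we notice if the packaging process has become
        # broken ahead of a release.
        run: echo "DRY_RUN=${{ github.event_name != 'release' }}" >> "$GITHUB_OUTPUT"
      - id: prefixed_version
        name: Set PREFIXED_VERSION
        run: echo "PREFIXED_VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
      - id: unprefixed_version
        name: Set UNPREFIXED_VERSION
        # This just strips the leading character
        run: echo "UNPREFIXED_VERSION=${VERSION:1}" >> "$GITHUB_OUTPUT"
      - id: tag
        # latest = a proper release
        # other = anything else
        name: Set tag
        run: |
          if [[ "${VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "TAG=latest" >> "$GITHUB_OUTPUT"
          elif [[ "${VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+\-rc\.[0-9]+$ ]]; then
            echo "TAG=rc" >> "$GITHUB_OUTPUT"
          else
            echo "TAG=other" >> "$GITHUB_OUTPUT"
          fi

  # NOTE(review): neither this job nor the top level of the workflow sets
  # `permissions:`, so the called workflow runs with the repository's default
  # GITHUB_TOKEN scopes. Confirm what build-element-call.yaml needs and pin it.
  build_element_call:
    needs: versioning
    uses: ./.github/workflows/build-element-call.yaml
    with:
      vite_app_version: embedded-${{ needs.versioning.outputs.PREFIXED_VERSION }}
      package: embedded
    secrets:
      SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
      SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
      SENTRY_URL: ${{ secrets.SENTRY_URL }}
      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

  # NOTE(review): `if: always()` (here and on the other publish jobs) starts
  # the job even when build_element_call failed or was cancelled. Confirm that
  # is intended.
  publish_tarball:
    needs: [build_element_call, versioning]
    if: always()
    name: Publish tarball
    runs-on: ubuntu-latest
    permissions:
      contents: write # required to upload release asset
    steps:
      - name: Determine filename
        env:
          UNPREFIXED_VERSION: ${{ needs.versioning.outputs.UNPREFIXED_VERSION }}
        run: echo "FILENAME_PREFIX=element-call-embedded-${UNPREFIXED_VERSION}" >> "$GITHUB_ENV"
      - name: 📥 Download built element-call artifact
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id || github.run_id }}
          name: build-output-embedded
          path: ${{ env.FILENAME_PREFIX}}
      - name: Create Tarball
        # FILENAME_PREFIX is already in the step environment via $GITHUB_ENV.
        run: tar --numeric-owner -cvzf "${FILENAME_PREFIX}.tar.gz" "${FILENAME_PREFIX}"
      - name: Create Checksum
        # Hashes each file inside the directory (sorted for a stable listing),
        # not the tarball itself.
        run: find "${FILENAME_PREFIX}" -type f -print0 | sort -z | xargs -0 sha256sum | tee "${FILENAME_PREFIX}.sha256"
      - name: Upload
        if: ${{ needs.versioning.outputs.DRY_RUN == 'false' }}
        uses: softprops/action-gh-release@aec2ec56f94eb8180ceec724245f64ef008b89f5 # v2
        with:
          files: |
            ${{ env.FILENAME_PREFIX }}.tar.gz
            ${{ env.FILENAME_PREFIX }}.sha256

  # Publishes to npm through OIDC trusted publishing: no registry token is
  # passed to this job.
  # NOTE(review): `id-token: write` is granted on every trigger, including
  # pull_request dry runs, so what may actually publish is decided by the
  # trusted-publisher entry on the registry, which is not visible here. Confirm
  # it is bound to this workflow file and, ideally, to a protected GitHub
  # environment.
  publish_npm:
    needs: [build_element_call, versioning]
    if: always()
    name: Publish NPM
    runs-on: ubuntu-latest
    outputs:
      ARTIFACT_VERSION: ${{ steps.artifact_version.outputs.ARTIFACT_VERSION }}
    permissions:
      contents: read
      id-token: write # Allow npm to authenticate as a trusted publisher
    steps:
      - name: Checkout
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4

      - name: 📥 Download built element-call artifact
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id || github.run_id }}
          name: build-output-embedded
          path: embedded/web/dist

      # n.b. We don't enable corepack here because we are using plain npm
      # NOTE(review): npm's trusted-publisher documentation requires npm CLI
      # 11.5.1 or later; confirm the npm bundled with the Node version in
      # .node-version meets that, otherwise the publish has no credential.
      - name: Setup node
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version-file: .node-version
          registry-url: "https://registry.npmjs.org"

      - name: Publish npm
        working-directory: embedded/web
        env:
          PREFIXED_VERSION: ${{ needs.versioning.outputs.PREFIXED_VERSION }}
          DIST_TAG: ${{ needs.versioning.outputs.TAG }}
        run: |
          npm version "${PREFIXED_VERSION}" --no-git-tag-version
          echo "ARTIFACT_VERSION=$(jq '.version' --raw-output package.json)" >> "$GITHUB_ENV"
          npm publish --provenance --access public --tag "${DIST_TAG}" ${{ needs.versioning.outputs.DRY_RUN == 'true' && '--dry-run' || '' }}

      - id: artifact_version
        name: Output artifact version
        run: echo "ARTIFACT_VERSION=${ARTIFACT_VERSION}" >> "$GITHUB_OUTPUT"

  publish_android:
    needs: [build_element_call, versioning]
    if: always()
    name: Publish Android AAR
    runs-on: ubuntu-latest
    outputs:
      ARTIFACT_VERSION: ${{ steps.artifact_version.outputs.ARTIFACT_VERSION }}
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4

      - name: 📥 Download built element-call artifact
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id || github.run_id }}
          name: build-output-embedded
          path: embedded/android/lib/src/main/assets/element-call

      - name: ☕️ Setup Java
        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4
        with:
          distribution: "temurin"
          java-version: "17"

      - name: Get artifact version
        # Anything that is not a final release will be tagged as a snapshot
        env:
          RELEASE_KIND: ${{ needs.versioning.outputs.TAG }}
          UNPREFIXED_VERSION: ${{ needs.versioning.outputs.UNPREFIXED_VERSION }}
        run: |
          if [[ "${RELEASE_KIND}" == "latest" ]]; then
            echo "ARTIFACT_VERSION=${UNPREFIXED_VERSION}" >> "$GITHUB_ENV"
          elif [[ "${RELEASE_KIND}" == "rc" ]]; then
            echo "ARTIFACT_VERSION=${UNPREFIXED_VERSION}" >> "$GITHUB_ENV"
          else
            echo "ARTIFACT_VERSION=${UNPREFIXED_VERSION}-SNAPSHOT" >> "$GITHUB_ENV"
          fi

      - name: Set version string
        run: sed -i "s/0.0.0/${ARTIFACT_VERSION}/g" embedded/android/lib/src/main/kotlin/io/element/android/call/embedded/Version.kt

      # NOTE(review): the Maven Central credentials and the signing key are
      # placed in the environment on dry runs too, and the Gradle build that
      # reads them comes from the checked-out ref. Consider supplying them only
      # when DRY_RUN is 'false', or gating this job behind a protected
      # environment.
      - name: Publish AAR
        working-directory: embedded/android
        env:
          EC_VERSION: ${{ env.ARTIFACT_VERSION }}
          ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.MAVEN_RELEASE_USERNAME }}
          ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.MAVEN_RELEASE_PASSWORD }}
          ORG_GRADLE_PROJECT_signingInMemoryKey: ${{ secrets.GPG_SIGNING_KEY }}
          ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.GPG_SIGNING_KEY_PASSWORD }}
        run: ./gradlew publishToMavenCentral --no-daemon ${{ needs.versioning.outputs.DRY_RUN == 'true' && '--dry-run' || '' }}

      - id: artifact_version
        name: Output artifact version
        run: echo "ARTIFACT_VERSION=${ARTIFACT_VERSION}" >> "$GITHUB_OUTPUT"

  publish_ios:
    needs: [build_element_call, versioning]
    if: always()
    name: Publish SwiftPM Library
    runs-on: ubuntu-latest
    outputs:
      ARTIFACT_VERSION: ${{ steps.artifact_version.outputs.ARTIFACT_VERSION }}
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
        with:
          path: element-call

      - name: 📥 Download built element-call artifact
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id || github.run_id }}
          name: build-output-embedded
          path: element-call/embedded/ios/Sources/dist

      # NOTE(review): actions/checkout keeps the token in the clone's git
      # config by default (persist-credentials), which the later push relies
      # on. It is therefore on disk while `swift build` runs the package copied
      # in from this repository, on dry runs as well. Confirm
      # SWIFT_RELEASE_TOKEN is scoped to element-call-swift only.
      - name: Checkout element-call-swift
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
        with:
          repository: element-hq/element-call-swift
          path: element-call-swift
          token: ${{ secrets.SWIFT_RELEASE_TOKEN }}

      - name: Copy files
        run: rsync -a --delete --exclude .git element-call/embedded/ios/ element-call-swift

      - name: Get artifact version
        env:
          UNPREFIXED_VERSION: ${{ needs.versioning.outputs.UNPREFIXED_VERSION }}
        run: echo "ARTIFACT_VERSION=${UNPREFIXED_VERSION}" >> "$GITHUB_ENV"

      - name: Set version string
        run: sed -i "s/0.0.0/${ARTIFACT_VERSION}/g" element-call-swift/Sources/EmbeddedElementCall/EmbeddedElementCall.swift

      - name: Test build
        working-directory: element-call-swift
        run: swift build

      - name: Commit and tag
        working-directory: element-call-swift
        env:
          PREFIXED_VERSION: ${{ needs.versioning.outputs.PREFIXED_VERSION }}
          # Empty on every event other than `release`.
          RELEASE_URL: ${{ github.event.release.html_url }}
        run: |
          git config --global user.email "ci@element.io"
          git config --global user.name "Element CI"
          git add -A
          git commit -am "Release ${PREFIXED_VERSION}"
          git tag -a "${ARTIFACT_VERSION}" -m "${RELEASE_URL}"

      - name: Push
        working-directory: element-call-swift
        run: |
          git push --tags ${{ needs.versioning.outputs.DRY_RUN == 'true' && '--dry-run' || '' }}

      - id: artifact_version
        name: Output artifact version
        run: echo "ARTIFACT_VERSION=${ARTIFACT_VERSION}" >> "$GITHUB_OUTPUT"

  # NOTE(review): with `if: always()` this job also runs when a publish job
  # failed, in which case that job's ARTIFACT_VERSION output is presumably
  # empty and the appended install snippet would be incomplete. Confirm.
  release_notes:
    needs: [versioning, publish_npm, publish_android, publish_ios]
    if: always()
    name: Update release notes
    runs-on: ubuntu-latest
    permissions:
      contents: write # to update release notes
    steps:
      - name: Log versions
        env:
          NPM_VERSION: ${{ needs.publish_npm.outputs.ARTIFACT_VERSION }}
          ANDROID_VERSION: ${{ needs.publish_android.outputs.ARTIFACT_VERSION }}
          IOS_VERSION: ${{ needs.publish_ios.outputs.ARTIFACT_VERSION }}
        run: |
          echo "NPM: ${NPM_VERSION}"
          echo "Android: ${ANDROID_VERSION}"
          echo "iOS: ${IOS_VERSION}"
      - name: Add release notes
        if: ${{ needs.versioning.outputs.DRY_RUN == 'false' }}
        uses: softprops/action-gh-release@aec2ec56f94eb8180ceec724245f64ef008b89f5 # v2
        with:
          append_body: true
          # The expressions below are expanded into an action input, not into
          # a shell script.
          body: |

            ## Embedded packages

            This release includes the following embedded packages that allow Element Call to be used as an embedded widget
            within another application.

            ### NPM

            ```
            npm install @element-hq/element-call-embedded@${{ needs.publish_npm.outputs.ARTIFACT_VERSION }}
            ```

            ### Android AAR

            ```
            dependencies {
              implementation 'io.element.android:element-call-embedded:${{ needs.publish_android.outputs.ARTIFACT_VERSION }}'
            }
            ```

            ### SwiftPM

            ```
            .package(url: "https://github.com/element-hq/element-call-swift.git", from: "${{ needs.publish_ios.outputs.ARTIFACT_VERSION }}")
            ```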