* fix: set persist-credentials explicitly for checkout https://woodruffw.github.io/zizmor/audits/#artipacked * fix: minimize permissions scope for workflows https://woodruffw.github.io/zizmor/audits/#excessive-permissions * fix: remove potential template injections https://woodruffw.github.io/zizmor/audits/#template-injection * fix: only pass needed secrets in workflow_call https://woodruffw.github.io/zizmor/audits/#secrets-inherit * fix: push perm for single-arch build jobs I hadn't realised these push to the registry too :x * chore: fix formatting * fix: $ * fix: retag job quoting --------- Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
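name: Build Mobile

# Triggers:
#  - workflow_dispatch: manual run from the Actions tab.
#  - workflow_call: invoked by another workflow in this repository. The caller
#    may pass a `ref` to build and must hand over exactly the four signing
#    secrets listed below (no `secrets: inherit`, so nothing else crosses the
#    boundary).
#  - pull_request / push to main: ordinary CI builds.
on:
  workflow_dispatch:
  workflow_call:
    inputs:
      ref:
        required: false
        type: string
    secrets:
      KEY_JKS:
        required: true
      ALIAS:
        required: true
      ANDROID_KEY_PASSWORD:
        required: true
      ANDROID_STORE_PASSWORD:
        required: true
  pull_request:
  push:
    branches: [main]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Deny every GITHUB_TOKEN scope by default; each job re-grants only what it needs.
permissions: {}

jobs:
  pre-job:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      # Build when the mobile sources changed, or when a force condition holds.
      should_run: ${{ steps.found_paths.outputs.mobile == 'true' || steps.should_force.outputs.should_force == 'true' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps to read.
          persist-credentials: false

      - id: found_paths
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
        with:
          filters: |
            mobile:
              - 'mobile/**'
            workflow:
              - '.github/workflows/build-mobile.yml'

      - name: Check if we should force jobs to run
        id: should_force
        env:
          # The expression is reduced to a plain `true`/`false` by the
          # expression engine before the shell starts, and is handed over via
          # env so no context value is ever spliced into the script text
          # (zizmor's template-injection audit).
          #
          # NOTE(review): inside a reusable workflow the `github` context belongs
          # to the *caller*, so `github.event_name` is the caller's triggering
          # event (push, workflow_dispatch, ...) and the `== 'workflow_call'`
          # term likely never matches. Forcing therefore works for
          # dispatch-triggered callers only; confirm against the calling
          # workflow and consider a dedicated boolean input if push/tag-triggered
          # callers exist.
          SHOULD_FORCE: ${{ steps.found_paths.outputs.workflow == 'true' || github.event_name == 'workflow_call' || github.event_name == 'workflow_dispatch' }}
        run: echo "should_force=${SHOULD_FORCE}" >> "$GITHUB_OUTPUT"

  build-sign-android:
    name: Build and sign Android
    needs: pre-job
    permissions:
      contents: read
    # Skip when PR from a fork (secrets are not available there anyway) and for
    # dependabot. Same-repo PR branches DO run this job and therefore use the
    # release signing key: anyone who can push a branch to this repository can
    # produce a signed build.
    if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.pre-job.outputs.should_run == 'true' }}
    runs-on: macos-14

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          # A caller may choose the ref to build; otherwise build the
          # triggering commit.
          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false

      # NOTE(review): Gradle and Flutter caches are restored into a job that
      # emits signed artifacts (zizmor `cache-poisoning`). Restores are limited
      # to caches created on the current or the default branch, which bounds
      # the exposure; if a caller uses this workflow to cut releases, consider
      # disabling caching on that path.
      - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4
        with:
          distribution: 'zulu'
          java-version: '17'
          cache: 'gradle'

      - name: Setup Flutter SDK
        uses: subosito/flutter-action@e938fdf56512cc96ef2f93601a5a40bde3801046 # v2
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
          cache: true

      - name: Create the Keystore
        env:
          # base64-encoded JKS keystore. Passed through env rather than
          # interpolated into the script so it never appears in command text.
          KEY_JKS: ${{ secrets.KEY_JKS }}
        working-directory: ./mobile
        # Quoted: the previous unquoted `echo $KEY_JKS` word-split the value
        # (a line-wrapped base64 blob would be joined with spaces and may fail
        # to decode) and was subject to globbing. The keystore lives only on the
        # ephemeral runner and is never part of the published artifact — keep
        # the upload `path` below narrow so that stays true.
        run: printf '%s' "$KEY_JKS" | base64 -d > android/key.jks

      - name: Get Packages
        working-directory: ./mobile
        run: flutter pub get

      - name: Generate translation file
        run: make translation
        working-directory: ./mobile

      # NOTE(review): despite the step name these commands build APKs
      # (`flutter build apk`), not an App Bundle. Signing presumably reads the
      # three env vars plus android/key.jks from the Gradle config — confirm in
      # mobile/android/app/build.gradle.
      - name: Build Android App Bundle
        working-directory: ./mobile
        env:
          ALIAS: ${{ secrets.ALIAS }}
          ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
          ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
        run: |
          flutter build apk --release
          flutter build apk --release --split-per-abi --target-platform android-arm,android-arm64,android-x64

      - name: Publish Android Artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: release-apk-signed
          # Only the APKs — never the keystore or the rest of the build tree.
          path: mobile/build/app/outputs/flutter-apk/*.apk
          # Fail the job rather than publish an empty artifact when the build
          # produced no APKs (the action's default merely warns).
          if-no-files-found: error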