diff --git a/.github/workflows/release-suite-desktop-web-production.yml b/.github/workflows/release-suite-desktop-web-production.yml
new file mode 100644
index 00000000000..54f9dbb007c
--- /dev/null
+++ b/.github/workflows/release-suite-desktop-web-production.yml
@@ -0,0 +1,119 @@
+name: "[Release] publish suite-desktop and suite-web production"
+
+permissions:
+ id-token: write # for fetching the OIDC token
+ contents: read # for actions/checkout
+
+on:
+ workflow_dispatch:
+ inputs:
+ destkopReleaseChannel:
+ description: "Select the release channel for suite-desktop."
+ required: false
+ type: choice
+ options:
+ - canary
+ - latest
+ publishWebProduction:
+ description: "Publish suite-web production."
+ required: false
+ type: boolean
+ default: false
+ updateStagingPercentage:
+ description: "Set the percentage of users that will be updated to the new version."
+ required: false
+ type: boolean
+ default: false
+ setStagingPercentage:
+ description: "Set the percentage of users that will be updated to the new version."
+ required: false
+ type: string
+
+jobs:
+ sync-canary-suite-desktop:
+ if: ${{ github.event.inputs.destkopReleaseChannel == 'canary' }} && github.repository == 'trezor/trezor-suite-release'
+ name: "Syncing suite-desktop canary"
+ environment: suite-production
+ runs-on: ubuntu-latest
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::538326561891:role/gh_actions_suite_production
+ aws-region: eu-central-1
+
+ - name: Sync suite-desktop canary
+ run: |
+ aws s3 sync --delete s3://staging-data.trezor.io/suite/releases/desktop/latest/ s3://data.trezor.io/suite/releases/desktop/canary/
+ aws cloudfront create-invalidation --distribution-id E1ERY5K2OTKKI1 --paths "/suite/releases/desktop/canary/*"
+
+ sync-latest-suite-desktop:
+ if: ${{ github.event.inputs.destkopReleaseChannel == 'latest' }} && github.repository == 'trezor/trezor-suite-release'
+ name: "Syncing suite-desktop latest"
+ environment: suite-production
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: 
arn:aws:iam::538326561891:role/gh_actions_suite_production
+ aws-region: eu-central-1
+
+ - name: Sync suite-desktop latest
+ run: |
+ aws s3 sync --delete s3://staging-data.trezor.io/suite/releases/desktop/latest/ s3://data.trezor.io/suite/releases/desktop/latest/
+ aws cloudfront create-invalidation --distribution-id E1ERY5K2OTKKI1 --paths "/suite/releases/desktop/latest/*"
+
+ sync-staging-website:
+ if: ${{ github.event.inputs.publishWebProduction == true }} && github.repository == 'trezor/trezor-suite-release'
+ name: "Syncing suite-desktop canary"
+ environment: suite-production
+ runs-on: ubuntu-latest
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::538326561891:role/gh_actions_suite_production
+ aws-region: eu-central-1
+
+ - name: Sync suite-web staging to production
+ run: |
+ aws s3 sync s3://staging-suite.trezor.io s3://suite.trezor.io
+ aws cloudfront create-invalidation --distribution-id E4TDVEWU4P4CY --paths "/*"
+
+ update-prod-staging-percentage:
+ if: ${{ github.event.inputs.updateStagingPercentage == true }} && github.repository == 'trezor/trezor-suite-release'
+ name: "Update staging percentage"
+ environment: suite-production
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::538326561891:role/gh_actions_suite_production
+ aws-region: eu-central-1
+
+ - name: Update staging percentage
+ run: |
+ aws s3 cp s3://data.trezor.io/suite/releases/desktop/latest/latest.yml .
+ aws s3 cp s3://data.trezor.io/suite/releases/desktop/latest/latest-mac.yml .
+ aws s3 cp s3://data.trezor.io/suite/releases/desktop/latest/latest-linux.yml .
+ aws s3 cp s3://data.trezor.io/suite/releases/desktop/latest/latest-linux-arm64.yml .
+
+ yq '.stagingPercentage = ${{ github.event.inputs.setStagingPercentage }}' -i latest.yml
+ yq '.stagingPercentage = ${{ github.event.inputs.setStagingPercentage }}' -i latest-mac.yml
+ yq '.stagingPercentage = ${{ github.event.inputs.setStagingPercentage }}' -i latest-linux.yml
+ yq '.stagingPercentage = ${{ github.event.inputs.setStagingPercentage }}' -i latest-linux-arm64.yml
+
+ aws s3 cp latest.yml s3://data.trezor.io/suite/releases/desktop/latest/latest.yml
+ aws s3 cp latest-mac.yml s3://data.trezor.io/suite/releases/desktop/latest/latest-mac.yml
+ aws s3 cp latest-linux.yml s3://data.trezor.io/suite/releases/desktop/latest/latest-linux.yml
+ aws s3 cp latest-linux-arm64.yml s3://data.trezor.io/suite/releases/desktop/latest/latest-linux-arm64.yml
+
+ - name: Invalidate CloudFront cache
+ run: |
+ aws cloudfront create-invalidation --distribution-id E1ERY5K2OTKKI1 --paths "/suite/releases/desktop/latest/*"
diff --git a/.github/workflows/release-suite-desktop-web-staging.yml b/.github/workflows/release-suite-desktop-web-staging.yml
new file mode 100644
index 00000000000..274e06e291e
--- /dev/null
+++ b/.github/workflows/release-suite-desktop-web-staging.yml
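Review bot: Every job gate in this file has the form `${{ ... }} && github.repository == ...`, and an `if:` with text outside the `${{ }}` is evaluated by GitHub as a plain string, which is truthy (actionlint reports this as "always evaluated to true"), so on every dispatch all four jobs run together — including the `--delete` sync into `data.trezor.io/.../latest/`, the production web publish and the staging-percentage rewrite — whatever inputs the operator chose. Drop the braces so the whole condition is one expression, e.g. `if: github.event.inputs.destkopReleaseChannel == 'canary' && github.repository == 'trezor/trezor-suite-release'`, and for the boolean inputs compare the typed `inputs.publishWebProduction == true` (or `github.event.inputs.publishWebProduction == 'true'`, since `github.event.inputs` values are always strings), otherwise those two jobs will never run once the gate is real. In `Update staging percentage` the free-text `setStagingPercentage` input is interpolated straight into the shell via `${{ }}`, a script-injection sink for anyone able to dispatch the workflow, and an empty optional input leaves `yq '.stagingPercentage = '`, which fails; pass it as `env: { PCT: "${{ inputs.setStagingPercentage }}" }` and validate with `[[ "$PCT" =~ ^[0-9]{1,3}$ && "$PCT" -le 100 ]] || exit 1` before `yq ".stagingPercentage = $PCT" -i latest.yml`. The `sync-staging-website` job is still titled `"Syncing suite-desktop canary"`.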
@@ -0,0 +1,203 @@
+name: "[Release] suite-desktop and suite-web staging"
+
+on:
+ workflow_dispatch:
+ inputs:
+ createTestRelease:
+ description: "Create a test release."
+ required: false
+ type: boolean
+ default: false
+
+env:
+ IS_CODESIGN_BUILD: "true"
+ DESKTOP_APP_NAME: "Trezor-Suite"
+ APPLEID: ${{ secrets.APPLEID }}
+ APPLEIDPASS: ${{ secrets.APPLEIDPASS }}
+ APPLETEAMID: ${{ secrets.APPLETEAMID }}
+ CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+ CSC_LINK: ${{ secrets.CSC_LINK }}
+ GPG_CSC_KEY_PASSWORD: ${{ secrets.GPG_CSC_KEY_PASSWORD }}
+ GPG_CSC_LINK: ${{ secrets.GPG_CSC_LINK }}
+ GPG_CSC_USERID: ${{ secrets.GPG_CSC_USERID }}
+ JWS_PRIVATE_KEY_ENV: ${{ secrets.JWS_PRIVATE_KEY_ENV }}
+ WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
+ WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
+ WINDOWS_SIGN_TOKEN_PASSWORD: ${{ secrets.WINDOWS_SIGN_TOKEN_PASSWORD }}
+ WINDOWS_SIGN_CERTIFICATE_NAME: ${{ secrets.WINDOWS_SIGN_CERTIFICATE_NAME }}
+
+permissions:
+ id-token: write # for fetching the OIDC token
+ contents: read # for actions/checkout
+
+concurrency:
+ group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ suite-desktop:
+ environment: suite-production
+ if: github.repository == 'trezor/trezor-suite-release'
+ name: Build suite-desktop-${{ matrix.platform }}
+ runs-on: ${{ matrix.os }}
+ timeout-minutes: 20
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - os: macos-sign
+ platform: linux
+ - os: macos-sign
+ platform: mac
+ - os: macos-sign-win-token
+ platform: win
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ lfs: true
+ submodules: recursive
+ - name: Install node and yarn
+ uses: actions/setup-node@v4
+ with:
+ node-version-file: ".nvmrc"
+
+ - name: Install deps and build libs
+ run: |
+ yarn install --immutable
+ yarn message-system-sign-config
+ yarn workspace @trezor/suite-data build:lib
+ yarn workspace @trezor/transport-bridge build:lib
+ - name: Build 
${{ matrix.platform }} suite-desktop
+ run: |
+ yarn workspace @trezor/suite-desktop build:${{ matrix.platform }}
+ bash packages/suite-desktop-core/scripts/gnupg-sign.sh
+ mv packages/suite-desktop/build-electron/* .
+ - name: Upload suite-desktop production artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: suite-desktop-${{ matrix.platform }}
+ path: |
+ Trezor-Suite*
+ latest*.yml
+ retention-days: 7
+
+ suite-desktop-github-release:
+ if: github.repository == 'trezor/trezor-suite-release'
+ name: Create GitHub draft release
+ environment: suite-production
+ runs-on: ubuntu-latest
+ needs: suite-desktop
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ # checkout is only needed for the version number for draft release
+ - name: Download suite-desktop apps
+ uses: actions/download-artifact@v4
+ with:
+ pattern: suite-desktop-*
+ merge-multiple: true
+ path: ./
+
+ - name: Create GitHub draft release
+ env:
+ GITHUB_TOKEN: ${{ secrets.TREZOR_BOT_TOKEN }}
+ run: |
+ gh config set prompt disabled
+ VERSION=$(jq -r .suiteVersion packages/suite/package.json)
+ gh release create --repo trezor/trezor-suite --draft v${VERSION} --title "v${VERSION}" ./Trezor-Suite* latest*
+
+
+ suite-desktop-autoupdate-release:
+ if: github.repository == 'trezor/trezor-suite-release'
+ name: Release suite-desktop auto-update to staging data.trezor.io
+ environment: suite-production
+ runs-on: ubuntu-latest
+ needs: suite-desktop
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::538326561891:role/gh_actions_suite_production
+ aws-region: eu-central-1
+ - name: Download suite-desktop apps
+ uses: actions/download-artifact@v4
+ with:
+ pattern: suite-desktop-*
+ merge-multiple: true
+ path: ./trezor-suite-files
+
+ - name: Upload suite-desktop to staging-data.trezor.io
+ run: |
+ # uploads the files to the staging bucket canary folder 
(canary does not have staging percentage set)
+ aws s3 sync --delete ./trezor-suite-files s3://staging-data.trezor.io/suite/releases/desktop/canary
+ # configures the default staging percentage to 20% for production
+ yq '.stagingPercentage = 20' -i ./trezor-suite-files/latest.yml
+ yq '.stagingPercentage = 20' -i ./trezor-suite-files/latest-mac.yml
+ yq '.stagingPercentage = 20' -i ./trezor-suite-files/latest-linux.yml
+ yq '.stagingPercentage = 20' -i ./trezor-suite-files/latest-linux-arm64.yml
+ VERSION=$(jq -r .suiteVersion packages/suite/package.json)
+ aws s3 sync --delete ./trezor-suite-files s3://staging-data.trezor.io/suite/releases/desktop/latest
+ aws s3 sync --delete s3://staging-data.trezor.io/suite/releases/desktop/latest/ s3://staging-data.trezor.io/suite/releases/desktop/v${VERSION}/
+
+ build-web:
+ if: github.repository == 'trezor/trezor-suite-release'
+ name: Build suite-web and deploy to staging-suite.trezor.io
+ environment: suite-production
+ runs-on: ubuntu-latest
+ needs: suite-desktop
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::538326561891:role/gh_actions_suite_production
+ aws-region: eu-central-1
+ - name: Setup node
+ uses: actions/setup-node@v4
+ with:
+ node-version-file: ".nvmrc"
+ cache: yarn
+ - name: Install dependencies
+ run: |
+ echo -e "\nenableScripts: false" >> .yarnrc.yml
+ echo -e "\nenableHardenedMode: false" >> .yarnrc.yml
+ yarn workspaces focus @trezor/suite-web @trezor/connect-iframe @trezor/connect-web @trezor/suite-data @trezor/suite-build
+
+ - name: Build suite-web
+ env:
+ ASSET_PREFIX: /web
+ STAGING_SUITE_SERVER_URL: https://staging-suite.trezor.io
+ run: |
+ yarn message-system-sign-config
+ yarn workspace @trezor/suite-data build:lib
+ yarn workspace @trezor/connect-iframe build:lib
+ yarn workspace @trezor/connect-web build
+ yarn workspace @trezor/suite-web build
+
+ - 
name: Download suite-desktop apps
+ uses: actions/download-artifact@v4
+ with:
+ pattern: suite-desktop-*
+ merge-multiple: true
+ path: packages/suite-web/build/static/desktop
+
+ # this step should upload build result to s3 bucket staging-suite.trezor.io using awscli
+ - name: Upload suite-web to staging-suite.trezor.io
+ run: |
+ cd packages/suite-web
+ ./scripts/s3sync.sh staging-suite
+
+ create-test-release:
+ if: github.repository == 'trezor/trezor-suite-release' && github.event.inputs.createTestRelease == true
+ name: Create test release
+ environment: suite-production
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ #TODO! finis the action to update version build app ad deploy it for testing autoupdate. This will only run if the input createTestRelease is set to true.
+ - run: echo "Creating test release"
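Review bot: The workflow-level `env:` block hands every signing secret — the Apple notarization credentials, `CSC_LINK`/`GPG_CSC_LINK`/`WIN_CSC_LINK` and their passwords, `JWS_PRIVATE_KEY_ENV`, `WINDOWS_SIGN_TOKEN_PASSWORD` — to every step of every job, including `build-web`, the draft-release job with the `TREZOR_BOT_TOKEN`, the `create-test-release` stub, and each third-party action they run (`setup-node`, `upload-artifact`, `download-artifact`), while only the `Build … suite-desktop` step on the `macos-sign*` runners can need them; move that block to `jobs.suite-desktop.env` (better, to the build step's own `env:`) so a compromised dependency or action in any other job cannot read the release keys. `enableHardenedMode: false` in `Install dependencies` explicitly switches off Yarn's hardened-mode lockfile/checksum verification on the web build that is pushed to staging and later synced to production; unless something actually breaks under it, leave hardened mode on (the desktop job's `yarn install --immutable` is the stricter pattern) and add a comment saying why if it must stay. The `create-test-release` gate `github.event.inputs.createTestRelease == true` compares a string with a boolean and never matches — the typed `inputs.createTestRelease == true` is what was meant (harmless today since the job is a stub). The concurrency group `${{ github.workflow }}-$${{ github.head_ref || github.run_id }}` has a stray `$`, and because `head_ref` is empty on `workflow_dispatch` the group is per-run, so `cancel-in-progress: true` never cancels a stale release; presumably `${{ github.workflow }}-${{ github.ref }}` was intended.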