chore: define workflow permissions (#1844) #144
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - "v*" | |
| env: | |
| NPM_TAG: "next" | |
| EMULATOR_NAME: "runtime-emu" | |
| NDK_VERSION: r27d | |
| ANDROID_API: 33 | |
| ANDROID_ABI: x86_64 | |
| NDK_ARCH: darwin | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: macos-13 | |
| outputs: | |
| npm_version: ${{ steps.npm_version_output.outputs.NPM_VERSION }} | |
| npm_tag: ${{ steps.npm_version_output.outputs.NPM_TAG }} | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| with: | |
| fetch-depth: 0 | |
| submodules: true | |
| - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 | |
| with: | |
| node-version: 22 | |
| registry-url: "https://registry.npmjs.org" | |
| - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 | |
| with: | |
| distribution: "temurin" | |
| java-version: "21" | |
| cache: gradle | |
| - name: Setup Android SDK | |
| uses: android-actions/setup-android@7c5672355aaa8fde5f97a91aa9a99616d1ace6bc # v2.0.10 | |
| - name: Homebrew dependencies | |
| run: | | |
| brew install wget | |
| - name: Setup NDK | |
| run: | | |
| echo "y" | sdkmanager "cmake;3.6.4111459" | |
| wget https://dl.google.com/android/repository/android-ndk-$NDK_VERSION-$NDK_ARCH.zip | |
| chmod +x android-ndk-$NDK_VERSION-$NDK_ARCH.zip | |
| unzip -q android-ndk-$NDK_VERSION-$NDK_ARCH.zip | |
| rm -rf android-ndk-$NDK_VERSION-$NDK_ARCH.zip | |
| export ANDROID_NDK_HOME=`pwd`/android-ndk-$NDK_VERSION | |
| echo ANDROID_NDK_HOME=${ANDROID_NDK_HOME} >> $GITHUB_ENV | |
| echo ANDROID_NDK=${ANDROID_NDK_HOME} >> $GITHUB_ENV | |
| echo ${ANDROID_NDK_HOME} >> $GITHUB_PATH | |
| - name: Install Dependencies | |
| run: | | |
| npm install | |
| npm install --prefix ./test-app/tools | |
| - name: Get Current Version | |
| run: | | |
| NPM_VERSION=$(node -e "console.log(require('./package.json').version);") | |
| echo NPM_VERSION=$NPM_VERSION >> $GITHUB_ENV | |
| - name: Bump version for dev release | |
| if: ${{ !contains(github.ref, 'refs/tags/') }} | |
| run: | | |
| NPM_VERSION=$(node ./scripts/get-next-version.js) | |
| echo NPM_VERSION=$NPM_VERSION >> $GITHUB_ENV | |
| npm version $NPM_VERSION --no-git-tag-version | |
| - name: Output NPM Version and tag | |
| id: npm_version_output | |
| run: | | |
| NPM_TAG=$(node ./scripts/get-npm-tag.js) | |
| echo NPM_VERSION=$NPM_VERSION >> $GITHUB_OUTPUT | |
| echo NPM_TAG=$NPM_TAG >> $GITHUB_OUTPUT | |
| - name: Build npm package | |
| run: ./gradlew -PgitCommitVersion=${{ github.sha }} -PnoCCache --stacktrace | |
| - name: Upload npm package artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: npm-package | |
| path: dist/nativescript-android-${{steps.npm_version_output.outputs.NPM_VERSION}}.tgz | |
| - name: Upload debug symbols | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: debug-symbols | |
| path: test-app/runtime/build/intermediates/merged_native_libs/release/mergeReleaseNativeLibs/out/lib/* | |
| test: | |
| name: Test | |
| runs-on: macos-13 | |
| needs: build | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| with: | |
| submodules: true | |
| - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 | |
| with: | |
| node-version: 22 | |
| registry-url: "https://registry.npmjs.org" | |
| - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 | |
| with: | |
| distribution: "temurin" | |
| java-version: "21" | |
| cache: gradle | |
| - name: Setup Android SDK | |
| uses: android-actions/setup-android@7c5672355aaa8fde5f97a91aa9a99616d1ace6bc # v2.0.10 | |
| - name: Homebrew dependencies | |
| run: | | |
| brew install wget | |
| - name: Setup NDK | |
| run: | | |
| echo "y" | sdkmanager "cmake;3.6.4111459" | |
| wget https://dl.google.com/android/repository/android-ndk-$NDK_VERSION-$NDK_ARCH.zip | |
| chmod +x android-ndk-$NDK_VERSION-$NDK_ARCH.zip | |
| unzip -q android-ndk-$NDK_VERSION-$NDK_ARCH.zip | |
| rm -rf android-ndk-$NDK_VERSION-$NDK_ARCH.zip | |
| export ANDROID_NDK_HOME=`pwd`/android-ndk-$NDK_VERSION | |
| echo ANDROID_NDK_HOME=${ANDROID_NDK_HOME} >> $GITHUB_ENV | |
| echo ANDROID_NDK=${ANDROID_NDK_HOME} >> $GITHUB_ENV | |
| echo ${ANDROID_NDK_HOME} >> $GITHUB_PATH | |
| - name: Install Dependencies | |
| run: | | |
| npm install | |
| npm install --prefix ./test-app/tools | |
| - name: SBG tests | |
| run: ./gradlew runSbgTests --stacktrace | |
| - name: Run unit tests | |
| uses: ReactiveCircus/android-emulator-runner@1dcd0090116d15e7c562f8db72807de5e036a4ed # v2.34.0 | |
| with: | |
| api-level: ${{env.ANDROID_API}} | |
| # this is needed on API 30+ | |
| #target: google_apis | |
| arch: ${{env.ANDROID_ABI}} | |
| script: ./gradlew runtestsAndVerifyResults --stacktrace | |
| publish: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| - test | |
| permissions: | |
| contents: read | |
| id-token: write | |
| env: | |
| NPM_VERSION: ${{needs.build.outputs.npm_version}} | |
| NPM_TAG: ${{needs.build.outputs.npm_tag}} | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 | |
| with: | |
| node-version: 22 | |
| registry-url: "https://registry.npmjs.org" | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: npm-package | |
| path: dist | |
| - name: Publish package | |
| run: | | |
| echo "Publishing @nativescript/android@$NPM_VERSION to NPM with tag $NPM_TAG..." | |
| npm publish ./dist/nativescript-android-${{env.NPM_VERSION}}.tgz --tag $NPM_TAG --provenance | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }} | |
| github-release: | |
| runs-on: ubuntu-latest | |
| # only runs on tagged commits | |
| if: ${{ contains(github.ref, 'refs/tags/') }} | |
| permissions: | |
| contents: write | |
| needs: | |
| - build | |
| - test | |
| env: | |
| NPM_VERSION: ${{needs.build.outputs.npm_version}} | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 | |
| with: | |
| node-version: 22 | |
| - name: Setup | |
| run: npm install | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: npm-package | |
| path: dist | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: debug-symbols | |
| path: dist/debug-symbols | |
| - name: Zip debug symbols | |
| working-directory: dist/debug-symbols | |
| run: zip -r debug-symbols.zip . | |
| - name: Partial Changelog | |
| run: npx conventional-changelog -p angular -r2 > body.md | |
| - uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0 | |
| with: | |
| artifacts: "dist/nativescript-android-*.tgz,dist/debug-symbols/debug-symbols.zip" | |
| bodyFile: "body.md" | |
| prerelease: ${{needs.build.outputs.npm_tag != 'latest'}} |