This has several benefits:
* Less abuse of `extra-sandbox-paths` Nix option
* Less inputs to the Android release build derivation
* Easier for users to sign the build themselves
* Simplification of `scripts/release-android.sh`
* Preparation for building using Nix Flakes
The only two remaining credentials passed via `extra-sandbox-paths` is
the Infura and OpenSea API keys, and there is no way around that other
than passing them via Nix arguments, but that would cause them to end up
in `/nix/store` as part of `.drv` files.
I'm also renaming `release-fdroid` to `build-fdroid` to be consistent.
Depends on: https://github.com/status-im/status-jenkins-lib/pull/42
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Minor upgrade done to match the version deployed in CI due to a bug
with `nix-copy-closure` which broken Nix cache jobs:
https://github.com/status-im/infra-ci/issues/49
This will not force upgrade on developes, nor require any `make nix-purge`.
If however and upgrade is wanted it can be simply done with `nix upgrade-nix`.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
By using just the timestamp we increase the probability of hitting a
race condition with another build due to same filename of sandbox file.
Depends on: https://github.com/status-im/status-jenkins-lib/pull/40
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Will make it easier and safer to upgrade Nix on CI hosts.
Also added architecture since we are starting to mix those.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
This will make identifying installed software easier.
It can also be used to generate F-Droid RPs more easily.
Depends on:
https://github.com/status-im/status-jenkins-lib/pull/35
Signed-off-by: Jakub Sokołowski <jakub@status.im>
This is required to also ad GitHub releases to `status-desktop`.
Also renamed `status-react-jenkins` to `status-jenkins-lib` for clarity.
Depends on: https://github.com/status-im/status-react-jenkins/pull/23
Signed-off-by: Jakub Sokołowski <jakub@status.im>
This changes the behavior of mobile combined builds to not publish
the results of `nightly` or `release` builds unless `PUBLISH`
parameter is set to `true`.
It also makes the `BUILD_TYPE` into a dropdown choice field with
pre-defined values, like `manual` or `e2e`.
Changes:
- Add parameter definitions for `BUILD_TYPE` and `PUBLISH`
- Move uploading of `latest.json` to `Publish` stage
- Make `Publish` stage optional based on the `PUBLISH` parameter
Requires: https://github.com/status-im/status-react-jenkins/pull/21
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Signed-off-by: Andrea Maria Piana <andrea.maria.piana@gmail.com>
Using different temporary keychains does not work if we do not set
`default_keychain=true`, because `codesign` then can't find the cert:
```
error: No signing certificate "iOS Distribution" found: No "iOS Distribution" signing certificate matching team ID
```
But if we set `default_keychain=true` then we cause a race condition
when the keychain is deleted by a parallel job while another is using it
as its default.
For this reason we have to use a static keychain name and keep it
between builds.
I tried disabling `default_keychain=true` in #11378 but it worked only
because the default user keychain already had the cert.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Signed-off-by: Andrea Maria Piana <andrea.maria.piana@gmail.com>
This is a new approach to signing the iOS app by using a temporary
Keychain created only for that specific build and unlocked in advance.
By doing it this way we can avoid issues with `errSecInternalComponent`
appearing when there is no UI to open a Keychain password prompt when
running build in CI. I've described this problem in details in:
https://github.com/fastlane/fastlane/issues/15185
Thanks to `codesign:` partition ID being added to key partition list by
Fastlane `match` when importing a Keychain this approach now works:
https://github.com/fastlane/fastlane/pull/17456
Signed-off-by: Jakub Sokołowski <jakub@status.im>
The env variable `INFURA_TOKEN` is used at build time of JS bundle, not
the final APK file. We never passed the `secretsFile` to the
derivation for JS bundle so it never saw the `INFURA_TOKEN`.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
* `status-im-releases` for release builds
* `status-im-nightlies` for nightlies
I want to reserve the `status-im` bucket for use with the site.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
This updates a bunch of things in the Jenkins logic.
For details of that see:
https://github.com/status-im/status-react-jenkins/pull/12
It grew out of the changes I made to make PR builds available in Desktop client:
https://github.com/status-im/nim-status-client/pull/507
Changes:
- Bump `status-react-jenkins` library to newer version, probably `1.2.0`
- Update use of `utils.pkgFilename()` in `ci/Jenkinsfile.combined`
- Make all iOS builds go into the same folder: `status-ios`
- Drop e2e build type, infer it from Android ABIs set to `x86` only
- Simplify logic in `nix/mobile/android/release.nix.`
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Build PR Scheme in PR build
use named parameters, use pr_build boolean
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Enable capabilities
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Add custom app icon
Remove user defined profile
Add PR scheme
Explicit provide provisioning profiles
Fix pr schema
Bump jenkins
Pod bump
Describe pr_build argument
Signed-off-by: Gheorghe Pinzaru <feross95@gmail.com>
This way we can use different token for e2e, release, and devel builds.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Signed-off-by: Andrea Maria Piana <andrea.maria.piana@gmail.com>
Changes:
- Add `nix/DETAILS.md` for more in-depth info
- Rename some of `config.status-im` variables
- Drop `env` argument for Android build
- Use `overlays` instead of `packageOverrides`
- Move the `pkgs` overlay to `nix/overlay.nix`
- Move `nix/status-go/utils.nix` to `nix/tools`
- Make `shell.nix` use the `shells.default` only
- Use `default.nix` as target for `nix/scripts/shell.sh`
- Make `nix/scripts/shell.sh` use `--attr` instead of `target`
- Drop the `target` argument in favour of using `--attr`
- Drop unnecessary `src` from `nix/mobile/ios/default.nix`
- Move `mkShell` and `mergeSh` under `lib`
- Move `patched-go` package to `nix/pkgs` directory
- Move `gomobile` package to `nix/pkgs` directory
- Move `ANDROID_ABI_SPLIT` to `config.status-im.android.abi-split`
- Move `ANDROID_ABI_INCLUDE to `config.status-im.android.abi-include`
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Because we run nix/scripts/clean.sh after building JSBundle it is
removed from Nix store and can't be reused in the Bundle stage.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
This PR extracts all the ci/*.groovy scripts into a separate private repo located at:
https://github.com/status-im/status-react-jenkins
The main reasons for a separate repo are:
* Hiding the internal details of our CI setup
* Hiding names of Jenkins credentials available in CI jobs
* Lowering attack surface for malicious external contributors
* Increasing focus on PRs related to CI setup
You can read more about how Jenkins pipeline shared libraries work here:
https://jenkins.io/doc/book/pipeline/shared-libraries/
In simple terms I've added the repo to the main Jenkins configuration in "Global Pipeline Libraries" section and load it using:
library 'status-react-jenkins@master'
Which makes globally available all of the libraries defined in the `vars` directory of that repo.
This also eliminates the need for statements like `android = load 'ci/android.groovy'`.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Changes:
- Adds a new `nix-gc` Makefile target for removing old packages
- Moves all `nix/*.sh` files to `nix/scripts/*.sh` to make things more tidy
- Renames `TARGET_OS` into `TARGET` and makes it effective only with `nix/scripts/shell.sh`
- Renames `target-os` Nix argument to just `target` and makes it effective only with `shell.nix`
- Drops `IN_CI_ENVIRONMENT` env variable which was useless
- Drops use of `target-os` argument outside of `shell.nix` (with few exceptions, but just in naming)
- `nix/platform.nix` has been made obsolete and removed
- Moves the definition of all major targets to `nix/targets.nix`
- Moves the definition of all major shells to `nix/shells.nix`
- Makes `default.nix` and `shell.nix` just thin wrappers around `nix/default.nix`
- `nix/nixpkgs-bootstrap.nix` has been moved to `nix/pkgs.nix`
- All package and tool overrides have been moved to `nix/pkgs.nix`
- Explicit passing of contents of `pkgs` has been removed in favor of `callPackage` doing it for us
- `nix/bootstrapped-shell.nix` has been moved to `nix/tools/mkShell.nix`
- A new `mergeSh` tool has been added to `pkgs` from `nix/tools/mergeSh.nix`
- This tool is used to merge shells created using `mkShell`
- `mobile/targets/jsbundle.nix` has been moved to `mobile/android/jsbundle/default.nix`
- Moves `status-go` version sanitization to `nix/status-go/utils.nix`
- Renames version to rawVersion and versionName to cleanVersion in status-go derivation
- Ports nix/mobile/ios/install-pods-and-status-go.sh to Nix sub-shells
- Moves adjustment of `inotify/max_user_watches` out into `scripts/inotify_fix.sh`
- Makes iOS builds use the Nix version of Fastlane
Signed-off-by: Jakub Sokołowski <jakub@status.im>