status-react/scripts/build-android.sh
Jakub Sokołowski acfa73ab43
nix: build unsigned Android APK, sign separately
This has several benefits:

* Less abuse of `extra-sandbox-paths` Nix option
* Less inputs to the Android release build derivation
* Easier for users to sign the build themselves
* Simplification of `scripts/release-android.sh`
* Preparation for building using Nix Flakes

The only two remaining credentials passed via `extra-sandbox-paths` is
the Infura and OpenSea API keys, and there is no way around that other
than passing them via Nix arguments, but that would cause them to end up
in `/nix/store` as part of `.drv` files.

I'm also renaming `release-fdroid` to `build-fdroid` to be consistent.

Depends on: https://github.com/status-im/status-jenkins-lib/pull/42

Signed-off-by: Jakub Sokołowski <jakub@status.im>
2022-05-21 11:10:11 +02:00

73 lines
2.5 KiB
Bash
Executable File

#!/usr/bin/env bash
# Needed to fail on must_get_env()
set -e
GIT_ROOT=$(cd "${BASH_SOURCE%/*}" && git rev-parse --show-toplevel)
source "${GIT_ROOT}/scripts/colors.sh"
function must_get_env() {
declare -n VAR_VALUE="$1"
if [[ -n "${VAR_VALUE}" ]]; then
echo "${VAR_VALUE}"
return
fi
echo -e "${RED}No required env variable:${RST} ${BLD}${!VAR_VALUE}${RST}" 1>&2
exit 1
}
function append_env_export() {
VAR_NAME=${1}
VAR_VALUE=$(must_get_env "${VAR_NAME}")
echo "export ${VAR_NAME}=\"${VAR_VALUE}\";" >> "${SECRETS_FILE_PATH}"
}
config=''
if [[ -n "${STATUS_GO_SRC_OVERRIDE}" ]]; then
config+="status-im.status-go.src-override=\"${STATUS_GO_SRC_OVERRIDE}\";"
fi
config+="status-im.commit-hash=\"$(git rev-parse --verify HEAD)\";"
config+="status-im.build-type=\"$(must_get_env BUILD_TYPE)\";"
config+="status-im.build-number=\"$(must_get_env BUILD_NUMBER)\";"
config+="status-im.android.abi-split=\"$(must_get_env ANDROID_ABI_SPLIT)\";"
config+="status-im.android.abi-include=\"$(must_get_env ANDROID_ABI_INCLUDE)\";"
nixOpts=()
# We create if now so the trap knows its location
export SECRETS_FILE_PATH=$(mktemp)
chmod 644 ${SECRETS_FILE_PATH}
# If secrets file was created we want to remove it.
trap "rm -vf ${SECRETS_FILE_PATH}" EXIT ERR INT QUIT
# Secrets like this can't be passed via args or they end up in derivation.
if [[ -n "${INFURA_TOKEN}" ]]; then append_env_export 'INFURA_TOKEN'; fi
if [[ -n "${OPENSEA_API_KEY}" ]]; then append_env_export 'OPENSEA_API_KEY'; fi
# If no secrets were passed there's no need to pass the 'secretsFile'.
if [[ -s "${SECRETS_FILE_PATH}" ]]; then
nixOpts+=("--argstr" "secretsFile" "${SECRETS_FILE_PATH}")
fi
# Used by Clojure at compile time to include JS modules
nixOpts+=("--argstr" "buildEnv" "$(must_get_env BUILD_ENV)")
if [[ "$(uname -s)" =~ Darwin ]]; then
# Start a watchman instance if not started already and store its socket path.
# In order to get access to the right versions of watchman and jq,
# we start an ad-hoc nix-shell that imports the packages from nix/nixpkgs-bootstrap.
WATCHMAN_SOCKFILE=$(watchman get-sockname --no-pretty | jq -r .sockname)
nixOpts+=(
"--argstr" "watchmanSockPath" "${WATCHMAN_SOCKFILE}"
"--option" "extra-sandbox-paths" "${KEYSTORE_PATH} ${SECRETS_FILE_PATH} ${WATCHMAN_SOCKFILE}"
)
else
nixOpts+=(
"--option" "build-use-sandbox" "true"
"--option" "extra-sandbox-paths" "${KEYSTORE_PATH} ${SECRETS_FILE_PATH}"
)
fi
nixOpts+=("--arg" "config" "{${config}}")
${GIT_ROOT}/nix/scripts/build.sh targets.mobile.android.release "${nixOpts[@]}"