App Store Build and Publish Job Problem

sebastiank · September 22, 2023, 10:12pm

Hi All,

Working on a app for the community and would like to implement an automated build and publish from GitHub, instead of doing it manually every time.

I’ve copied the NC appstore-build-publish.yml template and created the appropriate secret variables in GitHub (APPSTORE_TOKEN, APP_PRIVATE_KEY) but the action will not run, I get a status of “skipped” with no errors.

Here is the template:

github.com

ksainc/integration_ews/blob/main/.github/workflows/appstore-build-publish.yml

# This workflow is provided via the organization template repository
#
# https://github.com/nextcloud/.github
# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization

name: Build and publish app release

on:
  release:
    types: [published]

env:
  PHP_VERSION: 8.1

jobs:
  build_and_publish:
    runs-on: ubuntu-latest

    # Only allowed to be run on nextcloud-releases repositories
    if: ${{ github.repository_owner == 'nextcloud-releases' }}

This file has been truncated. show original

And here is the status when it runs:

Thank you in advance!
Sebastian

christianlupus · September 23, 2023, 7:36am

Hello.

The problem is twofold.

The original problem is most probably this line. Comment it out and it should work.

I suspect you are no employee of the company. This, you do not have access to the GitHub organization nextcloud-releases, right?

The second problem: where is your app located currently? In the nextcloud-releases organization or somewhere else?

I had the problem that the cookbook is located in the organization. There are many people there that have wow access. Thus,I outsourced the app store to a foreign organization to avoid security implications: anyone with write access might be able to extracta secret otherwise.

If you want to be nice to anyone forking your repo or need to separate the repositories, keep the line but fix the right hand side according to your needs.

We can discuss things of you like but I would need some more information from you then.

Christian

sebastiank · September 24, 2023, 4:07am

Hi @christianlupus

I will try commenting out that line.

Yes, I am not an employee of the NC. The app is located in my github with only myself that has access.

Sebastian

christianlupus · September 24, 2023, 8:20am

Report back of that worked out or if you run into issues.

sebastiank · October 3, 2023, 10:41pm

Hi @christianlupus,

So the build jobs is actually executing now, but NOT completing.

Its seems to be erroring at the makefile stage. Here is the error:

 tar: Exiting with failure status due to previous errors
make: *** [Makefile:127: appstore] Error 2
Error: Process completed with exit code 2.

And I believe that is being caused by this error further up:

tar: ../integration_ews/build/artifacts/appstore/integration_ews.tar.gz: file changed as we read it
tar: The following options were used after any non-optional arguments in archive create or update mode.  These options are positional and affect only arguments that follow them.  Please, rearrange them properly.

Here is the run.

Any ideas?

Sebastian

christianlupus · October 4, 2023, 4:54am

Okay,I had to do quite some manual comparison back and forth. Long sorry short: there is a bug in my understanding in the workflow template.

You seem to have found at least a partial solution (your makefile was wrong).
In this line the wrong path is used. The rest of this snippet needs tweaking as well to make this possible, I guess.

I cannot help you from my mobile phone.

christianlupus · October 4, 2023, 10:31am

OK, let me get you running.

The appstore make target builds the appstore tarball in build/artifacts/appstore/integration_ews.tar.gz.
The signing workflow step expects the tarball to be in build/artifacts/integration_ews.tar.gz (note the missing part appstore).

You could fix the paths but you could also do things simpler: You could drop the extraction from the GH actions altogether as you just created a folder in build/artifacts/sign containing all files in the tarball. You would have to fix the path in the signing command to use said extracted folder. Also, the repacking will use the wrong path here. You could simply move the folder sign to ${{ env.APP_NAME }}. Then, the signature should run if I did not miss any path issue.

I hope thi shelped you to get it running. If not, feel free to write back. In the worst case, I can create a PR for you.

sebastiank · October 4, 2023, 12:29pm

Morning @christianlupus

Firstly, I wan to say thank you for all the help so far, I would not have made any progress with out you. And its amazing how I can code in 10+ different languages including assembler but these git flows, make me face palm my self every time.

Okay, so what I have tried so far.

I took your recommendation, and removed the extraction process, and changed the paths. Then tried running the process again. And… It failed.

Here are the changes:

Then using some logic, I decided there was no point in signing the app twice, since the last step in the Makefile is to sign the app. So I removed the sections that download NC and sign the app and tried running the process again… And it failed. (Face Palm)

Here are the last chagnes:

Sebastian

christianlupus · October 4, 2023, 4:46pm

OK, you have different things intermixed in mind:

You need to sign the tarball in order for the app store to accept it. This confirms that you as the author has built the tarball and not some bad guy. You do this in the Makefile (not needed in fact, just for your convinience) and in the GH flow.
There is the code signing. This is to prevent changes to the files after installing the app in the user’s NC server. The admin will get a warning if a file was changed. This is what used to happen in the GH flow but you removed. This is optional.

To get the next step running, have a look at the package with makefile step (and its output in the actions tab):

tar -czf /home/runner/work/integration_ews/integration_ews/integration_ews/build/artifacts/appstore/integration_ews.tar.gz \
	-C /home/runner/work/integration_ews/integration_ews/integration_ews/build/artifacts/sign integration_ews

The actual file is build/artifacts/appstore/integration_ews.tar.gz. And as such, you will have to fix the path in the upload script to be in appstore not sign. Sorry, I might have brought you on this terrain by accident.

I hope this will get you running finally.
Christian

sebastiank · October 4, 2023, 10:11pm

Hi @christianlupus

Well two days to beating this problem but it finally worked. Had two more minor errors in the Attach tar ball section and Upload App section, but I managed to figure them out.

Once again, thank you so much this will make the development process a lot easier. I am working on two more integration apps and the manually process of releasing was really becoming a pain.

Sebastian