Merge pull request #5 from opatry/google-signin-oauth

Google sign-in OAuth

.github/workflows/Build.yml

@@ -36,10 +36,10 @@ jobs:
         KEYSTORE_KEY_PASSWORD: ${{ secrets.KEYSTORE_KEY_PASSWORD }}
       run: |
             set -eux
-            keystore_file=$(_ci/decrypt_file.sh _ci/tasksApp.keystore.gpg)
-            ./gradlew --no-daemon :tasks-app-android:assembleRelease \
+            ./_ci/decrypt_secrets.sh
+            ./gradlew --no-daemon :tasks-app-android:assembleStoreRelease \
               -Pci=true \
-              -Pplaystore.keystore.file="${keystore_file}" \
+              -Pplaystore.keystore.file="${PWD}/_ci/tasksApp.keystore" \
               -Pplaystore.keystore.password="${KEYSTORE_PASSWORD}" \
               -Pplaystore.keystore.key_password="${KEYSTORE_KEY_PASSWORD}"
 

.gitignore

@@ -25,3 +25,5 @@ client_secret_*.apps.googleusercontent.com.json
 _ci/api-*.json
 _ci/*.keystore
 bundletool-*.jar
+.idea/appInsightsSettings.xml
+tasks-app-android/google-services.json

README.md

@@ -15,6 +15,21 @@ A basic TODO list application based on [Google Tasks REST API](https://developer
 - [Jetpack Compose](https://developer.android.com/jetpack/compose)
 - [Coil](https://coil-kt.github.io/coil/)
 
+## Local development
+
+Decrypt `*.gpg` files needed for development, and copy decrypted versions in proper places.
+
+```bash
+PLAYSTORE_SECRET_PASSPHRASE=MY_SECRET ./_ci/decrypt_secrets.sh
+```
+
+## Updating `google-services.json`
+
+The production `google-services.json` file is ignored by SCM to avoid exposing API keys in public repository.
+To update it, download the new version, encrypt it using `gpg --symmetric --cipher-algo AES256 google-services.json` 
+and store this in `_ci/google-services.json.gpg`.
+The `decrypt_secrets.sh` will take it into account.
+
 ## License
 
 ```

_ci/decrypt_file.sh

@@ -5,30 +5,31 @@
 
 set -euo pipefail
 
-if [ $# -ne 1 ]; then
-  echo "Usage: $0 input_file.gpg"
+if [ $# -ne 1 ] && [ $# -ne 2 ] ; then
+  echo "Usage: $0 input_file.gpg [output_file]"
+  echo "  Decrypts in-place if no output_file is provided"
   exit 1
 fi
 
 input_file=${1}
+output_file=${2:-""}
+
+if [ -z "${output_file}" ]; then
+  output_file="$(dirname "${input_file}")/$(basename "${input_file}" .gpg)"
+fi
 
 if [ ! -f "${input_file}" ]; then
   echo "${input_file} doesn't exist"
   exit 1
 fi
 
-output_filename=$(basename "${input_file}" .gpg)
+output_dir=$(dirname "${output_file}")
+mkdir -p "${output_dir}"
 
-tmp_dir=$(mktemp -d -t ci-secrets.XXXXXX)
-mkdir -p "${tmp_dir}"
-output_file="${1:-"${tmp_dir}/${output_filename}"}"
 # convert potentially relative path to absolute
 output_file="$(cd "$(dirname "${output_file}")"; pwd)/$(basename "${output_file}")"
 
 # --batch to prevent interactive command --yes to assume "yes" for questions
 gpg --quiet --batch --yes --decrypt \
     --passphrase="${PLAYSTORE_SECRET_PASSPHRASE}" \
     --output "${output_file}" "${input_file}"
-
-# output so that caller can retrieve generated output when not provided explicitly
-echo "${output_file}"

_ci/decrypt_secrets.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+origin=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) || exit
+
+cd "${origin}"
+./decrypt_file.sh "${origin}/api-9064832520773894557-417132-bdc7875bde18.json.gpg"
+./decrypt_file.sh "${origin}/tasksApp.keystore.gpg"
+./decrypt_file.sh "${origin}/google-services.json.gpg" \
+                  "${origin}/../tasks-app-android/google-services.json" \
+
+mkdir -p "${origin}/../tasks-app-shared/src/jvmMain/composeResources/files"
+./decrypt_file.sh "${origin}/client_secret_191682949161-esokhlfh7uugqptqnu3su9vgqmvltv95.apps.googleusercontent.com.json.gpg" \
+               "${origin}/../tasks-app-shared/src/jvmMain/composeResources/files/client_secret_191682949161-esokhlfh7uugqptqnu3su9vgqmvltv95.apps.googleusercontent.com.json"
+
+# for now Android & desktop apps use the same GCP Web app credentials, kept split/duplicated in their own source set to ease changing strategy
+# it's the same for `store` & `dev` flavors for now, keep in `src/main/assets` but could be dup again in `src/store/assets` & `src/dev/assets` respectively
+mkdir -p "${origin}/../tasks-app-android/src/main/assets"
+cp "${origin}/../tasks-app-shared/src/jvmMain/composeResources/files/client_secret_191682949161-esokhlfh7uugqptqnu3su9vgqmvltv95.apps.googleusercontent.com.json" \
+   "${origin}/../tasks-app-android/src/main/assets"

_ci/playstore.sh

@@ -16,6 +16,7 @@ available_tracks=("internal" "alpha" "beta" "production")
 default_track="${available_tracks[0]}"
 
 build_type="release"
+flavor="store"
 
 check_track() {
   # shellcheck disable=SC2076
@@ -29,16 +30,28 @@ check_track() {
   fi
 }
 
+if ! command -v bundletools &> /dev/null; then
+  bundletool() {
+    bundletool_version="1.17.1"
+    bundletool_jar="bundletool-all-${bundletool_version}.jar"
+    if [ ! -f "${bundletool_jar}" ]; then
+      info "${YELLOW}bundletool${RESET} not available in the PATH, downloading it"
+      curl -L -o "${bundletool_jar}" https://github.com/google/bundletool/releases/download/${bundletool_version}/bundletool-all-${bundletool_version}.jar
+    fi
+    java -jar "${bundletool_jar}" "${@}"
+  }
+fi
+
 publish_aab() {
   local aab="${1:-}"
   [ -f "${aab}" ] || step_error "No App Bundle (AAB) found '${YELLOW}${aab}${RESET}'"
 
   local track="${2:-"${default_track}"}"
   check_track "${track}" "Invalid track '${YELLOW}${track}${RESET}'"
 
-  metadata_path="${origin}/../fastlane/metadata/android"
+  metadata_path="${origin}/../fastlane/metadata/${flavor}"
 
-  step "Dumping information from App Bundle (AAB)"
+  step "Dumping information from App Bundle (AAB) (using ${YELLOW}bundletool${RESET} version $(bundletool version))"
   manifest_file="${origin}/manifest.xml"
   bundletool dump manifest --bundle="${aab}" > "${manifest_file}"
 
@@ -47,6 +60,7 @@ publish_aab() {
   version_code=$(xmllint --xpath 'string(//manifest/@*[local-name()="versionCode"])' "${manifest_file}")
 
   rm "${manifest_file}"
+  step_done
 
   step "Publishing '${YELLOW}${aab##"${origin}/"}${RESET}' (${BLUE_BOLD}${app_package}${RESET} '${MAGENTA_BOLD}${version_name}${RESET}' #${GREEN_BOLD}${version_code}${RESET}) to '${MAGENTA}${track}${RESET}' track"
 
@@ -74,17 +88,21 @@ publish_aab() {
   fi
 
   bundle exec fastlane supply "${supply_args[@]}"
+
+  step_done
 }
 
 # assisted mode when called on dev machine with fzf installed
 if [ $# -eq 0 ] && [ -z "${CI:-}" ] && command -v fzf &> /dev/null; then
+  echo -e "🚀 Play Store publish\n"
+
   track=$(printf "%s\n" "${available_tracks[@]}" \
             | fzf --prompt "Choose the track to use" \
                   --height ~7 \
                   --layout=reverse-list \
                   || true)
   check_track "${track}"
-  
+
   upload_binary=$(ask_yn_choice "${MAGENTA_BOLD}Publish App Bundle (AAB) (including associated changelog)?${RESET}")
   upload_store_assets=$(ask_yn_choice "${MAGENTA_BOLD}Publish Store assets (descriptions, images & screenshots)?${RESET}")
 else
@@ -95,7 +113,7 @@ else
   upload_store_assets=${3:-false}
 fi
 
-aab="${origin}/../tasks-app-android/build/outputs/bundle/${build_type}/tasks-app-android-${build_type}.aab"
+aab="${origin}/../tasks-app-android/build/outputs/bundle/${flavor}${build_type^}/tasks-app-android-${flavor}-${build_type}.aab"
 
 if [ -z "${CI:-}" ] && [ "${upload_binary}" = true ]; then
   warn "Ensure you have updated your '${BLUE}${build_type}${RESET}' build and updated '${GREEN}tasksApp-code${RESET}'."
@@ -112,16 +130,4 @@ cd "${origin}/.."
 
 bundle exec fastlane run validate_play_store_json_key
 
-if ! command -v bundletool &> /dev/null; then
-  BUNDLETOOL_VERSION="1.17.1"
-  bundletool_jar="bundletool-all-${BUNDLETOOL_VERSION}.jar"
-  if [ ! -f "${bundletool_jar}" ]; then
-    info "${YELLOW}bundletool${RESET} not available in the PATH, downloading it"
-    curl -L -o "${bundletool_jar}" https://github.com/google/bundletool/releases/download/${BUNDLETOOL_VERSION}/bundletool-all-${BUNDLETOOL_VERSION}.jar
-  fi
-  alias bundletool='java -jar "${bundletool_jar}"'
-fi
-
-info "${YELLOW}bundletool${RESET} version $(bundletool version)"
-
 publish_aab "${aab}" "${track}"

build.gradle.kts

@@ -31,4 +31,6 @@ plugins {
     alias(libs.plugins.android.application) apply false
     alias(libs.plugins.android.library) apply false
     alias(libs.plugins.androidx.room) apply false
+    alias(libs.plugins.google.services) apply false
+    alias(libs.plugins.firebase.crashlytics) apply false
 }