From 58108c5960ea6f3b8f5f88b3a9238076c1976589 Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Wed, 1 Apr 2026 08:52:22 -0300
Subject: [PATCH] refactor(actions): align signing flow with LibreSign

Run app signing via make appstore by placing APP_PRIVATE_KEY in build/tools/certificates, and simplify release/nightly workflows to match LibreSign style.

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 .github/workflows/appstore-build-publish.yml | 28 +++------
 .github/workflows/nightly-release.yml        | 61 +++++++++++---------
 2 files changed, 41 insertions(+), 48 deletions(-)

diff --git a/.github/workflows/appstore-build-publish.yml b/.github/workflows/appstore-build-publish.yml
index 498fb8d..eca49cd 100644
--- a/.github/workflows/appstore-build-publish.yml
+++ b/.github/workflows/appstore-build-publish.yml
@@ -10,6 +10,7 @@ on:
 
 permissions:
   contents: write
+  actions: write
 
 jobs:
   build_and_publish:
@@ -26,6 +27,7 @@ jobs:
       - name: Set app env
         run: |
           [ "${GITHUB_REPOSITORY##*/}" = "${APP_NAME}" ]
+          echo "APP_VERSION=${GITHUB_REF##*/}" >> "$GITHUB_ENV"
 
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -91,11 +93,6 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Package ${{ env.APP_NAME }} with makefile
-        run: |
-          make -C "${{ env.APP_NAME }}" appstore
-          make -C "${{ env.APP_NAME }}" verify-appstore-package
-
       - name: Check server download link for ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}
         id: server-url
         run: |
@@ -120,22 +117,13 @@ jobs:
           repository: nextcloud/server
           path: nextcloud
 
-      - name: Sign app
+      - name: Package ${{ env.APP_NAME }} ${{ github.ref_name }} with makefile
         run: |
-          KEY_PATH="${GITHUB_WORKSPACE}/${{ env.APP_NAME }}.key"
-          CERT_PATH="${GITHUB_WORKSPACE}/${{ env.APP_NAME }}.crt"
-          APP_PATH="${GITHUB_WORKSPACE}/${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}"
-
-          printf '%s' '${{ secrets.APP_PRIVATE_KEY }}' > "${KEY_PATH}"
-          chmod 600 "${KEY_PATH}"
-          wget --quiet -O "${CERT_PATH}" "https://github.com/nextcloud/app-certificate-requests/raw/master/${{ env.APP_NAME }}/${{ env.APP_NAME }}.crt"
-
-          php nextcloud/occ integrity:sign-app \
-            --privateKey="${KEY_PATH}" \
-            --certificate="${CERT_PATH}" \
-            --path="${APP_PATH}"
-
-          tar -C "${{ env.APP_NAME }}/build/artifacts" -zcf "${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz" "${{ env.APP_NAME }}"
+          cd "${{ env.APP_NAME }}"
+          mkdir -p build/tools/certificates/
+          printf '%s' '${{ secrets.APP_PRIVATE_KEY }}' > "build/tools/certificates/${{ env.APP_NAME }}.key"
+          chmod 600 "build/tools/certificates/${{ env.APP_NAME }}.key"
+          make appstore verify-appstore-package
 
       - name: Attach tarball to GitHub release
         uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2.11.5
diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml
index df63ee1..175a20c 100644
--- a/.github/workflows/nightly-release.yml
+++ b/.github/workflows/nightly-release.yml
@@ -17,6 +17,7 @@ on:
 
 permissions:
   contents: write
+  actions: write
 
 jobs:
   check-latest-stable:
@@ -81,6 +82,10 @@ jobs:
           filename: ${{ env.APP_NAME }}/appinfo/info.xml
           expression: "//info//version/text()"
 
+      - name: Set APP_VERSION env
+        run: |
+          echo "APP_VERSION=${{ fromJSON(steps.app-version.outputs.result).version }}" >> "$GITHUB_ENV"
+
       - name: Get appinfo data
         id: appinfo
         uses: skjnldsv/xpath-action@f5b036e9d973f42c86324833fd00be90665fbf77 # v1.0.0
@@ -121,11 +126,6 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Package ${{ env.APP_NAME }} with makefile
-        run: |
-          make -C "${{ env.APP_NAME }}" appstore
-          make -C "${{ env.APP_NAME }}" verify-appstore-package
-
       - name: Check server download link for ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}
         id: server-url
         run: |
@@ -150,27 +150,18 @@ jobs:
           repository: nextcloud/server
           path: nextcloud
 
-      - name: Sign app
+      - name: Package ${{ env.APP_NAME }} nightly with makefile
         run: |
-          KEY_PATH="${GITHUB_WORKSPACE}/${{ env.APP_NAME }}.key"
-          CERT_PATH="${GITHUB_WORKSPACE}/${{ env.APP_NAME }}.crt"
-          APP_PATH="${GITHUB_WORKSPACE}/${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}"
-
-          printf '%s' '${{ secrets.APP_PRIVATE_KEY }}' > "${KEY_PATH}"
-          chmod 600 "${KEY_PATH}"
-          wget --quiet -O "${CERT_PATH}" "https://github.com/nextcloud/app-certificate-requests/raw/master/${{ env.APP_NAME }}/${{ env.APP_NAME }}.crt"
-
-          php nextcloud/occ integrity:sign-app \
-            --privateKey="${KEY_PATH}" \
-            --certificate="${CERT_PATH}" \
-            --path="${APP_PATH}"
-
-          tar -C "${{ env.APP_NAME }}/build/artifacts" -zcf "${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz" "${{ env.APP_NAME }}"
+          cd "${{ env.APP_NAME }}"
+          mkdir -p build/tools/certificates/
+          printf '%s' '${{ secrets.APP_PRIVATE_KEY }}' > "build/tools/certificates/${{ env.APP_NAME }}.key"
+          chmod 600 "build/tools/certificates/${{ env.APP_NAME }}.key"
+          make appstore verify-appstore-package
 
       - name: Define nightly metadata
         id: version
         run: |
-          echo "version=${{ fromJSON(steps.app-version.outputs.result).version }}" >> "$GITHUB_OUTPUT"
+          echo "version=${APP_VERSION}" >> "$GITHUB_OUTPUT"
           echo 'tag=nightly' >> "$GITHUB_OUTPUT"
           echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"
 
@@ -228,11 +219,25 @@ jobs:
               --prerelease
           fi
 
-      - name: Upload nightly tarball
+      - name: Attach tarball to GitHub release
+        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2.11.5
+        id: attach_to_release
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          file: ${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz
+          asset_name: ${{ env.APP_NAME }}-${{ steps.version.outputs.tag }}.tar.gz
+          tag: ${{ steps.version.outputs.tag }}
+          overwrite: true
+
+      - name: Upload app to Nextcloud appstore (nightly)
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh release upload nightly \
-            '${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz' \
-            --repo '${{ github.repository }}' \
-            --clobber
+          APPSTORE_TOKEN: ${{ secrets.APPSTORE_TOKEN }}
+          APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
+        if: env.APPSTORE_TOKEN != '' && env.APP_PRIVATE_KEY != ''
+        uses: nextcloud-releases/nextcloud-appstore-push-action@a011fe619bcf6e77ddebc96f9908e1af4071b9c1 # v1.0.3
+        with:
+          app_name: ${{ env.APP_NAME }}
+          appstore_token: ${{ env.APPSTORE_TOKEN }}
+          download_url: ${{ steps.attach_to_release.outputs.browser_download_url }}
+          app_private_key: ${{ env.APP_PRIVATE_KEY }}
+          nightly: true