Adding the actions
- sync-version-with-upstream.yml runs daily to sync the version in our repos with the upstream released version. Make sure to update this action to point to the upstream of your app.
- snap-store-publish-to-candidate.yml runs every time a commit happens to the candidate branch. It
  - Builds the snap, tests it, and pushes it to the candidate channel in the store.
  - Creates a “call for testing” issue stating a new version is available to test.
- snap-store-promote-to-stable.yml runs every time a comment gets added to a call for testing. It
  - Checks if the comment is a command of type /promote <revision> stable from a person who’s either an owner or collaborator on the repo.
  - If so, promotes that revision to the stable channel in the snap store.
  - And closes the call for testing.
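The comment check described for snap-store-promote-to-stable.yml can be written as a strict parser. This is an added example, not the Snapcrafters workflow code: the function name parsePromoteCommand and the sample events are made up for illustration, and it assumes the author check is done on the author_association field of GitHub's issue_comment event payload.

```javascript
// Added example: gate for a "/promote <revision> stable" comment.
// parsePromoteCommand is a hypothetical helper; comment.body and
// comment.author_association are fields of GitHub's issue_comment payload.

// The page allows owners and collaborators only.
const ALLOWED_ASSOCIATIONS = new Set(["OWNER", "COLLABORATOR"]);

// The whole comment must be the command. The revision is digits only
// (no leading zero, at most 9 digits) and the channel is the literal
// "stable", so trailing text, other channels, or shell metacharacters
// never reach the step that calls the store.
const PROMOTE_RE = /^\/promote ([1-9][0-9]{0,8}) stable$/;

function parsePromoteCommand(event) {
  const comment = event && event.comment;
  if (!comment || typeof comment.body !== "string") return null;
  // Authorization first: ignore everyone who is not owner or collaborator.
  if (!ALLOWED_ASSOCIATIONS.has(comment.author_association)) return null;
  // Surrounding whitespace is tolerated, extra lines or words are not.
  const match = PROMOTE_RE.exec(comment.body.trim());
  if (!match) return null;
  // Return typed values instead of the raw comment text.
  return { revision: Number(match[1]), channel: "stable" };
}

// Constructed sample payloads (not real events).
const SAMPLES = [
  { comment: { body: "/promote 42 stable", author_association: "OWNER" } },
  { comment: { body: "/promote 42 stable", author_association: "NONE" } },
  { comment: { body: "/promote 42 stable && echo x", author_association: "COLLABORATOR" } },
  { comment: { body: "/promote 42 edge", author_association: "OWNER" } },
];

for (const sample of SAMPLES) {
  console.log(sample.comment.body, "=>", JSON.stringify(parsePromoteCommand(sample)));
}
```

Only the first sample yields a revision to promote. The other three return null, so a workflow built this way would stop before the step that uses SNAP_STORE_STABLE.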
Configuring the Environment secrets
In the Settings of the repository, create the “Candidate Branch” environment, configure it so it’s only allowed on the candidate branch, and add the following tokens.
Note: This environment is to protect against a malicious or compromised member of Snapcrafters. Otherwise, someone could push a new branch that contains an action using the tokens to push malicious code or publish malicious snaps.
By limiting these tokens to the candidate branch, the actions using these tokens have to be reviewed first. It’s very important to only add these secrets in the environment!
The environment should be set up like this:
You should add these tokens.
- SNAPCRAFTERS_BOT_COMMIT: fine-grained GitHub access token from the snapcrafters-bot account which has content:write permissions on this specific repository. Ask Merlijn Sebrechts to generate this token for you and to add it to your repository.
- SNAP_STORE_CANDIDATE: Snap Store access token that can push a new version of the snap to the candidate channel. Generate it yourself using the following command (change <snap-name> to the name of your snap):

    snapcraft export-login --snaps=<snap-name> \
      --acls package_access,package_push,package_update,package_release \
      --channels candidate \
      --expires 2023-12-31

- SNAP_STORE_STABLE: Snap Store access token that can promote a snap to stable. Generate it yourself using the following command (change <snap-name> to the name of your snap):

    snapcraft export-login --snaps=<snap-name> \
      --acls package_access,package_release \
      --channels stable \
      --expires 2023-12-31

Note: Some of the actions use GITHUB_TOKEN. This is automatically created by GitHub. You don’t need to configure it yourself. Permissions are configured using the permissions key in the action yaml.
Setting the required branch protection rules
It is very important to set up the branch protection rules correctly. Otherwise, anyone will be able to steal your Snap Store tokens! Go to the Settings of your repository and check the branch protection rule in “Branches”.
See it in action
Take a look at the signal-desktop snap repository.