SlvLabs / slavi-wallet

Mobile version of slavi wallet

Git tag releases & use github releases, including for version 1.22.1 on Google Play #6

Open emanuelb opened 12 months ago

emanuelb commented 12 months ago

This repo has no tags: https://github.com/SlvLabs/slavi-wallet/tags and no github releases: https://github.com/SlvLabs/slavi-wallet/releases

Please tag new releases, so each tag will point to the related commit used to build the release; also add a description of the release for GitHub releases.

For example the version on Google Play is 1.22.1 https://play.google.com/store/apps/details?id=com.defiwalletmobile

While in this repo the latest commit is for a newer version (1.23.4) than the one in the store (1.22.1), so it is not clear which commit was used to build the version on Google Play, as multiple candidates are plausible:

This helps to test reproducible builds more easily and has other benefits as well.

Check out the project WalletScrutiny https://walletscrutiny.com/ and related issue to test this wallet at: https://gitlab.com/walletscrutiny/walletScrutinyCom/-/issues/488

xrviv commented 10 months ago

Google Play app is now 1.25.2 as of November 17, 2023.

xrviv commented 8 months ago

Hello, I tried to build with this Dockerfile with reference to your package.json file, but I'm afraid it failed. Without tags/releases, I would be constrained to mark this project as non-verifiable (in the reproducible builds sense).

A bit of a backgrounder on reproducible-builds.org

Why does it matter?

Whilst anyone may inspect the source code of free and open source software for malicious flaws, most software is distributed pre-compiled with no method to confirm whether they correspond.

This incentivises attacks on developers who release software, not only via traditional exploitation, but also in the forms of political influence, blackmail or even threats of violence.

This is particularly a concern for developers collaborating on privacy or security software: attacking these typically result in compromising particularly politically-sensitive targets such as dissidents, journalists and whistleblowers, as well as anyone wishing to communicate securely under a repressive regime.

Anyway, this is the Dockerfile I tried to use. I tried to base it off the dependencies on package.json, but it failed, so I suppose it's of no use:

```dockerfile
# Use a Node.js base image
FROM docker.io/node:16.20.0-bullseye-slim

# Set arguments and environment variables
ARG UID=1000
ENV ANDROID_SDK_ROOT="/home/appuser/sdk" \
    ANDROID_HOME="/home/appuser/sdk" \
    NODE_ENV="production"

# Install required packages
RUN set -ex; \
    apt-get update; \
    DEBIAN_FRONTEND=noninteractive apt-get install --yes \
      -o APT::Install-Suggests=false --no-install-recommends \
      patch git openjdk-11-jre-headless; \
    rm -rf /var/lib/apt/lists/*; \
    deluser node; \
    useradd --uid $UID --create-home --shell /bin/bash appuser; \
    mkdir -p /Users/runner/work/1/; \
    chown -R appuser:appuser /Users/;

# Switch to the new user
USER appuser

# Prepare Android SDK licenses
RUN set -ex; \
    mkdir -p "/home/appuser/sdk/licenses"; \
    printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/sdk/licenses/android-sdk-license"; \
    cd /Users/runner/work/1/; \
    git clone https://github.com/SlvLabs/slavi-wallet /Users/runner/work/1/s/;

# Set the working directory
WORKDIR /Users/runner/work/1/s/

# Install npm dependencies
RUN set -ex; \
    npm install --production --no-optional --omit=optional --no-audit --no-fund --ignore-scripts; \
    npm run postinstall;

# Build the Android app
RUN set -ex; \
    cd /Users/runner/work/1/s/android; \
    ./gradlew assembleRelease
```