chore(workflows,fastlane): configure macOS App Store distribution for desktop app (lanes, workflow, screenshots) (#2976)

.github/workflows/monthly-release.yaml

@@ -62,5 +62,5 @@ concurrency:
 jobs:
   monthly_release:
     name: Tag Monthly Release
-    uses: openMF/mifos-x-actionhub/.github/workflows/monthly-version-tag.yaml@v1.0.0
+    uses: openMF/mifos-x-actionhub/.github/workflows/monthly-version-tag.yaml@v1.0.7
     secrets: inherit

.github/workflows/multi-platform-build-and-publish.yml

@@ -0,0 +1,169 @@
+# GitHub Actions Workflow for Kotlin Multi-Platform Application Deployment
+#
+# OVERVIEW:
+# This workflow supports building and publishing applications across multiple platforms:
+# - Android (APK/AAB)
+# - iOS (IPA)
+# - Desktop (EXE, MSI, DMG, DEB)
+# - Web (GitHub Pages)
+#
+# PREREQUISITES:
+# Ensure your project is configured with:
+#  - Gradle build system
+#  - Kotlin Multiplatform Project with Android, iOS, Desktop, and Web modules
+#  - Fastlane for deployment automation
+#  - Separate modules/package names for each platform
+#
+# REQUIRED SECRETS:
+# Configure the following secrets in GitHub repository settings:
+# - ORIGINAL_KEYSTORE_FILE: Base64 encoded Android release keystore
+# - ORIGINAL_KEYSTORE_FILE_PASSWORD: Keystore password
+# - ORIGINAL_KEYSTORE_ALIAS: Keystore alias
+# - ORIGINAL_KEYSTORE_ALIAS_PASSWORD: Keystore alias password
+
+# - UPLOAD_KEYSTORE_FILE: Base64 encoded Android release keystore
+# - UPLOAD_KEYSTORE_FILE_PASSWORD: Keystore password
+# - UPLOAD_KEYSTORE_ALIAS: Keystore alias
+# - UPLOAD_KEYSTORE_ALIAS_PASSWORD: Keystore alias password
+
+# - GOOGLESERVICES: Google Services configuration JSON
+# - PLAYSTORECREDS: Play Store service account credentials
+# - FIREBASECREDS: Firebase distribution credentials
+
+# - NOTARIZATION_APPLE_ID: Apple ID for macOS app notarization
+# - NOTARIZATION_PASSWORD: Notarization password
+# - NOTARIZATION_TEAM_ID: Apple developer team ID
+
+# WORKFLOW INPUTS:
+# - release_type: 'internal' (default) or 'beta'
+# - target_branch: Branch to use for release (default: 'dev')
+# - android_package_name: Name of Android module
+# - ios_package_name: Name of iOS module
+# - desktop_package_name: Name of desktop module
+# - web_package_name: Name of web module
+# - publish_android: Enable/disable Android Play Store publishing
+# - build_ios: Enable/disable iOS build
+# - publish_ios: Enable/disable iOS App Store publishing
+
+# USAGE:
+# 1. Ensure all required secrets are configured
+# 2. Customize package names in workflow inputs
+# 3. Toggle platform-specific publishing flags
+# 4. Trigger workflow manually or via GitHub Actions UI
+
+# https://github.com/openMF/mifos-x-actionhub/blob/main/.github/workflows/multi-platform-build-and-publish.yaml
+
+# ##############################################################################
+#                 DON'T EDIT THIS FILE UNLESS NECESSARY                        #
+# ##############################################################################
+name: Multi-Platform Build and Publish
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_type:
+        type: choice
+        options:
+          - internal
+          - beta
+        default: internal
+        description: Release Type
+
+      target_branch:
+        type: string
+        default: 'development'
+        description: 'Target branch for release'
+
+      distribute_ios_firebase:
+        type: boolean
+        default: false
+        description: Distribute iOS App via Firebase App Distribution
+
+      distribute_ios_testflight:
+        type: boolean
+        default: false
+        description: Distribute iOS App via TestFlight (App Store Connect)
+
+      distribute_ios_appstore:
+        type: boolean
+        default: false
+        description: Distribute iOS App to Appstore
+
+permissions:
+  contents: write
+  id-token: write
+  pages: write
+
+concurrency:
+  group: "reusable"
+  cancel-in-progress: false
+
+jobs:
+  multi_platform_build_and_publish:
+    name: Multi-Platform Build and Publish
+    uses: openMF/mifos-x-actionhub/.github/workflows/multi-platform-build-and-publish.yaml@v1.0.7
+    with:
+      java-version: 21
+      release_type: ${{ inputs.release_type }}
+      target_branch: ${{ inputs.target_branch }}
+      android_package_name: 'cmp-android'
+      ios_package_name: 'cmp-ios'
+      desktop_package_name: 'cmp-desktop'
+      web_package_name: 'cmp-web'
+      tester_groups: 'mifos-mobile-apps'
+      app_identifier: 'org.mifos.mobile'
+      git_url: 'git@github.com:openMF/ios-provisioning-profile.git'
+      git_branch: 'mifos-mobile'
+      match_type: 'adhoc'
+      provisioning_profile_name: 'match AdHoc org.mifos.mobile'
+      firebase_app_id: '1:728434912738:ios:ee2e0815a6915b351a1dbb'
+      metadata_path: './fastlane/metadata/ios'
+      use_cocoapods: true         # <-- Set to true if using CocoaPods integration for KMP
+      shared_module: ':cmp-shared' # <-- Gradle path to your shared KMP module (e.g., :shared)
+      cmp_desktop_dir: 'cmp-desktop'
+      keychain_name: signing.keychain-db # optional
+      distribute_ios_firebase: ${{ inputs.distribute_ios_firebase }}
+      distribute_ios_testflight: ${{ inputs.distribute_ios_testflight }}
+      distribute_ios_appstore: ${{ inputs.distribute_ios_appstore }}
+    secrets:
+      original_keystore_file: ${{ secrets.ORIGINAL_KEYSTORE_FILE }}
+      original_keystore_file_password: ${{ secrets.ORIGINAL_KEYSTORE_FILE_PASSWORD }}
+      original_keystore_alias: ${{ secrets.ORIGINAL_KEYSTORE_ALIAS }}
+      original_keystore_alias_password: ${{ secrets.ORIGINAL_KEYSTORE_ALIAS_PASSWORD }}
+
+      upload_keystore_file: ${{ secrets.UPLOAD_KEYSTORE_FILE }}
+      upload_keystore_file_password: ${{ secrets.UPLOAD_KEYSTORE_FILE_PASSWORD }}
+      upload_keystore_alias: ${{ secrets.UPLOAD_KEYSTORE_ALIAS }}
+      upload_keystore_alias_password: ${{ secrets.UPLOAD_KEYSTORE_ALIAS_PASSWORD }}
+
+      notarization_apple_id: ${{ secrets.NOTARIZATION_APPLE_ID }}
+      notarization_password: ${{ secrets.NOTARIZATION_PASSWORD }}
+      notarization_team_id: ${{ secrets.NOTARIZATION_TEAM_ID }}
+      keychain_password: ${{ secrets.KEYCHAIN_PASSWORD }}
+      certificates_password: ${{ secrets.CERTIFICATES_PASSWORD }}
+      mac_app_distribution_certificate_b64: ${{ secrets.MAC_APP_DISTRIBUTION_CERTIFICATE_B64 }}
+      mac_installer_distribution_certificate_b64: ${{ secrets.MAC_INSTALLER_DISTRIBUTION_CERTIFICATE_B64 }}
+      mac_embedded_provision_b64: ${{ secrets.MAC_EMBEDDED_PROVISION_B64 }}
+      mac_runtime_provision_b64: ${{ secrets.MAC_RUNTIME_PROVISION_B64 }}
+      appstore_key_id: ${{ secrets.APPSTORE_KEY_ID }}
+      appstore_issuer_id: ${{ secrets.APPSTORE_ISSUER_ID }}
+      appstore_auth_key: ${{ secrets.APPSTORE_AUTH_KEY }}
+      match_password: ${{ secrets.MATCH_PASSWORD }}
+      match_ssh_private_key: ${{ secrets.MATCH_SSH_PRIVATE_KEY }}
+
+      windows_signing_key: ${{ secrets.WINDOWS_SIGNING_KEY }}
+      windows_signing_password: ${{ secrets.WINDOWS_SIGNING_PASSWORD }}
+      windows_signing_certificate: ${{ secrets.WINDOWS_SIGNING_CERTIFICATE }}
+
+      macos_signing_key: ${{ secrets.MACOS_SIGNING_KEY }}
+      macos_signing_password: ${{ secrets.MACOS_SIGNING_PASSWORD }}
+      macos_signing_certificate: ${{ secrets.MACOS_SIGNING_CERTIFICATE }}
+
+      linux_signing_key: ${{ secrets.LINUX_SIGNING_KEY }}
+      linux_signing_password: ${{ secrets.LINUX_SIGNING_PASSWORD }}
+      linux_signing_certificate: ${{ secrets.LINUX_SIGNING_CERTIFICATE }}
+
+      google_services: ${{ secrets.GOOGLESERVICES }}
+      firebase_creds: ${{ secrets.FIREBASECREDS }}
+      playstore_creds: ${{ secrets.PLAYSTORECREDS }}
+      token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-check.yml

@@ -13,7 +13,7 @@
 ### Workflow Jobs
 # 1. **Setup**: Prepares the build environment
 #   - Checks out repository code
-#   - Sets up Java 17
+#   - Sets up Java (configurable; defaults to 17)
 #   - Configures Gradle
 #   - Manages dependency caching
 #
@@ -36,7 +36,7 @@
 #   - Generates platform-specific executables and packages
 #
 ### Prerequisites
-#   - Java 17
+#   - Java (configurable; default 17)
 #   - Gradle
 #   - Configured build scripts for:
 #       - Android module
@@ -49,13 +49,19 @@
 ### Configuration Parameters
 # The workflow requires two input parameters:
 #
-#   |         Parameter      |              Description           |  Type  | Required |
-#   |------------------------|------------------------------------|--------|----------|
-#   | `android_package_name` | Name of the Android project module | String |    Yes   |
-#   | `desktop_package_name` | Name of the Desktop project module | String |    Yes   |
+#   |         Parameter      |              Description           |  Type  | Required  |
+#   |------------------------|------------------------------------|--------|-----------|
+#   | `android_package_name` | Name of the Android project module | String |    Yes    |
+#   | `desktop_package_name` | Name of the Desktop project module | String |    Yes    |
+#   |`web_package_name`      | Name of the Web (Kotlin/JS) project/module | String | No|
+#   |`ios_package_name`      | Name of the iOS project/module	| String |	No	       |
+#   |`build_ios`	         | Build iOS targets as part of PR checks |	Boolean	| No   |
+#   |`use_cocoapods`         | Use CocoaPods for iOS integration	| Boolean	| No   |
+#   |`shared_module	         | Path of the shared KMP module  |	String	| (required when build_ios=true) |
+#   |`java-version	         | Java version to use (configurable; defaults to 17)| No  |
 #
 
-# https://github.com/openMF/mifos-mobile-github-actions/blob/main/.github/workflows/pr-check.yaml
+# https://github.com/openMF/mifos-x-actionhub/blob/main/.github/workflows/pr-check.yaml
 
 # ##############################################################################
 #                 DON'T EDIT THIS FILE UNLESS NECESSARY                        #
@@ -82,7 +88,7 @@ permissions:
 jobs:
   pr_checks:
     name: PR Checks KMP
-    uses: openMF/mifos-x-actionhub/.github/workflows/pr-check.yaml@v1.0.0
+    uses: openMF/mifos-x-actionhub/.github/workflows/pr-check.yaml@v1.0.7
     secrets: inherit
     with:
       android_package_name: 'cmp-android' # <-- Change Your Android Package Name
@@ -90,3 +96,6 @@ jobs:
       web_package_name: 'cmp-web' # <-- Change Your Web Package Name
       ios_package_name: 'cmp-ios' # <-- Change Your iOS Package Name
       build_ios: true # <-- Change to 'false' if you don't want to build iOS
+      use_cocoapods: true
+      shared_module: ':cmp-shared'
+      java-version: '21'

.github/workflows/promote-to-production.yml

@@ -70,6 +70,6 @@ jobs:
   # Job to promote app from beta to production in Play Store
   play_promote_production:
     name: Promote Beta to Production Play Store
-    uses: openMF/mifos-x-actionhub/.github/workflows/promote-to-production.yaml@main
+    uses: openMF/mifos-x-actionhub/.github/workflows/promote-to-production.yaml@v1.0.7
     secrets:
       playstore_creds: ${{ secrets.PLAYSTORECREDS }}

.github/workflows/tag-weekly-release.yml

@@ -13,11 +13,11 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Set up JDK 17
+      - name: Set up JDK 21
         uses: actions/setup-java@v4.2.2
         with:
           distribution: 'temurin'
-          java-version: '17'
+          java-version: '21'
 
       - name: Tag Weekly Release
         env:

.run/cmp-desktop.run.xml

@@ -1,6 +1,11 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="cmp-desktop" type="GradleRunConfiguration" factoryName="Gradle">
     <ExternalSystemSettings>
+      <option name="env">
+        <map>
+          <entry key="DEVELOPER_DIR" value="/Applications/Xcode.app/Contents/Developer" />
+        </map>
+      </option>
       <option name="executionName" />
       <option name="externalProjectPath" value="$PROJECT_DIR$" />
       <option name="externalSystemIdString" value="GRADLE" />

build-logic/convention/build.gradle.kts

@@ -9,12 +9,12 @@ group = "org.mifos.mobile.buildlogic"
 // Configure the build-logic plugins to target JDK 17
 // This matches the JDK used to build the project, and is not related to what is running on device.
 java {
-    sourceCompatibility = JavaVersion.VERSION_17
-    targetCompatibility = JavaVersion.VERSION_17
+    sourceCompatibility = JavaVersion.VERSION_21
+    targetCompatibility = JavaVersion.VERSION_21
 }
 tasks.withType<KotlinCompile>().configureEach {
     kotlinOptions {
-        jvmTarget = JavaVersion.VERSION_17.toString()
+        jvmTarget = JavaVersion.VERSION_21.toString()
     }
 }
 

build-logic/convention/src/main/kotlin/org/mifos/mobile/Detekt.kt

@@ -8,7 +8,7 @@ import org.gradle.kotlin.dsl.named
 
 internal fun Project.configureDetekt(extension: DetektExtension) = extension.apply {
     tasks.named<Detekt>("detekt") {
-        jvmTarget = "17"
+        jvmTarget = "21"
         source(files(rootDir))
         include("**/*.kt")
         exclude("**/*.kts")

build-logic/convention/src/main/kotlin/org/mifos/mobile/KotlinAndroid.kt

@@ -28,8 +28,8 @@ internal fun Project.configureKotlinAndroid(
         compileOptions {
             // Up to Java 11 APIs are available through desugaring
             // https://developer.android.com/studio/write/java11-minimal-support-table
-            sourceCompatibility = JavaVersion.VERSION_17
-            targetCompatibility = JavaVersion.VERSION_17
+            sourceCompatibility = JavaVersion.VERSION_21
+            targetCompatibility = JavaVersion.VERSION_21
             isCoreLibraryDesugaringEnabled = true
         }
     }
@@ -48,8 +48,8 @@ internal fun Project.configureKotlinJvm() {
     extensions.configure<JavaPluginExtension> {
         // Up to Java 11 APIs are available through desugaring
         // https://developer.android.com/studio/write/java11-minimal-support-table
-        sourceCompatibility = JavaVersion.VERSION_17
-        targetCompatibility = JavaVersion.VERSION_17
+        sourceCompatibility = JavaVersion.VERSION_21
+        targetCompatibility = JavaVersion.VERSION_21
     }
 
     configureKotlin()
@@ -62,8 +62,8 @@ private fun Project.configureKotlin() {
     // Use withType to workaround https://youtrack.jetbrains.com/issue/KT-55947
     tasks.withType<KotlinCompile>().configureEach {
         compilerOptions {
-            // Set JVM target to 17
-            jvmTarget = JvmTarget.JVM_17
+            // Set JVM target to 21
+            jvmTarget = JvmTarget.JVM_21
             // Treat all Kotlin warnings as errors (disabled by default)
             // Override by setting warningsAsErrors=true in your ~/.gradle/gradle.properties
             val warningsAsErrors: String? by project

cmp-desktop/build.gradle.kts

@@ -21,7 +21,7 @@ kotlin {
         withJava()
     }
 
-    jvmToolchain(17)
+    jvmToolchain(21)
 
     sourceSets {
         jvmMain.dependencies {
@@ -46,8 +46,19 @@ val appVersion: String = libs.versions.packageVersion.get()
 compose.desktop {
     application {
         mainClass = "MainKt"
+
+        val buildNumber: String = (project.findProperty("buildNumber") as String?) ?: "1"
+        val isAppStoreRelease: Boolean =
+            (project.findProperty("macOsAppStoreRelease") as String?)?.toBoolean() ?: false
+
         nativeDistributions {
-            targetFormats(TargetFormat.Dmg, TargetFormat.Msi, TargetFormat.Exe, TargetFormat.Deb)
+            targetFormats(
+                TargetFormat.Pkg,
+                TargetFormat.Dmg,
+                TargetFormat.Msi,
+                TargetFormat.Exe,
+                TargetFormat.Deb
+            )
             packageName = appName
             packageVersion = appVersion
             description = "Desktop Application"
@@ -55,16 +66,39 @@ compose.desktop {
             vendor = "Mifos Initiative"
             licenseFile.set(project.file("../LICENSE"))
             includeAllModules = true
+            outputBaseDir.set(project.layout.buildDirectory.dir("release"))
 
             macOS {
                 bundleID = packageNameSpace
                 dockName = appName
                 iconFile.set(project.file("icons/ic_launcher.icns"))
-                notarization {
-                    val providers = project.providers
-                    appleID.set(providers.environmentVariable("NOTARIZATION_APPLE_ID"))
-                    password.set(providers.environmentVariable("NOTARIZATION_PASSWORD"))
-                    teamID.set(providers.environmentVariable("NOTARIZATION_TEAM_ID"))
+                minimumSystemVersion = "12.0"
+                appStore = isAppStoreRelease
+
+                infoPlist {
+                    packageBuildVersion = buildNumber
+                    extraKeysRawXml = """
+                    <key>ITSAppUsesNonExemptEncryption</key>
+                    <false/>
+                """.trimIndent()
+                }
+
+                if (isAppStoreRelease) {
+                    signing {
+                        sign.set(true)
+                        identity.set("The Mifos Initiative")
+                    }
+                    provisioningProfile.set(project.file("embedded.provisionprofile"))
+                    runtimeProvisioningProfile.set(project.file("runtime.provisionprofile"))
+                    entitlementsFile.set(project.file("entitlements.plist"))
+                    runtimeEntitlementsFile.set(project.file("runtime-entitlements.plist"))
+                } else {
+                    notarization {
+                        val providers = project.providers
+                        appleID.set(providers.environmentVariable("NOTARIZATION_APPLE_ID"))
+                        password.set(providers.environmentVariable("NOTARIZATION_PASSWORD"))
+                        teamID.set(providers.environmentVariable("NOTARIZATION_TEAM_ID"))
+                    }
                 }
             }
 
@@ -82,9 +116,36 @@ compose.desktop {
             }
         }
         buildTypes.release.proguard {
-            configurationFiles.from(file("compose-desktop.pro"))
-            obfuscate.set(true)
-            optimize.set(true)
+            isEnabled = false
+//            configurationFiles.from(file("compose-desktop.pro"))
+//            obfuscate.set(true)
+//            optimize.set(true)
         }
     }
 }
+
+/**
+ * Removes the `com.apple.quarantine` extended attribute from the built `.app`.
+ *
+ * Why:
+ * Gatekeeper may mark files from the Internet with `com.apple.quarantine`.
+ * If any such file ends up inside the `.app`, App Store validation can fail.
+ */
+val unquarantineApp = tasks.register<Exec>("unquarantineMacApp") {
+    group = "macOS"
+    description = "Remove com.apple.quarantine from the built .app before signing"
+    onlyIf { org.gradle.internal.os.OperatingSystem.current().isMacOsX }
+
+    dependsOn("createReleaseDistributable")
+
+    val appName = "$appName.app" // set to your final .app name
+    val appPath = layout.buildDirectory
+        .dir("release/main-release/app/$appName")
+        .map { it.asFile.absolutePath }
+
+    commandLine("xattr", "-dr", "com.apple.quarantine", appPath.get())
+}
+
+tasks.matching { it.name == "packageReleasePkg" }.configureEach {
+    dependsOn(unquarantineApp)
+}

cmp-desktop/entitlements.plist

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.app-sandbox</key><true/>
+    <key>com.apple.security.cs.allow-jit</key><true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+    <key>com.apple.security.cs.debugger</key><true/>
+    <key>com.apple.security.device.audio-input</key><true/>
+    <key>com.apple.application-identifier</key><string>L432S2FZP5.org.mifos.mobile</string>
+    <key>com.apple.developer.team-identifier</key><string>L432S2FZP5</string>
+    <!-- Add more entitlements as needed -->
+</dict>
+</plist>

cmp-desktop/runtime-entitlements.plist

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.app-sandbox</key><true/>
+    <key>com.apple.security.cs.allow-jit</key><true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+    <key>com.apple.security.cs.debugger</key><true/>
+    <key>com.apple.security.device.audio-input</key><true/>
+</dict>
+</plist>

core/database/build.gradle.kts

@@ -32,8 +32,8 @@ android {
     }
 
     compileOptions {
-        sourceCompatibility = JavaVersion.VERSION_17
-        targetCompatibility = JavaVersion.VERSION_17
+        sourceCompatibility = JavaVersion.VERSION_21
+        targetCompatibility = JavaVersion.VERSION_21
     }
 }
 

fastlane/metadata/ios/en-US/support_url.txt

@@ -1 +1 @@
-https://github.com/openMF/mifos-mobile
+https://mifos.org/resources/support/