Prepare Build For Release #5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Prepare Build For Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: 'Version to tag (e.g., v1.0.0)' | |
| required: true | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # Minimal permissions for build job - only read access needed | |
| contents: read | |
| # Required by attest-build-provenance action | |
| id-token: write | |
| attestations: write | |
| artifact-metadata: write | |
| env: | |
| # Github docs state that Secrets cannot be directly referenced in if: conditionals, we will use this ENV | |
| SIGNING_ENABLED: ${{ secrets.KEYSTORE_BASE64 && 'true' || '' }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| # Set up JDK 17 for Android build compatibility | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v5 | |
| with: | |
| java-version: '17' | |
| distribution: 'temurin' | |
| # Configure Gradle with caching for faster builds | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@v5 | |
| # Decode and setup the signing keystore if secrets are configured | |
| # To enable signing, add these secrets to your repository: | |
| # - KEYSTORE_BASE64: Base64 encoded keystore file | |
| # - KEYSTORE_PASSWORD: Password for the keystore | |
| # - KEY_ALIAS: Alias of the signing key | |
| # - KEY_PASSWORD: Password for the signing key | |
| - name: Setup signing keystore | |
| if: ${{ env.SIGNING_ENABLED == 'true' }} | |
| run: | | |
| echo "${{ secrets.KEYSTORE_BASE64 }}" | base64 -d > app/keystore.jks | |
| # Warn when signing secrets are not configured (debug signing will be used) | |
| - name: Warn if using debug signing | |
| if: ${{ env.SIGNING_ENABLED != 'true' }} | |
| run: | | |
| echo "::warning::Signing secrets not configured. APK will be signed with debug key. To enable release signing, add KEYSTORE_BASE64, KEYSTORE_PASSWORD, KEY_ALIAS, and KEY_PASSWORD secrets." | |
| # Build the release APK using Gradle | |
| # Uses signing config if keystore is available, otherwise uses debug signing | |
| - name: Build release APK | |
| env: | |
| KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }} | |
| KEY_ALIAS: ${{ secrets.KEY_ALIAS }} | |
| KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }} | |
| run: ./gradlew assembleRelease | |
| # Upload APK as artifact for download from workflow runs | |
| - name: Upload APK artifact | |
| uses: actions/upload-artifact@v6 | |
| with: | |
| name: app-release | |
| path: app/build/outputs/apk/release/*.apk | |
| if-no-files-found: error | |
| # Generate build provenance attestations so we can confirm a given binary was built using github action | |
| - name: Attest APK Builds | |
| uses: actions/attest-build-provenance@v3 | |
| with: | |
| subject-path: app/build/outputs/apk/release/*.apk | |
| # Clean up keystore file after build for security | |
| - name: Cleanup keystore | |
| if: ${{ always() && env.SIGNING_ENABLED == 'true' }} | |
| run: rm -f app/keystore.jks | |
| release: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # Required for gh CLI to create draft releases and upload assets | |
| contents: write | |
| steps: | |
| # Checkout required for gh CLI to work with the repository | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| # Download the APK built in the build job | |
| - name: Download APK artifact | |
| uses: actions/download-artifact@v7 | |
| with: | |
| name: app-release | |
| path: release-apk | |
| # Create a tag for the release | |
| - name: Create version tag | |
| run: | | |
| git tag ${{ github.event.inputs.version }} | |
| git push origin ${{ github.event.inputs.version }} | |
| # Create a draft release with the APK | |
| # Draft releases allow maintainers to review before publishing | |
| - name: Create draft release | |
| env: | |
| GH_TOKEN: ${{ github.token }} # User token must have WRITE permission granted | |
| run: | | |
| gh release create ${{ github.event.inputs.version }} release-apk/*.apk --draft --generate-notes |