Skip to content

Prepare Build For Release #5

Prepare Build For Release

Prepare Build For Release #5

Workflow file for this run

name: Prepare Build For Release
on:
workflow_dispatch:
inputs:
version:
description: 'Version to tag (e.g., v1.0.0)'
required: true
jobs:
build:
runs-on: ubuntu-latest
permissions:
# Minimal permissions for build job - only read access needed
contents: read
# Required by attest-build-provenance action
id-token: write
attestations: write
artifact-metadata: write
env:
# Github docs state that Secrets cannot be directly referenced in if: conditionals, we will use this ENV
SIGNING_ENABLED: ${{ secrets.KEYSTORE_BASE64 && 'true' || '' }}
steps:
- name: Checkout repository
uses: actions/checkout@v6
# Set up JDK 17 for Android build compatibility
- name: Set up JDK 17
uses: actions/setup-java@v5
with:
java-version: '17'
distribution: 'temurin'
# Configure Gradle with caching for faster builds
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v5
# Decode and setup the signing keystore if secrets are configured
# To enable signing, add these secrets to your repository:
# - KEYSTORE_BASE64: Base64 encoded keystore file
# - KEYSTORE_PASSWORD: Password for the keystore
# - KEY_ALIAS: Alias of the signing key
# - KEY_PASSWORD: Password for the signing key
- name: Setup signing keystore
if: ${{ env.SIGNING_ENABLED == 'true' }}
run: |
echo "${{ secrets.KEYSTORE_BASE64 }}" | base64 -d > app/keystore.jks
# Warn when signing secrets are not configured (debug signing will be used)
- name: Warn if using debug signing
if: ${{ env.SIGNING_ENABLED != 'true' }}
run: |
echo "::warning::Signing secrets not configured. APK will be signed with debug key. To enable release signing, add KEYSTORE_BASE64, KEYSTORE_PASSWORD, KEY_ALIAS, and KEY_PASSWORD secrets."
# Build the release APK using Gradle
# Uses signing config if keystore is available, otherwise uses debug signing
- name: Build release APK
env:
KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
run: ./gradlew assembleRelease
# Upload APK as artifact for download from workflow runs
- name: Upload APK artifact
uses: actions/upload-artifact@v6
with:
name: app-release
path: app/build/outputs/apk/release/*.apk
if-no-files-found: error
# Generate build provenance attestations so we can confirm a given binary was built using github action
- name: Attest APK Builds
uses: actions/attest-build-provenance@v3
with:
subject-path: app/build/outputs/apk/release/*.apk
# Clean up keystore file after build for security
- name: Cleanup keystore
if: ${{ always() && env.SIGNING_ENABLED == 'true' }}
run: rm -f app/keystore.jks
release:
needs: build
runs-on: ubuntu-latest
permissions:
# Required for gh CLI to create draft releases and upload assets
contents: write
steps:
# Checkout required for gh CLI to work with the repository
- name: Checkout repository
uses: actions/checkout@v6
# Download the APK built in the build job
- name: Download APK artifact
uses: actions/download-artifact@v7
with:
name: app-release
path: release-apk
# Create a tag for the release
- name: Create version tag
run: |
git tag ${{ github.event.inputs.version }}
git push origin ${{ github.event.inputs.version }}
# Create a draft release with the APK
# Draft releases allow maintainers to review before publishing
- name: Create draft release
env:
GH_TOKEN: ${{ github.token }} # User token must have WRITE permission granted
run: |
gh release create ${{ github.event.inputs.version }} release-apk/*.apk --draft --generate-notes