name: Build Android APK on: push: branches: - "**" workflow_dispatch: inputs: release_tag: description: "Release tag (example: v1.0.10)" required: false jobs: build-apk: runs-on: ubuntu-latest env: BASE_URL: ${{ secrets.BASE_URL }} GOOGLE_SERVER_CLIENT_ID: ${{ secrets.GOOGLE_SERVER_CLIENT_ID }} GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }} TOKEN: ${{ secrets.TOKEN }} RELEASE_TAG: ${{ github.event.inputs.release_tag || '' }} ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }} ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }} ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }} ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }} EXPECTED_ANDROID_SHA1: ${{ secrets.EXPECTED_ANDROID_SHA1 }} steps: - name: Checkout uses: actions/checkout@v4 - name: Setup Java uses: actions/setup-java@v4 with: distribution: temurin java-version: "17" - name: Setup Flutter uses: subosito/flutter-action@v2 with: channel: stable - name: Setup Android SDK uses: android-actions/setup-android@v3 - name: Install Android SDK packages run: | sdkmanager "platform-tools" "platforms;android-35" "build-tools;35.0.0" set +e yes | sdkmanager --licenses >/dev/null 2>&1 LICENSE_EXIT=$? set -e if [ "$LICENSE_EXIT" -ne 0 ] && [ "$LICENSE_EXIT" -ne 141 ]; then echo "sdkmanager --licenses failed with exit code $LICENSE_EXIT" exit "$LICENSE_EXIT" fi - name: Show Flutter and Dart version run: | flutter --version flutter doctor -v - name: Install dependencies run: flutter pub get - name: Install release tooling run: sudo apt-get update && sudo apt-get install -y jq - name: Prepare Android release signing run: | if [ -n "${ANDROID_KEYSTORE_BASE64}" ] && [ -n "${ANDROID_KEYSTORE_PASSWORD}" ] && [ -n "${ANDROID_KEY_ALIAS}" ] && [ -n "${ANDROID_KEY_PASSWORD}" ]; then echo "Preparing release keystore from secrets" if ! python3 - <<'PY' import base64 import os import re import sys s = os.environ.get("ANDROID_KEYSTORE_BASE64", "") if not s: print("ANDROID_KEYSTORE_BASE64 is empty") sys.exit(1) # Normalize common copy/paste formats. s = s.strip().strip('"').strip("'") s = s.replace("\\n", "") s = re.sub(r"^data:[^,]*,", "", s) s = re.sub(r"\s+", "", s) if not s: print("ANDROID_KEYSTORE_BASE64 is empty after normalization") sys.exit(1) def try_decode(value: str, urlsafe: bool, validate: bool): value = value + ("=" * (-len(value) % 4)) if urlsafe: value = value.replace("-", "+").replace("_", "/") return base64.b64decode(value, validate=validate) decoded = None errors = [] for urlsafe in (False, True): for validate in (True, False): try: decoded = try_decode(s, urlsafe=urlsafe, validate=validate) if decoded: break except Exception as e: errors.append(str(e)) if decoded: break if not decoded: print("Failed to decode ANDROID_KEYSTORE_BASE64") print("Tip: generate with: base64 < release.jks | tr -d '\\n'") if errors: print("Last decode error:", errors[-1]) sys.exit(1) with open("android/release.keystore", "wb") as f: f.write(decoded) print(f"Decoded keystore bytes: {len(decoded)}") PY then echo "Keystore decoding failed" exit 1 fi if [ ! -s android/release.keystore ]; then echo "Decoded keystore file is empty" exit 1 fi if ! keytool -list -keystore android/release.keystore -storepass "${ANDROID_KEYSTORE_PASSWORD}" >/dev/null 2>&1; then echo "Decoded keystore is invalid or ANDROID_KEYSTORE_PASSWORD is incorrect" exit 1 fi { echo "storeFile=release.keystore" echo "storePassword=${ANDROID_KEYSTORE_PASSWORD}" echo "keyAlias=${ANDROID_KEY_ALIAS}" echo "keyPassword=${ANDROID_KEY_PASSWORD}" } > android/key.properties else echo "Release signing secrets are required for tagged release builds." echo "Please configure: ANDROID_KEYSTORE_BASE64, ANDROID_KEYSTORE_PASSWORD, ANDROID_KEY_ALIAS, ANDROID_KEY_PASSWORD" exit 1 fi - name: Build release APK run: | BASE_URL_VALUE="${BASE_URL:-http://127.0.0.1:8000}" FLUTTER_CMD=( flutter build apk --release --dart-define=BASE_URL=${BASE_URL_VALUE} ) if [ -n "${GOOGLE_SERVER_CLIENT_ID}" ]; then FLUTTER_CMD+=(--dart-define=GOOGLE_SERVER_CLIENT_ID=${GOOGLE_SERVER_CLIENT_ID}) fi if [ -n "${GOOGLE_CLIENT_ID}" ]; then FLUTTER_CMD+=(--dart-define=GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID}) fi "${FLUTTER_CMD[@]}" - name: Verify APK signing certificate run: | APK_PATH="build/app/outputs/flutter-apk/app-release.apk" APKSIGNER_PATH="${ANDROID_SDK_ROOT}/build-tools/35.0.0/apksigner" if [ ! -f "$APK_PATH" ]; then echo "APK not found at $APK_PATH" exit 1 fi if [ ! -x "$APKSIGNER_PATH" ]; then echo "apksigner not found at $APKSIGNER_PATH" exit 1 fi CERT_OUTPUT="$($APKSIGNER_PATH verify --print-certs "$APK_PATH")" echo "$CERT_OUTPUT" if [ -n "${EXPECTED_ANDROID_SHA1}" ]; then APK_SHA1=$(echo "$CERT_OUTPUT" | sed -n 's/.*certificate SHA-1 digest: //p' | head -n1 | tr '[:lower:]' '[:upper:]') EXPECTED_SHA1_UPPER=$(echo "${EXPECTED_ANDROID_SHA1}" | tr '[:lower:]' '[:upper:]') if [ "$APK_SHA1" != "$EXPECTED_SHA1_UPPER" ]; then echo "APK SHA-1 mismatch" echo "Expected: $EXPECTED_SHA1_UPPER" echo "Actual : $APK_SHA1" exit 1 fi fi - name: Create or update Gitea release and upload APK if: ${{ env.RELEASE_TAG != '' }} run: | if [ -z "${TOKEN}" ]; then echo "Missing required secret: TOKEN" exit 1 fi if [ -z "${RELEASE_TAG}" ]; then echo "Missing required workflow input: release_tag" exit 1 fi APK_PATH="build/app/outputs/flutter-apk/app-release.apk" if [ ! -f "$APK_PATH" ]; then echo "APK not found at $APK_PATH" exit 1 fi OWNER_REPO="${GITHUB_REPOSITORY}" OWNER="${OWNER_REPO%%/*}" REPO="${OWNER_REPO##*/}" TAG="${RELEASE_TAG}" API_BASE="${GITHUB_SERVER_URL}/api/v1" RELEASE_JSON=$(curl -sS -X POST \ -H "Authorization: token ${TOKEN}" \ -H "Content-Type: application/json" \ "${API_BASE}/repos/${OWNER}/${REPO}/releases" \ -d "{\"tag_name\":\"${TAG}\",\"name\":\"${TAG}\",\"draft\":false,\"prerelease\":false}" \ || true) RELEASE_ID=$(echo "$RELEASE_JSON" | jq -r '.id // empty') if [ -z "$RELEASE_ID" ]; then # Fallback: release may already exist for the tag RELEASE_JSON=$(curl -sS \ -H "Authorization: token ${TOKEN}" \ "${API_BASE}/repos/${OWNER}/${REPO}/releases/tags/${TAG}") RELEASE_ID=$(echo "$RELEASE_JSON" | jq -r '.id // empty') fi if [ -z "$RELEASE_ID" ]; then echo "Could not resolve release ID for tag ${TAG}" echo "$RELEASE_JSON" exit 1 fi curl -sS -X POST \ -H "Authorization: token ${TOKEN}" \ -F "attachment=@${APK_PATH}" \ "${API_BASE}/repos/${OWNER}/${REPO}/releases/${RELEASE_ID}/assets?name=reader-app-${TAG}.apk" - name: Skip release upload (no release_tag) if: ${{ env.RELEASE_TAG == '' }} run: echo "No release_tag provided. Build completed without creating a release."