261 lines
8.2 KiB
YAML
261 lines
8.2 KiB
YAML
name: Build Android APK
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- "**"
|
|
workflow_dispatch:
|
|
inputs:
|
|
release_tag:
|
|
description: "Release tag (example: v1.0.10)"
|
|
required: false
|
|
|
|
jobs:
|
|
build-apk:
|
|
runs-on: ubuntu-latest
|
|
|
|
env:
|
|
BASE_URL: ${{ secrets.BASE_URL }}
|
|
GOOGLE_SERVER_CLIENT_ID: ${{ secrets.GOOGLE_SERVER_CLIENT_ID }}
|
|
GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
|
|
TOKEN: ${{ secrets.TOKEN }}
|
|
RELEASE_TAG: ${{ github.event.inputs.release_tag || '' }}
|
|
ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
|
|
ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
|
|
ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
|
|
ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
|
|
EXPECTED_ANDROID_SHA1: ${{ secrets.EXPECTED_ANDROID_SHA1 }}
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup Java
|
|
uses: actions/setup-java@v4
|
|
with:
|
|
distribution: temurin
|
|
java-version: "17"
|
|
|
|
- name: Setup Flutter
|
|
uses: subosito/flutter-action@v2
|
|
with:
|
|
channel: stable
|
|
|
|
- name: Setup Android SDK
|
|
uses: android-actions/setup-android@v3
|
|
|
|
- name: Install Android SDK packages
|
|
run: |
|
|
sdkmanager "platform-tools" "platforms;android-35" "build-tools;35.0.0"
|
|
|
|
set +e
|
|
yes | sdkmanager --licenses >/dev/null 2>&1
|
|
LICENSE_EXIT=$?
|
|
set -e
|
|
|
|
if [ "$LICENSE_EXIT" -ne 0 ] && [ "$LICENSE_EXIT" -ne 141 ]; then
|
|
echo "sdkmanager --licenses failed with exit code $LICENSE_EXIT"
|
|
exit "$LICENSE_EXIT"
|
|
fi
|
|
|
|
- name: Show Flutter and Dart version
|
|
run: |
|
|
flutter --version
|
|
flutter doctor -v
|
|
|
|
- name: Install dependencies
|
|
run: flutter pub get
|
|
|
|
- name: Install release tooling
|
|
run: sudo apt-get update && sudo apt-get install -y jq
|
|
|
|
- name: Prepare Android release signing
|
|
run: |
|
|
if [ -n "${ANDROID_KEYSTORE_BASE64}" ] && [ -n "${ANDROID_KEYSTORE_PASSWORD}" ] && [ -n "${ANDROID_KEY_ALIAS}" ] && [ -n "${ANDROID_KEY_PASSWORD}" ]; then
|
|
echo "Preparing release keystore from secrets"
|
|
|
|
if ! python3 - <<'PY'
|
|
import base64
|
|
import os
|
|
import re
|
|
import sys
|
|
|
|
s = os.environ.get("ANDROID_KEYSTORE_BASE64", "")
|
|
if not s:
|
|
print("ANDROID_KEYSTORE_BASE64 is empty")
|
|
sys.exit(1)
|
|
|
|
# Normalize common copy/paste formats.
|
|
s = s.strip().strip('"').strip("'")
|
|
s = s.replace("\\n", "")
|
|
s = re.sub(r"^data:[^,]*,", "", s)
|
|
s = re.sub(r"\s+", "", s)
|
|
|
|
if not s:
|
|
print("ANDROID_KEYSTORE_BASE64 is empty after normalization")
|
|
sys.exit(1)
|
|
|
|
def try_decode(value: str, urlsafe: bool, validate: bool):
|
|
value = value + ("=" * (-len(value) % 4))
|
|
if urlsafe:
|
|
value = value.replace("-", "+").replace("_", "/")
|
|
return base64.b64decode(value, validate=validate)
|
|
|
|
decoded = None
|
|
errors = []
|
|
for urlsafe in (False, True):
|
|
for validate in (True, False):
|
|
try:
|
|
decoded = try_decode(s, urlsafe=urlsafe, validate=validate)
|
|
if decoded:
|
|
break
|
|
except Exception as e:
|
|
errors.append(str(e))
|
|
if decoded:
|
|
break
|
|
|
|
if not decoded:
|
|
print("Failed to decode ANDROID_KEYSTORE_BASE64")
|
|
print("Tip: generate with: base64 < release.jks | tr -d '\\n'")
|
|
if errors:
|
|
print("Last decode error:", errors[-1])
|
|
sys.exit(1)
|
|
|
|
with open("android/release.keystore", "wb") as f:
|
|
f.write(decoded)
|
|
|
|
print(f"Decoded keystore bytes: {len(decoded)}")
|
|
PY
|
|
then
|
|
echo "Keystore decoding failed"
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -s android/release.keystore ]; then
|
|
echo "Decoded keystore file is empty"
|
|
exit 1
|
|
fi
|
|
|
|
if ! keytool -list -keystore android/release.keystore -storepass "${ANDROID_KEYSTORE_PASSWORD}" >/dev/null 2>&1; then
|
|
echo "Decoded keystore is invalid or ANDROID_KEYSTORE_PASSWORD is incorrect"
|
|
exit 1
|
|
fi
|
|
|
|
{
|
|
echo "storeFile=release.keystore"
|
|
echo "storePassword=${ANDROID_KEYSTORE_PASSWORD}"
|
|
echo "keyAlias=${ANDROID_KEY_ALIAS}"
|
|
echo "keyPassword=${ANDROID_KEY_PASSWORD}"
|
|
} > android/key.properties
|
|
else
|
|
echo "Release signing secrets are required for tagged release builds."
|
|
echo "Please configure: ANDROID_KEYSTORE_BASE64, ANDROID_KEYSTORE_PASSWORD, ANDROID_KEY_ALIAS, ANDROID_KEY_PASSWORD"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Build release APK
|
|
run: |
|
|
BASE_URL_VALUE="${BASE_URL:-http://127.0.0.1:8000}"
|
|
|
|
FLUTTER_CMD=(
|
|
flutter build apk --release
|
|
--dart-define=BASE_URL=${BASE_URL_VALUE}
|
|
)
|
|
|
|
if [ -n "${GOOGLE_SERVER_CLIENT_ID}" ]; then
|
|
FLUTTER_CMD+=(--dart-define=GOOGLE_SERVER_CLIENT_ID=${GOOGLE_SERVER_CLIENT_ID})
|
|
fi
|
|
|
|
if [ -n "${GOOGLE_CLIENT_ID}" ]; then
|
|
FLUTTER_CMD+=(--dart-define=GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID})
|
|
fi
|
|
|
|
"${FLUTTER_CMD[@]}"
|
|
|
|
- name: Verify APK signing certificate
|
|
run: |
|
|
APK_PATH="build/app/outputs/flutter-apk/app-release.apk"
|
|
APKSIGNER_PATH="${ANDROID_SDK_ROOT}/build-tools/35.0.0/apksigner"
|
|
|
|
if [ ! -f "$APK_PATH" ]; then
|
|
echo "APK not found at $APK_PATH"
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -x "$APKSIGNER_PATH" ]; then
|
|
echo "apksigner not found at $APKSIGNER_PATH"
|
|
exit 1
|
|
fi
|
|
|
|
CERT_OUTPUT="$($APKSIGNER_PATH verify --print-certs "$APK_PATH")"
|
|
echo "$CERT_OUTPUT"
|
|
|
|
if [ -n "${EXPECTED_ANDROID_SHA1}" ]; then
|
|
APK_SHA1=$(echo "$CERT_OUTPUT" | sed -n 's/.*certificate SHA-1 digest: //p' | head -n1 | tr '[:lower:]' '[:upper:]')
|
|
EXPECTED_SHA1_UPPER=$(echo "${EXPECTED_ANDROID_SHA1}" | tr '[:lower:]' '[:upper:]')
|
|
|
|
if [ "$APK_SHA1" != "$EXPECTED_SHA1_UPPER" ]; then
|
|
echo "APK SHA-1 mismatch"
|
|
echo "Expected: $EXPECTED_SHA1_UPPER"
|
|
echo "Actual : $APK_SHA1"
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
- name: Create or update Gitea release and upload APK
|
|
if: ${{ env.RELEASE_TAG != '' }}
|
|
run: |
|
|
if [ -z "${TOKEN}" ]; then
|
|
echo "Missing required secret: TOKEN"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "${RELEASE_TAG}" ]; then
|
|
echo "Missing required workflow input: release_tag"
|
|
exit 1
|
|
fi
|
|
|
|
APK_PATH="build/app/outputs/flutter-apk/app-release.apk"
|
|
if [ ! -f "$APK_PATH" ]; then
|
|
echo "APK not found at $APK_PATH"
|
|
exit 1
|
|
fi
|
|
|
|
OWNER_REPO="${GITHUB_REPOSITORY}"
|
|
OWNER="${OWNER_REPO%%/*}"
|
|
REPO="${OWNER_REPO##*/}"
|
|
TAG="${RELEASE_TAG}"
|
|
API_BASE="${GITHUB_SERVER_URL}/api/v1"
|
|
|
|
RELEASE_JSON=$(curl -sS -X POST \
|
|
-H "Authorization: token ${TOKEN}" \
|
|
-H "Content-Type: application/json" \
|
|
"${API_BASE}/repos/${OWNER}/${REPO}/releases" \
|
|
-d "{\"tag_name\":\"${TAG}\",\"name\":\"${TAG}\",\"draft\":false,\"prerelease\":false}" \
|
|
|| true)
|
|
|
|
RELEASE_ID=$(echo "$RELEASE_JSON" | jq -r '.id // empty')
|
|
|
|
if [ -z "$RELEASE_ID" ]; then
|
|
# Fallback: release may already exist for the tag
|
|
RELEASE_JSON=$(curl -sS \
|
|
-H "Authorization: token ${TOKEN}" \
|
|
"${API_BASE}/repos/${OWNER}/${REPO}/releases/tags/${TAG}")
|
|
RELEASE_ID=$(echo "$RELEASE_JSON" | jq -r '.id // empty')
|
|
fi
|
|
|
|
if [ -z "$RELEASE_ID" ]; then
|
|
echo "Could not resolve release ID for tag ${TAG}"
|
|
echo "$RELEASE_JSON"
|
|
exit 1
|
|
fi
|
|
|
|
curl -sS -X POST \
|
|
-H "Authorization: token ${TOKEN}" \
|
|
-F "attachment=@${APK_PATH}" \
|
|
"${API_BASE}/repos/${OWNER}/${REPO}/releases/${RELEASE_ID}/assets?name=reader-app-${TAG}.apk"
|
|
|
|
- name: Skip release upload (no release_tag)
|
|
if: ${{ env.RELEASE_TAG == '' }}
|
|
run: echo "No release_tag provided. Build completed without creating a release."
|