diff --git a/.gitea/workflows/android-build.yaml b/.gitea/workflows/android-build.yaml index d995407..7a5b674 100644 --- a/.gitea/workflows/android-build.yaml +++ b/.gitea/workflows/android-build.yaml @@ -3,7 +3,7 @@ # a PR. It builds the native-flavoured SPA, bundles the offline dictionaries into the APK assets, and # assembles a release APK, uploaded as a run artifact (RuStore upload stays manual for the MVP). # -# Signing degrades gracefully: with the ANDROID_KEYSTORE_* secrets present the APK is signed; without +# Signing degrades gracefully: with the ANDROID_RUSTORE_* secrets present the APK is signed; without # them build.gradle produces an UNSIGNED release APK (so a dry run still proves the whole pipeline). # The keystore is a publication prerequisite — see deploy/README.md (Android build/release runbook). # The toolchain is self-provisioned here (JDK 21 + a cached Android SDK), so the runner host needs @@ -144,7 +144,7 @@ jobs: - name: Decode the release keystore id: keystore env: - ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }} + ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_RUSTORE_KEYSTORE_BASE64 }} run: | if [ -n "$ANDROID_KEYSTORE_BASE64" ]; then printf '%s' "$ANDROID_KEYSTORE_BASE64" | base64 -d > "${GITHUB_WORKSPACE}/release.jks" @@ -152,16 +152,16 @@ jobs: echo "keystore decoded -> signed release build" else echo "file=" >> "$GITHUB_OUTPUT" - echo "::warning::ANDROID_KEYSTORE_BASE64 is not set — building an UNSIGNED release APK (not installable/publishable)" + echo "::warning::ANDROID_RUSTORE_KEYSTORE_BASE64 secret is not set — building an UNSIGNED release APK (not installable/publishable)" fi - name: Assemble the release APK working-directory: ui/android env: ANDROID_KEYSTORE_FILE: ${{ steps.keystore.outputs.file }} - ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }} - ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }} - ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }} + ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_RUSTORE_KEYSTORE_PASSWORD }} + ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_RUSTORE_KEY_ALIAS }} + ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_RUSTORE_KEY_PASSWORD }} run: ./gradlew assembleRelease -PversionCode=${{ steps.prep.outputs.code }} -PversionName=${{ steps.prep.outputs.name }} --console=plain - name: Upload the APK artifact diff --git a/deploy/README.md b/deploy/README.md index ec4417b..0b72f4a 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -257,8 +257,8 @@ web/prod rollout — a signed APK uploaded to RuStore by hand. The build/release the SDK is missing or unreadable. - **Release keystore** (create once, **back up off-host** — losing it means the app can never be updated): `keytool -genkeypair -v -keystore erudit-release.jks -alias erudit -keyalg RSA -keysize 4096 -validity 10000`, - then set the Gitea **secrets** `ANDROID_KEYSTORE_BASE64` (`base64 -w0 erudit-release.jks`), - `ANDROID_KEYSTORE_PASSWORD`, `ANDROID_KEY_ALIAS`, `ANDROID_KEY_PASSWORD`. Set the `ANDROID_RUSTORE_URL` + then set the Gitea **secrets** `ANDROID_RUSTORE_KEYSTORE_BASE64` (`base64 -w0 erudit-release.jks`), + `ANDROID_RUSTORE_KEYSTORE_PASSWORD`, `ANDROID_RUSTORE_KEY_ALIAS`, `ANDROID_RUSTORE_KEY_PASSWORD`. Set the `ANDROID_RUSTORE_URL` variable to the store listing once published (empty until then — the in-app update button no-ops). - **Wire-break discipline:** the prod deploy that ships an incompatible wire change **also** bumps `GATEWAY_MIN_CLIENT_VERSION` to that release (see Optional variables), so an old installed APK is turned