chore(android): rename the RuStore signing secrets ANDROID_* -> ANDROID_RUSTORE_*
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 23s
CI / ui (pull_request) Successful in 1m15s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m59s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 23s
CI / ui (pull_request) Successful in 1m15s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m59s
The signing key is store-specific: RuStore self-signs (the cert is the app cert), while Google Play re-signs via Play App Signing (the uploaded key is only the upload key). Keep a separate key per store and name the secrets accordingly. Only the Gitea secret names change; build.gradle keeps the store-agnostic env contract (ANDROID_KEYSTORE_*), so the same build serves a future Google key from its own workflow. New names: ANDROID_RUSTORE_KEYSTORE_BASE64 / _KEYSTORE_PASSWORD / _KEY_ALIAS / _KEY_PASSWORD.
This commit is contained in:
@@ -3,7 +3,7 @@
|
|||||||
# a PR. It builds the native-flavoured SPA, bundles the offline dictionaries into the APK assets, and
|
# a PR. It builds the native-flavoured SPA, bundles the offline dictionaries into the APK assets, and
|
||||||
# assembles a release APK, uploaded as a run artifact (RuStore upload stays manual for the MVP).
|
# assembles a release APK, uploaded as a run artifact (RuStore upload stays manual for the MVP).
|
||||||
#
|
#
|
||||||
# Signing degrades gracefully: with the ANDROID_KEYSTORE_* secrets present the APK is signed; without
|
# Signing degrades gracefully: with the ANDROID_RUSTORE_* secrets present the APK is signed; without
|
||||||
# them build.gradle produces an UNSIGNED release APK (so a dry run still proves the whole pipeline).
|
# them build.gradle produces an UNSIGNED release APK (so a dry run still proves the whole pipeline).
|
||||||
# The keystore is a publication prerequisite — see deploy/README.md (Android build/release runbook).
|
# The keystore is a publication prerequisite — see deploy/README.md (Android build/release runbook).
|
||||||
# The toolchain is self-provisioned here (JDK 21 + a cached Android SDK), so the runner host needs
|
# The toolchain is self-provisioned here (JDK 21 + a cached Android SDK), so the runner host needs
|
||||||
@@ -144,7 +144,7 @@ jobs:
|
|||||||
- name: Decode the release keystore
|
- name: Decode the release keystore
|
||||||
id: keystore
|
id: keystore
|
||||||
env:
|
env:
|
||||||
ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
|
ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_RUSTORE_KEYSTORE_BASE64 }}
|
||||||
run: |
|
run: |
|
||||||
if [ -n "$ANDROID_KEYSTORE_BASE64" ]; then
|
if [ -n "$ANDROID_KEYSTORE_BASE64" ]; then
|
||||||
printf '%s' "$ANDROID_KEYSTORE_BASE64" | base64 -d > "${GITHUB_WORKSPACE}/release.jks"
|
printf '%s' "$ANDROID_KEYSTORE_BASE64" | base64 -d > "${GITHUB_WORKSPACE}/release.jks"
|
||||||
@@ -152,16 +152,16 @@ jobs:
|
|||||||
echo "keystore decoded -> signed release build"
|
echo "keystore decoded -> signed release build"
|
||||||
else
|
else
|
||||||
echo "file=" >> "$GITHUB_OUTPUT"
|
echo "file=" >> "$GITHUB_OUTPUT"
|
||||||
echo "::warning::ANDROID_KEYSTORE_BASE64 is not set — building an UNSIGNED release APK (not installable/publishable)"
|
echo "::warning::ANDROID_RUSTORE_KEYSTORE_BASE64 secret is not set — building an UNSIGNED release APK (not installable/publishable)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
- name: Assemble the release APK
|
- name: Assemble the release APK
|
||||||
working-directory: ui/android
|
working-directory: ui/android
|
||||||
env:
|
env:
|
||||||
ANDROID_KEYSTORE_FILE: ${{ steps.keystore.outputs.file }}
|
ANDROID_KEYSTORE_FILE: ${{ steps.keystore.outputs.file }}
|
||||||
ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
|
ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_RUSTORE_KEYSTORE_PASSWORD }}
|
||||||
ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
|
ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_RUSTORE_KEY_ALIAS }}
|
||||||
ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
|
ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_RUSTORE_KEY_PASSWORD }}
|
||||||
run: ./gradlew assembleRelease -PversionCode=${{ steps.prep.outputs.code }} -PversionName=${{ steps.prep.outputs.name }} --console=plain
|
run: ./gradlew assembleRelease -PversionCode=${{ steps.prep.outputs.code }} -PversionName=${{ steps.prep.outputs.name }} --console=plain
|
||||||
|
|
||||||
- name: Upload the APK artifact
|
- name: Upload the APK artifact
|
||||||
|
|||||||
+2
-2
@@ -257,8 +257,8 @@ web/prod rollout — a signed APK uploaded to RuStore by hand. The build/release
|
|||||||
the SDK is missing or unreadable.
|
the SDK is missing or unreadable.
|
||||||
- **Release keystore** (create once, **back up off-host** — losing it means the app can never be updated):
|
- **Release keystore** (create once, **back up off-host** — losing it means the app can never be updated):
|
||||||
`keytool -genkeypair -v -keystore erudit-release.jks -alias erudit -keyalg RSA -keysize 4096 -validity 10000`,
|
`keytool -genkeypair -v -keystore erudit-release.jks -alias erudit -keyalg RSA -keysize 4096 -validity 10000`,
|
||||||
then set the Gitea **secrets** `ANDROID_KEYSTORE_BASE64` (`base64 -w0 erudit-release.jks`),
|
then set the Gitea **secrets** `ANDROID_RUSTORE_KEYSTORE_BASE64` (`base64 -w0 erudit-release.jks`),
|
||||||
`ANDROID_KEYSTORE_PASSWORD`, `ANDROID_KEY_ALIAS`, `ANDROID_KEY_PASSWORD`. Set the `ANDROID_RUSTORE_URL`
|
`ANDROID_RUSTORE_KEYSTORE_PASSWORD`, `ANDROID_RUSTORE_KEY_ALIAS`, `ANDROID_RUSTORE_KEY_PASSWORD`. Set the `ANDROID_RUSTORE_URL`
|
||||||
variable to the store listing once published (empty until then — the in-app update button no-ops).
|
variable to the store listing once published (empty until then — the in-app update button no-ops).
|
||||||
- **Wire-break discipline:** the prod deploy that ships an incompatible wire change **also** bumps
|
- **Wire-break discipline:** the prod deploy that ships an incompatible wire change **also** bumps
|
||||||
`GATEWAY_MIN_CLIENT_VERSION` to that release (see Optional variables), so an old installed APK is turned
|
`GATEWAY_MIN_CLIENT_VERSION` to that release (see Optional variables), so an old installed APK is turned
|
||||||
|
|||||||
Reference in New Issue
Block a user