From 67ee8cce5bfc056e7dfe47eb9c154662e4cc449f Mon Sep 17 00:00:00 2001 From: Ivan Date: Sun, 3 May 2026 00:33:29 -0500 Subject: [PATCH] fix(workflows): update APK signing and build conditions for dev and master branches --- .github/workflows/android-apk-tag.yml | 42 ++++++++++++--------------- .github/workflows/android-build.yml | 12 ++++---- 2 files changed, 25 insertions(+), 29 deletions(-) diff --git a/.github/workflows/android-apk-tag.yml b/.github/workflows/android-apk-tag.yml index 0b33470..3c2d9a5 100644 --- a/.github/workflows/android-apk-tag.yml +++ b/.github/workflows/android-apk-tag.yml @@ -91,10 +91,10 @@ jobs: echo "ready=false" >> "${GITHUB_OUTPUT}" fi - - name: Require signing secrets for master release tags - if: ${{ steps.track.outputs.track == 'master' && steps.android_signing.outputs.ready != 'true' }} + - name: Require signing secrets for dev and master tag APKs + if: ${{ (steps.track.outputs.track == 'master' || steps.track.outputs.track == 'dev') && steps.android_signing.outputs.ready != 'true' }} run: | - echo "::error::Tagged master build needs release signing. Set secrets ANDROID_SIGNING_KEYSTORE_BASE64, ANDROID_SIGNING_KEYSTORE_PASSWORD, and ANDROID_SIGNING_KEY_ALIAS (see android-build.yml header)." + echo "::error::Tagged dev (RC) and master builds need release signing so draft APKs match production keys (upgrade in place). Set secrets ANDROID_SIGNING_KEYSTORE_BASE64, ANDROID_SIGNING_KEYSTORE_PASSWORD, ANDROID_SIGNING_KEY_ALIAS, and optionally ANDROID_SIGNING_KEY_PASSWORD (see android-build.yml header)." exit 1 - name: Set up Java @@ -209,6 +209,13 @@ jobs: chmod +x gradlew ./gradlew --no-daemon :app:lintDebug + - name: Build release APK + if: ${{ steps.track.outputs.track == 'master' || steps.track.outputs.track == 'dev' }} + working-directory: android + run: | + chmod +x gradlew + ./gradlew --no-daemon :app:assembleRelease + - name: Build debug APK if: ${{ steps.track.outputs.track != 'master' }} working-directory: android @@ -216,15 +223,8 @@ jobs: chmod +x gradlew ./gradlew --no-daemon :app:assembleDebug - - name: Build release APK - if: ${{ steps.track.outputs.track == 'master' }} - working-directory: android - run: | - chmod +x gradlew - ./gradlew --no-daemon :app:assembleRelease - - name: Sign release APKs - if: ${{ steps.track.outputs.track == 'master' && steps.android_signing.outputs.ready == 'true' }} + if: ${{ (steps.track.outputs.track == 'master' || steps.track.outputs.track == 'dev') && steps.android_signing.outputs.ready == 'true' }} env: KS_B64: ${{ secrets.ANDROID_SIGNING_KEYSTORE_BASE64 }} SIGNING_KEYSTORE_PATH: ${{ runner.temp }}/meshchatx-release.jks @@ -266,7 +266,7 @@ jobs: if-no-files-found: warn - name: Upload release APK - if: ${{ steps.track.outputs.track == 'master' }} + if: ${{ steps.track.outputs.track == 'master' || steps.track.outputs.track == 'dev' }} uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 with: name: meshchatx-android-release-${{ github.ref_name }}-${{ github.run_id }} @@ -278,18 +278,14 @@ jobs: run: | set -euo pipefail mkdir -p android-apks-for-draft - if [[ "${{ steps.track.outputs.track }}" == "dev" ]]; then - cp -v android/app/build/outputs/apk/debug/*.apk android-apks-for-draft/ - else - shopt -s nullglob - signed=(android/app/build/outputs/apk/release/*-signed.apk) - shopt -u nullglob - if [[ ${#signed[@]} -eq 0 ]]; then - echo "::error::Expected *-signed.apk under android/app/build/outputs/apk/release/" >&2 - exit 1 - fi - cp -v "${signed[@]}" android-apks-for-draft/ + shopt -s nullglob + signed=(android/app/build/outputs/apk/release/*-signed.apk) + shopt -u nullglob + if [[ ${#signed[@]} -eq 0 ]]; then + echo "::error::Expected *-signed.apk under android/app/build/outputs/apk/release/ (dev and master draft releases use the same release-signed APK)." >&2 + exit 1 fi + cp -v "${signed[@]}" android-apks-for-draft/ - name: Upload Android APK bundle for draft if: ${{ steps.track.outputs.track == 'dev' || steps.track.outputs.track == 'master' }} diff --git a/.github/workflows/android-build.yml b/.github/workflows/android-build.yml index 37b301b..86372e0 100644 --- a/.github/workflows/android-build.yml +++ b/.github/workflows/android-build.yml @@ -119,10 +119,10 @@ jobs: echo "ready=false" >> "${GITHUB_OUTPUT}" fi - - name: Require signing secrets for master release tags - if: ${{ github.ref_type == 'tag' && steps.track.outputs.track == 'master' && steps.android_signing.outputs.ready != 'true' }} + - name: Require signing secrets for dev and master tag builds + if: ${{ github.ref_type == 'tag' && (steps.track.outputs.track == 'master' || steps.track.outputs.track == 'dev') && steps.android_signing.outputs.ready != 'true' }} run: | - echo "::error::Tagged master build needs release signing. Set secrets ANDROID_SIGNING_KEYSTORE_BASE64, ANDROID_SIGNING_KEYSTORE_PASSWORD, and ANDROID_SIGNING_KEY_ALIAS (see workflow header)." + echo "::error::Tagged dev (RC) and master builds need release signing. Set secrets ANDROID_SIGNING_KEYSTORE_BASE64, ANDROID_SIGNING_KEYSTORE_PASSWORD, and ANDROID_SIGNING_KEY_ALIAS (see workflow header)." exit 1 - name: Set up Java @@ -245,14 +245,14 @@ jobs: ./gradlew --no-daemon :app:assembleDebug - name: Build release APK - if: ${{ (github.ref_type == 'tag' && steps.track.outputs.track == 'master') || (github.ref_type != 'tag' && (github.event_name != 'workflow_dispatch' || inputs.build_release)) }} + if: ${{ (github.ref_type == 'tag' && (steps.track.outputs.track == 'master' || steps.track.outputs.track == 'dev')) || (github.ref_type != 'tag' && (github.event_name != 'workflow_dispatch' || inputs.build_release)) }} working-directory: android run: | chmod +x gradlew ./gradlew --no-daemon :app:assembleRelease - name: Sign release APKs - if: ${{ github.ref_type == 'tag' && steps.track.outputs.track == 'master' && steps.android_signing.outputs.ready == 'true' }} + if: ${{ github.ref_type == 'tag' && (steps.track.outputs.track == 'master' || steps.track.outputs.track == 'dev') && steps.android_signing.outputs.ready == 'true' }} env: KS_B64: ${{ secrets.ANDROID_SIGNING_KEYSTORE_BASE64 }} SIGNING_KEYSTORE_PATH: ${{ runner.temp }}/meshchatx-release.jks @@ -294,7 +294,7 @@ jobs: if-no-files-found: warn - name: Upload release APK - if: ${{ (github.ref_type == 'tag' && steps.track.outputs.track == 'master') || (github.ref_type != 'tag' && (github.event_name != 'workflow_dispatch' || inputs.build_release)) }} + if: ${{ (github.ref_type == 'tag' && (steps.track.outputs.track == 'master' || steps.track.outputs.track == 'dev')) || (github.ref_type != 'tag' && (github.event_name != 'workflow_dispatch' || inputs.build_release)) }} uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 with: name: meshchatx-android-release-${{ github.ref_name }}-${{ github.run_id }}