CI: publish only signed release APKs
All checks were successful
Forgejo Release Builder / release (push) Successful in 17m24s

Prevent unsigned artifacts from being published as Obtainium aliases and fail fast when signing secrets are missing so releases remain installable.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
littlecodedragon 2026-05-09 07:55:21 +02:00
parent 7e3738551b
commit a2f9003008

View file

@ -188,7 +188,7 @@ jobs:
zip -qr "Komikku-mapping-${version_tag}.zip" app/build/outputs/mapping/release
fi
- name: Sign APKs (optional)
- name: Sign APKs
shell: bash
env:
SIGNING_KEYSTORE_B64: ${{ secrets.SIGNING_KEYSTORE_B64 }}
@ -199,8 +199,9 @@ jobs:
set -euo pipefail
if [ -z "${SIGNING_KEYSTORE_B64}" ] || [ -z "${SIGNING_KEYSTORE_PASSWORD}" ] || [ -z "${SIGNING_KEY_ALIAS}" ] || [ -z "${SIGNING_KEY_PASSWORD}" ]; then
echo "Signing secrets not fully set; keeping unsigned APKs."
exit 0
echo "Signing secrets are required for installable release APKs."
echo "Set SIGNING_KEYSTORE_B64, SIGNING_KEYSTORE_PASSWORD, SIGNING_KEY_ALIAS, SIGNING_KEY_PASSWORD."
exit 1
fi
keystore_file="$(mktemp)"
@ -244,13 +245,12 @@ jobs:
fi
}
# Prefer signed APKs; fallback to unsigned when signing is not configured.
# Only publish signed APK aliases.
alias_asset "$(ls -1t Komikku-arm64-v8a-*.apk 2>/dev/null | head -n1)" "Komikku-arm64-v8a.apk"
alias_asset "$(ls -1t Komikku-arm64-v8a-*-unsigned.apk 2>/dev/null | head -n1)" "Komikku-arm64-v8a.apk"
for candidate in Komikku-*.apk; do
case "$candidate" in
*arm64-v8a*|*armeabi-v7a*|*x86_64*|*x86*)
*arm64-v8a*|*armeabi-v7a*|*x86_64*|*x86*|*-unsigned.apk)
;;
*)
alias_asset "$candidate" "Komikku-universal.apk"
@ -513,10 +513,7 @@ jobs:
[ -e "$file" ] || continue
if [ "${file#*-unsigned.apk}" != "${file}" ]; then
signed_candidate="${file/-unsigned.apk/.apk}"
if [ -e "${signed_candidate}" ]; then
continue
fi
continue
fi
asset_name="$(basename "$file")"