ci(forgejo): verify signed APKs with unzip + aapt before upload
All checks were successful
Forgejo Release Builder / release (push) Successful in 4m48s

Fails the job if an artifact is not a valid zip or manifest (same class
of errors as Android 'package could not be parsed' after download).

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
littlecodedragon 2026-05-11 07:06:23 +02:00
parent 6316b85a09
commit e0f4262407

View file

@ -371,6 +371,33 @@ jobs:
"${apksigner_bin}" verify "${signed_apk}"
done
# Catch corrupt / non-APK artifacts before upload (e.g. truncated build output). Same
# manifest parse path the installer uses for "Paket konnte nicht geparst werden".
aapt_bin=""
if [ -n "${ANDROID_HOME:-}" ] && [ -d "${ANDROID_HOME}/build-tools" ]; then
aapt_bin="$(ls -1 "${ANDROID_HOME}"/build-tools/*/aapt 2>/dev/null | sort -V | tail -n 1 || true)"
fi
if [ -z "${aapt_bin}" ] || [ ! -x "${aapt_bin}" ]; then
echo "aapt not found under ANDROID_HOME; cannot verify APK manifests."
exit 1
fi
for signed_apk in Komikku-*.apk; do
case "${signed_apk}" in *-unsigned.apk) continue ;; esac
echo "Verifying installable APK: ${signed_apk}"
if ! unzip -tqq "${signed_apk}" >/dev/null 2>&1; then
echo "ERROR: ${signed_apk} is not a valid zip (truncated or corrupt build output?)."
exit 1
fi
first_line="$("${aapt_bin}" dump badging "${signed_apk}" 2>/dev/null | head -n 1 || true)"
if ! printf '%s\n' "${first_line}" | grep -q '^package:'; then
echo "ERROR: ${signed_apk} failed manifest parse (first line: ${first_line:-<empty>})."
echo "First 64 bytes (expect PK zip header 504b0304):"
head -c 64 "${signed_apk}" | hexdump -C || true
exit 1
fi
sha256sum "${signed_apk}"
done
- name: Create Obtainium-friendly aliases
shell: bash
run: |