Add optional APK signing via Forgejo secrets.
All checks were successful
Forgejo Release Builder / release (push) Successful in 22m39s
All checks were successful
Forgejo Release Builder / release (push) Successful in 22m39s
Decode keystore from secrets, sign unsigned APK artifacts with apksigner when configured, and prefer uploading signed APKs.
This commit is contained in:
parent
55d7525d26
commit
f37086978d
1 changed files with 50 additions and 0 deletions
|
|
@ -135,6 +135,49 @@ jobs:
|
|||
zip -qr "Komikku-mapping-${version_tag}.zip" app/build/outputs/mapping/release
|
||||
fi
|
||||
|
||||
- name: Sign APKs (optional)
|
||||
shell: bash
|
||||
env:
|
||||
SIGNING_KEYSTORE_B64: ${{ secrets.SIGNING_KEYSTORE_B64 }}
|
||||
SIGNING_KEYSTORE_PASSWORD: ${{ secrets.SIGNING_KEYSTORE_PASSWORD }}
|
||||
SIGNING_KEY_ALIAS: ${{ secrets.SIGNING_KEY_ALIAS }}
|
||||
SIGNING_KEY_PASSWORD: ${{ secrets.SIGNING_KEY_PASSWORD }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
if [ -z "${SIGNING_KEYSTORE_B64}" ] || [ -z "${SIGNING_KEYSTORE_PASSWORD}" ] || [ -z "${SIGNING_KEY_ALIAS}" ] || [ -z "${SIGNING_KEY_PASSWORD}" ]; then
|
||||
echo "Signing secrets not fully set; keeping unsigned APKs."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
keystore_file="$(mktemp)"
|
||||
printf '%s' "${SIGNING_KEYSTORE_B64}" | base64 -d > "${keystore_file}"
|
||||
|
||||
apksigner_bin=""
|
||||
if command -v apksigner >/dev/null 2>&1; then
|
||||
apksigner_bin="$(command -v apksigner)"
|
||||
elif [ -n "${ANDROID_HOME:-}" ] && [ -d "${ANDROID_HOME}/build-tools" ]; then
|
||||
apksigner_bin="$(ls -1 "${ANDROID_HOME}"/build-tools/*/apksigner 2>/dev/null | sort -V | tail -n 1 || true)"
|
||||
fi
|
||||
|
||||
if [ -z "${apksigner_bin}" ]; then
|
||||
echo "apksigner not found in PATH or ANDROID_HOME/build-tools."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for unsigned_apk in Komikku-*-unsigned.apk; do
|
||||
[ -e "${unsigned_apk}" ] || continue
|
||||
signed_apk="${unsigned_apk/-unsigned.apk/.apk}"
|
||||
"${apksigner_bin}" sign \
|
||||
--ks "${keystore_file}" \
|
||||
--ks-key-alias "${SIGNING_KEY_ALIAS}" \
|
||||
--ks-pass "pass:${SIGNING_KEYSTORE_PASSWORD}" \
|
||||
--key-pass "pass:${SIGNING_KEY_PASSWORD}" \
|
||||
--out "${signed_apk}" \
|
||||
"${unsigned_apk}"
|
||||
"${apksigner_bin}" verify "${signed_apk}"
|
||||
done
|
||||
|
||||
- name: Create or update release
|
||||
id: release
|
||||
shell: bash
|
||||
|
|
@ -255,6 +298,13 @@ jobs:
|
|||
for file in Komikku-*.apk Komikku-mapping-*.zip; do
|
||||
[ -e "$file" ] || continue
|
||||
|
||||
if [ "${file#*-unsigned.apk}" != "${file}" ]; then
|
||||
signed_candidate="${file/-unsigned.apk/.apk}"
|
||||
if [ -e "${signed_candidate}" ]; then
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
|
||||
asset_name="$(basename "$file")"
|
||||
asset_id="$(
|
||||
python3 -c 'import json, sys; assets = json.load(open(sys.argv[1], encoding="utf-8")); name = sys.argv[2]; print(next((str(asset["id"]) for asset in assets if asset.get("name") == name), ""))' \
|
||||
|
|
|
|||
Loading…
Reference in a new issue