Skip to content

Explain Android app signing key configuration and secret management #5090

Explain Android app signing key configuration and secret management

Explain Android app signing key configuration and secret management #5090

Workflow file for this run

# NOTE: This name appears in GitHub's Checks API and in workflow's status badge.
name: ci-build
# Trigger the workflow when:
on:
# A push occurs to one of the matched branches.
push:
branches:
- master
- stable/*
# Or when a pull request event occurs for a pull request against one of the
# matched branches.
pull_request:
branches:
- master
- stable/*
# Explicitly disable secrets.GITHUB_TOKEN permissions.
permissions: {}
jobs:
build:
# NOTE: This name appears in GitHub's Checks API.
name: build
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up OpenJDK 17
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
- name: Set up Node.js 18
uses: actions/setup-node@v4
with:
node-version: '18.x'
cache: yarn
- name: Install dependencies
run: yarn install --frozen-lockfile
- name: Set workflow variables
# Id is needed to access output in a next step.
id: vars
run: |
echo "SHORT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
- name: Build web ROSE Wallet
run: yarn build
- name: Build extension ROSE Wallet
run: yarn build:ext
- name: Sync Capacitor for Android
run: yarn cap sync android
- name: Accept SDK licenses
run: yes | "$ANDROID_SDK_ROOT/cmdline-tools/latest/bin/sdkmanager" --licenses
# Capacitor v6 sets a deployment target of Android 14 (SDK 34)
- name: Install SDK components
run: |
"$ANDROID_SDK_ROOT/cmdline-tools/latest/bin/sdkmanager" "platform-tools" "platforms;android-34" "build-tools;34.0.0"
- name: Build Android App Bundle (AAB)
if: github.event_name == 'push'
run: ./gradlew bundleRelease
working-directory: android
- name: Build Android Package (APK)
run: ./gradlew assembleRelease
working-directory: android
- name: Decode and Save Keystore File
run: |
echo "${{ secrets.KEYSTORE_FILE }}" | base64 --decode > "android/release.jks"
- name: Sign AAB using jarsigner
if: github.event_name == 'push'
run: |
jarsigner -verbose -keystore "android/release.jks" -storepass "${{ secrets.KEYSTORE_PASSWORD }}" -keypass "${{ secrets.KEYSTORE_PASSWORD }}" -signedjar "android/app/build/outputs/bundle/release/app-release-signed.aab" "android/app/build/outputs/bundle/release/app-release.aab" "${{ secrets.KEY_ALIAS }}"
# Targeting version 30 and above we need to align the APK so that all uncompressed data starts on a 4-byte boundary
- name: Zipalign APK
run: |
"$ANDROID_SDK_ROOT/build-tools/31.0.0/zipalign" -v 4 "android/app/build/outputs/apk/release/app-release-unsigned.apk" "android/app/build/outputs/apk/release/app-release-aligned.apk"
- name: Sign APK using apksigner
run: |
"$ANDROID_SDK_ROOT/build-tools/31.0.0/apksigner" sign --ks "android/release.jks" --ks-pass "pass:${{ secrets.KEYSTORE_PASSWORD }}" --key-pass "pass:${{ secrets.KEYSTORE_PASSWORD }}" --ks-key-alias "${{ secrets.KEY_ALIAS }}" "android/app/build/outputs/apk/release/app-release-aligned.apk"
- name: Upload Android AAB build artifacts
if: github.event_name == 'push'
uses: actions/upload-artifact@v4
with:
name: rose-wallet-android-${{ steps.vars.outputs.SHORT_SHA }}.aab
path: android/app/build/outputs/bundle/release/app-release-signed.aab
- name: Upload Android APK build artifacts
if: github.event_name == 'push'
uses: actions/upload-artifact@v4
with:
name: rose-wallet-android-${{ steps.vars.outputs.SHORT_SHA }}.apk
path: android/app/build/outputs/apk/release/app-release-aligned.apk
- name: Upload web ROSE Wallet build artifacts
if: github.event_name == 'push'
uses: actions/upload-artifact@v4
with:
name: rose-wallet-web-${{ steps.vars.outputs.SHORT_SHA }}
path: build
- name: Upload extension ROSE Wallet build artifacts
if: github.event_name == 'push'
uses: actions/upload-artifact@v4
with:
name: rose-wallet-ext-${{ steps.vars.outputs.SHORT_SHA }}
path: build-ext