diff --git a/.gitea/workflows/build-android.yml b/.gitea/workflows/build-android.yml
index 16130ee..f27cf42 100644
--- a/.gitea/workflows/build-android.yml
+++ b/.gitea/workflows/build-android.yml
@@ -23,6 +23,12 @@ jobs:
 ANDROID_SDK_PLATFORM: 'android-34'
 ANDROID_BUILD_TOOLS: '34.0.0'
 ANDROID_NDK_VERSION: '26.1.10909125'
+ # Surfaced at job level (not step level) so the `if: env.X != ''`
+ # check on the Decode step actually sees it — step-level env is
+ # NOT available in that step's own `if:` expression, which
+ # silently skipped the decode and produced debug-signed release
+ # APKs until it was noticed.
+ ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -108,15 +114,23 @@ jobs:
 - name: Decode signing keystore
 id: keystore
- if: ${{ env.ANDROID_KEYSTORE_BASE64 != '' }}
- env:
- ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
+ if: env.ANDROID_KEYSTORE_BASE64 != ''
 run: |
+ set -euo pipefail
 mkdir -p android/keystore
 echo "$ANDROID_KEYSTORE_BASE64" | base64 -d > android/keystore/release.jks
 echo "path=$(pwd)/android/keystore/release.jks" >> "$GITHUB_OUTPUT"
 echo "present=true" >> "$GITHUB_OUTPUT"
+ - name: Guard release tag against missing keystore
+ # Release tags MUST produce a release-signed APK, otherwise existing
+ # installs can't upgrade (signature mismatch). Fail loudly instead
+ # of silently falling back to the debug signing config.
+ if: ${{ steps.label.outputs.is_release == 'true' && steps.keystore.outputs.present != 'true' }}
+ run: |
+ echo "::error::Release tag ${{ gitea.ref_name }} requires ANDROID_KEYSTORE_BASE64 (plus KEYSTORE_PASSWORD, KEY_ALIAS, KEY_PASSWORD) to be configured in Gitea → Settings → Secrets."
+ exit 1
+
 - name: Build APK
 working-directory: android
 env:
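Review bot: Putting `ANDROID_KEYSTORE_BASE64` in the job-level `env:` places the encoded signing keystore in the environment of every step in the job, including `actions/checkout@v4` and the Build APK step, where before it was visible only to the Decode step. The `if:` problem described in the new comment can be solved without widening the secret's scope by exposing only a presence flag at job level, for example `ANDROID_KEYSTORE_PRESENT: ${{ secrets.ANDROID_KEYSTORE_BASE64 != '' }}`, testing `if: env.ANDROID_KEYSTORE_PRESENT == 'true'` on the Decode step in the second hunk, and keeping that step's own `env:` entry for the secret itself. This assumes the Gitea runner evaluates `secrets` in job-level `env:` expressions, which the change as written already relies on. The job's `env:` block starts above the hunk, so any other variables declared there are not visible here.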
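Review bot: The Guard step's `echo` line expands `${{ gitea.ref_name }}` directly inside the `run:` script, so the tag name is substituted into the shell source before bash parses it, and a tag containing quotes or command-substitution syntax would be interpreted as script instead of being printed. Pass the value through the environment instead: add an `env:` entry `REF_NAME: ${{ gitea.ref_name }}` to the step and write `echo "::error::Release tag ${REF_NAME} requires …"` with the rest of the message unchanged. Separately, and not new in this commit, the Decode step writes `release.jks` into the checked-out workspace with the default umask and nothing in the hunk removes it; a `umask 077` before the `base64 -d` line and a cleanup step with `if: always()` would limit exposure on a runner that reuses its workspace. The Build APK step continues past the end of the hunk, so how it consumes `steps.keystore.outputs.path` is not visible here.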