diff --git a/.github/workflows/init.yml b/.github/workflows/init.yml
deleted file mode 100644
index 1278714..0000000
--- a/.github/workflows/init.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: bubblewrap-init-and-commit
-on:
- workflow_dispatch:
-permissions: write-all
-jobs:
- build-push:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- - uses: actions/setup-node@v4
- with:
- node-version: '22'
- - name: Install Bubblewrap
- run: npm install -g @bubblewrap/cli
- - name: Run bubblewrap init
- run: |
- bubblewrap help
- - run: |
- git config user.name "github-actions"
- git config user.email "github-actions@github.com"
- git add .
- git commit -m "This build was committed by a bot."
- git push
diff --git a/.github/workflows/sign.yml b/.github/workflows/sign.yml
new file mode 100644
index 0000000..0315f42
--- /dev/null
+++ b/.github/workflows/sign.yml
@@ -0,0 +1,84 @@
+name: sign-apk
+on:
+ workflow_dispatch:
+ inputs:
+ unsigned_apk:
+ description: 'Path to unsigned APK (relative to repo root)'
+ required: false
+ default: 'Sune-unsigned.apk'
+permissions: read-all
+jobs:
+ sign:
+ runs-on: ubuntu-latest
+ env:
+ KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
+ KEYSTORE_PASS: ${{ secrets.KEYSTORE_PASS }}
+ KEY_PASS: ${{ secrets.KEY_PASS }}
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Setup Java 17
+ uses: actions/setup-java@v4
+ with:
+ distribution: temurin
+ java-version: '17'
+
+ - name: Install prerequisites
+ run: sudo apt-get update && sudo apt-get install -y unzip wget zipalign || true
+
+ - name: Install Android commandline tools + build-tools
+ env:
+ ANDROID_SDK_ROOT: ${{ runner.temp }}/android-sdk
+ run: |
+ set -e
+ mkdir -p "$ANDROID_SDK_ROOT"
+ cd /tmp
+ curl -fsSL -o commandlinetools.zip "https://dl.google.com/android/repository/commandlinetools-linux-9477386_latest.zip"
+ unzip -q commandlinetools.zip -d "$ANDROID_SDK_ROOT/cmdline-tools"
+ mkdir -p "$ANDROID_SDK_ROOT/cmdline-tools/latest"
+ mv "$ANDROID_SDK_ROOT/cmdline-tools"/cmdline-tools/* "$ANDROID_SDK_ROOT/cmdline-tools/latest/" || true
+ export PATH="$ANDROID_SDK_ROOT/cmdline-tools/latest/bin:$PATH"
+ yes | sdkmanager --sdk_root="$ANDROID_SDK_ROOT" --licenses
+ sdkmanager --sdk_root="$ANDROID_SDK_ROOT" "platform-tools" "build-tools;33.0.2"
+ echo "ANDROID_SDK_ROOT=$ANDROID_SDK_ROOT" >> $GITHUB_ENV
+ echo "$ANDROID_SDK_ROOT/platform-tools" >> $GITHUB_PATH
+ echo "$ANDROID_SDK_ROOT/cmdline-tools/latest/bin" >> $GITHUB_PATH
+
+ - name: Decode keystore
+ run: |
+ echo "${{ secrets.JKS_BASE64 }}" | base64 --decode > sune-keystore.jks
+ chmod 600 sune-keystore.jks
+
+ - name: Prepare paths
+ run: |
+ UNSIGNED="${{ github.event.inputs.unsigned_apk || 'app-release-unsigned.apk' }}"
+ OUT="app-release-aligned.apk"
+ SIGNED="app-release-signed.apk"
+ echo "UNSIGNED=$UNSIGNED" >> $GITHUB_ENV
+ echo "OUT=$OUT" >> $GITHUB_ENV
+ echo "SIGNED=$SIGNED" >> $GITHUB_ENV
+
+ - name: Zipalign unsigned APK
+ run: |
+ if [ ! -f "$UNSIGNED" ]; then echo "Unsigned APK not found at $UNSIGNED" && exit 1; fi
+ zipalign -v -p 4 "$UNSIGNED" "$OUT"
+
+ - name: Sign APK with apksigner
+ run: |
+ apksigner sign \
+ --ks sune-keystore.jks \
+ --ks-key-alias "$KEY_ALIAS" \
+ --ks-pass "pass:${KEYSTORE_PASS}" \
+ --key-pass "pass:${KEY_PASS}" \
+ "$OUT"
+ mv "$OUT" "$SIGNED"
+
+ - name: Verify signature
+ run: |
+ apksigner verify --verbose "$SIGNED"
+
+ - name: Upload signed APK
+ uses: actions/upload-artifact@v4
+ with:
+ name: sune-signed-apk
+ path: app-release-signed.apk
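Review bot: The `Prepare paths` step pastes `${{ github.event.inputs.unsigned_apk || 'app-release-unsigned.apk' }}` into the script text before bash parses it, so the dispatch input is interpreted as shell in a job whose job-level `env` holds `KEYSTORE_PASS` and `KEY_PASS`; it should arrive through a step-level `env:` entry and be read as a quoted variable. `Decode keystore` has the same pattern with `${{ secrets.JKS_BASE64 }}` and leaves `sune-keystore.jks` in the checkout, and `Sign APK with apksigner` puts both passwords on the command line via `pass:`, where apksigner's `env:` form would read them from the environment instead. The fence below rewrites those three steps and moves the three signing secrets from the job-level `env` block to the signing step, so the steps that download and run the SDK tools never see them. Separately, the commandline-tools zip is unpacked without a checksum comparison, `|| true` hides a failed `apt-get install`, and `build-tools/33.0.2` is never appended to `$GITHUB_PATH`, so whether `apksigner` resolves likely depends on the runner image and is worth confirming.

```yaml
      - name: Decode keystore
        env:
          JKS_BASE64: ${{ secrets.JKS_BASE64 }}
        run: |
          # Create the file owner-only from the start, outside the checkout.
          umask 077
          printf '%s' "$JKS_BASE64" | base64 --decode > "$RUNNER_TEMP/sune-keystore.jks"

      - name: Prepare paths
        env:
          UNSIGNED_INPUT: ${{ github.event.inputs.unsigned_apk }}
        run: |
          UNSIGNED="${UNSIGNED_INPUT:-app-release-unsigned.apk}"
          # … unchanged: OUT, SIGNED and the three GITHUB_ENV writes …

      # … unchanged: Zipalign unsigned APK …

      - name: Sign APK with apksigner
        env:
          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
          KEYSTORE_PASS: ${{ secrets.KEYSTORE_PASS }}
          KEY_PASS: ${{ secrets.KEY_PASS }}
        run: |
          apksigner sign \
            --ks "$RUNNER_TEMP/sune-keystore.jks" \
            --ks-key-alias "$KEY_ALIAS" \
            --ks-pass env:KEYSTORE_PASS \
            --key-pass env:KEY_PASS \
            "$OUT"
          mv "$OUT" "$SIGNED"
```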