Update and rename init.yml to sign.yml

2026-01-13 23:57:56 +00:00 · 2025-08-18 00:11:23 -07:00
parent 01c5ea63d6
commit a6d9c6ca38
2 changed files with 84 additions and 25 deletions
--- a/.github/workflows/sign.yml
+++ b/.github/workflows/sign.yml
@@ -0,0 +1,84 @@
+name: sign-apk
+on:
+  workflow_dispatch:
+    inputs:
+      unsigned_apk:
+        description: 'Path to unsigned APK (relative to repo root)'
+        required: false
+        default: 'Sune-unsigned.apk'
+permissions: read-all
+jobs:
+  sign:
+    runs-on: ubuntu-latest
+    env:
+      KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
+      KEYSTORE_PASS: ${{ secrets.KEYSTORE_PASS }}
+      KEY_PASS: ${{ secrets.KEY_PASS }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Java 17
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: '17'
+
+      - name: Install prerequisites
+        run: sudo apt-get update && sudo apt-get install -y unzip wget zipalign || true
+
+      - name: Install Android commandline tools + build-tools
+        env:
+          ANDROID_SDK_ROOT: ${{ runner.temp }}/android-sdk
+        run: |
+          set -e
+          mkdir -p "$ANDROID_SDK_ROOT"
+          cd /tmp
+          curl -fsSL -o commandlinetools.zip "https://dl.google.com/android/repository/commandlinetools-linux-9477386_latest.zip"
+          unzip -q commandlinetools.zip -d "$ANDROID_SDK_ROOT/cmdline-tools"
+          mkdir -p "$ANDROID_SDK_ROOT/cmdline-tools/latest"
+          mv "$ANDROID_SDK_ROOT/cmdline-tools"/cmdline-tools/* "$ANDROID_SDK_ROOT/cmdline-tools/latest/" || true
+          export PATH="$ANDROID_SDK_ROOT/cmdline-tools/latest/bin:$PATH"
+          yes | sdkmanager --sdk_root="$ANDROID_SDK_ROOT" --licenses
+          sdkmanager --sdk_root="$ANDROID_SDK_ROOT" "platform-tools" "build-tools;33.0.2"
+          echo "ANDROID_SDK_ROOT=$ANDROID_SDK_ROOT" >> $GITHUB_ENV
+          echo "$ANDROID_SDK_ROOT/platform-tools" >> $GITHUB_PATH
+          echo "$ANDROID_SDK_ROOT/cmdline-tools/latest/bin" >> $GITHUB_PATH
+
+      - name: Decode keystore
+        run: |
+          echo "${{ secrets.JKS_BASE64 }}" | base64 --decode > sune-keystore.jks
+          chmod 600 sune-keystore.jks
+
+      - name: Prepare paths
+        run: |
+          UNSIGNED="${{ github.event.inputs.unsigned_apk || 'app-release-unsigned.apk' }}"
+          OUT="app-release-aligned.apk"
+          SIGNED="app-release-signed.apk"
+          echo "UNSIGNED=$UNSIGNED" >> $GITHUB_ENV
+          echo "OUT=$OUT" >> $GITHUB_ENV
+          echo "SIGNED=$SIGNED" >> $GITHUB_ENV
+
+      - name: Zipalign unsigned APK
+        run: |
+          if [ ! -f "$UNSIGNED" ]; then echo "Unsigned APK not found at $UNSIGNED" && exit 1; fi
+          zipalign -v -p 4 "$UNSIGNED" "$OUT"
+
+      - name: Sign APK with apksigner
+        run: |
+          apksigner sign \
+            --ks sune-keystore.jks \
+            --ks-key-alias "$KEY_ALIAS" \
+            --ks-pass "pass:${KEYSTORE_PASS}" \
+            --key-pass "pass:${KEY_PASS}" \
+            "$OUT"
+          mv "$OUT" "$SIGNED"
+
+      - name: Verify signature
+        run: |
+          apksigner verify --verbose "$SIGNED"
+
+      - name: Upload signed APK
+        uses: actions/upload-artifact@v4
+        with:
+          name: sune-signed-apk
+          path: app-release-signed.apk