name: sign-apk
on:
  workflow_dispatch:
    inputs:
      unsigned_apk:
        description: 'Path to unsigned APK (relative to repo root)'
        required: false
        default: 'Sune-unsigned.apk'
permissions: read-all
jobs:
  sign:
    runs-on: ubuntu-latest
    env:
      KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
      KEYSTORE_PASS: ${{ secrets.KEYSTORE_PASS }}
      KEY_PASS: ${{ secrets.KEY_PASS }}
    steps:
      - uses: actions/checkout@v4

      - name: Setup Java 17
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      - name: Install prerequisites
        run: sudo apt-get update && sudo apt-get install -y unzip wget zipalign || true

      - name: Install Android commandline tools + build-tools
        env:
          ANDROID_SDK_ROOT: ${{ runner.temp }}/android-sdk
        run: |
          set -e
          mkdir -p "$ANDROID_SDK_ROOT"
          cd /tmp
          curl -fsSL -o commandlinetools.zip "https://dl.google.com/android/repository/commandlinetools-linux-9477386_latest.zip"
          unzip -q commandlinetools.zip -d "$ANDROID_SDK_ROOT/cmdline-tools"
          mkdir -p "$ANDROID_SDK_ROOT/cmdline-tools/latest"
          mv "$ANDROID_SDK_ROOT/cmdline-tools"/cmdline-tools/* "$ANDROID_SDK_ROOT/cmdline-tools/latest/" || true
          export PATH="$ANDROID_SDK_ROOT/cmdline-tools/latest/bin:$PATH"
          yes | sdkmanager --sdk_root="$ANDROID_SDK_ROOT" --licenses
          sdkmanager --sdk_root="$ANDROID_SDK_ROOT" "platform-tools" "build-tools;33.0.2"
          echo "ANDROID_SDK_ROOT=$ANDROID_SDK_ROOT" >> $GITHUB_ENV
          echo "$ANDROID_SDK_ROOT/platform-tools" >> $GITHUB_PATH
          echo "$ANDROID_SDK_ROOT/cmdline-tools/latest/bin" >> $GITHUB_PATH

      - name: Decode keystore
        run: |
          echo "${{ secrets.JKS_BASE64 }}" | base64 --decode > sune-keystore.jks
          chmod 600 sune-keystore.jks

      - name: Prepare paths
        run: |
          UNSIGNED="${{ github.event.inputs.unsigned_apk || 'app-release-unsigned.apk' }}"
          OUT="app-release-aligned.apk"
          SIGNED="app-release-signed.apk"
          echo "UNSIGNED=$UNSIGNED" >> $GITHUB_ENV
          echo "OUT=$OUT" >> $GITHUB_ENV
          echo "SIGNED=$SIGNED" >> $GITHUB_ENV

      - name: Zipalign unsigned APK
        run: |
          if [ ! -f "$UNSIGNED" ]; then echo "Unsigned APK not found at $UNSIGNED" && exit 1; fi
          zipalign -v -p 4 "$UNSIGNED" "$OUT"

      - name: Sign APK with apksigner
        run: |
          apksigner sign \
            --ks sune-keystore.jks \
            --ks-key-alias "$KEY_ALIAS" \
            --ks-pass "pass:${KEYSTORE_PASS}" \
            --key-pass "pass:${KEY_PASS}" \
            "$OUT"
          mv "$OUT" "$SIGNED"

      - name: Verify signature
        run: |
          apksigner verify --verbose "$SIGNED"

      - name: Upload signed APK
        uses: actions/upload-artifact@v4
        with:
          name: sune-signed-apk
          path: app-release-signed.apk