name: sign-apk
on:
  workflow_dispatch:
    inputs:
      unsigned_apk:
        description: 'Path to unsigned APK (relative to repo root)'
        required: false
        default: 'Sune-unsigned.apk'
permissions: read-all
jobs:
  sign:
    runs-on: ubuntu-latest
    env:
      KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
      KEYSTORE_PASS: ${{ secrets.KEYSTORE_PASS }}
      KEY_PASS: ${{ secrets.KEY_PASS }}
    steps:
      - uses: actions/checkout@v4
      - name: Setup Java 17
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - name: Install prerequisites
        run: sudo apt-get update && sudo apt-get install -y unzip wget
      - name: Install Android commandline tools and SDK
        env:
          ANDROID_SDK_ROOT: ${{ runner.temp }}/android-sdk
        run: |
          set -e
          export ANDROID_SDK_ROOT="${ANDROID_SDK_ROOT}"
          mkdir -p "$ANDROID_SDK_ROOT"
          cd /tmp
          curl -fsSL -o commandlinetools.zip "https://dl.google.com/android/repository/commandlinetools-linux-9477386_latest.zip"
          unzip -q commandlinetools.zip -d "$ANDROID_SDK_ROOT/cmdline-tools"
          mkdir -p "$ANDROID_SDK_ROOT/cmdline-tools/latest"
          mv "$ANDROID_SDK_ROOT/cmdline-tools"/cmdline-tools/* "$ANDROID_SDK_ROOT/cmdline-tools/latest/" || true
          export PATH="$ANDROID_SDK_ROOT/cmdline-tools/latest/bin:$PATH"
          yes | sdkmanager --sdk_root="$ANDROID_SDK_ROOT" --licenses
          sdkmanager --sdk_root="$ANDROID_SDK_ROOT" "platform-tools" "platforms;android-33" "build-tools;33.0.2"
          echo "ANDROID_SDK_ROOT=$ANDROID_SDK_ROOT" >> $GITHUB_ENV
      - name: Decode keystore
        run: |
          echo "${{ secrets.JKS_BASE64 }}" | base64 --decode > sune-keystore.jks
          chmod 600 sune-keystore.jks
      - name: Prepare paths
        run: |
          UNSIGNED="${{ github.event.inputs.unsigned_apk || 'Sune-unsigned.apk' }}"
          OUT="app-release-aligned.apk"
          SIGNED="app-release-signed.apk"
          echo "UNSIGNED=$UNSIGNED" >> $GITHUB_ENV
          echo "OUT=$OUT" >> $GITHUB_ENV
          echo "SIGNED=$SIGNED" >> $GITHUB_ENV
      - name: Zipalign unsigned APK
        run: |
          if [ ! -f "$UNSIGNED" ]; then echo "Unsigned APK not found at $UNSIGNED" && exit 1; fi
          ZIPALIGN=""
          for f in "$ANDROID_SDK_ROOT"/build-tools/*/zipalign; do [ -x "$f" ] && ZIPALIGN="$f" && break; done
          if [ -z "$ZIPALIGN" ]; then if command -v zipalign >/dev/null 2>&1; then ZIPALIGN=$(command -v zipalign); else echo "zipalign not found" && ls -la "$ANDROID_SDK_ROOT"/build-tools || exit 1; fi; fi
          "$ZIPALIGN" -v -p 4 "$UNSIGNED" "$OUT"
      - name: Sign APK with apksigner
        run: |
          APKSIGNER=""
          for f in "$ANDROID_SDK_ROOT"/build-tools/*/apksigner; do [ -x "$f" ] && APKSIGNER="$f" && break; done
          if [ -z "$APKSIGNER" ]; then if command -v apksigner >/dev/null 2>&1; then APKSIGNER=$(command -v apksigner); else echo "apksigner not found" && ls -la "$ANDROID_SDK_ROOT"/build-tools || exit 1; fi; fi
          "$APKSIGNER" sign --ks sune-keystore.jks --ks-key-alias "$KEY_ALIAS" --ks-pass "pass:${KEYSTORE_PASS}" --key-pass "pass:${KEY_PASS}" "$OUT"
          mv "$OUT" "$SIGNED"
      - name: Verify signature
        run: |
          APKSIGNER=""
          for f in "$ANDROID_SDK_ROOT"/build-tools/*/apksigner; do [ -x "$f" ] && APKSIGNER="$f" && break; done
          if [ -z "$APKSIGNER" ]; then if command -v apksigner >/dev/null 2>&1; then APKSIGNER=$(command -v apksigner); else echo "apksigner not found for verify" && exit 1; fi; fi
          "$APKSIGNER" verify --verbose "$SIGNED"
      - name: Upload signed APK
        uses: actions/upload-artifact@v4
        with:
          name: sune-signed-apk
          path: app-release-signed.apk