name: publish permissions: contents: write packages: write on: push: tags: - '[0-9]*.[0-9]*.[0-9]*' workflow_dispatch: inputs: track: type: choice description: "Google Play release track" options: - none - internal - alpha - beta - production default: none required: true release_type: type: choice description: "GitHub release type" options: - none - release default: release required: true tag_name: description: "Tag name for release" required: false default: 1.1.1 workflow_call: inputs: flavor: type: string description: "Product flavor" required: false default: standalone jobs: build-fdroid: if: >- ${{ github.event_name == 'push' || inputs.release_type != 'none' }} uses: ./.github/workflows/build.yml secrets: inherit with: build_type: ${{ github.event_name == 'push' && 'release' || inputs.release_type }} flavor: fdroid build-standalone: if: >- ${{ github.event_name == 'push' || inputs.release_type != 'none' }} uses: ./.github/workflows/build.yml secrets: inherit with: build_type: ${{ github.event_name == 'push' && 'release' || inputs.release_type }} flavor: standalone publish-github: if: >- ${{ github.event_name == 'push' || inputs.release_type != 'none' }} needs: - build-fdroid - build-standalone name: publish-github runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 with: ref: ${{ github.event_name == 'push' && github.ref || 'master' }} - name: Install system dependencies run: | sudo apt update && sudo apt install -y gh apksigner - name: Set latest tag uses: rickstaa/action-create-tag@v1 id: tag_creation with: tag: "latest" message: "Automated tag for HEAD commit" force_push_tag: true github_token: ${{ github.token }} tag_exists_error: false - name: Get latest release id: latest_release uses: kaliber5/action-get-release@v1 with: token: ${{ github.token }} latest: true - name: Generate Changelog id: changelog uses: requarks/changelog-action@v1 with: token: ${{ github.token }} toTag: ${{ steps.latest_release.outputs.tag_name }} fromTag: "latest" writeToFile: false - name: Make download dir run: mkdir ${{ github.workspace }}/temp - name: Download artifacts uses: actions/download-artifact@v8 with: pattern: android_artifacts_* path: ${{ github.workspace }}/temp merge-multiple: true - name: Set version release notes if: ${{ github.event_name == 'push' || inputs.release_type == 'release' }} run: | VERSION_CODE=$(sed -nE 's/.*const val VERSION_CODE[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' buildSrc/src/main/kotlin/Constants.kt) RELEASE_NOTES="$(cat ${{ github.workspace }}/fastlane/metadata/android/en-US/changelogs/${VERSION_CODE}.txt || echo "No changelog found for ${VERSION_CODE}")" echo "RELEASE_NOTES<> $GITHUB_ENV echo "$RELEASE_NOTES" >> $GITHUB_ENV echo "EOF" >> $GITHUB_ENV - name: Get checksum id: checksum run: | file_path=$(find ${{ github.workspace }}/temp -type f -iname "*.apk" | head -n 1) if [ -z "$file_path" ]; then echo "No APK file found" exit 1 fi checksum=$(apksigner verify --print-certs "$file_path" | grep -Po "(?<=SHA-256 digest:) .*" | tr -d "[:blank:]") echo "checksum=$checksum" >> $GITHUB_OUTPUT - name: Create Release id: create_release uses: softprops/action-gh-release@v3 with: body: | ${{ env.RELEASE_NOTES }} SHA-256 fingerprints for the 4096-bit signing certificate: ```sh ${{ steps.checksum.outputs.checksum }} ``` To verify fingerprint: ```sh apksigner verify --print-certs [path to APK file] | grep SHA-256 ``` ### Changelog ${{ steps.changelog.outputs.changes }} tag_name: ${{ github.event_name == 'push' && github.ref_name || github.event.inputs.tag_name }} name: ${{ github.event_name == 'push' && github.ref_name || github.event.inputs.tag_name }} draft: false prerelease: false make_latest: true files: | ${{ github.workspace }}/temp/**/*.apk env: GITHUB_TOKEN: ${{ secrets.PAT }} publish-fdroid-public: runs-on: ubuntu-latest if: >- ${{ github.event_name == 'push' || inputs.release_type != 'none' }} needs: - publish-github steps: - name: Dispatch update for fdroid repo uses: peter-evans/repository-dispatch@v4 with: token: ${{ secrets.PAT }} repository: wgtunnel/fdroid event-type: fdroid-update publish-play: if: ${{ github.event_name == 'push' || inputs.track != 'none' }} name: Publish to Google Play runs-on: ubuntu-latest env: SIGNING_KEY_ALIAS: ${{ secrets.SIGNING_KEY_ALIAS }} SIGNING_KEY_PASSWORD: ${{ secrets.SIGNING_KEY_PASSWORD }} SIGNING_STORE_PASSWORD: ${{ secrets.SIGNING_STORE_PASSWORD }} KEY_STORE_FILE: 'android_keystore.jks' KEY_STORE_LOCATION: ${{ github.workspace }}/app/keystore/ steps: - uses: actions/checkout@v6 - name: Set up JDK 17 uses: actions/setup-java@v5 with: distribution: 'temurin' java-version: '17' cache: gradle - name: Grant execute permission for gradlew run: chmod +x gradlew # Here we need to decode keystore.jks from base64 string and place it # in the folder specified in the release signing configuration - name: Decode Keystore id: decode_keystore uses: timheuer/base64-to-file@v2.0 with: fileName: ${{ env.KEY_STORE_FILE }} fileDir: ${{ env.KEY_STORE_LOCATION }} encodedString: ${{ secrets.KEYSTORE }} # create keystore path for gradle to read - name: Create keystore path env var run: | store_path=${{ env.KEY_STORE_LOCATION }}${{ env.KEY_STORE_FILE }} echo "KEY_STORE_PATH=$store_path" >> $GITHUB_ENV - name: Create service_account.json id: createServiceAccount run: echo '${{ secrets.SERVICE_ACCOUNT_JSON }}' > service_account.json - name: Deploy with fastlane uses: ruby/setup-ruby@v1 with: ruby-version: '3.2' # Not needed with a .ruby-version file bundler-cache: true - name: Distribute app to Prod track 🚀 run: | track=${{ github.event_name == 'push' && 'production' || inputs.track }} (cd ${{ github.workspace }} && bundle install && bundle exec fastlane $track --verbose)