fix(ci): correct release-pipeline repo URL and secret name

- scripts/write-update-manifest.sh: emit GitHub URLs under Heretek-AI/
  (the actual repo owner), not NousResearch/. The NousResearch org does
  not own hermes-mobile; the in-app updater would 404 against the old URL.
- keystore/README.md: the workflow consumes KEYSTORE_FILE_B64, not
  KEYSTORE_FILE. Drop the KEY_ALIAS row (alias is hardcoded to 'hermes'
  in the workflow). Note that CI overrides the keystore path to
  /tmp/release.jks.
- keystore/keystore.properties.template: comment that CI overwrites
  storeFile at runtime; do not commit the override.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude
2026-06-03 22:50:06 -04:00
parent 33b4f7f715
commit 67a5f27bec
3 changed files with 13 additions and 6 deletions
+9 -4
@@ -40,14 +40,19 @@ Store the following in the repo's encrypted secrets:
| Secret | Value |
|---|---|
| `KEYSTORE_FILE` | base64 of `keystore/release.jks` |
| `KEYSTORE_FILE_B64` | base64 of `keystore/release.jks` (decoded to `/tmp/release.jks` in CI) |
| `KEYSTORE_PASSWORD` | the keystore password |
| `KEY_ALIAS` | `hermes` (the alias used at keytool) |
| `KEY_PASSWORD` | the key password (often the same as keystore) |
The `mobile-build.yml` workflow decodes `KEYSTORE_FILE` to a temp
The key alias `hermes` is hardcoded in the workflow (and in
`build.gradle`'s `signingConfig`), so it is not a secret.
The `mobile-build.yml` workflow decodes `KEYSTORE_FILE_B64` to a temp
file, exports the passwords as env vars, and `./gradlew assembleRelease`
picks them up via `signingConfigs.release.storeFile` etc.
picks them up via `signingConfigs.release.storeFile` etc. Note that
the CI path differs from the local path below — CI writes
`storeFile=/tmp/release.jks` to `keystore/keystore.properties`; local
dev uses `../../../keystore/release.jks`.
## Rotation policy
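Review bot: The new paragraph documents that CI decodes the signing keystore to the fixed path `/tmp/release.jks` but says nothing about file permissions or cleanup, so a reader cannot tell whether the key material outlives the build step. Suggest stating here that the workflow restricts the file to the runner user and deletes it after `./gradlew assembleRelease`, or moving the decode target to a per-job directory such as `$RUNNER_TEMP`. Since the table renames `KEYSTORE_FILE` to `KEYSTORE_FILE_B64` and drops `KEY_ALIAS`, a one-line note telling maintainers to create the new secret and delete the two old ones would also prevent a release build that silently decodes an empty value.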
+2
@@ -5,6 +5,8 @@
# Path to the keystore, relative to apps/mobile/android/.
# Default: ../../../keystore/release.jks
# CI (GitHub Actions) overwrites this file with storeFile=/tmp/release.jks
# after decoding $KEYSTORE_FILE_B64 — do not commit the override.
storeFile=../../../keystore/release.jks
# The keystore password (set when you ran keytool -genkey).
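Review bot: "do not commit the override" in the added comment is enforced only by the comment, and "this file" is ambiguous inside a template, since the README hunk says CI writes to `keystore/keystore.properties` rather than to the template. Suggest naming the target explicitly ("CI generates `keystore/keystore.properties` with `storeFile=/tmp/release.jks`") and confirming that `keystore.properties` and `release.jks` are covered by `.gitignore`, so the rule does not depend on someone reading this comment.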
+2 -2
@@ -15,7 +15,7 @@ set -euo pipefail
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
APK_DIR="$ROOT/apps/mobile/android/app/build/outputs/apk/release"
VERSION_NAME="${GITHUB_REF_NAME#mobile-v}" # strip 'mobile-v' prefix
RELEASE_URL_BASE="https://github.com/NousResearch/hermes-mobile/releases/download/${GITHUB_REF_NAME:-mobile-v0.0.0}"
RELEASE_URL_BASE="https://github.com/Heretek-AI/hermes-mobile/releases/download/${GITHUB_REF_NAME:-mobile-v0.0.0}"
# Find the versionCode by parsing the gradle build output. We
# could also read it from the build.gradle, but this is robust
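Review bot: The repository owner is still a literal in `RELEASE_URL_BASE`, which is the same kind of defect this commit fixes; a transfer or fork will break the in-app updater URL again. Suggest deriving it from the `GITHUB_REPOSITORY` variable that GitHub Actions sets, with the current `Heretek-AI/hermes-mobile` value as the fallback for local runs. Separately, in the context line above, `VERSION_NAME="${GITHUB_REF_NAME#mobile-v}"` has no default, so under `set -euo pipefail` the script aborts when `GITHUB_REF_NAME` is unset even though `RELEASE_URL_BASE` provides `:-mobile-v0.0.0`; the two should agree.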
@@ -32,7 +32,7 @@ echo "{" > "$OUT"
echo " \"versionName\": \"$VERSION_NAME\"," >> "$OUT"
echo " \"versionCode\": $VERSION_CODE," >> "$OUT"
echo " \"url\": \"$RELEASE_URL_BASE/hermes-mobile-$VERSION_NAME-universal.apk\"," >> "$OUT"
echo " \"releaseNotes\": \"https://github.com/NousResearch/hermes-mobile/releases/tag/${GITHUB_REF_NAME:-mobile-v0.0.0}\"," >> "$OUT"
echo " \"releaseNotes\": \"https://github.com/Heretek-AI/hermes-mobile/releases/tag/${GITHUB_REF_NAME:-mobile-v0.0.0}\"," >> "$OUT"
echo " \"assets\": {" >> "$OUT"
FIRST=true
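Review bot: The `releaseNotes` line repeats the owner and repo as a second literal instead of reusing a variable, so the two URLs in the manifest can drift apart the way they did before this fix; define the repo base once next to `RELEASE_URL_BASE` and build both from it. While this block is being touched, note that `$VERSION_NAME` and `${GITHUB_REF_NAME}` are interpolated into the JSON through `echo` with no escaping, so a tag name containing a quote or backslash yields a malformed manifest for the updater. Generating the file with `jq -n --arg` would remove that class of problem.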