diff --git a/keystore/README.md b/keystore/README.md
index b984b81..bfdb855 100644
--- a/keystore/README.md
+++ b/keystore/README.md
@@ -40,14 +40,19 @@ Store the following in the repo's encrypted secrets:
 
 | Secret | Value |
 |---|---|
-| `KEYSTORE_FILE` | base64 of `keystore/release.jks` |
+| `KEYSTORE_FILE_B64` | base64 of `keystore/release.jks` (decoded to `/tmp/release.jks` in CI) |
 | `KEYSTORE_PASSWORD` | the keystore password |
-| `KEY_ALIAS` | `hermes` (the alias used at keytool) |
 | `KEY_PASSWORD` | the key password (often the same as keystore) |
 
-The `mobile-build.yml` workflow decodes `KEYSTORE_FILE` to a temp
+The key alias `hermes` is hardcoded in the workflow (and in
+`build.gradle`'s `signingConfig`), so it is not a secret.
+
+The `mobile-build.yml` workflow decodes `KEYSTORE_FILE_B64` to a temp
 file, exports the passwords as env vars, and `./gradlew assembleRelease`
-picks them up via `signingConfigs.release.storeFile` etc.
+picks them up via `signingConfigs.release.storeFile` etc. Note that
+the CI path differs from the local path below — CI writes
+`storeFile=/tmp/release.jks` to `keystore/keystore.properties`; local
+dev uses `../../../keystore/release.jks`.
 
 ## Rotation policy
 
diff --git a/keystore/keystore.properties.template b/keystore/keystore.properties.template
index 90ab366..56feff1 100644
--- a/keystore/keystore.properties.template
+++ b/keystore/keystore.properties.template
@@ -5,6 +5,8 @@
 
 # Path to the keystore, relative to apps/mobile/android/.
 # Default: ../../../keystore/release.jks
+# CI (GitHub Actions) overwrites this file with storeFile=/tmp/release.jks
+# after decoding $KEYSTORE_FILE_B64 — do not commit the override.
 storeFile=../../../keystore/release.jks
 
 # The keystore password (set when you ran keytool -genkey).
diff --git a/scripts/write-update-manifest.sh b/scripts/write-update-manifest.sh
index 94722a4..cc9e0c3 100755
--- a/scripts/write-update-manifest.sh
+++ b/scripts/write-update-manifest.sh
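Review bot: The fixed path `/tmp/release.jks` in the comment added to keystore/keystore.properties.template (and in the README table) puts the decoded release signing keystore at a predictable location in a shared temp directory. The workflow is not part of this diff, so file mode and cleanup cannot be checked here; on a self-hosted or reused runner a leftover or pre-created file at that path is a real exposure for the signing key. Consider having the workflow decode to `$RUNNER_TEMP/release.jks` with mode 600 and delete it after signing, and wording the comment as `# CI (GitHub Actions) overwrites this file with storeFile pointing at a per-job temp copy of the keystore, removed after signing`.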
@@ -15,7 +15,7 @@ set -euo pipefail
 ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 APK_DIR="$ROOT/apps/mobile/android/app/build/outputs/apk/release"
 VERSION_NAME="${GITHUB_REF_NAME#mobile-v}" # strip 'mobile-v' prefix
-RELEASE_URL_BASE="https://github.com/NousResearch/hermes-mobile/releases/download/${GITHUB_REF_NAME:-mobile-v0.0.0}"
+RELEASE_URL_BASE="https://github.com/Heretek-AI/hermes-mobile/releases/download/${GITHUB_REF_NAME:-mobile-v0.0.0}"
 
 # Find the versionCode by parsing the gradle build output. We
 # could also read it from the build.gradle, but this is robust
@@ -32,7 +32,7 @@ echo "{" > "$OUT"
 echo " \"versionName\": \"$VERSION_NAME\"," >> "$OUT"
 echo " \"versionCode\": $VERSION_CODE," >> "$OUT"
 echo " \"url\": \"$RELEASE_URL_BASE/hermes-mobile-$VERSION_NAME-universal.apk\"," >> "$OUT"
-echo " \"releaseNotes\": \"https://github.com/NousResearch/hermes-mobile/releases/tag/${GITHUB_REF_NAME:-mobile-v0.0.0}\"," >> "$OUT"
+echo " \"releaseNotes\": \"https://github.com/Heretek-AI/hermes-mobile/releases/tag/${GITHUB_REF_NAME:-mobile-v0.0.0}\"," >> "$OUT"
 echo " \"assets\": {" >> "$OUT"
 
 FIRST=true
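Review bot: The repository owner is still hard-coded, now as `Heretek-AI`, in both `RELEASE_URL_BASE` (first hunk) and the `releaseNotes` line (second hunk), so a later fork or transfer needs the same two-place edit, and a missed one leaves the update manifest sending clients to another organisation's release assets. The script already reads `GITHUB_REF_NAME`, so the owner can come from the Actions environment too: `REPO_SLUG="${GITHUB_REPOSITORY:-Heretek-AI/hermes-mobile}"` and `RELEASE_URL_BASE="https://github.com/$REPO_SLUG/releases/download/${GITHUB_REF_NAME:-mobile-v0.0.0}"`, with the `releaseNotes` URL built from the same `$REPO_SLUG`. That ties the download URL to the repository that actually built and signed the APK. Both hunks are top-level script code that continues outside the visible lines.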