ci(mobile-build): pass KEYSTORE_PASSWORD/KEY_PASSWORD env to the keystore.properties generation step

The Generate keystore.properties step's $KEYSTORE_PASSWORD and
$KEY_PASSWORD expanded to empty because the env block was only
on the Gradle assembleRelease step. The resulting file had
blank passwords, which my v0.1.0 signing fail-fast caught with
'Release signing config is missing or incomplete'.

Move the env block to the keystore.properties step where the
secrets are actually used. After the secrets are set in repo
Settings → Secrets and variables → Actions, the tag pipeline
should run end-to-end.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude
2026-06-04 19:52:24 -04:00
parent 2c320f6f2c
commit f0d3cf0b18
+23
@@ -128,6 +128,8 @@ jobs:
- name: Decode keystore from base64 secret
if: startsWith(github.ref, 'refs/tags/mobile-v')
env:
KEYSTORE_FILE_B64: ${{ secrets.KEYSTORE_FILE_B64 }}
run: |
if [[ -n "$KEYSTORE_FILE_B64" ]]; then
echo "$KEYSTORE_FILE_B64" | base64 -d > /tmp/release.jks
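Review bot: The decoded signing keystore is written to /tmp/release.jks with whatever the default umask gives, and nothing visible in this hunk restricts or removes it. Set `umask 077` before the `base64 -d` line (or `chmod 600 /tmp/release.jks` right after it) and delete the file in a final step that runs with `if: always()`, so the private key does not outlive the job on a reused or self-hosted runner. The hunk header also shows two lines added to this step, which the commit message does not mention; a sentence there about what changed in the decode step would help later readers.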
@@ -136,13 +138,34 @@ jobs:
- name: Generate keystore.properties for release
if: startsWith(github.ref, 'refs/tags/mobile-v')
env:
KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
run: |
# v0.1.0 fix: the env block was previously only on
# the assembleRelease step, so $KEYSTORE_PASSWORD /
# $KEY_PASSWORD were empty here and the resulting
# keystore.properties had blank passwords. The new
# signing fail-fast in build.gradle then correctly
# failed the release build with a clear error —
# better than a silent unsigned APK. With this env
# block, the file is written with the real secrets
# and assembleRelease proceeds.
#
# Required repo secrets (Settings → Secrets and
# variables → Actions):
# - KEYSTORE_FILE_B64 — base64 of keystore/release.jks
# - KEYSTORE_PASSWORD — keystore store password
# - KEY_PASSWORD — key password
# If any are missing, the build fails fast at the
# gradle signing step with a clear error.
cat > keystore/keystore.properties <<EOF
storeFile=/tmp/release.jks
storePassword=$KEYSTORE_PASSWORD
keyAlias=hermes
keyPassword=$KEY_PASSWORD
EOF
echo "wrote keystore.properties (size $(wc -c < keystore/keystore.properties) bytes)"
- name: Generate F-Droid keystore.properties (no signing)
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
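Review bot: Missing check before the heredoc at `cat > keystore/keystore.properties <<EOF`: the step still writes blank `storePassword=` and `keyPassword=` lines when a secret is unset, which is the exact failure this commit fixes, and it relies on the later Gradle step to notice. Add a guard at the top of the run block, for example `: "${KEYSTORE_PASSWORD:?KEYSTORE_PASSWORD secret is not set}"` and the same for `KEY_PASSWORD`, so the job fails in the step that consumes the secrets. Two smaller points: the values are written verbatim into a Java properties file, so a password containing a backslash will be read back differently by the properties loader unless it is escaped, and the file holding both plaintext passwords should get `chmod 600` and be removed at the end of the job. The changelog-style comment ("v0.1.0 fix: ...") duplicates the commit message; keeping only the "Required repo secrets" list in the workflow would be easier to maintain.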