From f0d3cf0b18ce6ea5300cb1962a531c4e5a1dbe12 Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 4 Jun 2026 19:52:24 -0400 Subject: [PATCH] ci(mobile-build): pass KEYSTORE_PASSWORD/KEY_PASSWORD env to the keystore.properties generation step MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Generate keystore.properties step's $KEYSTORE_PASSWORD and $KEY_PASSWORD expanded to empty because the env block was only on the Gradle assembleRelease step. The resulting file had blank passwords, which my v0.1.0 signing fail-fast caught with 'Release signing config is missing or incomplete'. Move the env block to the keystore.properties step where the secrets are actually used. After the secrets are set in repo Settings → Secrets and variables → Actions, the tag pipeline should run end-to-end. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/mobile-build.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/.github/workflows/mobile-build.yml b/.github/workflows/mobile-build.yml index a6c8cc6..48b8682 100644 --- a/.github/workflows/mobile-build.yml +++ b/.github/workflows/mobile-build.yml @@ -128,6 +128,8 @@ jobs: - name: Decode keystore from base64 secret if: startsWith(github.ref, 'refs/tags/mobile-v') + env: + KEYSTORE_FILE_B64: ${{ secrets.KEYSTORE_FILE_B64 }} run: | if [[ -n "$KEYSTORE_FILE_B64" ]]; then echo "$KEYSTORE_FILE_B64" | base64 -d > /tmp/release.jks @@ -136,13 +138,34 @@ jobs: - name: Generate keystore.properties for release if: startsWith(github.ref, 'refs/tags/mobile-v') + env: + KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }} + KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }} run: | + # v0.1.0 fix: the env block was previously only on + # the assembleRelease step, so $KEYSTORE_PASSWORD / + # $KEY_PASSWORD were empty here and the resulting + # keystore.properties had blank passwords. The new + # signing fail-fast in build.gradle then correctly + # failed the release build with a clear error — + # better than a silent unsigned APK. With this env + # block, the file is written with the real secrets + # and assembleRelease proceeds. + # + # Required repo secrets (Settings → Secrets and + # variables → Actions): + # - KEYSTORE_FILE_B64 — base64 of keystore/release.jks + # - KEYSTORE_PASSWORD — keystore store password + # - KEY_PASSWORD — key password + # If any are missing, the build fails fast at the + # gradle signing step with a clear error. cat > keystore/keystore.properties <