ci(android): android.yml workflow — ktlint + detekt + unit tests + release APK

M8 phase 2.1. Runs on every push to dev/main + PR to main (path-filtered
on android/**). Tag pushes (v*) additionally build a signed release APK
attached to the existing Forgejo release as minstrel-android-<tag>.apk
during the side-by-side period; that name flips to minstrel-<tag>.apk
at M8 phase 14.4 cutover.

Reuses ANDROID_KEYSTORE_B64 + STORE/KEY_PASSWORD + KEY_ALIAS secrets so
signing matches flutter.yml — Android accepts upgrade in place at cutover
without uninstall.

runs-on: flutter-ci because that's the only proven-working runner label
on this Forgejo instance with docker. Switch to android-ci once that
label gets registered.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-21 22:22:49 -04:00
parent f2f6fa06a2
commit 2d990690ba
+128
View File
@@ -0,0 +1,128 @@
name: android
# Native Android (Kotlin/Compose/Media3) — M8 rewrite of the Flutter client.
# Lives side-by-side with flutter_client/ until cutover; both APKs ship from
# their respective release artifacts (minstrel-<tag>.apk = Flutter,
# minstrel-android-<tag>.apk = native) during the transition.
on:
push:
branches: [main, dev]
tags: ['v*']
paths:
- 'android/**'
- '.forgejo/workflows/android.yml'
pull_request:
branches: [main]
paths:
- 'android/**'
jobs:
build:
name: Build + lint + test
# Using flutter-ci runner label because it's the only proven-working
# label with docker that can pull our container.image. Switch to
# android-ci once the operator registers that runner label.
runs-on: flutter-ci
container:
image: git.fabledsword.com/bvandeusen/ci-android:35
defaults:
run:
working-directory: android
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Make gradlew executable
run: chmod +x ./gradlew
- name: Gradle wrapper validation
run: ./gradlew --version
- name: ktlint
run: ./gradlew ktlintCheck
- name: detekt
run: ./gradlew detekt
- name: Unit tests
run: ./gradlew testDebugUnitTest
- name: Assemble debug
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
run: ./gradlew assembleDebug
- name: Upload debug APK
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
uses: forgejo/upload-artifact@v3
with:
name: minstrel-android-debug-${{ github.sha }}
path: android/app/build/outputs/apk/debug/app-debug.apk
release:
name: Build signed release APK
needs: build
if: startsWith(github.ref, 'refs/tags/v')
runs-on: flutter-ci
container:
image: git.fabledsword.com/bvandeusen/ci-android:35
defaults:
run:
working-directory: android
env:
ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Make gradlew executable
run: chmod +x ./gradlew
- name: Decode signing keystore
# Reuses the same keystore env-var contract as flutter.yml so the
# native APK is signed with the same key — Android will accept
# the upgrade in place at cutover without uninstall.
env:
ANDROID_KEYSTORE_B64: ${{ secrets.ANDROID_KEYSTORE_B64 }}
shell: bash
run: |
if [ -z "${ANDROID_KEYSTORE_B64}" ]; then
echo "::error::ANDROID_KEYSTORE_B64 missing"; exit 1
fi
KEYSTORE_PATH="${RUNNER_TEMP}/minstrel-release.keystore"
echo "${ANDROID_KEYSTORE_B64}" | base64 -d > "${KEYSTORE_PATH}"
echo "ANDROID_KEYSTORE_PATH=${KEYSTORE_PATH}" >> "${GITHUB_ENV}"
- name: Build release APK
run: ./gradlew assembleRelease
- name: Attach APK to release
# During the side-by-side period the asset name is
# minstrel-android-<tag>.apk so it doesn't collide with the
# Flutter app's minstrel-<tag>.apk. At cutover, flip this name
# to minstrel-<tag>.apk and deactivate the flutter.yml release-
# attach step (M8 phase 14.4).
shell: bash
env:
CI_TOKEN: ${{ secrets.CI_TOKEN }}
run: |
TAG="${GITHUB_REF#refs/tags/}"
REPO="${GITHUB_REPOSITORY}"
RELEASE_ID=$(curl -fsSL \
-H "Authorization: token ${CI_TOKEN}" \
"https://git.fabledsword.com/api/v1/repos/${REPO}/releases/tags/${TAG}" \
| grep -oP '"id":\s*\K[0-9]+' | head -1)
if [ -z "${RELEASE_ID}" ]; then
echo "::error::release for ${TAG} not found"; exit 1
fi
curl -fsSL \
-H "Authorization: token ${CI_TOKEN}" \
-F "attachment=@app/build/outputs/apk/release/app-release.apk" \
"https://git.fabledsword.com/api/v1/repos/${REPO}/releases/${RELEASE_ID}/assets?name=minstrel-android-${TAG}.apk"