2500914498
Update installs were failing at the system scanner step because every
release APK was signed with a different signature: build.gradle.kts
fell back to signingConfigs.getByName("debug"), and the debug
keystore is generated per-machine — so every CI runner had a fresh
random key. Android refuses to upgrade an installed app when the
signature doesn't match, hence the "App not installed" failure
after the scan.
Two-part fix:
1. build.gradle.kts now defines a real "release" signing config when
ANDROID_KEYSTORE_PATH is exported (with the matching password +
alias env vars). Without those, falls through to the debug
keystore so local `flutter run --release` still works.
2. flutter.yml decodes ANDROID_KEYSTORE_B64 (CI secret, base64 of the
real release keystore) into a tmp path before the release-APK
build step, then exports ANDROID_KEYSTORE_PATH + the three
password/alias secrets as env vars. CI now hard-errors if the
keystore secret is missing on a tagged build — we don't want
another silent debug-keystore release.
OPERATOR ACTION REQUIRED before the next tag:
1. Generate a release keystore (one-time):
keytool -genkey -v -keystore minstrel-release.keystore \
-alias minstrel -keyalg RSA -keysize 2048 -validity 10000
2. Base64 it:
base64 -w0 minstrel-release.keystore > keystore.b64
3. In Forgejo, add four repo secrets:
ANDROID_KEYSTORE_B64 = contents of keystore.b64
ANDROID_KEY_ALIAS = minstrel
ANDROID_STORE_PASSWORD = the password you set
ANDROID_KEY_PASSWORD = same password (or different alias pwd)
4. Keep minstrel-release.keystore offline and backed up — losing it
means you can never sign an upgrade for any existing install.
5. Existing installs from prior debug-keyed releases must be
uninstalled before installing the first key-signed release. This
is a one-time transition; future tagged builds will upgrade
cleanly.
144 lines
5.5 KiB
YAML
144 lines
5.5 KiB
YAML
name: flutter
|
|
|
|
# Analyze + test + build the Flutter mobile client. Only runs when the
|
|
# diff touches flutter_client/ or one of the shared web inputs the
|
|
# sync_shared.sh script copies. Other pushes skip — this workflow is
|
|
# independent from the Go/web test.yml and release.yml.
|
|
|
|
on:
|
|
push:
|
|
branches: [dev, main]
|
|
tags: ['v*']
|
|
paths:
|
|
- 'flutter_client/**'
|
|
- 'web/src/lib/styles/tokens.json'
|
|
- 'web/src/lib/styles/error-copy.json'
|
|
- 'web/static/placeholders/album-fallback.svg'
|
|
- '.forgejo/workflows/flutter.yml'
|
|
pull_request:
|
|
branches: [main]
|
|
paths:
|
|
- 'flutter_client/**'
|
|
- 'web/src/lib/styles/tokens.json'
|
|
- 'web/src/lib/styles/error-copy.json'
|
|
- 'web/static/placeholders/album-fallback.svg'
|
|
- '.forgejo/workflows/flutter.yml'
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
analyze-test-build:
|
|
# flutter-ci runner image (CI-Runner/CI-flutter/Dockerfile) bakes in
|
|
# Flutter SDK + Android cmdline-tools + platform-34 + build-tools 34.0.0
|
|
# + JDK 17 + a non-root `runner` user. No setup-action ceremony needed.
|
|
runs-on: flutter-ci
|
|
|
|
defaults:
|
|
run:
|
|
working-directory: flutter_client
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Sync shared assets from web/
|
|
run: ./tool/sync_shared.sh
|
|
|
|
- name: Verify generated tokens.dart matches JSON
|
|
shell: bash
|
|
run: |
|
|
dart run tool/gen_tokens.dart
|
|
if ! git diff --exit-code lib/theme/tokens.dart; then
|
|
echo "::error::lib/theme/tokens.dart is out of sync with shared/fabledsword.tokens.json"
|
|
echo "Run: cd flutter_client && dart run tool/gen_tokens.dart"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Pub get
|
|
run: flutter pub get
|
|
|
|
- name: Codegen (drift, etc.)
|
|
# build_runner generates *.g.dart files (drift schemas, etc.)
|
|
# which are gitignored. Must run before analyze + test so the
|
|
# generated symbols exist.
|
|
run: dart run build_runner build --delete-conflicting-outputs
|
|
|
|
- name: Analyze
|
|
run: flutter analyze --fatal-infos
|
|
|
|
- name: Test
|
|
run: flutter test --reporter compact
|
|
|
|
- name: Build debug APK
|
|
if: github.event_name == 'push' && !startsWith(github.ref, 'refs/tags/')
|
|
run: flutter build apk --debug
|
|
|
|
- name: Decode signing keystore
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
# Reconstructs the release keystore from a base64-encoded
|
|
# CI secret so every tagged build is signed with the same
|
|
# key. Without this, each CI runner would generate its own
|
|
# debug keystore and Android would refuse to upgrade an
|
|
# existing install (signature mismatch).
|
|
shell: bash
|
|
env:
|
|
ANDROID_KEYSTORE_B64: ${{ secrets.ANDROID_KEYSTORE_B64 }}
|
|
run: |
|
|
if [ -z "${ANDROID_KEYSTORE_B64}" ]; then
|
|
echo "::error::ANDROID_KEYSTORE_B64 secret is missing — release builds need a consistent signing key"
|
|
exit 1
|
|
fi
|
|
KEYSTORE_PATH="${RUNNER_TEMP}/minstrel-release.keystore"
|
|
echo "${ANDROID_KEYSTORE_B64}" | base64 -d > "${KEYSTORE_PATH}"
|
|
echo "ANDROID_KEYSTORE_PATH=${KEYSTORE_PATH}" >> "${GITHUB_ENV}"
|
|
|
|
- name: Build release APK
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
# Inject the tag (sans leading 'v') as the build's --build-name
|
|
# so PackageInfo.version matches what /api/client/version
|
|
# reports — otherwise the in-app update banner would always
|
|
# think the user is behind because pubspec.yaml's static
|
|
# version drifts from the actual release tag.
|
|
#
|
|
# ANDROID_KEYSTORE_PATH is set by the previous step;
|
|
# build.gradle.kts picks it up and signs the release APK with
|
|
# the operator's persistent keystore.
|
|
shell: bash
|
|
env:
|
|
ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
|
|
ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
|
|
ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
|
|
run: |
|
|
TAG="${GITHUB_REF#refs/tags/v}"
|
|
flutter build apk --release --build-name="${TAG}"
|
|
|
|
- name: Upload debug APK artifact
|
|
if: github.event_name == 'push' && !startsWith(github.ref, 'refs/tags/')
|
|
uses: forgejo/upload-artifact@v3
|
|
with:
|
|
name: minstrel-debug-${{ github.sha }}
|
|
path: flutter_client/build/app/outputs/flutter-apk/app-debug.apk
|
|
|
|
- name: Attach release APK to release
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
shell: bash
|
|
env:
|
|
CI_TOKEN: ${{ secrets.CI_TOKEN }}
|
|
run: |
|
|
TAG="${GITHUB_REF#refs/tags/}"
|
|
REPO="${GITHUB_REPOSITORY}"
|
|
# Look up the release ID for this tag. The release object must
|
|
# exist already — operator creates it (or release.yml will, in
|
|
# a future enhancement) before pushing the tag.
|
|
RELEASE_ID=$(curl -fsSL \
|
|
-H "Authorization: token ${CI_TOKEN}" \
|
|
"https://git.fabledsword.com/api/v1/repos/${REPO}/releases/tags/${TAG}" \
|
|
| grep -oP '"id":\s*\K[0-9]+' | head -1)
|
|
if [ -z "${RELEASE_ID}" ]; then
|
|
echo "::error::release for tag ${TAG} not found"
|
|
exit 1
|
|
fi
|
|
curl -fsSL \
|
|
-H "Authorization: token ${CI_TOKEN}" \
|
|
-F "attachment=@build/app/outputs/flutter-apk/app-release.apk" \
|
|
"https://git.fabledsword.com/api/v1/repos/${REPO}/releases/${RELEASE_ID}/assets?name=minstrel-${TAG}.apk"
|