Handle unsigned builds on CI

We don't always have access to CI secrets, such as, when a certain CI action is triggered by a PR from an external repository then it won't have access to secrets and be signed. While we likely will allow for this in the future as all workflows do have to be approved, it is still important to not crash when keys are unavailable and have a graceful fallback for those situations.
2022-06-11 17:05:20 +05:30 · 2022-06-11 17:05:20 +05:30 · e3e92ce1d4
parent 8689886bbb
commit e3e92ce1d4
2 changed files with 33 additions and 7 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -7,6 +7,7 @@ jobs:
    runs-on: ubuntu-latest
    env:
      JVM_OPTS: -Xmx6G
+      IS_SKYLINE_SIGNED: ${{ secrets.KEYSTORE != '' }}

    steps:
      - name: Git Checkout
@ -44,33 +45,58 @@ jobs:
        run: echo "yes" | $ANDROID_HOME/tools/bin/sdkmanager "cmake;3.18.1" "ndk;25.0.8221429" --channel=3 | grep -v = || true

      - name: Decode Keystore
+        if: ${{ env.IS_SKYLINE_SIGNED == 'true' }}
        env:
          KEYSTORE_ENCODED: ${{ secrets.KEYSTORE }}
-        run: echo $KEYSTORE_ENCODED | base64 --decode > "$HOME/keystore.jks"
+        run: echo $KEYSTORE_ENCODED | base64 --decode > "/home/runner/keystore.jks"

      - name: Android Assemble
        env:
+          SIGNING_STORE_PATH: "/home/runner/keystore.jks"
          SIGNING_STORE_PASSWORD: ${{ secrets.SIGNING_STORE_PASSWORD }}
          SIGNING_KEY_ALIAS: ${{ secrets.SIGNING_KEY_ALIAS }}
          SIGNING_KEY_PASSWORD: ${{ secrets.SIGNING_KEY_PASSWORD }}
        run: ./gradlew --stacktrace --configuration-cache --build-cache --parallel --configure-on-demand assemble

-      - name: Rename APKs
+      - name: Rename APKs (Signed)
+        if: ${{ env.IS_SKYLINE_SIGNED == 'true' }}
        run: |
          mv app/build/outputs/apk/debug/app-debug.apk skyline-$GITHUB_RUN_NUMBER-debug.apk
          mv app/build/outputs/apk/release/app-release.apk skyline-$GITHUB_RUN_NUMBER-release.apk

-      - name: Upload Debug APK
+      - name: Upload Signed Debug APK
+        if: ${{ env.IS_SKYLINE_SIGNED == 'true' }}
        uses: actions/upload-artifact@v3
        with:
          name: skyline-${{ github.run_number }}-debug.apk
          path: skyline-${{ github.run_number }}-debug.apk

-      - name: Upload Release APK
+      - name: Upload Signed Release APK
+        if: ${{ env.IS_SKYLINE_SIGNED == 'true' }}
        uses: actions/upload-artifact@v3
        with:
          name: skyline-${{ github.run_number }}-release.apk
          path: skyline-${{ github.run_number }}-release.apk

+      - name: Rename APKs (Unsigned)
+        if: ${{ env.IS_SKYLINE_SIGNED == 'false' }}
+        run: |
+          mv app/build/outputs/apk/debug/app-debug.apk skyline-$GITHUB_RUN_NUMBER-unsigned-debug.apk
+          mv app/build/outputs/apk/release/app-release.apk skyline-$GITHUB_RUN_NUMBER-unsigned-release.apk
+
+      - name: Upload Unsigned Debug APK
+        if: ${{ env.IS_SKYLINE_SIGNED == 'false' }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: skyline-${{ github.run_number }}-unsigned-debug.apk
+          path: skyline-${{ github.run_number }}-unsigned-debug.apk
+
+      - name: Upload Unsigned Release APK
+        if: ${{ env.IS_SKYLINE_SIGNED == 'false' }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: skyline-${{ github.run_number }}-unsigned-release.apk
+          path: skyline-${{ github.run_number }}-unsigned-release.apk
+
      - name: Delete Build Folder
        run: rm -rf app/build/
--- a/app/build.gradle
+++ b/app/build.gradle
@ -43,7 +43,7 @@ android {

    signingConfigs {
        ci {
-            storeFile file("${System.getProperty("user.home")}/keystore.jks")
+            storeFile file(System.getenv("SIGNING_STORE_PATH") ?: "${System.getenv("user.home")}/keystore.jks")
            storePassword System.getenv("SIGNING_STORE_PASSWORD")
            keyAlias System.getenv("SIGNING_KEY_ALIAS")
            keyPassword System.getenv("SIGNING_KEY_PASSWORD")
@ -61,14 +61,14 @@ android {
            minifyEnabled true
            shrinkResources true
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
-            signingConfig = System.getenv("CI") ? signingConfigs.ci : signingConfigs.debug
+            signingConfig = (System.getenv("CI") == "true") && (System.getenv("IS_SKYLINE_SIGNED") == "true") ? signingConfigs.ci : signingConfigs.debug
        }

        debug {
            debuggable true
            minifyEnabled false
            shrinkResources false
-            signingConfig = System.getenv("CI") ? signingConfigs.ci : signingConfigs.debug
+            signingConfig = (System.getenv("CI") == "true") && (System.getenv("IS_SKYLINE_SIGNED") == "true") ? signingConfigs.ci : signingConfigs.debug
        }
    }