Skip to content

Commit cd49f7e

Browse files
authored
Merge pull request #494 from DevKor-github/codexd/452-signed-release-aab
docs: add signed AAB blocker plan
2 parents 3944787 + 8a4b088 commit cd49f7e

4 files changed

Lines changed: 108 additions & 4 deletions

File tree

docs/Android-Release-Configuration.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ Android release builds must include the production Firebase client config so Fir
66

77
- `ANDROID_GOOGLE_SERVICES_JSON_B64`: base64-encoded contents of the production Android `google-services.json` for Firebase project `ontime-c63f1`.
88

9-
The release verification workflow decodes this secret to `android/app/src/release/google-services.json` before running the Android release build. Generated `google-services.json` files are ignored and must not be committed.
9+
The Android Play Internal Deploy workflow decodes this secret to `android/app/src/release/google-services.json` before running the Android release build. Generated `google-services.json` files are ignored and must not be committed.
1010

1111
The decoded file must include an Android client whose package name is `club.devkor.ontime`. Gradle validates this package match for release builds and through the focused validation task below.
1212

@@ -90,4 +90,4 @@ Release SHA-1 and SHA-256 fingerprints must be added to Firebase after the relea
9090

9191
## Verification
9292

93-
Use the `Android Release Verification` GitHub Actions workflow to confirm CI can reproduce the release build with the configured secret. For production readiness, also install a real Android release build and verify Firebase initializes and FCM token registration reaches the backend.
93+
Use the `Android Play Internal Deploy` GitHub Actions workflow to confirm CI can reproduce the signed release build with the configured secrets. For production readiness, also install a real Android release build and verify Firebase initializes and FCM token registration reaches the backend.

docs/Android-Signing-Setup.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -76,8 +76,8 @@ The Gradle build also accepts the legacy `ONTIME_ANDROID_KEYSTORE_PATH`,
7676
## Configure CI Release Signing
7777

7878
For GitHub Actions deploys, base64-encode the upload keystore and store it as
79-
the `ANDROID_UPLOAD_KEYSTORE_B64` secret in the protected `release`
80-
environment:
79+
the `ANDROID_UPLOAD_KEYSTORE_B64` secret in the protected `staging`
80+
environment used by the Android Play Internal Deploy workflow:
8181

8282
```sh
8383
base64 -i ~/secure/ontime-upload.jks | pbcopy

docs/Home.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@ Welcome to the OnTime-front project documentation! This wiki contains everything
1111
- [Release Checklist](./Release-Checklist.md) - Reusable release gates,
1212
verification commands, store checks, and rollout handoff
1313
- [Android Release Signing](./Android-Release-Signing.md) - Required keystore inputs and release signing validation
14+
- [Android Release Configuration](./Android-Release-Configuration.md) - Firebase config, signed AAB workflow, and Play internal deploy setup
1415
- [iOS Release Configuration](./iOS-Release-Configuration.md) - Required Dart defines and archive validation
1516
- [Google Play Data Safety Worksheet](./Google-Play-Data-Safety.md) - Source-backed Data safety evidence and pending owner inputs
1617
- [Play Pre-Launch Report](./Play-Pre-Launch-Report.md) - Google Play report runbook, triage gate, and evidence template
Lines changed: 103 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,103 @@
1+
# Issue #452 Signed Release AAB Plan
2+
3+
Parent track: #467
4+
Sub-issue: #452 - Build a signed release Android App Bundle
5+
6+
## Current Status
7+
8+
#452 remains externally blocked until all prerequisites are complete and release
9+
secrets are available to the release owner or the protected GitHub Actions
10+
environment.
11+
12+
Prerequisite status checked on 2026-05-10:
13+
14+
- #450 release signing ownership and secret process: closed.
15+
- #451 release Firebase/Google services config process: closed.
16+
- #453 initial production versioning: open, so #452 must not be closed.
17+
18+
The repository already has Gradle checks for release Firebase config and release
19+
signing inputs, plus the `Android Play Internal Deploy` workflow that builds a
20+
signed AAB when the configured environment secrets and variables are present.
21+
22+
## Decision-Complete Plan
23+
24+
1. Wait for #453 to close with the approved public `versionName` and Android
25+
`versionCode` rule for the first production upload.
26+
2. Confirm the `staging` GitHub environment has these secrets:
27+
- `ANDROID_GOOGLE_SERVICES_JSON_B64`
28+
- `ANDROID_UPLOAD_KEYSTORE_B64`
29+
- `ANDROID_KEYSTORE_PASSWORD`
30+
- `ANDROID_KEY_ALIAS`
31+
- `ANDROID_KEY_PASSWORD`
32+
- `GOOGLE_PLAY_SERVICE_ACCOUNT_JSON`
33+
3. Confirm the `staging` GitHub environment has `REST_API_URL` set to the
34+
approved release-candidate API base URL.
35+
4. From `main`, run the `Android Play Internal Deploy` workflow.
36+
5. Confirm the workflow passes:
37+
- `flutter pub get`
38+
- `dart run build_runner build --delete-conflicting-outputs`
39+
- generated-file drift check
40+
- `flutter analyze`
41+
- `flutter test`
42+
- `flutter build appbundle --release`
43+
6. Record the signed AAB evidence:
44+
- workflow run URL
45+
- artifact name: `ontime-android-release-aab`
46+
- artifact path inside the run: `build/app/outputs/bundle/release/app-release.aab`
47+
- version name
48+
- generated Android version code
49+
- target environment and `REST_API_URL` ownership confirmation
50+
7. Keep #452 open if any required secret, environment variable, versioning
51+
decision, or Play upload permission is unavailable.
52+
53+
## Local Build Alternative
54+
55+
Use this only when the release owner has local access to the upload keystore,
56+
passwords, production Firebase config, and approved version values:
57+
58+
```sh
59+
flutter pub get
60+
dart run build_runner build --delete-conflicting-outputs
61+
flutter analyze
62+
flutter test
63+
64+
mkdir -p android/app/src/release
65+
base64 --decode android-google-services.json.b64 > android/app/src/release/google-services.json
66+
67+
export ANDROID_KEYSTORE_PATH=/absolute/path/to/ontime-upload.jks
68+
export ANDROID_KEYSTORE_PASSWORD='<keystore-password>'
69+
export ANDROID_KEY_ALIAS=ontime
70+
export ANDROID_KEY_PASSWORD='<key-password>'
71+
72+
flutter build appbundle --release \
73+
--build-name=<approved version name> \
74+
--build-number=<approved monotonic Android versionCode> \
75+
--dart-define=ENV=staging \
76+
--dart-define=REST_API_URL=<approved release-candidate api url>
77+
```
78+
79+
On macOS, use `base64 -D` instead of `base64 --decode`.
80+
81+
## Handoff Evidence Template
82+
83+
```text
84+
#452 signed AAB evidence
85+
- Workflow run URL:
86+
- Git commit SHA:
87+
- Version name:
88+
- Android version code:
89+
- Build environment: staging
90+
- REST_API_URL owner-confirmed: yes/no
91+
- AAB artifact name: ontime-android-release-aab
92+
- AAB artifact path: build/app/outputs/bundle/release/app-release.aab
93+
- Follow-up issue unblocked: #456
94+
- Remaining blockers, if any:
95+
```
96+
97+
## Out Of Scope
98+
99+
- Choosing or changing the production version; that belongs to #453.
100+
- Creating, rotating, or disclosing signing keys.
101+
- Committing `google-services.json`, keystores, passwords, or generated AABs.
102+
- Verifying Play App Signing fingerprints; that belongs to #454.
103+
- Device smoke testing; that belongs to #456.

0 commit comments

Comments
 (0)