# Android TWA (Trusted Web Activity) build + publish to GitHub Releases.
#
# Uses Bubblewrap (@bubblewrap/cli) to build a signed APK/AAB from twa/twa-manifest.json
# (which wraps https://autisense.imaginaerium.in into package in.imaginaerium.autisense)
# and uploads the artifacts to the GitHub Release for the pushed tag.
#
# SECRETS (all REQUIRED for a signed release build):
#   ANDROID_KEYSTORE_B64       base64 of the signing keystore (.jks/.keystore).
#                              Generate locally: base64 -w0 android.keystore > ks.b64
#                              (keep ks.b64 out of the repository and delete it once
#                              the secret has been stored)
#   ANDROID_KEYSTORE_PASSWORD  keystore (store) password
#   ANDROID_KEY_ALIAS          key alias inside the keystore
#   ANDROID_KEY_PASSWORD       password for that key
#
# IMPORTANT: the SHA-256 fingerprint of THIS keystore must match the one published in
# the site's /.well-known/assetlinks.json (Digital Asset Links), or the TWA will show
# the browser address bar instead of running full-screen. Re-run assetlinks generation
# (bubblewrap fingerprint) whenever the signing key changes.
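name: Android TWA Release

on:
  push:
    tags:
      - "v*"
  # Manual runs build and sign, but the publish step below is skipped unless
  # the run was started on a tag ref.
  workflow_dispatch:

# The release-publishing step creates/updates a GitHub Release and uploads
# assets, which needs write access to repository contents.
permissions:
  contents: write

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # No step in this job runs git against the remote, so do not leave
          # the write-scoped token in .git/config where the npm-installed CLI
          # and the Gradle build could read it.
          persist-credentials: false

      - name: Setup JDK 17
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: temurin
          java-version: "17"

      - name: Setup Node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          # Quoted so the version is always passed as a string.
          node-version: "20"

      - name: Setup Android SDK
        uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1

      - name: Install Bubblewrap CLI
        # NOTE(review): every action above is pinned to a commit SHA, but this
        # installs whatever version of the CLI is current at run time, in the
        # same job that later holds the signing keystore and its passwords.
        # Pin it to a reviewed release, e.g.
        #   npm i -g @bubblewrap/cli@<REVIEWED_VERSION>
        run: npm i -g @bubblewrap/cli

      - name: Configure Bubblewrap (non-interactive JDK + SDK)
        run: |
          # Bubblewrap's loadOrCreateConfig() runs before every command and PROMPTS
          # ("install the JDK? (Y/n)") when jdkPath/androidSdkPath are unset -> exit 130
          # on a runner with no TTY. Pre-write the config with the runner's own JDK 17
          # (from setup-java) and Android SDK (from setup-android) so it never prompts.
          mkdir -p "$HOME/.bubblewrap"
          cat > "$HOME/.bubblewrap/config.json" <<EOF
          {"jdkPath":"$JAVA_HOME","androidSdkPath":"$ANDROID_SDK_ROOT"}
          EOF

      - name: Restore signing keystore
        env:
          ANDROID_KEYSTORE_B64: ${{ secrets.ANDROID_KEYSTORE_B64 }}
        run: |
          # twa-manifest.json signingKey.path is "../android.keystore" (relative to twa/),
          # which resolves to the repo root. Decode the keystore there so it matches.
          #
          # Fail here with a clear message when the secret is missing, rather
          # than writing an empty keystore that only breaks later at signing.
          if [ -z "$ANDROID_KEYSTORE_B64" ]; then
            echo "::error::ANDROID_KEYSTORE_B64 is empty or not configured; cannot sign the release."
            exit 1
          fi
          # Create the decoded keystore readable by the runner user only.
          umask 077
          echo "$ANDROID_KEYSTORE_B64" | base64 -d > "$GITHUB_WORKSPACE/android.keystore"

      - name: Generate Android project from manifest
        working-directory: ./twa
        run: |
          # The twa/ folder only holds twa-manifest.json (no generated Gradle project).
          # `bubblewrap build` needs the Android project to exist. `update` regenerates
          # project files from the manifest; --skipVersionUpgrade suppresses its
          # interactive "versionName for the new App version?" prompt (exit 130 in CI).
          bubblewrap update --manifest="./twa-manifest.json" --skipVersionUpgrade

      - name: Build signed TWA (APK + AAB)
        working-directory: ./twa
        env:
          # Bubblewrap reads these for non-interactive signing.
          BUBBLEWRAP_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
          BUBBLEWRAP_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
          # Pass the alias via env (not inline ${{ }}) so the secret is never
          # interpolated into the shell script before the shell parses it.
          ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
        run: |
          bubblewrap build \
            --manifest="./twa-manifest.json" \
            --signingKeyPath="$GITHUB_WORKSPACE/android.keystore" \
            --signingKeyAlias="$ANDROID_KEY_ALIAS" \
            --skipPwaValidation

      - name: Publish artifacts to GitHub Release
        # Publish only when the run is on a tag. For a manual run started from
        # a branch, github.ref_name is the branch name and would otherwise be
        # used as the release tag below.
        if: github.ref_type == 'tag'
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
        with:
          # Publish to the release for the pushed tag (e.g. v1.2.0), matching the
          # desktop workflow. On a v* tag push github.ref_name is the tag name.
          # (A workflow_dispatch run from a branch has no tag ref; cut releases
          # via a tag push.)
          tag_name: ${{ github.ref_name }}
          files: |
            twa/app-release-signed.apk
            twa/app-release-bundle.aab
          # NOTE(review): with false, a release is still published when either
          # path above matches nothing, so a renamed build output would go
          # unnoticed. Consider true unless the leniency is intentional.
          fail_on_unmatched_files: false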