
Commit 6c78138

authored
ci: speed up and harden the Android store build (#7389)
1 parent e9c0c89 commit 6c78138

2 files changed

Lines changed: 77 additions & 12 deletions


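--- a/.github/actions/build-android/action.yml
+++ b/.github/actions/build-android/action.yml
@@ -36,16 +36,6 @@ runs:
 - name: Set up Gradle
 uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
 
-- name: Cache Gradle
-uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-with:
-path: |
-~/.gradle
-android/.gradle
-key: gradle-${{ hashFiles('android/**.gradle*', 'android/**/gradle-wrapper.properties') }}
-restore-keys: |
-gradle-
-
 - name: Decode Keystore
 working-directory: android/app
 run: |
@@ -81,7 +71,82 @@ runs:
 
 - name: Build Android Release AAB
 working-directory: android
-run: ./gradlew bundleRelease
+run: |
+build_start=$(date +%s)
+./gradlew bundleRelease --build-cache --parallel --max-workers=4
+build_end=$(date +%s)
+echo "BUILD_DURATION_SECONDS=$((build_end - build_start))" >> "$GITHUB_ENV"
+shell: bash
+
+# Fail loudly if a cache/packaging bug dropped an ABI, instead of shipping an incomplete bundle.
+- name: Verify AAB contains all target ABIs
+working-directory: android
+run: |
+AAB=app/build/outputs/bundle/release/app-release.aab
+libs=$(unzip -l "$AAB")
+missing=0
+for abi in armeabi-v7a arm64-v8a x86 x86_64; do
+if grep -q "base/lib/$abi/" <<< "$libs"; then
+echo " found: $abi"
+else
+echo " MISSING: $abi"
+missing=1
+fi
+done
+if [ "$missing" -ne 0 ]; then
+echo "::error::AAB is missing one or more target ABIs."
+exit 1
+fi
+shell: bash
+
+# Fail unless the AAB is signed by the official upload cert. Reads the keystore password
+# via `-storepass:env` (not a shell-quoted arg) since the secret has shell-special chars;
+# captures use `|| true` so an empty read can't trip `set -e -o pipefail`.
+- name: Verify AAB signing certificate
+working-directory: android
+env:
+KS_FILE: ${{ inputs.KEYSTORE_OFFICIAL }}
+KS_ALIAS: ${{ inputs.KEYSTORE_OFFICIAL_ALIAS }}
+KS_PASS: ${{ inputs.KEYSTORE_OFFICIAL_PASSWORD }}
+run: |
+AAB=app/build/outputs/bundle/release/app-release.aab
+
+aab_out=$(keytool -printcert -jarfile "$AAB" 2>&1 || true)
+ks_out=$(keytool -list -v -keystore "app/$KS_FILE" -alias "$KS_ALIAS" -storepass:env KS_PASS 2>&1 || true)
+
+aab_fp=$(printf '%s\n' "$aab_out" | grep -m1 'SHA256:' | tr -d '[:space:]' || true)
+ks_fp=$(printf '%s\n' "$ks_out" | grep -m1 'SHA256:' | tr -d '[:space:]' || true)
+
+echo "AAB signer SHA-256: ${aab_fp:-<none>}"
+echo "Keystore cert SHA-256: ${ks_fp:-<none>}"
+
+if [ -z "$aab_fp" ]; then
+printf '%s\n' "$aab_out"
+echo "::error::AAB is not signed (no SHA-256 readable) — refusing to ship an unsigned release bundle."
+exit 1
+fi
+if [ -z "$ks_fp" ]; then
+printf '%s\n' "$ks_out"
+echo "::error::Could not read the official keystore certificate (keytool output above)."
+exit 1
+fi
+if [ "$aab_fp" != "$ks_fp" ]; then
+echo "::error::AAB signing certificate ($aab_fp) does not match the official keystore ($ks_fp)."
+exit 1
+fi
+echo "Signing certificate verified against the official keystore ($aab_fp)."
+shell: bash
+
+- name: Report build time
+if: ${{ always() && env.BUILD_DURATION_SECONDS != '' }}
+run: |
+mins=$((BUILD_DURATION_SECONDS / 60))
+secs=$((BUILD_DURATION_SECONDS % 60))
+{
+echo "### Android store build (bundleRelease)"
+echo ""
+echo "- Wall time: **${mins}m ${secs}s**"
+} >> "$GITHUB_STEP_SUMMARY"
 shell: bash
 
 - name: Upload sourcemaps/NDK symbols to Bugsnag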
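Review bot: In the `Verify AAB signing certificate` step, the reference fingerprint `ks_fp` is read from the keystore named by the same `KEYSTORE_OFFICIAL*` inputs that the build presumably signs with (the signing config is not visible here). The comparison therefore shows the bundle matches whatever keystore the job was handed, not that it matches the official upload cert, so a wrong or replaced keystore secret would still pass. The certificate fingerprint is public, so it can also be pinned in the repository and checked independently, e.g. `EXPECTED_FP='SHA256:<official-upload-cert-fingerprint>'` followed by `[ "$aab_fp" = "$EXPECTED_FP" ] || { echo "::error::unexpected signing certificate"; exit 1; }`. Separately, `grep -m1 'SHA256:'` looks only at the first fingerprint keytool prints, so a bundle carrying more than one signer or certificate would go unnoticed; it may be worth failing when `aab_out` contains more than one `SHA256:` line.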

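--- a/.github/workflows/build-android.yml
+++ b/.github/workflows/build-android.yml
@@ -44,7 +44,7 @@ jobs:
 
 - name: Build Android
 uses: ./.github/actions/build-android
-timeout-minutes: 40
+timeout-minutes: 60
 with:
 GOOGLE_SERVICES_ANDROID: ${{ secrets.GOOGLE_SERVICES_ANDROID }}
 KEYSTORE_OFFICIAL_BASE64: ${{ secrets.KEYSTORE_OFFICIAL_BASE64 }}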
