|
36 | 36 | - name: Set up Gradle |
37 | 37 | uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3 |
38 | 38 |
|
39 | | - - name: Cache Gradle |
40 | | - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 |
41 | | - with: |
42 | | - path: | |
43 | | - ~/.gradle |
44 | | - android/.gradle |
45 | | - key: gradle-${{ hashFiles('android/**.gradle*', 'android/**/gradle-wrapper.properties') }} |
46 | | - restore-keys: | |
47 | | - gradle- |
48 | | -
|
49 | 39 | - name: Decode Keystore |
50 | 40 | working-directory: android/app |
51 | 41 | run: | |
|
81 | 71 |
|
82 | 72 | - name: Build Android Release AAB |
83 | 73 | working-directory: android |
84 | | - run: ./gradlew bundleRelease |
| 74 | + run: | |
| 75 | + build_start=$(date +%s) |
| 76 | + ./gradlew bundleRelease --build-cache --parallel --max-workers=4 |
| 77 | + build_end=$(date +%s) |
| 78 | + echo "BUILD_DURATION_SECONDS=$((build_end - build_start))" >> "$GITHUB_ENV" |
| 79 | + shell: bash |
| 80 | + |
| 81 | + # Fail loudly if a cache/packaging bug dropped an ABI, instead of shipping an incomplete bundle. |
| 82 | + - name: Verify AAB contains all target ABIs |
| 83 | + working-directory: android |
| 84 | + run: | |
| 85 | + AAB=app/build/outputs/bundle/release/app-release.aab |
| 86 | + libs=$(unzip -l "$AAB") |
| 87 | + missing=0 |
| 88 | + for abi in armeabi-v7a arm64-v8a x86 x86_64; do |
| 89 | + if grep -q "base/lib/$abi/" <<< "$libs"; then |
| 90 | + echo " found: $abi" |
| 91 | + else |
| 92 | + echo " MISSING: $abi" |
| 93 | + missing=1 |
| 94 | + fi |
| 95 | + done |
| 96 | + if [ "$missing" -ne 0 ]; then |
| 97 | + echo "::error::AAB is missing one or more target ABIs." |
| 98 | + exit 1 |
| 99 | + fi |
| 100 | + shell: bash |
| 101 | + |
| 102 | + # Fail unless the AAB is signed by the official upload cert. Reads the keystore password |
| 103 | + # via `-storepass:env` (not a shell-quoted arg) since the secret has shell-special chars; |
| 104 | + # captures use `|| true` so an empty read can't trip `set -e -o pipefail`. |
| 105 | + - name: Verify AAB signing certificate |
| 106 | + working-directory: android |
| 107 | + env: |
| 108 | + KS_FILE: ${{ inputs.KEYSTORE_OFFICIAL }} |
| 109 | + KS_ALIAS: ${{ inputs.KEYSTORE_OFFICIAL_ALIAS }} |
| 110 | + KS_PASS: ${{ inputs.KEYSTORE_OFFICIAL_PASSWORD }} |
| 111 | + run: | |
| 112 | + AAB=app/build/outputs/bundle/release/app-release.aab |
| 113 | +
|
| 114 | + aab_out=$(keytool -printcert -jarfile "$AAB" 2>&1 || true) |
| 115 | + ks_out=$(keytool -list -v -keystore "app/$KS_FILE" -alias "$KS_ALIAS" -storepass:env KS_PASS 2>&1 || true) |
| 116 | +
|
| 117 | + aab_fp=$(printf '%s\n' "$aab_out" | grep -m1 'SHA256:' | tr -d '[:space:]' || true) |
| 118 | + ks_fp=$(printf '%s\n' "$ks_out" | grep -m1 'SHA256:' | tr -d '[:space:]' || true) |
| 119 | +
|
| 120 | + echo "AAB signer SHA-256: ${aab_fp:-<none>}" |
| 121 | + echo "Keystore cert SHA-256: ${ks_fp:-<none>}" |
| 122 | +
|
| 123 | + if [ -z "$aab_fp" ]; then |
| 124 | + printf '%s\n' "$aab_out" |
| 125 | + echo "::error::AAB is not signed (no SHA-256 readable) — refusing to ship an unsigned release bundle." |
| 126 | + exit 1 |
| 127 | + fi |
| 128 | + if [ -z "$ks_fp" ]; then |
| 129 | + printf '%s\n' "$ks_out" |
| 130 | + echo "::error::Could not read the official keystore certificate (keytool output above)." |
| 131 | + exit 1 |
| 132 | + fi |
| 133 | + if [ "$aab_fp" != "$ks_fp" ]; then |
| 134 | + echo "::error::AAB signing certificate ($aab_fp) does not match the official keystore ($ks_fp)." |
| 135 | + exit 1 |
| 136 | + fi |
| 137 | + echo "Signing certificate verified against the official keystore ($aab_fp)." |
| 138 | + shell: bash |
| 139 | + |
| 140 | + - name: Report build time |
| 141 | + if: ${{ always() && env.BUILD_DURATION_SECONDS != '' }} |
| 142 | + run: | |
| 143 | + mins=$((BUILD_DURATION_SECONDS / 60)) |
| 144 | + secs=$((BUILD_DURATION_SECONDS % 60)) |
| 145 | + { |
| 146 | + echo "### Android store build (bundleRelease)" |
| 147 | + echo "" |
| 148 | + echo "- Wall time: **${mins}m ${secs}s**" |
| 149 | + } >> "$GITHUB_STEP_SUMMARY" |
85 | 150 | shell: bash |
86 | 151 |
|
87 | 152 | - name: Upload sourcemaps/NDK symbols to Bugsnag |
|
0 commit comments