docs: document module build cache cleanup #153
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Reproducible APK Check | |
| # docs/archive/ROADMAP_RESEARCH_ADDENDUM_2026-05-17 §B.4 / N12.5 — build the | |
| # release APK twice from clean worktrees at the same commit and fail on | |
| # byte-level drift before F-Droid's rebuilder catches it. | |
| on: | |
| workflow_dispatch: | |
| workflow_call: | |
| push: | |
| branches: [ main, master ] | |
| paths: | |
| - ".github/workflows/reproducible-build.yml" | |
| - "scripts/verify-reproducible-apk.sh" | |
| - "app/**" | |
| - "gradle/**" | |
| - "gradle.properties" | |
| - "gradlew" | |
| - "gradlew.bat" | |
| - "settings.gradle.kts" | |
| - "build.gradle.kts" | |
| - "docs/REPRODUCIBLE_BUILDS.md" | |
| pull_request: | |
| branches: [ main, master ] | |
| paths: | |
| - ".github/workflows/reproducible-build.yml" | |
| - "scripts/verify-reproducible-apk.sh" | |
| - "app/**" | |
| - "gradle/**" | |
| - "gradle.properties" | |
| - "gradlew" | |
| - "gradlew.bat" | |
| - "settings.gradle.kts" | |
| - "build.gradle.kts" | |
| - "docs/REPRODUCIBLE_BUILDS.md" | |
| concurrency: | |
| group: reproducible-apk-${{ github.ref }} | |
| cancel-in-progress: true | |
| # Default GITHUB_TOKEN limited to read-only — this job only checks out | |
| # source, builds, and uploads artefacts. Restricting the token closes the | |
| # blast radius if a transitive action dependency is compromised. | |
| permissions: | |
| contents: read | |
| jobs: | |
| verify: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| submodules: recursive | |
| fetch-depth: 0 | |
| - uses: gradle/actions/wrapper-validation@48b5f213c81028ace310571dc5ec0fbbca0b2947 # v4 | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 | |
| with: | |
| java-version: 17 | |
| distribution: temurin | |
| - name: Set up CMake and Ninja | |
| uses: lukka/get-cmake@ea004816823209b8d1211e47b216185caee12cc5 # v4.0.2 | |
| - name: Cache Gradle | |
| uses: gradle/actions/setup-gradle@48b5f213c81028ace310571dc5ec0fbbca0b2947 # v4 | |
| - name: Verify release APK reproducibility | |
| run: bash scripts/verify-reproducible-apk.sh "$RUNNER_TEMP/reproducible-apk" | |
| - name: Upload reproducibility artifacts | |
| if: always() | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: reproducible-apk-${{ github.sha }} | |
| path: ${{ runner.temp }}/reproducible-apk/ |