refactor: Improve GitHub Actions workflow for Android builds

eby-dev · eby-dev · commit 9f2f530eb174 · 2025-07-26T19:07:55.000+07:00
This commit refactors the Android build workflow in `.github/workflows/android.yml` with the following improvements:

- **Secrets Handling:**
    - Secrets (keystore and Google Play JSON) are now downloaded as artifacts in the `build` job instead of being decoded in each job. This reduces redundancy and improves security by minimizing exposure of secrets.
    - The `setup` job now uploads secrets as artifacts.
- **Dependency on `setup`:**
    - The `unit-test` and `code-analysis` jobs now explicitly depend on the `setup` job, ensuring secrets are available before these jobs run.
- **Workflow Optimization:**
    - Added `fetch-depth: 1` and `persist-credentials: false` to `actions/checkout@v3` for faster checkouts and improved security.
    - Renamed "Setup Ruby" step to "Setup Ruby &amp; Dependencies" for clarity.
- **Path Correction:**
    - Corrected the path for `KEYSTORE_FILE` in `local.properties` to point to the root level where it's downloaded.
- **Cleanup:**
    - Removed debugging steps for `ls -la app` and `cat local.properties`.
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
@@ -23,6 +23,9 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup JDK 17
         uses: actions/setup-java@v3
@@ -33,7 +36,7 @@ jobs:
       - name: Setup Android SDK
         uses: android-actions/setup-android@v3
 
-      - name: Setup Ruby
+      - name: Setup Ruby & Dependencies
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: '3.1'
@@ -51,12 +54,20 @@ jobs:
           bundle install
 
       - name: Decode Keystore File
-        run: echo "${{ secrets.KEYSTORE_FILE }}" | base64 -d > app/${{ env.KEYSTORE_FILE }}
+        run: echo "${{ secrets.KEYSTORE_FILE }}" | base64 -d > ${{ env.KEYSTORE_FILE }}
 
       - name: Create Google Service Account JSON
         run: |
           mkdir -p app
-          echo "${{ secrets.GOOGLE_PLAY_JSON }}" | base64 --decode > ${{ env.GOOGLE_PLAY_JSON_PATH }}
+          echo "${{ secrets.GOOGLE_PLAY_JSON }}" | base64 -d > ${{ env.GOOGLE_PLAY_JSON_PATH }}
+
+      - name: Upload Secrets
+        uses: actions/upload-artifact@v4
+        with:
+          name: secrets
+          path: |
+            ${{ env.KEYSTORE_FILE }}
+            ${{ env.GOOGLE_PLAY_JSON_PATH }}
 
   build:
     name: Build AAB
@@ -65,14 +76,17 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup JDK 17
         uses: actions/setup-java@v3
         with:
           java-version: '17'
           distribution: 'temurin'
 
-      - name: Setup Ruby
+      - name: Setup Ruby & Dependencies
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: '3.1'
@@ -89,27 +103,18 @@ jobs:
           bundle config set path 'vendor/bundle'
           bundle install
 
-      - name: Decode Keystore File
-        run: echo "${{ secrets.KEYSTORE_FILE }}" | base64 -d > app/${{ env.KEYSTORE_FILE }}
-
-      - name: Debug keystore file
-        run: ls -la app
+      - name: Download Secrets
+        uses: actions/download-artifact@v4
+        with:
+          name: secrets
 
       - name: Write local.properties
         run: |
           echo "sdk.dir=$ANDROID_HOME" > local.properties
-          echo "KEYSTORE_FILE=app/${{ env.KEYSTORE_FILE }}" >> local.properties
+          echo "KEYSTORE_FILE=${{ env.KEYSTORE_FILE }}" >> local.properties
           echo "KEYSTORE_PASSWORD=${{ env.KEYSTORE_PASSWORD }}" >> local.properties
           echo "KEY_ALIAS=${{ env.KEY_ALIAS }}" >> local.properties
           echo "KEY_PASSWORD=${{ env.KEY_PASSWORD }}" >> local.properties
-          
-      - name: Debug local.properties
-        run: cat local.properties
-
-      - name: Create Google Service Account JSON
-        run: |
-          mkdir -p app
-          echo "${{ secrets.GOOGLE_PLAY_JSON }}" | base64 --decode > ${{ env.GOOGLE_PLAY_JSON_PATH }}
 
       - name: Grant execute permission for gradlew
         run: chmod +x ./gradlew
@@ -125,10 +130,12 @@ jobs:
   unit-test:
     name: Unit Tests
     runs-on: ubuntu-latest
-    needs: build
+    needs: setup
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
 
       - uses: ruby/setup-ruby@v1
         with:
@@ -149,10 +156,12 @@ jobs:
   code-analysis:
     name: Lint & Check
     runs-on: ubuntu-latest
-    needs: build
+    needs: setup
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
 
       - uses: actions/setup-java@v3
         with:
@@ -177,17 +186,23 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
       - uses: ruby/setup-ruby@v1
         with:
           ruby-version: '3.1'
           bundler-cache: true
+
       - uses: actions/cache@v4
         with:
           path: vendor/bundle
           key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
+
       - run: |
           bundle config set path 'vendor/bundle'
           bundle install
+
       - run: bundle exec fastlane deployRelease
 
   deploy-beta:
@@ -198,17 +213,23 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
       - uses: ruby/setup-ruby@v1
         with:
           ruby-version: '3.1'
           bundler-cache: true
+
       - uses: actions/cache@v4
         with:
           path: vendor/bundle
           key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
+
       - run: |
           bundle config set path 'vendor/bundle'
           bundle install
+
       - run: bundle exec fastlane deployBeta
 
   deploy-firebase-internal:
@@ -219,15 +240,21 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
       - uses: ruby/setup-ruby@v1
         with:
           ruby-version: '3.1'
           bundler-cache: true
+
       - uses: actions/cache@v4
         with:
           path: vendor/bundle
           key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
+
       - run: |
           bundle config set path 'vendor/bundle'
           bundle install
+
       - run: bundle exec fastlane deployFirebase --verbose
