Decode keystore from base64 in nightly workflow

CreativeCodeCat · CreativeCodeCat · commit 1cd2f23691e4 · 2026-01-07T22:29:31.000Z
The nightly release workflow has been updated to decode the keystore from a base64 secret. Previously, the workflow relied on a different secret (`SIGNINGKEY_BASE64`) and set environment variables at the job level.

This change introduces a dedicated step to decode the `KEYSTORE_BASE64` secret into a `keystore.jks` file. The environment variables required for signing are now scoped to this decoding step and the subsequent build step, improving the clarity and security of the signing process.
diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml
@@ -25,11 +25,6 @@ jobs:
   build:
     name: Build, Sign & Release
     runs-on: ubuntu-latest
-    env:
-      KEY_STORE_FILE: ${{ secrets.SIGNINGKEY_BASE64 }}       # optional if using a file from env
-      KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
-      KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
-      KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
 
     needs: release
     steps:
@@ -51,10 +46,17 @@ jobs:
       - name: Stop Gradle daemons
         run: ./gradlew --stop
 
+      - name: Decode keystore
+        run: echo "${{ secrets.KEYSTORE_BASE64 }}" | base64 --decode > keystore.jks
+
       - name: Build with Gradle
         run: ./gradlew clean assembleNightlyRelease --refresh-dependencies --no-daemon
         env:
           JAVA_TOOL_OPTIONS: "-Dhttps.protocols=TLSv1.2"
+          KEY_STORE_FILE: keystore.jks
+          KEY_STORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
+          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
+          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
 
       - name: Extract Version
         id: extract_version
