Move signing environment variables to job level

CreativeCodeCat · CreativeCodeCat · commit 5b819d3143b4 · 2026-01-07T16:35:03.000Z
This commit refactors the GitHub Actions workflows by moving the signing key environment variables from individual build steps to the job level. This change simplifies the workflow files and reduces redundancy.

The `KEY_STORE_FILE`, `KEY_STORE_PASSWORD`, `KEY_ALIAS`, and `KEY_PASSWORD` environment variables are now defined once per job, making them available to all steps within that job.

This refactoring affects the following CI workflows:
- `nightly-release.yml`
- `android-release_ci.yml`
- `android-branch_ci.yml`
- `android-pr_ci.yml`
- `android-main_ci.yml`
diff --git a/.github/workflows/android-branch_ci.yml b/.github/workflows/android-branch_ci.yml
@@ -13,6 +13,12 @@ jobs:
   build:
     name: Build, Sign & Upload
     runs-on: ubuntu-latest
+    env:
+      KEY_STORE_FILE: ${{ secrets.SIGNINGKEY_BASE64 }}       # optional if using a file from env
+      KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
+      KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
+      KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
+
     steps:
       - name: Checkout project
         uses: actions/checkout@v6.0.1
@@ -37,10 +43,6 @@ jobs:
         run: ./gradlew clean assembleProdDebug --refresh-dependencies --no-daemon
         env:
           JAVA_TOOL_OPTIONS: "-Dhttps.protocols=TLSv1.2"
-          KEY_STORE_FILE: ${{ secrets.SIGNINGKEY_BASE64 }}       # optional if using a file from env
-          KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
-          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
-          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v6.0.0
diff --git a/.github/workflows/android-main_ci.yml b/.github/workflows/android-main_ci.yml
@@ -11,6 +11,12 @@ jobs:
   build:
     name: Build, Sign & Upload
     runs-on: ubuntu-latest
+    env:
+      KEY_STORE_FILE: ${{ secrets.SIGNINGKEY_BASE64 }}       # optional if using a file from env
+      KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
+      KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
+      KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
+
     steps:
       - name: Checkout project
         uses: actions/checkout@v6.0.1
@@ -34,8 +40,4 @@ jobs:
       - name: Build with Gradle
         run: ./gradlew clean assembleProdDebug --refresh-dependencies --no-daemon
         env:
-          JAVA_TOOL_OPTIONS: "-Dhttps.protocols=TLSv1.2"
-          KEY_STORE_FILE: ${{ secrets.SIGNINGKEY_BASE64 }}       # optional if using a file from env
-          KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
-          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
-          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
+          JAVA_TOOL_OPTIONS: "-Dhttps.protocols=TLSv1.2"
diff --git a/.github/workflows/android-pr_ci.yml b/.github/workflows/android-pr_ci.yml
@@ -11,6 +11,12 @@ jobs:
   build:
     name: Build, Sign & Upload
     runs-on: ubuntu-latest
+    env:
+      KEY_STORE_FILE: ${{ secrets.SIGNINGKEY_BASE64 }}       # optional if using a file from env
+      KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
+      KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
+      KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
+
     steps:
       - name: Checkout project
         uses: actions/checkout@v6.0.1
@@ -35,10 +41,6 @@ jobs:
         run: ./gradlew clean assembleProdDebug --refresh-dependencies --no-daemon
         env:
           JAVA_TOOL_OPTIONS: "-Dhttps.protocols=TLSv1.2"
-          KEY_STORE_FILE: ${{ secrets.SIGNINGKEY_BASE64 }}       # optional if using a file from env
-          KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
-          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
-          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v6.0.0
diff --git a/.github/workflows/android-release_ci.yml b/.github/workflows/android-release_ci.yml
@@ -11,6 +11,12 @@ jobs:
     name: Build, Sign & Release
     if: "!startsWith(github.ref_name, 'nightly')"
     runs-on: ubuntu-latest
+    env:
+      KEY_STORE_FILE: ${{ secrets.SIGNINGKEY_BASE64 }}       # optional if using a file from env
+      KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
+      KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
+      KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
+
     steps:
       - name: Checkout project
         uses: actions/checkout@v6.0.1
@@ -35,10 +41,6 @@ jobs:
         run: ./gradlew clean assembleProdRelease --refresh-dependencies --no-daemon && ./gradlew clean bundleProdRelease --refresh-dependencies --no-daemon
         env:
           JAVA_TOOL_OPTIONS: "-Dhttps.protocols=TLSv1.2"
-          KEY_STORE_FILE: ${{ secrets.SIGNINGKEY_BASE64 }}       # optional if using a file from env
-          KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
-          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
-          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
 
       - name: Release to GitHub
         uses: svenstaro/upload-release-action@2.11.3
diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml
@@ -25,6 +25,12 @@ jobs:
   build:
     name: Build, Sign & Release
     runs-on: ubuntu-latest
+    env:
+      KEY_STORE_FILE: ${{ secrets.SIGNINGKEY_BASE64 }}       # optional if using a file from env
+      KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
+      KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
+      KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
+
     needs: release
     steps:
       - name: Checkout project
@@ -49,10 +55,6 @@ jobs:
         run: ./gradlew clean assembleNightlyRelease --refresh-dependencies --no-daemon
         env:
           JAVA_TOOL_OPTIONS: "-Dhttps.protocols=TLSv1.2"
-          KEY_STORE_FILE: ${{ secrets.SIGNINGKEY_BASE64 }}       # optional if using a file from env
-          KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
-          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
-          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
 
       - name: Extract Version
         id: extract_version
