build(deps): bump step-security/harden-runner from 2.12.0 to 2.14.0 #7

Workflow file for this run

	name: Build & Sign APK

	on:
	push:
	branches: [ main, develop ]
	tags: [ 'v*' ]
	paths-ignore:
	- '**.md'
	- 'docs/**'
	- '.github/workflows/convert-models.yml'
	- 'app/src/main/assets/models/**'
	- 'images/**'
	- 'LICENSE'
	- '.editorconfig'
	- '.gitignore'
	- '.gitattributes'
	pull_request:
	branches: [ main ]
	paths-ignore:
	- '**.md'
	- 'docs/**'
	- '.github/workflows/convert-models.yml'
	- 'app/src/main/assets/models/**'
	- 'images/**'
	workflow_dispatch:

	env:
	JAVA_VERSION: '21'
	JAVA_DISTRIBUTION: 'temurin'

	permissions:
	contents: read

	jobs:
	build:
	runs-on: ubuntu-latest
	permissions:
	contents: write
	id-token: write
	outputs:
	apk-path: ${{ steps.find-apk.outputs.path }}
	apk-name: ${{ steps.find-apk.outputs.name }}

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
	with:
	egress-policy: audit

	- name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	submodules: recursive
	persist-credentials: true
	token: ${{ secrets.GITHUB_TOKEN }}

	- name: Setup Java
	uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
	with:
	java-version: ${{ env.JAVA_VERSION }}
	distribution: ${{ env.JAVA_DISTRIBUTION }}

	- name: Setup Gradle
	uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
	with:
	cache-read-only: ${{ github.ref != 'refs/heads/main' }}
	dependency-graph: generate-and-submit

	- name: Validate Gradle Wrapper
	uses: gradle/actions/wrapper-validation@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1

	- name: Build Unsigned Release APK
	run: ./gradlew assembleRelease --no-daemon --parallel

	- name: Decode Keystore
	env:
	KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
	run: \|
	KEYSTORE_PATH="${{ runner.temp }}/release.keystore"
	echo "$KEYSTORE_BASE64" \| base64 -d > "$KEYSTORE_PATH"
	chmod 600 "$KEYSTORE_PATH"
	echo "KEYSTORE_PATH=$KEYSTORE_PATH" >> $GITHUB_ENV

	- name: Sign APK with v2+v3
	env:
	KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
	KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
	KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
	run: \|
	BUILD_TOOLS=$(ls -1 $ANDROID_HOME/build-tools \| sort -V \| tail -1)
	APKSIGNER="$ANDROID_HOME/build-tools/$BUILD_TOOLS/apksigner"
	ZIPALIGN="$ANDROID_HOME/build-tools/$BUILD_TOOLS/zipalign"

	APK_UNSIGNED=$(find app/build/outputs/apk/release -name "*.apk" \| head -1)
	APK_ALIGNED="${{ runner.temp }}/app-aligned.apk"
	APK_SIGNED="app/build/outputs/apk/release/app-release.apk"

	# Zipalign
	$ZIPALIGN -v -p 4 "$APK_UNSIGNED" "$APK_ALIGNED"

	# Sign with v2+v3
	$APKSIGNER sign \
	--ks "$KEYSTORE_PATH" \
	--ks-key-alias "$KEY_ALIAS" \
	--ks-pass pass:"$KEYSTORE_PASSWORD" \
	--key-pass pass:"$KEY_PASSWORD" \
	--v1-signing-enabled false \
	--v2-signing-enabled true \
	--v3-signing-enabled true \
	--v4-signing-enabled false \
	--out "$APK_SIGNED" \
	"$APK_ALIGNED"

	rm -f "$APK_ALIGNED"

	- name: Verify APK Signature
	run: \|
	BUILD_TOOLS=$(ls -1 $ANDROID_HOME/build-tools \| sort -V \| tail -1)
	APKSIGNER="$ANDROID_HOME/build-tools/$BUILD_TOOLS/apksigner"

	echo "=== Signature Verification ==="
	$APKSIGNER verify --verbose --print-certs \
	app/build/outputs/apk/release/app-release.apk

	echo ""
	echo "=== Verify v2/v3 Schemes ==="
	$APKSIGNER verify -v app/build/outputs/apk/release/app-release.apk 2>&1 \| \
	grep -E "(Verified using\|v[123] scheme)" \|\| true

	- name: Find APK
	id: find-apk
	run: \|
	APK_PATH="app/build/outputs/apk/release/app-release.apk"
	APK_NAME="ppocrv5-$(git describe --tags --always 2>/dev/null \|\| echo ${{ github.sha }}).apk"
	echo "path=$APK_PATH" >> $GITHUB_OUTPUT
	echo "name=$APK_NAME" >> $GITHUB_OUTPUT

	- name: Cleanup Secrets
	if: always()
	run: \|
	shred -u "$KEYSTORE_PATH" 2>/dev/null \|\| rm -f "$KEYSTORE_PATH"

	- name: Upload APK
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	with:
	name: ${{ steps.find-apk.outputs.name }}
	path: ${{ steps.find-apk.outputs.path }}
	retention-days: 14
	compression-level: 0

	release:
	needs: build
	if: startsWith(github.ref, 'refs/tags/v')
	runs-on: ubuntu-latest
	permissions:
	contents: write

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
	with:
	egress-policy: audit

	- name: Download APK
	uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
	with:
	name: ${{ needs.build.outputs.apk-name }}

	- name: Create Release
	uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
	with:
	files: "*.apk"
	generate_release_notes: true
	fail_on_unmatched_files: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump step-security/harden-runner from 2.12.0 to 2.14.0 #7

Workflow file

build(deps): bump step-security/harden-runner from 2.12.0 to 2.14.0 #7

Uh oh!

Workflow file for this run