From 9b12e9c639db9a370699b049f881a921e5352b85 Mon Sep 17 00:00:00 2001
From: Cross2pro <qq1091192337@gmail.com>
Date: Tue, 11 Nov 2025 21:15:31 +0800
Subject: [PATCH] Handle missing signing secrets in CI

---
 .github/workflows/android-build.yml | 85 +++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 .github/workflows/android-build.yml

diff --git a/.github/workflows/android-build.yml b/.github/workflows/android-build.yml
new file mode 100644
index 0000000..596c2c8
--- /dev/null
+++ b/.github/workflows/android-build.yml
@@ -0,0 +1,85 @@
+name: Android Build
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    env:
+      ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
+      ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
+      ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
+      ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: '11'
+          cache: gradle
+
+      - name: Make Gradle wrapper executable
+        run: chmod +x gradlew
+
+      - name: Validate signing secrets
+        id: signing
+        run: |
+          missing=()
+          for var in ANDROID_KEYSTORE_BASE64 ANDROID_KEYSTORE_PASSWORD ANDROID_KEY_ALIAS ANDROID_KEY_PASSWORD; do
+            if [ -z "${!var}" ]; then
+              missing+=("$var")
+            fi
+          done
+
+          if [ ${#missing[@]} -gt 0 ]; then
+            echo "Signing secrets are not fully configured: ${missing[*]}" >&2
+            echo "signing_ready=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "signing_ready=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Skip signed build (missing secrets)
+        if: steps.signing.outputs.signing_ready != 'true'
+        run: echo 'Skipping signed release build because required signing secrets are not configured.'
+
+      - name: Decode release keystore
+        if: steps.signing.outputs.signing_ready == 'true'
+        run: |
+          echo "$ANDROID_KEYSTORE_BASE64" | base64 --decode > release.keystore
+
+      - name: Build signed release with Gradle
+        if: steps.signing.outputs.signing_ready == 'true'
+        env:
+          ANDROID_KEYSTORE_PATH: ${{ github.workspace }}/release.keystore
+        run: |
+          for var in ANDROID_KEYSTORE_PASSWORD ANDROID_KEY_ALIAS ANDROID_KEY_PASSWORD; do
+            if [ -z "${!var}" ]; then
+              echo "$var secret is not configured." >&2
+              exit 1
+            fi
+          done
+          ./gradlew --no-daemon clean assembleRelease \
+            -Pandroid.injected.signing.store.file="$ANDROID_KEYSTORE_PATH" \
+            -Pandroid.injected.signing.store.password="$ANDROID_KEYSTORE_PASSWORD" \
+            -Pandroid.injected.signing.key.alias="$ANDROID_KEY_ALIAS" \
+            -Pandroid.injected.signing.key.password="$ANDROID_KEY_PASSWORD"
+
+      - name: Upload signed APK artifact
+        if: steps.signing.outputs.signing_ready == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: app-release-signed
+          path: app/build/outputs/apk/release/app-release.apk
+
+      - name: Publish signed APK to GitHub Release
+        if: steps.signing.outputs.signing_ready == 'true' && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+        uses: softprops/action-gh-release@v1
+        with:
+          files: app/build/outputs/apk/release/app-release.apk