ci(build): prevent gradle.properties corruption and improve key validation
Add newline prepending before appending properties to prevent concatenation with the last line of gradle.properties if it lacks a trailing newline. Replace single key check with a loop that validates all signing keys are correctly placed at column 0.
This commit is contained in:
@@ -134,11 +134,16 @@ jobs:
|
|||||||
echo "${{ secrets.ANDROID_KEYSTORE_BASE64 }}" | base64 -d > app/withyou-release-key.keystore
|
echo "${{ secrets.ANDROID_KEYSTORE_BASE64 }}" | base64 -d > app/withyou-release-key.keystore
|
||||||
|
|
||||||
# Append signing properties to gradle.properties (secrets appended after prebuild for better cache hit rate).
|
# Append signing properties to gradle.properties (secrets appended after prebuild for better cache hit rate).
|
||||||
# IMPORTANT: each echo line writes a column-0 string to gradle.properties — gradle.properties keys
|
# IMPORTANT 1: each echo line writes a column-0 string — gradle.properties keys cannot have
|
||||||
# cannot have leading whitespace (Gradle treats leading whitespace as part of the key name and
|
# leading whitespace, otherwise hasProperty() returns false and release signing breaks
|
||||||
# hasProperty() then returns false, breaking release signing — see app/build.gradle signingConfigs.release).
|
# (see app/build.gradle signingConfigs.release).
|
||||||
# NB: this block runs with `set -e` by default; if any echo fails the step aborts.
|
# IMPORTANT 2: prebuild emits gradle.properties WITHOUT a trailing newline (last line is
|
||||||
|
# `expo.inlineModules.watchedDirectories=[]`). A naive `>>` append concatenates the first
|
||||||
|
# new key onto that last line, corrupting MYAPP_UPLOAD_STORE_FILE. We unconditionally
|
||||||
|
# prepend a newline before the appended block to guarantee a clean line break.
|
||||||
|
# NB: this block runs with `set -e`; if any echo fails the step aborts.
|
||||||
{
|
{
|
||||||
|
printf '\n'
|
||||||
echo "MYAPP_UPLOAD_STORE_FILE=withyou-release-key.keystore"
|
echo "MYAPP_UPLOAD_STORE_FILE=withyou-release-key.keystore"
|
||||||
echo "MYAPP_UPLOAD_STORE_PASSWORD=${{ secrets.ANDROID_KEYSTORE_PASSWORD }}"
|
echo "MYAPP_UPLOAD_STORE_PASSWORD=${{ secrets.ANDROID_KEYSTORE_PASSWORD }}"
|
||||||
echo "MYAPP_UPLOAD_KEY_ALIAS=withyou-key"
|
echo "MYAPP_UPLOAD_KEY_ALIAS=withyou-key"
|
||||||
@@ -147,7 +152,10 @@ jobs:
|
|||||||
|
|
||||||
# CI build tuning (low-memory container): force single-worker, reduce JVM heap,
|
# CI build tuning (low-memory container): force single-worker, reduce JVM heap,
|
||||||
# plus restore properties that prebuild does NOT generate but the build needs.
|
# plus restore properties that prebuild does NOT generate but the build needs.
|
||||||
|
# printf '\n' below is defensive — even though the signing block above already
|
||||||
|
# ensured a trailing newline, both blocks should be independently safe.
|
||||||
{
|
{
|
||||||
|
printf '\n'
|
||||||
echo "org.gradle.daemon=false"
|
echo "org.gradle.daemon=false"
|
||||||
echo "org.gradle.parallel=false"
|
echo "org.gradle.parallel=false"
|
||||||
echo "org.gradle.configureondemand=false"
|
echo "org.gradle.configureondemand=false"
|
||||||
@@ -169,19 +177,26 @@ jobs:
|
|||||||
echo "=== app/build.gradle signing section ==="
|
echo "=== app/build.gradle signing section ==="
|
||||||
grep -A 20 'signingConfigs' app/build.gradle || echo "signingConfigs not found"
|
grep -A 20 'signingConfigs' app/build.gradle || echo "signingConfigs not found"
|
||||||
|
|
||||||
# Diagnostic: dump full gradle.properties + verify the signing property is readable
|
# Diagnostic: dump full gradle.properties + verify all 4 signing keys are at column 0.
|
||||||
|
# Each grep -c MUST print 1; 0 means the key was concatenated onto a previous line
|
||||||
|
# (typically because prebuild's gradle.properties had no trailing newline — see fix above).
|
||||||
echo "=== gradle.properties (final) ==="
|
echo "=== gradle.properties (final) ==="
|
||||||
cat gradle.properties
|
cat gradle.properties
|
||||||
echo "=== MYAPP_UPLOAD_STORE_FILE check ==="
|
echo "=== signing keys column-0 check (each must be 1) ==="
|
||||||
grep -c '^MYAPP_UPLOAD_STORE_FILE=' gradle.properties || echo "MISSING MYAPP_UPLOAD_STORE_FILE (column 0)"
|
for k in MYAPP_UPLOAD_STORE_FILE MYAPP_UPLOAD_STORE_PASSWORD MYAPP_UPLOAD_KEY_ALIAS MYAPP_UPLOAD_KEY_PASSWORD; do
|
||||||
|
count=$(grep -c "^${k}=" gradle.properties || true)
|
||||||
|
echo "${k}=${count}"
|
||||||
|
if [ "${count}" != "1" ]; then
|
||||||
|
echo "FATAL: ${k} not found at column 0 — release signing will fail."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
- name: Build Android release APK (arm64 only)
|
- name: Build Android release APK (arm64 only)
|
||||||
run: |
|
run: |
|
||||||
cd android
|
cd android
|
||||||
chmod +x gradlew
|
chmod +x gradlew
|
||||||
taskset -c 0-7 ./gradlew :app:assembleRelease -PreactNativeArchitectures=arm64-v8a --max-workers=1 --stacktrace --info -Dkotlin.daemon.jvm.options="-Xmx2g,XX:MaxMetaspaceSize=1g" 2>&1 | tee gradle-build.log
|
taskset -c 0-7 ./gradlew :app:assembleRelease -PreactNativeArchitectures=arm64-v8a --max-workers=1 -Dkotlin.daemon.jvm.options="-Xmx2g,XX:MaxMetaspaceSize=1g"
|
||||||
echo "===== Last 200 lines of build log ====="
|
|
||||||
tail -n 200 gradle-build.log
|
|
||||||
|
|
||||||
- name: Upload APK artifact
|
- name: Upload APK artifact
|
||||||
uses: actions/upload-artifact@v3
|
uses: actions/upload-artifact@v3
|
||||||
|
|||||||
Reference in New Issue
Block a user