From b219f0df970a1b92c1ae5c2f770a84485933990b Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Thu, 9 Jul 2026 19:43:09 +0530 Subject: [PATCH 01/39] chore(on-demand-preview-releases-PR): fix perms --- .github/workflows/on-demand-preview-releases-PR.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/on-demand-preview-releases-PR.yml b/.github/workflows/on-demand-preview-releases-PR.yml index fb1010918..bdbbe7220 100644 --- a/.github/workflows/on-demand-preview-releases-PR.yml +++ b/.github/workflows/on-demand-preview-releases-PR.yml @@ -24,7 +24,7 @@ jobs: name: Trigger Preview Release (if conditions met) permissions: contents: read - pull_requests: write + pull-requests: write issues: write if: | github.event.pull_request.draft == false @@ -77,7 +77,7 @@ jobs: needs: job_trigger permissions: contents: read - pull_requests: read + pull-requests: read issues: read secrets: KEYSTORE_CONTENT: ${{ secrets.KEYSTORE_CONTENT }} From 4178fbe7696619a442b166915b7577e011e1754a Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Thu, 9 Jul 2026 19:48:57 +0530 Subject: [PATCH 02/39] set contents read --- .github/workflows/on-demand-preview-releases-PR.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/on-demand-preview-releases-PR.yml b/.github/workflows/on-demand-preview-releases-PR.yml index bdbbe7220..3e6398640 100644 --- a/.github/workflows/on-demand-preview-releases-PR.yml +++ b/.github/workflows/on-demand-preview-releases-PR.yml @@ -8,11 +8,8 @@ on: types: [labeled, synchronize] # defined at workflow-level as the workflow, Requires these permissions to function. -permissions: - contents: write # due to nightly workflow complaining, even tho release step isn't executed. - pull-requests: write - # All Pull Requests are issues, but not all issues are Pull Requests (like GitHub says 🙃) - issues: write +permissions: + contents: read concurrency: # Allow only one workflow per any non-`main` branch. From e043ab5310539c1f00bfeeca783a67932bba6e14 Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Thu, 9 Jul 2026 21:33:00 +0530 Subject: [PATCH 03/39] refactor: nightly build workflow and add nightly release workflow --- .github/workflows/nightly-build.yml | 500 +++++++----------- .github/workflows/nightly-release.yml | 156 ++++++ .../on-demand-preview-releases-PR.yml | 4 +- 3 files changed, 351 insertions(+), 309 deletions(-) create mode 100644 .github/workflows/nightly-release.yml diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index 3f537dcfb..3b2e3e882 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -1,311 +1,197 @@ # Implement to use environment secrets someday, At the moment GH Actions doesn't support those in reusable workflows (ref: https://github.com/actions/runner/issues/1490) # at least that's what I found. - name: Nightly Build - on: - schedule: - # Fire every day at 7:00am UTC (Roughly before EU workday and after US workday) - - cron: "0 7 * * *" - push: - tags: - - nightly - workflow_call: - inputs: - is_PR: - default: false - type: boolean - description: If a Pull Request has triggered it. - is_trusted_pr: - default: false - type: boolean - description: If a Pull Request is from the same repository, and not a forked one. - PR_NUMBER: - required: true - type: number - description: The Pull Request that triggered this workflow - skip_tagging_and_releases: - required: false - default: true - type: boolean - description: Skips Tagging & releases, since workflow_call isn't available for github.event_name, default is true - secrets: - KEYSTORE_CONTENT: - required: true - description: Base64 encoded keystore file content - BUILD_JSON_CONTENT: - required: true - description: Base64 encoded build.json file content - outputs: - job_result: - description: "Build job result" - value: ${{ jobs.build.result }} - - workflow_dispatch: - inputs: - skip_tagging_and_releases: - required: false - default: true - type: boolean - description: Skips Tagging & releases, since workflow_call isn't available for github.event_name, default is true - - concurrency: - # Allow only one workflow per any non-`main` branch. - group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.ref_name == 'main' && github.sha || 'anysha' }}-${{ inputs.is_PR && 'is_PR' || 'not_PR'}} - cancel-in-progress: true - - permissions: - contents: read - - env: - STORE_FILE_PATH: /tmp/app-debug.keystore - BUILD_JSON_PATH: build.json - VERSION_LABEL: ${{ (inputs.is_PR && 'pr') || 'nightly' }} - DISCORD_RELEASE_NOTIFIER_ENABLED: "true" - jobs: - build: - timeout-minutes: 60 - runs-on: ubuntu-latest - if: github.repository_owner == 'Acode-Foundation' - - permissions: - pull-requests: read - - outputs: - updated_version: ${{ steps.update-version.outputs.UPDATED_VERSION}} - NORMAL_APK_PATH: ${{ steps.update-version.outputs.NORMAL_APK_PATH }} - FDROID_APK_PATH: ${{ steps.update-version.outputs.FDROID_APK_PATH }} - tag_commit: ${{ steps.check-nightly-tag-force-update.outputs.tag_commit }} - release_required: ${{ steps.check-nightly-tag-force-update.outputs.release_required }} - steps: - - name: Fast Fail if secrets are missing - if: ${{ env.KEYSTORE_CONTENT == '' || env.BUILD_JSON_CONTENT == '' }} - env: - KEYSTORE_CONTENT: ${{ secrets.KEYSTORE_CONTENT }} - BUILD_JSON_CONTENT: ${{ secrets.BUILD_JSON_CONTENT }} - run: | - echo "::error title=Missing Secrets::KEYSTORE_CONTENT or BUILD_JSON_CONTENT secrets are missing! Aborting workflow." - exit 1 - - - name: Logging & summaries - run: | - echo "::group::Logging" - echo "🎯 github trigger event name: ${{ github.event_name }}" - echo "is_PR: ${{ inputs.is_PR }} " - echo "PR_NUMBER: ${{ inputs.PR_NUMBER }}" - echo "env: STORE_FILE_PATH: ${{ env.STORE_FILE_PATH }}" - echo "env: BUILD_JSON_PATH: ${{ env.BUILD_JSON_PATH }}" - echo "env: VERSION_LABEL: ${{ env. VERSION_LABEL }}" - echo "github sha: ${{ github.sha }}" - echo "should not skip tags, releases: ${{ ! inputs.skip_tagging_and_releases }} " - echo "🤐 env: NORMAL_APK_PATH: ${{ env.NORMAL_APK_PATH }}" - echo "🤐 env: FDROID_APK_PATH: ${{ env.FDROID_APK_PATH }}" - echo "::endgroup::" - - echo "## 🚀 Build Type: ${{ env.VERSION_LABEL }}" >> $GITHUB_STEP_SUMMARY - echo "is_PR: ${{ inputs.is_PR || 'NOT a PR' }}" >> $GITHUB_STEP_SUMMARY - echo "PR_NUMBER: ${{ inputs.PR_NUMBER || 'not a PR' }}" >> $GITHUB_STEP_SUMMARY - echo "should not skip tags, releases: ${{ ! inputs.skip_tagging_and_releases }}" >> $GITHUB_STEP_SUMMARY - - - name: Checkout Repository - uses: actions/checkout@v7 - with: - fetch-depth: 0 # Required for tags - # persists credentials locally if tagging and releases are not skipped. - persist-credentials: ${{ ! inputs.skip_tagging_and_releases }} - ref: ${{ (inputs.is_PR && inputs.PR_NUMBER) && github.event.pull_request.head.sha || '' }} - - - name: Set up Java 21 - uses: actions/setup-java@v5 - with: - distribution: 'temurin' - java-version: '21' - cache: ${{ (!(inputs.is_PR && inputs.PR_NUMBER) && github.ref == 'refs/heads/main' && 'gradle') || '' }} - - - name: Set up Node.js - uses: actions/setup-node@v6 - with: - node-version: 'lts/*' # or '18.x' for latest stable - cache: ${{ (!(inputs.is_PR && inputs.PR_NUMBER) && github.ref == 'refs/heads/main' && 'npm') || '' }} - - - name: Add keystore and build.json from secrets - if: ${{ !inputs.is_PR || inputs.is_trusted_pr }} - run: | - echo "${{ secrets.KEYSTORE_CONTENT }}" | base64 -d > ${{ env.STORE_FILE_PATH }} - echo "${{ secrets.BUILD_JSON_CONTENT }}" | base64 -d > ${{ env.BUILD_JSON_PATH }} - echo "Keystore and build.json added successfully." - - - name: Export Commit Hash & prev tag - run: | - echo "GIT_COMMIT=$(git rev-parse HEAD)" >> $GITHUB_ENV - echo "PREV_TAG=$(git describe --tags --abbrev=0 || git rev-list --max-parents=0 HEAD)" >> $GITHUB_ENV - - - name: Extract versionCode and version from config.xml - id: extract_version - run: | - if [ ! -f config.xml ]; then - echo "config.xml not found!" - exit 1 - fi - VERSION_CODE=$(grep 'versionCode=' config.xml | sed -E 's/.*versionCode="([0-9]+)".*/\1/') - VERSION=$(grep -oP 'version="\K[0-9.]+' config.xml) - echo "VERSION_CODE=$VERSION_CODE" >> $GITHUB_OUTPUT - echo "VERSION=$VERSION" >> $GITHUB_OUTPUT - echo "Extracted Version Code: $VERSION_CODE" - echo "Extracted Version: $VERSION" - - - name: Append Commit Hash to Version and Update config.xml - id: update-version - run: | - SHORT_COMMIT_HASH=$(echo "${{ env.GIT_COMMIT }}" | cut -c 1-7) - if ${{ inputs.is_PR || false }}; then - PR_NUMBER=${{ inputs.PR_NUMBER }} - else - PR_NUMBER= - fi - UPDATED_VERSION="${{ steps.extract_version.outputs.VERSION }}-${{ env.VERSION_LABEL }}.${PR_NUMBER:-$SHORT_COMMIT_HASH}" - echo "Updated Version: $UPDATED_VERSION" - - # Update config.xml with the new version - sed -i "s/version=\"${{ steps.extract_version.outputs.VERSION }}\"/version=\"$UPDATED_VERSION\"/g" config.xml - echo "Updated version in config.xml" - # Output the updated version - echo "UPDATED_VERSION=$UPDATED_VERSION" >> $GITHUB_ENV - echo "UPDATED_VERSION=$UPDATED_VERSION" >> $GITHUB_OUTPUT - echo "NORMAL_APK_PATH=/tmp/acode-debug-normal-${UPDATED_VERSION}.apk" >> $GITHUB_ENV - echo "FDROID_APK_PATH=/tmp/acode-debug-fdroid-${UPDATED_VERSION}.apk" >> $GITHUB_ENV - - - name: Install Node.js Packages - run: npm install - - - name: Install Cordova CLI - run: npm install -g cordova - - - name: Run npm setup - run: npm run setup - - - name: Run npm build paid dev apk - run: | - node utils/storage_manager.mjs y - npm run build paid dev apk - mv platforms/android/app/build/outputs/apk/debug/app-debug.apk ${{ env.NORMAL_APK_PATH }} - echo "VERSION: $UPDATED_VERSION" >> $GITHUB_STEP_SUMMARY - - - name: Upload APK Artifact - uses: actions/upload-artifact@v7 - with: - name: app-debug-${{ env.GIT_COMMIT }} - path: ${{ env.NORMAL_APK_PATH }} - - - name: Run npm build paid dev apk fdroid (for F-Droid) - if: ${{ !inputs.is_PR }} - run: | - node utils/storage_manager.mjs y - npm run build paid dev apk fdroid - mv platforms/android/app/build/outputs/apk/debug/app-debug.apk ${{ env.FDROID_APK_PATH }} - - - name: Upload APK Artifact - uses: actions/upload-artifact@v7 - if: ${{ !inputs.is_PR }} - with: - name: app-debug-fdroid-${{ env.GIT_COMMIT }} - path: ${{ env.FDROID_APK_PATH }} - - - name: remove keystore and build.json - if: ${{ !inputs.is_PR || inputs.is_trusted_pr }} - run: | - rm $STORE_FILE_PATH $BUILD_JSON_PATH - echo "Keystore and build.json removed successfully." - - - name: Check Nightly Tag - if: ${{ !inputs.skip_tagging_and_releases && !inputs.is_PR }} - id: check-nightly-tag-force-update - run: | - if git show-ref --quiet refs/tags/nightly; then - TAG_COMMIT=$(git rev-parse nightly) - else - TAG_COMMIT="" - fi - - if [ "$TAG_COMMIT" != "${{ env.GIT_COMMIT }}" ]; then - echo "release_required=true" >> "$GITHUB_OUTPUT" - else - echo "release_required=false" >> "$GITHUB_OUTPUT" - fi - echo "tag_commit=$TAG_COMMIT" >> "$GITHUB_OUTPUT" - - release: - needs: build - runs-on: ubuntu-latest - if: ${{ github.repository_owner == 'Acode-Foundation' && !inputs.is_PR && !inputs.skip_tagging_and_releases && needs.build.outputs.release_required == 'true' }} - permissions: - contents: write +name: Nightly Build + +on: + workflow_call: + inputs: + is_PR: + default: false + type: boolean + description: If a Pull Request has triggered it. + is_trusted_pr: + default: false + type: boolean + description: If a Pull Request is from the same repository (not a fork). + PR_NUMBER: + required: false + type: number + description: Pull Request number (for PR builds) + secrets: + KEYSTORE_CONTENT: + required: true + BUILD_JSON_CONTENT: + required: true + outputs: + job_result: + description: Build job result + value: ${{ jobs.build.result }} + updated_version: + description: Computed build version + value: ${{ jobs.build.outputs.updated_version }} + git_commit: + description: Commit SHA used for artifact naming + value: ${{ jobs.build.outputs.git_commit }} + normal_artifact_name: + description: Artifact name for normal APK + value: ${{ jobs.build.outputs.normal_artifact_name }} + fdroid_artifact_name: + description: Artifact name for fdroid APK + value: ${{ jobs.build.outputs.fdroid_artifact_name }} + + workflow_dispatch: + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref_name }}-${{ inputs.is_PR && 'is_PR' || 'not_PR' }} + cancel-in-progress: true + +env: + STORE_FILE_PATH: /tmp/app-debug.keystore + BUILD_JSON_PATH: build.json + VERSION_LABEL: ${{ inputs.is_PR && 'pr' || 'nightly' }} + +jobs: + build: + runs-on: ubuntu-latest + timeout-minutes: 60 + if: github.repository_owner == 'Acode-Foundation' + permissions: + contents: read + pull-requests: read + + outputs: + updated_version: ${{ steps.version.outputs.updated_version }} + git_commit: ${{ steps.meta.outputs.git_commit }} + normal_artifact_name: ${{ steps.meta.outputs.normal_artifact_name }} + fdroid_artifact_name: ${{ steps.meta.outputs.fdroid_artifact_name }} + + steps: + - name: Validate required secrets (Fast Fail If missing) + env: + KEYSTORE_CONTENT: ${{ secrets.KEYSTORE_CONTENT }} + BUILD_JSON_CONTENT: ${{ secrets.BUILD_JSON_CONTENT }} + run: | + [ -n "$KEYSTORE_CONTENT" ] && [ -n "$BUILD_JSON_CONTENT" ] || { echo "::error title=Missing secrets::KEYSTORE_CONTENT or BUILD_JSON_CONTENT is missing"; exit 1; } - outputs: - release_output_url: ${{ steps.release.outputs.url }} - RELEASE_NOTES: ${{ env.RELEASE_NOTES }} - steps: - - name: Checkout Repository - uses: actions/checkout@v7 - with: - fetch-depth: 0 - persist-credentials: true - - - name: Force-update nightly tag - run: | - git config --global user.name 'GitHub Actions' - git config --global user.email 'github-actions@github.com' - git tag -f nightly "${{ github.sha }}" - git push origin nightly --force - - - name: Download APK artifacts - uses: actions/download-artifact@v7 - with: - path: /tmp/artifacts - - # 🚨⚠️ WARNING: the GITHUB_TOKEN under this step, has access to write & read access to Contents, Pull Requests - # Which is why, it uses a fine-granted token with Read-Only Access to Public Repos Only. - - name: Generate Release Notes (Experimental) - id: gen-release-notes - continue-on-error: true - run: | - RELEASE_NOTES=$(node utils/scripts/generate-release-notes.js ${{ github.repository_owner }} Acode ${{ github.sha }} --format md --from-tag ${{ needs.build.outputs.tag_commit }} --important-only --quiet --changelog-only || true) - { - echo "RELEASE_NOTES<> $GITHUB_ENV - env: - GITHUB_TOKEN: ${{ secrets.NIGHTLY_RELEASE_NOTES_GH_TOKEN }} - - - name: Release Nightly Version - uses: softprops/action-gh-release@v3 - env: - FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true - with: - prerelease: true - name: ${{ needs.build.outputs.updated_version }} - tag_name: ${{ needs.build.outputs.updated_version }} - files: | - /tmp/artifacts/**/acode-debug-normal-*.apk - /tmp/artifacts/**/acode-debug-fdroid-*.apk - body: | - Automated Nightly (pre-release) Releases for Today - - [Compare Changes](https://github.com/${{ github.repository }}/compare/${{ needs.build.outputs.tag_commit }}...${{ github.sha }}) - - ${{ env.RELEASE_NOTES }} - - community-release-notifier: - needs: [build, release] -# Run only if push tags, or triggered by a schedule - if: ${{ github.repository_owner == 'Acode-Foundation' && (contains(fromJSON('["push", "schedule"]'), github.event_name) || ! inputs.skip_tagging_and_releases) && needs.release.outputs.release_output_url }} - uses: Acode-Foundation/acode/.github/workflows/community-release-notifier.yml@main - with: - tag_name: ${{ needs.build.outputs.updated_version }} - url: ${{ needs.release.outputs.release_output_url }} - body: ${{ needs.release.outputs.RELEASE_NOTES }} - secrets: - DISCORD_WEBHOOK_RELEASE_NOTES: ${{ secrets.DISCORD_WEBHOOK_RELEASE_NOTES }} - TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }} - TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }} - TELEGRAM_MESSAGE_THREAD_ID: ${{ secrets.TELEGRAM_MESSAGE_THREAD_ID }} + - name: Logging & summaries + run: | + echo "::group::Logging" + echo "🎯 github trigger event name: ${{ github.event_name }}" + echo "is_PR: ${{ inputs.is_PR }} " + echo "PR_NUMBER: ${{ inputs.PR_NUMBER }}" + echo "env: STORE_FILE_PATH: ${{ env.STORE_FILE_PATH }}" + echo "env: BUILD_JSON_PATH: ${{ env.BUILD_JSON_PATH }}" + echo "env: VERSION_LABEL: ${{ env.VERSION_LABEL }}" + echo "github sha: ${{ github.sha }}" + echo "should skip signing with our keys: ${{ inputs.is_PR && !inputs.is_trusted_pr && 'true' || 'false' }}" + echo "::endgroup::" + echo "## 🚀 Build Type: ${{ env.VERSION_LABEL }}" >> $GITHUB_STEP_SUMMARY + echo "is_PR: ${{ inputs.is_PR || 'NOT a PR' }}" >> $GITHUB_STEP_SUMMARY + echo "PR_NUMBER: ${{ inputs.PR_NUMBER || 'not a PR' }}" >> $GITHUB_STEP_SUMMARY + + - name: Checkout repository + uses: actions/checkout@v7 + with: + fetch-depth: 0 # Required for tags + persist-credentials: false + ref: ${{ (inputs.is_PR && inputs.PR_NUMBER) && github.event.pull_request.head.sha || '' }} + + - name: Setup Java + uses: actions/setup-java@v5 + with: + distribution: temurin + java-version: "21" + cache: ${{ (!(inputs.is_PR && inputs.PR_NUMBER) && github.ref == 'refs/heads/main' && 'gradle') || '' }} + + - name: Setup Node + uses: actions/setup-node@v6 + with: + node-version: "lts/*" # or '18.x' for latest stable + cache: ${{ (!(inputs.is_PR && inputs.PR_NUMBER) && github.ref == 'refs/heads/main' && 'npm') || '' }} + + - name: Compute metadata + id: meta + run: | + GIT_COMMIT="$(git rev-parse HEAD)" + echo "git_commit=$GIT_COMMIT" >> "$GITHUB_OUTPUT" + echo "normal_artifact_name=app-debug-$GIT_COMMIT" >> "$GITHUB_OUTPUT" + echo "fdroid_artifact_name=app-debug-fdroid-$GIT_COMMIT" >> "$GITHUB_OUTPUT" + + - name: Inject signing files + if: ${{ !inputs.is_PR || inputs.is_trusted_pr }} + run: | + echo "${{ secrets.KEYSTORE_CONTENT }}" | base64 -d > "${{ env.STORE_FILE_PATH }}" + echo "${{ secrets.BUILD_JSON_CONTENT }}" | base64 -d > "${{ env.BUILD_JSON_PATH }}" + + - name: Extract base version + id: base + run: | + VERSION=$(grep -oP 'version="\K[0-9.]+' config.xml) + echo "version=$VERSION" >> "$GITHUB_OUTPUT" + + - name: Compose and set build version in config.xml + id: version + run: | + SHORT="$(echo "${{ steps.meta.outputs.git_commit }}" | cut -c1-7)" + if ${{ inputs.is_PR || false }}; then + SUFFIX="${{ inputs.PR_NUMBER }}" + else + SUFFIX="$SHORT" + fi + UPDATED="${{ steps.base.outputs.version }}-${{ env.VERSION_LABEL }}.$SUFFIX" + sed -i "s/version=\"${{ steps.base.outputs.version }}\"/version=\"$UPDATED\"/g" config.xml + echo "updated_version=$UPDATED" >> "$GITHUB_OUTPUT" + echo "NORMAL_APK_PATH=/tmp/acode-debug-normal-$UPDATED.apk" >> "$GITHUB_ENV" + echo "FDROID_APK_PATH=/tmp/acode-debug-fdroid-$UPDATED.apk" >> "$GITHUB_ENV" + + - name: Install deps + run: | + npm install + npm install -g cordova + npm run setup + + - name: Build normal APK + run: | + node utils/storage_manager.mjs y + npm run build paid dev apk + mv platforms/android/app/build/outputs/apk/debug/app-debug.apk ${{ env.NORMAL_APK_PATH }} + + - name: Upload normal artifact + uses: actions/upload-artifact@v7 + with: + name: ${{ steps.meta.outputs.normal_artifact_name }} + path: ${{ env.NORMAL_APK_PATH }} + + - name: Build fdroid APK + if: ${{ !inputs.is_PR }} + run: | + node utils/storage_manager.mjs y + npm run build paid dev apk fdroid + mv platforms/android/app/build/outputs/apk/debug/app-debug.apk ${{ env.FDROID_APK_PATH }} + + - name: Upload fdroid artifact + if: ${{ !inputs.is_PR }} + uses: actions/upload-artifact@v7 + with: + name: ${{ steps.meta.outputs.fdroid_artifact_name }} + path: ${{ env.FDROID_APK_PATH }} + + - name: Cleanup signing files + if: ${{ !inputs.is_PR || inputs.is_trusted_pr }} + run: rm -f ${{ env.STORE_FILE_PATH }} ${{ env.BUILD_JSON_PATH }} + + - name: Post build summary (Table) + run: | + echo "## 🏗️ Build Summary" >> $GITHUB_STEP_SUMMARY + echo "| Key | Value |" >> $GITHUB_STEP_SUMMARY + echo "| --- | ----- |" >> $GITHUB_STEP_SUMMARY + echo "| Build Version | ${{ steps.version.outputs.updated_version }} |" >> $GITHUB_STEP_SUMMARY + echo "| Git Commit | ${{ steps.meta.outputs.git_commit }} |" >> $GITHUB_STEP_SUMMARY + echo "| Normal APK Artifact Name | ${{ steps.meta.outputs.normal_artifact_name }} |" >> $GITHUB_STEP_SUMMARY + echo "| F-Droid APK Artifact Name | ${{ steps.meta.outputs.fdroid_artifact_name || 'N/A' }} |" >> $GITHUB_STEP_SUMMARY + echo "| Normal APK Artifact signature | \`${{ steps.meta.outputs.normal_artifact_name }}.sha256\` |" >> $GITHUB_STEP_SUMMARY + echo "| F-Droid APK Artifact signature | \`${{ steps.meta.outputs.fdroid_artifact_name || 'N/A' }}.sha256\` |" >> $GITHUB_STEP_SUMMARY \ No newline at end of file diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml new file mode 100644 index 000000000..4b1d307bc --- /dev/null +++ b/.github/workflows/nightly-release.yml @@ -0,0 +1,156 @@ +name: Nightly Release + +on: + schedule: + # Fire every day at 7:00am UTC (Roughly before EU workday and after US workday) + - cron: "0 7 * * *" + workflow_dispatch: + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref_name }} + cancel-in-progress: true + +jobs: + build: + uses: Acode-Foundation/acode/.github/workflows/nightly-build.yml@main + permissions: + contents: read + pull-requests: read + secrets: + KEYSTORE_CONTENT: ${{ secrets.KEYSTORE_CONTENT }} + BUILD_JSON_CONTENT: ${{ secrets.BUILD_JSON_CONTENT }} + with: + is_PR: false + is_trusted_pr: false + + release: + needs: build + runs-on: ubuntu-latest + if: ${{ github.repository_owner == 'Acode-Foundation' && needs.build.result == 'success' }} + permissions: + contents: write + steps: + - name: Checkout repository + uses: actions/checkout@v7 + with: + fetch-depth: 0 # Required for tags + persist-credentials: true + + - name: Install cosign + uses: sigstore/cosign-installer@v4.1.0 + + - name: Generate sha256 files (per APK) + shell: bash + run: | + find /tmp/artifacts -type f -name "*.apk" | while read -r f; do + sha256sum "$f" > "${f}.sha256" + done + + - name: Keyless sign each APK with cosign + env: + COSIGN_EXPERIMENTAL: "true" + shell: bash + run: | + find /tmp/artifacts -type f -name "*.apk" | while read -r f; do + # Produces: .sig and .pem + cosign sign-blob --yes "$f" \ + --output-signature "${f}.sig" \ + --output-certificate "${f}.pem" + done + + - name: Create provenance attestation (per APK) + env: + COSIGN_EXPERIMENTAL: "true" + shell: bash + run: | + find /tmp/artifacts -type f -name "*.apk" | while read -r f; do + DIGEST="$(sha256sum "$f" | awk '{print $1}')" + PRED="$(mktemp)" + cat > "$PRED" <> "$GITHUB_OUTPUT" + else + echo "tag_commit=$(git rev-list --max-parents=0 HEAD)" >> "$GITHUB_OUTPUT" + fi + + - name: Move nightly tag + run: | + git config --global user.name 'GitHub Actions' + git config --global user.email 'github-actions@github.com' + git tag -f nightly "${GITHUB_SHA}" + git push origin refs/tags/nightly --force + + - name: Download normal APK artifact + uses: actions/download-artifact@v4 + with: + name: app-debug-${{ github.sha }} + path: /tmp/artifacts/normal + + - name: Download fdroid APK artifact + uses: actions/download-artifact@v4 + with: + name: app-debug-fdroid-${{ github.sha }} + path: /tmp/artifacts/fdroid + + - name: Generate release notes + id: notes + continue-on-error: true + run: | + RELEASE_NOTES="$(node utils/scripts/generate-release-notes.js \ + ${{ github.repository_owner }} Acode ${{ github.sha }} \ + --format md --from-tag ${{ steps.prev.outputs.tag_commit }} --important-only --quiet || true)" + { + echo "RELEASE_NOTES<> "$GITHUB_ENV" + env: + GITHUB_TOKEN: ${{ secrets.NIGHTLY_RELEASE_NOTES_GH_TOKEN }} + + - name: Create nightly prerelease + uses: softprops/action-gh-release@v2 + with: + prerelease: true + tag_name: nightly-${{ github.sha }} + name: nightly-${{ github.sha }} + files: | + /tmp/artifacts/normal/*.apk + /tmp/artifacts/normal/*.apk.sha256 + /tmp/artifacts/normal/*.apk.sig + /tmp/artifacts/normal/*.apk.pem + /tmp/artifacts/normal/*.apk.jsonl + /tmp/artifacts/fdroid/*.apk + /tmp/artifacts/fdroid/*.apk.sha256 + /tmp/artifacts/fdroid/*.apk.sig + /tmp/artifacts/fdroid/*.apk.pem + /tmp/artifacts/fdroid/*.apk.jsonl + body: | + Automated Nightly pre-release + + [Compare Changes](https://github.com/${{ github.repository }}/compare/${{ steps.prev.outputs.tag_commit }}...${{ github.sha }}) + + ${{ env.RELEASE_NOTES }} \ No newline at end of file diff --git a/.github/workflows/on-demand-preview-releases-PR.yml b/.github/workflows/on-demand-preview-releases-PR.yml index 3e6398640..907f58331 100644 --- a/.github/workflows/on-demand-preview-releases-PR.yml +++ b/.github/workflows/on-demand-preview-releases-PR.yml @@ -28,7 +28,8 @@ jobs: && (github.repository_owner == 'Acode-Foundation' && (!contains(github.event.pull_request.labels.*.name, 'DO NOT PREVIEW RELEASE') && (contains(github.event.pull_request.labels.*.name, 'Bypass check - PREVIEW RELEASE') - || contains(github.event.pull_request.labels.*.name, 'CI: RUN ON-DEMAND PREVIEW RELEASES'))) + || contains(github.event.pull_request.labels.*.name, 'CI: RUN ON-DEMAND PREVIEW RELEASES') + )) ) runs-on: ubuntu-latest @@ -84,7 +85,6 @@ jobs: is_PR: true PR_NUMBER: ${{ github.event.pull_request.number }} is_trusted_pr: ${{ github.event.pull_request.head.repo.full_name == github.repository }} - skip_tagging_and_releases: true update_Last_Comment: needs: [job_trigger,trigger_builder] From 3ea66b229a2b4dac48301b19632a36a153413952 Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Thu, 9 Jul 2026 21:35:53 +0530 Subject: [PATCH 04/39] chore: use my checks for testing --- .github/workflows/nightly-build.yml | 2 +- .github/workflows/nightly-release.yml | 4 ++-- .github/workflows/on-demand-preview-releases-PR.yml | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index 3b2e3e882..363e69287 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -58,7 +58,7 @@ jobs: build: runs-on: ubuntu-latest timeout-minutes: 60 - if: github.repository_owner == 'Acode-Foundation' + # if: github.repository_owner == 'Acode-Foundation' permissions: contents: read pull-requests: read diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 4b1d307bc..f80bb587b 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -15,7 +15,7 @@ concurrency: jobs: build: - uses: Acode-Foundation/acode/.github/workflows/nightly-build.yml@main + uses: unschooledgamer/acode/.github/workflows/nightly-build.yml@main permissions: contents: read pull-requests: read @@ -29,7 +29,7 @@ jobs: release: needs: build runs-on: ubuntu-latest - if: ${{ github.repository_owner == 'Acode-Foundation' && needs.build.result == 'success' }} + # if: ${{ github.repository_owner == 'Acode-Foundation' && needs.build.result == 'success' }} permissions: contents: write steps: diff --git a/.github/workflows/on-demand-preview-releases-PR.yml b/.github/workflows/on-demand-preview-releases-PR.yml index 907f58331..d83ce38c6 100644 --- a/.github/workflows/on-demand-preview-releases-PR.yml +++ b/.github/workflows/on-demand-preview-releases-PR.yml @@ -25,7 +25,7 @@ jobs: issues: write if: | github.event.pull_request.draft == false - && (github.repository_owner == 'Acode-Foundation' + && (github.repository_owner == 'UnschooledGamer' && (!contains(github.event.pull_request.labels.*.name, 'DO NOT PREVIEW RELEASE') && (contains(github.event.pull_request.labels.*.name, 'Bypass check - PREVIEW RELEASE') || contains(github.event.pull_request.labels.*.name, 'CI: RUN ON-DEMAND PREVIEW RELEASES') @@ -80,7 +80,7 @@ jobs: secrets: KEYSTORE_CONTENT: ${{ secrets.KEYSTORE_CONTENT }} BUILD_JSON_CONTENT: ${{ secrets.BUILD_JSON_CONTENT }} - uses: Acode-Foundation/acode/.github/workflows/nightly-build.yml@main + uses: unschooledgamer/acode/.github/workflows/nightly-build.yml@main with: is_PR: true PR_NUMBER: ${{ github.event.pull_request.number }} @@ -92,7 +92,7 @@ jobs: contents: read runs-on: ubuntu-latest - if: ${{ github.repository_owner == 'Acode-Foundation' && always() && contains(fromJSON('["failure","cancelled", "success"]'), needs.trigger_builder.result) }} + if: ${{ github.repository_owner == 'UnschooledGamer' && always() && contains(fromJSON('["failure","cancelled", "success"]'), needs.trigger_builder.result) }} steps: - name: Update Last Comment by bot (If Workflow Triggering succeeded) From e5866d35ddcde322ffb28e0678d9878e85bd61e3 Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Thu, 9 Jul 2026 21:38:25 +0530 Subject: [PATCH 05/39] chore: use my checks for testing this. --- .github/workflows/on-demand-preview-releases-PR.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/on-demand-preview-releases-PR.yml b/.github/workflows/on-demand-preview-releases-PR.yml index d83ce38c6..bf273419f 100644 --- a/.github/workflows/on-demand-preview-releases-PR.yml +++ b/.github/workflows/on-demand-preview-releases-PR.yml @@ -80,7 +80,7 @@ jobs: secrets: KEYSTORE_CONTENT: ${{ secrets.KEYSTORE_CONTENT }} BUILD_JSON_CONTENT: ${{ secrets.BUILD_JSON_CONTENT }} - uses: unschooledgamer/acode/.github/workflows/nightly-build.yml@main + uses: unschooledgamer/acode/.github/workflows/nightly-build.yml@fix/on-demand-previews with: is_PR: true PR_NUMBER: ${{ github.event.pull_request.number }} From 21e927b54583eb4ceeae63959419c962d16719a6 Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Thu, 9 Jul 2026 21:52:13 +0530 Subject: [PATCH 06/39] chore: update nightly release workflow and add permissions for pull requests --- .github/workflows/nightly-release.yml | 6 ++++-- .github/workflows/on-demand-preview-releases-PR.yml | 2 +- pnpm-workspace.yaml | 4 ++++ 3 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 pnpm-workspace.yaml diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index f80bb587b..86717465e 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -132,11 +132,13 @@ jobs: GITHUB_TOKEN: ${{ secrets.NIGHTLY_RELEASE_NOTES_GH_TOKEN }} - name: Create nightly prerelease - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@v3 + env: + FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true with: prerelease: true tag_name: nightly-${{ github.sha }} - name: nightly-${{ github.sha }} + name: nightly-${{ needs.build.outputs.updated_version}} files: | /tmp/artifacts/normal/*.apk /tmp/artifacts/normal/*.apk.sha256 diff --git a/.github/workflows/on-demand-preview-releases-PR.yml b/.github/workflows/on-demand-preview-releases-PR.yml index bf273419f..a5d31e37c 100644 --- a/.github/workflows/on-demand-preview-releases-PR.yml +++ b/.github/workflows/on-demand-preview-releases-PR.yml @@ -90,7 +90,7 @@ jobs: needs: [job_trigger,trigger_builder] permissions: contents: read - + pull-requests: write runs-on: ubuntu-latest if: ${{ github.repository_owner == 'UnschooledGamer' && always() && contains(fromJSON('["failure","cancelled", "success"]'), needs.trigger_builder.result) }} steps: diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml new file mode 100644 index 000000000..9aa4293aa --- /dev/null +++ b/pnpm-workspace.yaml @@ -0,0 +1,4 @@ +allowBuilds: + '@parcel/watcher': true + core-js: true + core-js-pure: true From 2f731104c9b91348f06766c91671e38a45d64c1a Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Thu, 9 Jul 2026 21:53:34 +0530 Subject: [PATCH 07/39] rm "for owners" in the progress notification --- .github/workflows/on-demand-preview-releases-PR.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/on-demand-preview-releases-PR.yml b/.github/workflows/on-demand-preview-releases-PR.yml index a5d31e37c..091b2dc7c 100644 --- a/.github/workflows/on-demand-preview-releases-PR.yml +++ b/.github/workflows/on-demand-preview-releases-PR.yml @@ -61,11 +61,11 @@ jobs: message: | ⚒️ Starting a workflow to build, Your On-Demand Preview Release/build for ${{ github.event.pull_request.html_url || github.event.pull_request.url }}. - status: **\`🟡 in_progress\`** + status: **`🟡 in_progress`** Kindly wait, this message may be updated with success or failure status. - For Owners: Please [Click here to view that github actions](https://github.com/${{ github.repository}}/actions/runs/${{ github.run_id }})/ + Please [Click here to view that github actions](https://github.com/${{ github.repository}}/actions/runs/${{ github.run_id }})/ env: PR: ${{ github.event.pull_request.number }} From 5c775e46ad1b803b7c04453e0aab8e1a2a7f0143 Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Thu, 9 Jul 2026 22:06:26 +0530 Subject: [PATCH 08/39] chore: use my repo for testing --- .github/workflows/nightly-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 86717465e..007f690d2 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -15,7 +15,7 @@ concurrency: jobs: build: - uses: unschooledgamer/acode/.github/workflows/nightly-build.yml@main + uses: unschooledgamer/acode/.github/workflows/nightly-build.yml@fix/on-demand-previews permissions: contents: read pull-requests: read From 3312f7e30fa68c273882277877de6058bc3a163b Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Thu, 9 Jul 2026 22:57:47 +0530 Subject: [PATCH 09/39] Update nightly-release.yml --- .github/workflows/nightly-release.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 007f690d2..718bf0423 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -42,6 +42,18 @@ jobs: - name: Install cosign uses: sigstore/cosign-installer@v4.1.0 + - name: Download normal APK artifact + uses: actions/download-artifact@v4 + with: + name: app-debug-${{ github.sha }} + path: /tmp/artifacts/normal + + - name: Download fdroid APK artifact + uses: actions/download-artifact@v4 + with: + name: app-debug-fdroid-${{ github.sha }} + path: /tmp/artifacts/fdroid + - name: Generate sha256 files (per APK) shell: bash run: | @@ -104,18 +116,6 @@ jobs: git tag -f nightly "${GITHUB_SHA}" git push origin refs/tags/nightly --force - - name: Download normal APK artifact - uses: actions/download-artifact@v4 - with: - name: app-debug-${{ github.sha }} - path: /tmp/artifacts/normal - - - name: Download fdroid APK artifact - uses: actions/download-artifact@v4 - with: - name: app-debug-fdroid-${{ github.sha }} - path: /tmp/artifacts/fdroid - - name: Generate release notes id: notes continue-on-error: true From e4e89afe8ef9cd6f1d5ff6837465c074c2713bc7 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Thu, 9 Jul 2026 23:17:45 +0530 Subject: [PATCH 10/39] Update nightly-release.yml --- .github/workflows/nightly-release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 718bf0423..a79095bb9 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -32,6 +32,7 @@ jobs: # if: ${{ github.repository_owner == 'Acode-Foundation' && needs.build.result == 'success' }} permissions: contents: write + id-token: write steps: - name: Checkout repository uses: actions/checkout@v7 @@ -69,6 +70,7 @@ jobs: find /tmp/artifacts -type f -name "*.apk" | while read -r f; do # Produces: .sig and .pem cosign sign-blob --yes "$f" \ + --oidc-provider=github-actions \ --output-signature "${f}.sig" \ --output-certificate "${f}.pem" done From 9c0359fa84c64601f8e921c6fbfb4e049ce9fa26 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Thu, 9 Jul 2026 23:49:40 +0530 Subject: [PATCH 11/39] Update nightly-release.yml --- .github/workflows/nightly-release.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index a79095bb9..b22063c60 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -72,7 +72,8 @@ jobs: cosign sign-blob --yes "$f" \ --oidc-provider=github-actions \ --output-signature "${f}.sig" \ - --output-certificate "${f}.pem" + --output-certificate "${f}.pem" \ + --bundle "${f}.sigstore.json" done - name: Create provenance attestation (per APK) @@ -147,11 +148,13 @@ jobs: /tmp/artifacts/normal/*.apk.sig /tmp/artifacts/normal/*.apk.pem /tmp/artifacts/normal/*.apk.jsonl + /tmp/artifacts/normal/*.apk.sigstore.json /tmp/artifacts/fdroid/*.apk /tmp/artifacts/fdroid/*.apk.sha256 /tmp/artifacts/fdroid/*.apk.sig /tmp/artifacts/fdroid/*.apk.pem /tmp/artifacts/fdroid/*.apk.jsonl + /tmp/artifacts/fdroid/*.apk.sigstore.json body: | Automated Nightly pre-release From 43cdaaea5be3b9830993fa2a0ea70ae8aae9cf83 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Fri, 10 Jul 2026 00:21:26 +0530 Subject: [PATCH 12/39] Update nightly-release.yml --- .github/workflows/nightly-release.yml | 73 +++++++++------------------ 1 file changed, 23 insertions(+), 50 deletions(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index b22063c60..ddbc9fb70 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -33,6 +33,13 @@ jobs: permissions: contents: write id-token: write + + outputs: + release_output_url: ${{ steps.gh_release.outputs.url }} + release_notes: ${{ env.RELEASE_NOTES }} + previous_tag_commit: ${{ steps.prev_tag.outputs.tag_commit }} + nightly_tag_name: ${{ needs.build.outputs.updated_version }} + steps: - name: Checkout repository uses: actions/checkout@v7 @@ -58,51 +65,11 @@ jobs: - name: Generate sha256 files (per APK) shell: bash run: | + set -euo pipefail find /tmp/artifacts -type f -name "*.apk" | while read -r f; do sha256sum "$f" > "${f}.sha256" done - - name: Keyless sign each APK with cosign - env: - COSIGN_EXPERIMENTAL: "true" - shell: bash - run: | - find /tmp/artifacts -type f -name "*.apk" | while read -r f; do - # Produces: .sig and .pem - cosign sign-blob --yes "$f" \ - --oidc-provider=github-actions \ - --output-signature "${f}.sig" \ - --output-certificate "${f}.pem" \ - --bundle "${f}.sigstore.json" - done - - - name: Create provenance attestation (per APK) - env: - COSIGN_EXPERIMENTAL: "true" - shell: bash - run: | - find /tmp/artifacts -type f -name "*.apk" | while read -r f; do - DIGEST="$(sha256sum "$f" | awk '{print $1}')" - PRED="$(mktemp)" - cat > "$PRED" <" + base64-subjects: "${{ needs.release.outputs.hashes_b64 }}" + upload-assets: true + upload-tag-name: "${{ needs.release.outputs.nightly_tag_name }}" \ No newline at end of file From 8eae6524f40ee3c1297e89d85b5d4b213a4a2433 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Fri, 10 Jul 2026 00:26:17 +0530 Subject: [PATCH 13/39] Refactor SLSA provenance section in workflow --- .github/workflows/nightly-release.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index ddbc9fb70..3a5e9d472 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -121,16 +121,16 @@ jobs: ${{ env.RELEASE_NOTES }} - provenance: - name: Generate SLSA provenance - needs: [release] - permissions: - actions: read - id-token: write - contents: write - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 - with: + provenance: + name: Generate SLSA provenance + needs: [release] + permissions: + actions: read + id-token: write + contents: write + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 + with: # base64 of lines in sha256sum format: "" - base64-subjects: "${{ needs.release.outputs.hashes_b64 }}" - upload-assets: true - upload-tag-name: "${{ needs.release.outputs.nightly_tag_name }}" \ No newline at end of file + base64-subjects: "${{ needs.release.outputs.hashes_b64 }}" + upload-assets: true + upload-tag-name: "${{ needs.release.outputs.nightly_tag_name }}" From 4b05a54d29a5be2ecc105a9b84135b1a0c09c5f1 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Fri, 10 Jul 2026 00:47:18 +0530 Subject: [PATCH 14/39] Update nightly-release.yml --- .github/workflows/nightly-release.yml | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 3a5e9d472..8c5e36c75 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -39,6 +39,7 @@ jobs: release_notes: ${{ env.RELEASE_NOTES }} previous_tag_commit: ${{ steps.prev_tag.outputs.tag_commit }} nightly_tag_name: ${{ needs.build.outputs.updated_version }} + hashes_b64: ${{ steps.slsa_subjects.outputs.hashes_b64 }} steps: - name: Checkout repository @@ -66,10 +67,26 @@ jobs: shell: bash run: | set -euo pipefail - find /tmp/artifacts -type f -name "*.apk" | while read -r f; do - sha256sum "$f" > "${f}.sha256" + + mapfile -d '' apks < <(find /tmp/artifacts -type f -name '*.apk' -print0 | sort -z) + if [ "${#apks[@]}" -eq 0 ]; then + echo "No APKs found under /tmp/artifacts" >&2 + exit 1 + fi + + tmp="$(mktemp)" + for f in "${apks[@]}"; do + sha="$(sha256sum "$f" | awk '{print $1}')" + name="$(basename "$f")" + printf '%s %s\n' "$sha" "$name" >> "$tmp" done + echo "Subjects:" + cat "$tmp" + + b64="$(base64 -w0 "$tmp")" + echo "hashes_b64=$b64" >> "$GITHUB_OUTPUT" + - name: Resolve previous nightly tag commit id: prev run: | @@ -107,8 +124,8 @@ jobs: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true with: prerelease: true - tag_name: nightly-${{ github.sha }} - name: nightly-${{ needs.build.outputs.updated_version}} + tag_name: ${{ needs.build.outputs.updated_version}} + name: ${{ needs.build.outputs.updated_version}} files: | /tmp/artifacts/normal/*.apk /tmp/artifacts/normal/*.apk.sha256 From 4649c49602572bd237b4140211f735d6ee5df7c0 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Fri, 10 Jul 2026 07:41:35 +0530 Subject: [PATCH 15/39] Update nightly-release.yml [skip ci] --- .github/workflows/nightly-release.yml | 30 ++++++++++----------------- 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 8c5e36c75..7b0597898 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -39,7 +39,7 @@ jobs: release_notes: ${{ env.RELEASE_NOTES }} previous_tag_commit: ${{ steps.prev_tag.outputs.tag_commit }} nightly_tag_name: ${{ needs.build.outputs.updated_version }} - hashes_b64: ${{ steps.slsa_subjects.outputs.hashes_b64 }} + subjects_file: ${{ steps.subjects_file.outputs.handle }} steps: - name: Checkout repository @@ -63,29 +63,21 @@ jobs: name: app-debug-fdroid-${{ github.sha }} path: /tmp/artifacts/fdroid - - name: Generate sha256 files (per APK) + - name: Build SLSA subjects file shell: bash run: | set -euo pipefail + find /tmp/artifacts -type f -name '*.apk' -print0 | sort -z | while IFS= read -r -d '' f; do + sha256sum "$f" + done > /tmp/slsa-subjects.txt - mapfile -d '' apks < <(find /tmp/artifacts -type f -name '*.apk' -print0 | sort -z) - if [ "${#apks[@]}" -eq 0 ]; then - echo "No APKs found under /tmp/artifacts" >&2 - exit 1 - fi - - tmp="$(mktemp)" - for f in "${apks[@]}"; do - sha="$(sha256sum "$f" | awk '{print $1}')" - name="$(basename "$f")" - printf '%s %s\n' "$sha" "$name" >> "$tmp" - done + test -s /tmp/slsa-subjects.txt || { echo "No subjects found"; exit 1; } - echo "Subjects:" - cat "$tmp" - - b64="$(base64 -w0 "$tmp")" - echo "hashes_b64=$b64" >> "$GITHUB_OUTPUT" + - name: Create subjects file handle + id: subjects_file + uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0 + with: + path: /tmp/slsa-subjects.txt - name: Resolve previous nightly tag commit id: prev From 2def9a46d2daf741adb48cf6638cd32d00164f90 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Fri, 10 Jul 2026 07:42:32 +0530 Subject: [PATCH 16/39] Update nightly-release.yml [skip ci] --- .github/workflows/nightly-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 7b0597898..b96c12600 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -140,6 +140,6 @@ jobs: uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 with: # base64 of lines in sha256sum format: "" - base64-subjects: "${{ needs.release.outputs.hashes_b64 }}" + base64-subjects-as-file: "${{ needs.release.outputs.subjects_file }}" upload-assets: true upload-tag-name: "${{ needs.release.outputs.nightly_tag_name }}" From d7ec3b21bb4defd744d7d618b026ef23a345bdfb Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Fri, 10 Jul 2026 09:24:56 +0530 Subject: [PATCH 17/39] Update nightly-release.yml --- .github/workflows/nightly-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index b96c12600..ee4ae95c3 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -69,7 +69,7 @@ jobs: set -euo pipefail find /tmp/artifacts -type f -name '*.apk' -print0 | sort -z | while IFS= read -r -d '' f; do sha256sum "$f" - done > /tmp/slsa-subjects.txt + done | base64 -w0 > /tmp/base64-subjects.txt test -s /tmp/slsa-subjects.txt || { echo "No subjects found"; exit 1; } From 387dff01dd1c2f805d939e0bbc758e4d78c36c38 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Fri, 10 Jul 2026 09:33:51 +0530 Subject: [PATCH 18/39] Update nightly-release.yml [skip ci] --- .github/workflows/nightly-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index ee4ae95c3..7ef10505d 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -69,7 +69,7 @@ jobs: set -euo pipefail find /tmp/artifacts -type f -name '*.apk' -print0 | sort -z | while IFS= read -r -d '' f; do sha256sum "$f" - done | base64 -w0 > /tmp/base64-subjects.txt + done | base64 -w0 > /tmp/slsa-subjects.txt test -s /tmp/slsa-subjects.txt || { echo "No subjects found"; exit 1; } From 588754678c2c3869d425291e05a1f89cb89d944b Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Fri, 10 Jul 2026 13:24:53 +0530 Subject: [PATCH 19/39] Enhance nightly release workflow with SHA256 signature computation and publish decision logic --- .github/workflows/nightly-build.yml | 13 +++++- .github/workflows/nightly-release.yml | 65 ++++++++++++++++++++++----- 2 files changed, 64 insertions(+), 14 deletions(-) diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index 363e69287..bddc43246 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -46,6 +46,7 @@ permissions: contents: read concurrency: + # Allow only one workflow per branch. group: ${{ github.workflow }}-${{ github.ref_name }}-${{ inputs.is_PR && 'is_PR' || 'not_PR' }} cancel-in-progress: true @@ -183,6 +184,14 @@ jobs: - name: Cleanup signing files if: ${{ !inputs.is_PR || inputs.is_trusted_pr }} run: rm -f ${{ env.STORE_FILE_PATH }} ${{ env.BUILD_JSON_PATH }} + + - name: Post Build - SHA256 signature computation (output) + id: sha256 + run: | + echo "normal_apk_sha256=$(sha256sum ${{ env.NORMAL_APK_PATH }} | awk '{print $1}')" >> "$GITHUB_OUTPUT" + if [ -f "${{ env.FDROID_APK_PATH }}" ]; then + echo "fdroid_apk_sha256=$(sha256sum ${{ env.FDROID_APK_PATH }} | awk '{print $1}')" >> "$GITHUB_OUTPUT" + fi - name: Post build summary (Table) run: | @@ -193,5 +202,5 @@ jobs: echo "| Git Commit | ${{ steps.meta.outputs.git_commit }} |" >> $GITHUB_STEP_SUMMARY echo "| Normal APK Artifact Name | ${{ steps.meta.outputs.normal_artifact_name }} |" >> $GITHUB_STEP_SUMMARY echo "| F-Droid APK Artifact Name | ${{ steps.meta.outputs.fdroid_artifact_name || 'N/A' }} |" >> $GITHUB_STEP_SUMMARY - echo "| Normal APK Artifact signature | \`${{ steps.meta.outputs.normal_artifact_name }}.sha256\` |" >> $GITHUB_STEP_SUMMARY - echo "| F-Droid APK Artifact signature | \`${{ steps.meta.outputs.fdroid_artifact_name || 'N/A' }}.sha256\` |" >> $GITHUB_STEP_SUMMARY \ No newline at end of file + echo "| Normal APK Artifact SHA256 | ${{ steps.sha256.outputs.normal_apk_sha256 }} |" >> $GITHUB_STEP_SUMMARY + echo "| F-Droid APK Artifact SHA256 | ${{ steps.sha256.outputs.fdroid_apk_sha256 || 'N/A' }} |" >> $GITHUB_STEP_SUMMARY \ No newline at end of file diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 7ef10505d..c76fd1a7c 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -35,9 +35,10 @@ jobs: id-token: write outputs: + should_publish: ${{ steps.publish_gate.outputs.should_publish }} release_output_url: ${{ steps.gh_release.outputs.url }} release_notes: ${{ env.RELEASE_NOTES }} - previous_tag_commit: ${{ steps.prev_tag.outputs.tag_commit }} + previous_tag_commit: ${{ steps.prev.outputs.tag_commit }} nightly_tag_name: ${{ needs.build.outputs.updated_version }} subjects_file: ${{ steps.subjects_file.outputs.handle }} @@ -63,7 +64,43 @@ jobs: name: app-debug-fdroid-${{ github.sha }} path: /tmp/artifacts/fdroid + - name: Resolve previous nightly tag commit + id: prev + shell: bash + run: | + set -euo pipefail + VERSION_TAG="${{ needs.build.outputs.updated_version }}" + FALLBACK_TAG="nightly" + git fetch --tags --force + + if git show-ref --quiet "refs/tags/${VERSION_TAG}"; then + echo "tag_exists=true" >> "$GITHUB_OUTPUT" + echo "tag_commit=$(git rev-parse "${VERSION_TAG}")" >> "$GITHUB_OUTPUT" + elif git show-ref --quiet "refs/tags/${FALLBACK_TAG}"; then + echo "tag_exists=true" >> "$GITHUB_OUTPUT" + echo "tag_commit=$(git rev-parse "${FALLBACK_TAG}")" >> "$GITHUB_OUTPUT" + else + echo "tag_exists=false" >> "$GITHUB_OUTPUT" + echo "tag_commit=" >> "$GITHUB_OUTPUT" + fi + + - name: Decide whether to publish + id: publish_gate + shell: bash + run: | + set -euo pipefail + if [[ "${{ steps.prev.outputs.tag_exists }}" != "true" || "${{ steps.prev.outputs.tag_commit }}" != "${GITHUB_SHA}" ]]; then + echo "should_publish=true" >> "$GITHUB_OUTPUT" + else + echo "should_publish=false" >> "$GITHUB_OUTPUT" + fi + + echo "| should_publish | ${{ steps.publish_gate.outputs.should_publish }} |" >> "$GITHUB_STEP_SUMMARY" + echo "| tag_exists | ${{ steps.prev.outputs.tag_exists }} |" >> "$GITHUB_STEP_SUMMARY" + echo "| tag_commit | ${{ steps.prev.outputs.tag_commit }} |" >> "$GITHUB_STEP_SUMMARY" + - name: Build SLSA subjects file + if: steps.publish_gate.outputs.should_publish == 'true' shell: bash run: | set -euo pipefail @@ -73,22 +110,22 @@ jobs: test -s /tmp/slsa-subjects.txt || { echo "No subjects found"; exit 1; } + - name: Generate per-APK sha256 files + shell: bash + run: | + set -euo pipefail + find /tmp/artifacts -type f -name '*.apk' -print0 | while IFS= read -r -d '' f; do + sha256sum "$f" > "${f}.sha256" + done + - name: Create subjects file handle id: subjects_file uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0 with: path: /tmp/slsa-subjects.txt - - name: Resolve previous nightly tag commit - id: prev - run: | - if git show-ref --quiet refs/tags/nightly; then - echo "tag_commit=$(git rev-parse nightly)" >> "$GITHUB_OUTPUT" - else - echo "tag_commit=$(git rev-list --max-parents=0 HEAD)" >> "$GITHUB_OUTPUT" - fi - - name: Move nightly tag + if: steps.publish_gate.outputs.should_publish == 'true' run: | git config --global user.name 'GitHub Actions' git config --global user.email 'github-actions@github.com' @@ -96,6 +133,7 @@ jobs: git push origin refs/tags/nightly --force - name: Generate release notes + if: steps.publish_gate.outputs.should_publish == 'true' id: notes continue-on-error: true run: | @@ -111,13 +149,15 @@ jobs: GITHUB_TOKEN: ${{ secrets.NIGHTLY_RELEASE_NOTES_GH_TOKEN }} - name: Create nightly prerelease + if: steps.publish_gate.outputs.should_publish == 'true' + id: gh_release uses: softprops/action-gh-release@v3 env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true with: prerelease: true - tag_name: ${{ needs.build.outputs.updated_version}} - name: ${{ needs.build.outputs.updated_version}} + tag_name: ${{ needs.build.outputs.updated_version }} + name: ${{ needs.build.outputs.updated_version }} files: | /tmp/artifacts/normal/*.apk /tmp/artifacts/normal/*.apk.sha256 @@ -133,6 +173,7 @@ jobs: provenance: name: Generate SLSA provenance needs: [release] + if: needs.release.outputs.should_publish == 'true' permissions: actions: read id-token: write From e1cd0c1546daeb3203804e3c65ff64f08f061b90 Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Sat, 11 Jul 2026 21:25:01 +0530 Subject: [PATCH 20/39] chore: improve maintainability and add release-notifier --- .github/workflows/nightly-release.yml | 66 +++++++++++++++++++++------ 1 file changed, 51 insertions(+), 15 deletions(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index c76fd1a7c..d336e2e8f 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -52,17 +52,30 @@ jobs: - name: Install cosign uses: sigstore/cosign-installer@v4.1.0 + - name: Set Publish Metadata + shell: bash + run: | + set -euo pipefail + echo "ARTIFACTS_DIR=${{ env.ARTIFACTS_DIR}}" >> $GITHUB_ENV + echo "NORMAL_ARTIFACT_NAME=app-debug-${{ github.sha }}" >> $GITHUB_ENV + echo "FDROID_ARTIFACT_NAME=app-debug-fdroid-${{ github.sha }}" >> $GITHUB_ENV + echo "SUBJECTS_FILE=${{ env.SUBJECTS_FILE }}" >> $GITHUB_ENV + env: + ARTIFACTS_DIR: ${{ runner.temp }}/artifacts + SUBJECTS_FILE: ${{ runner.temp }}/slsa-subjects.txt + + - name: Download normal APK artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: name: app-debug-${{ github.sha }} - path: /tmp/artifacts/normal + path: ${{ env.ARTIFACTS_DIR }}/normal - name: Download fdroid APK artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: name: app-debug-fdroid-${{ github.sha }} - path: /tmp/artifacts/fdroid + path: ${{ env.ARTIFACTS_DIR }}/fdroid - name: Resolve previous nightly tag commit id: prev @@ -95,7 +108,9 @@ jobs: echo "should_publish=false" >> "$GITHUB_OUTPUT" fi - echo "| should_publish | ${{ steps.publish_gate.outputs.should_publish }} |" >> "$GITHUB_STEP_SUMMARY" + echo "| Variable | Value |" >> "$GITHUB_STEP_SUMMARY" + echo "| --- | --- |" >> "$GITHUB_STEP_SUMMARY" + echo "| should_publish | ${{ steps.publish_gate.outputs.should_publish && 'true' || 'false' }} |" >> "$GITHUB_STEP_SUMMARY" echo "| tag_exists | ${{ steps.prev.outputs.tag_exists }} |" >> "$GITHUB_STEP_SUMMARY" echo "| tag_commit | ${{ steps.prev.outputs.tag_commit }} |" >> "$GITHUB_STEP_SUMMARY" @@ -104,17 +119,21 @@ jobs: shell: bash run: | set -euo pipefail - find /tmp/artifacts -type f -name '*.apk' -print0 | sort -z | while IFS= read -r -d '' f; do + find ${{ env.ARTIFACTS_DIR }} -type f -name '*.apk' -print0 | sort -z | while IFS= read -r -d '' f; do sha256sum "$f" - done | base64 -w0 > /tmp/slsa-subjects.txt + done | base64 -w0 > "${SUBJECTS_FILE}" - test -s /tmp/slsa-subjects.txt || { echo "No subjects found"; exit 1; } + test -s "${SUBJECTS_FILE}" || { echo "No subjects found"; exit 1; } + env: + ARTIFACTS_DIR: ${{ env.ARTIFACTS_DIR }} + SUBJECTS_FILE: ${{ env.SUBJECTS_FILE }} + - name: Generate per-APK sha256 files shell: bash run: | set -euo pipefail - find /tmp/artifacts -type f -name '*.apk' -print0 | while IFS= read -r -d '' f; do + find ${{ env.ARTIFACTS_DIR }} -type f -name '*.apk' -print0 | while IFS= read -r -d '' f; do sha256sum "$f" > "${f}.sha256" done @@ -122,7 +141,7 @@ jobs: id: subjects_file uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0 with: - path: /tmp/slsa-subjects.txt + path: ${{ env.SUBJECTS_FILE }} - name: Move nightly tag if: steps.publish_gate.outputs.should_publish == 'true' @@ -159,10 +178,10 @@ jobs: tag_name: ${{ needs.build.outputs.updated_version }} name: ${{ needs.build.outputs.updated_version }} files: | - /tmp/artifacts/normal/*.apk - /tmp/artifacts/normal/*.apk.sha256 - /tmp/artifacts/fdroid/*.apk - /tmp/artifacts/fdroid/*.apk.sha256 + ${{ env.ARTIFACTS_DIR }}/normal/*.apk + ${{ env.ARTIFACTS_DIR }}/normal/*.apk.sha256 + ${{ env.ARTIFACTS_DIR }}/fdroid/*.apk + ${{ env.ARTIFACTS_DIR }}/fdroid/*.apk.sha256 body: | Automated Nightly pre-release @@ -180,7 +199,24 @@ jobs: contents: write uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 with: - # base64 of lines in sha256sum format: "" base64-subjects-as-file: "${{ needs.release.outputs.subjects_file }}" upload-assets: true upload-tag-name: "${{ needs.release.outputs.nightly_tag_name }}" + draft-release: false + + community-release-notifier: + name: Notify community of nightly release + needs: [release] + if: ${{ needs.release.outputs.should_publish == 'true' && (contains(fromJSON('["push", "schedule"]'), github.event_name)) && needs.release.outputs.release_output_url }} + permissions: + contents: read + uses: unschooledgamer/acode/.github/workflows/community-release-notifier.yml@fix/on-demand-previews + with: + url: ${{ needs.release.outputs.release_output_url }} + tag_name: ${{ needs.release.outputs.nightly_tag_name }} + body: ${{ needs.release.outputs.release_notes }} + secrets: + DISCORD_WEBHOOK_RELEASE_NOTES: ${{ secrets.DISCORD_WEBHOOK_RELEASE_NOTES }} + TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }} + TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }} + TELEGRAM_MESSAGE_THREAD_ID: ${{ secrets.TELEGRAM_MESSAGE_THREAD_ID }} \ No newline at end of file From 56bf41d87a20bf1d38654cf3cb7fb1a58f10337a Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Sat, 11 Jul 2026 21:31:12 +0530 Subject: [PATCH 21/39] fix: conditionally create subjects file handle based on publish gate output --- .github/workflows/nightly-release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index d336e2e8f..135fcec47 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -139,6 +139,7 @@ jobs: - name: Create subjects file handle id: subjects_file + if: steps.publish_gate.outputs.should_publish == 'true' uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0 with: path: ${{ env.SUBJECTS_FILE }} From 5a5de7942c232ddacb926ffde07a109e44b4cef9 Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Sat, 11 Jul 2026 21:34:17 +0530 Subject: [PATCH 22/39] fix: enhance secret validation step for nightly builds --- .github/workflows/nightly-build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index bddc43246..e8990d789 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -71,7 +71,8 @@ jobs: fdroid_artifact_name: ${{ steps.meta.outputs.fdroid_artifact_name }} steps: - - name: Validate required secrets (Fast Fail If missing) + - name: Validate required secrets (Fast Fail If missing on nightly builds) + if: ${{ !inputs.is_PR || inputs.is_trusted_pr }} env: KEYSTORE_CONTENT: ${{ secrets.KEYSTORE_CONTENT }} BUILD_JSON_CONTENT: ${{ secrets.BUILD_JSON_CONTENT }} From 302ce6e79912bdeff46e236b18114fd085d439b4 Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Sat, 11 Jul 2026 21:40:06 +0530 Subject: [PATCH 23/39] chore: tmp remove this check --- .github/workflows/nightly-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index e8990d789..19c36dafd 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -72,7 +72,7 @@ jobs: steps: - name: Validate required secrets (Fast Fail If missing on nightly builds) - if: ${{ !inputs.is_PR || inputs.is_trusted_pr }} + if: ${{ !inputs.is_PR }} env: KEYSTORE_CONTENT: ${{ secrets.KEYSTORE_CONTENT }} BUILD_JSON_CONTENT: ${{ secrets.BUILD_JSON_CONTENT }} From aa1429ec9816762accc83842a5baea78b1821fb1 Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Sat, 11 Jul 2026 21:52:34 +0530 Subject: [PATCH 24/39] remove this check too tmp --- .github/workflows/nightly-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index 19c36dafd..0ea8ee5e4 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -124,7 +124,7 @@ jobs: echo "fdroid_artifact_name=app-debug-fdroid-$GIT_COMMIT" >> "$GITHUB_OUTPUT" - name: Inject signing files - if: ${{ !inputs.is_PR || inputs.is_trusted_pr }} + if: ${{ !inputs.is_PR }} run: | echo "${{ secrets.KEYSTORE_CONTENT }}" | base64 -d > "${{ env.STORE_FILE_PATH }}" echo "${{ secrets.BUILD_JSON_CONTENT }}" | base64 -d > "${{ env.BUILD_JSON_PATH }}" From 9824c32be9df2c00595335972996ea36f0d07e27 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sat, 11 Jul 2026 23:22:39 +0530 Subject: [PATCH 25/39] Update nightly-release.yml [skip ci] --- .github/workflows/nightly-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 135fcec47..b4e295187 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -208,7 +208,7 @@ jobs: community-release-notifier: name: Notify community of nightly release needs: [release] - if: ${{ needs.release.outputs.should_publish == 'true' && (contains(fromJSON('["push", "schedule"]'), github.event_name)) && needs.release.outputs.release_output_url }} + if: ${{ needs.release.outputs.should_publish == 'true' && needs.release.outputs.release_output_url }} permissions: contents: read uses: unschooledgamer/acode/.github/workflows/community-release-notifier.yml@fix/on-demand-previews From 5db134598388461e0ee2ec8263d88fbefb58f94c Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sat, 11 Jul 2026 23:52:00 +0530 Subject: [PATCH 26/39] Update community-release-notifier.yml [skip ci] --- .github/workflows/community-release-notifier.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/community-release-notifier.yml b/.github/workflows/community-release-notifier.yml index 1b08d7bee..c36a07542 100644 --- a/.github/workflows/community-release-notifier.yml +++ b/.github/workflows/community-release-notifier.yml @@ -49,7 +49,7 @@ on: jobs: notify: - if: github.repository_owner == 'Acode-Foundation' + #if: github.repository_owner == 'Acode-Foundation' runs-on: ubuntu-latest steps: - name: Prepare release variables From 23c1e9cd0a01f16a05766fd960ee8e35ee0cc913 Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 13:22:34 +0530 Subject: [PATCH 27/39] chore: add job summary output for nightly release workflow [skip ci] --- .github/workflows/nightly-release.yml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index b4e295187..747196255 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -108,12 +108,6 @@ jobs: echo "should_publish=false" >> "$GITHUB_OUTPUT" fi - echo "| Variable | Value |" >> "$GITHUB_STEP_SUMMARY" - echo "| --- | --- |" >> "$GITHUB_STEP_SUMMARY" - echo "| should_publish | ${{ steps.publish_gate.outputs.should_publish && 'true' || 'false' }} |" >> "$GITHUB_STEP_SUMMARY" - echo "| tag_exists | ${{ steps.prev.outputs.tag_exists }} |" >> "$GITHUB_STEP_SUMMARY" - echo "| tag_commit | ${{ steps.prev.outputs.tag_commit }} |" >> "$GITHUB_STEP_SUMMARY" - - name: Build SLSA subjects file if: steps.publish_gate.outputs.should_publish == 'true' shell: bash @@ -189,6 +183,16 @@ jobs: [Compare Changes](https://github.com/${{ github.repository }}/compare/${{ steps.prev.outputs.tag_commit }}...${{ github.sha }}) ${{ env.RELEASE_NOTES }} + + - name: Post Job summary + if: always() + run: | + echo "| Variable | Value |" >> "$GITHUB_STEP_SUMMARY" + echo "| --- | --- |" >> "$GITHUB_STEP_SUMMARY" + echo "| should_publish | ${{ steps.publish_gate.outputs.should_publish && 'true' || 'false' }} |" >> "$GITHUB_STEP_SUMMARY" + echo "| tag_exists | ${{ steps.prev.outputs.tag_exists }} |" >> "$GITHUB_STEP_SUMMARY" + echo "| tag_commit | ${{ steps.prev.outputs.tag_commit }} |" >> "$GITHUB_STEP_SUMMARY" + echo "| release_output_url | ${{ steps.gh_release.outputs.url || 'N/A' }} |" >> "$GITHUB_STEP_SUMMARY" provenance: name: Generate SLSA provenance From 76f78384aa140bdeb233ced12b9fbe148d41ffd1 Mon Sep 17 00:00:00 2001 From: UnschooledGamer <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 13:41:49 +0530 Subject: [PATCH 28/39] fix: correct condition for should_publish output in nightly release summary [skip ci] --- .github/workflows/nightly-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 747196255..fd9729538 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -189,7 +189,7 @@ jobs: run: | echo "| Variable | Value |" >> "$GITHUB_STEP_SUMMARY" echo "| --- | --- |" >> "$GITHUB_STEP_SUMMARY" - echo "| should_publish | ${{ steps.publish_gate.outputs.should_publish && 'true' || 'false' }} |" >> "$GITHUB_STEP_SUMMARY" + echo "| should_publish | ${{ steps.publish_gate.outputs.should_publish == 'true' && 'true' || 'false' }} |" >> "$GITHUB_STEP_SUMMARY" echo "| tag_exists | ${{ steps.prev.outputs.tag_exists }} |" >> "$GITHUB_STEP_SUMMARY" echo "| tag_commit | ${{ steps.prev.outputs.tag_commit }} |" >> "$GITHUB_STEP_SUMMARY" echo "| release_output_url | ${{ steps.gh_release.outputs.url || 'N/A' }} |" >> "$GITHUB_STEP_SUMMARY" From 44522a0046fe68c4fcc0d371a7b960a8db725af4 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 21:26:07 +0530 Subject: [PATCH 29/39] Update nightly-build.yml [skip ci] --- .github/workflows/nightly-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index 0ea8ee5e4..b880c76a3 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -59,7 +59,7 @@ jobs: build: runs-on: ubuntu-latest timeout-minutes: 60 - # if: github.repository_owner == 'Acode-Foundation' + if: github.repository_owner == 'Acode-Foundation' permissions: contents: read pull-requests: read From 9dca0b80b34030edadb733b04d3ba66c4abf911f Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 21:27:27 +0530 Subject: [PATCH 30/39] Update nightly-release.yml [skip ci] --- .github/workflows/nightly-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index fd9729538..f76802fa4 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -29,7 +29,7 @@ jobs: release: needs: build runs-on: ubuntu-latest - # if: ${{ github.repository_owner == 'Acode-Foundation' && needs.build.result == 'success' }} + if: ${{ github.repository_owner == 'Acode-Foundation' && needs.build.result == 'success' }} permissions: contents: write id-token: write From 1e605ed7a218c4eb409dcead26d64a33b1c4ee91 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 21:28:34 +0530 Subject: [PATCH 31/39] Update community-release-notifier.yml --- .github/workflows/community-release-notifier.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/community-release-notifier.yml b/.github/workflows/community-release-notifier.yml index c36a07542..1b08d7bee 100644 --- a/.github/workflows/community-release-notifier.yml +++ b/.github/workflows/community-release-notifier.yml @@ -49,7 +49,7 @@ on: jobs: notify: - #if: github.repository_owner == 'Acode-Foundation' + if: github.repository_owner == 'Acode-Foundation' runs-on: ubuntu-latest steps: - name: Prepare release variables From 14a8dcdda3e49d7137cf6b15983e416c6c8443c3 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 21:30:14 +0530 Subject: [PATCH 32/39] Update nightly-release.yml [skip ci] --- .github/workflows/nightly-release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index f76802fa4..2ad0fe9be 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -15,6 +15,7 @@ concurrency: jobs: build: + if: ${{ github.repository_owner == 'Acode-Foundation' }} uses: unschooledgamer/acode/.github/workflows/nightly-build.yml@fix/on-demand-previews permissions: contents: read From 8d56bac994e59adf089bb903972da44e1efd3824 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 22:14:54 +0530 Subject: [PATCH 33/39] Update nightly-build.yml [skip ci] --- .github/workflows/nightly-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index b880c76a3..f259abfda 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -72,7 +72,7 @@ jobs: steps: - name: Validate required secrets (Fast Fail If missing on nightly builds) - if: ${{ !inputs.is_PR }} + if: ${{ !inputs.is_PR || inputs.is_trusted_pr }} env: KEYSTORE_CONTENT: ${{ secrets.KEYSTORE_CONTENT }} BUILD_JSON_CONTENT: ${{ secrets.BUILD_JSON_CONTENT }} @@ -124,7 +124,7 @@ jobs: echo "fdroid_artifact_name=app-debug-fdroid-$GIT_COMMIT" >> "$GITHUB_OUTPUT" - name: Inject signing files - if: ${{ !inputs.is_PR }} + if: ${{ !inputs.is_PR || inputs.is_trusted_pr }} run: | echo "${{ secrets.KEYSTORE_CONTENT }}" | base64 -d > "${{ env.STORE_FILE_PATH }}" echo "${{ secrets.BUILD_JSON_CONTENT }}" | base64 -d > "${{ env.BUILD_JSON_PATH }}" From 56801021114ef24e0b6a87f1bd6ff9726adc2a36 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 22:32:28 +0530 Subject: [PATCH 34/39] Update nightly-release.yml [skip ci] --- .github/workflows/nightly-release.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 2ad0fe9be..1e64736e5 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -15,8 +15,8 @@ concurrency: jobs: build: - if: ${{ github.repository_owner == 'Acode-Foundation' }} - uses: unschooledgamer/acode/.github/workflows/nightly-build.yml@fix/on-demand-previews + if: ${{ github.repository_owner == 'Acode-Foundation' }} + uses: Acode-Foundation/acode/.github/workflows/nightly-build.yml@main permissions: contents: read pull-requests: read @@ -191,8 +191,8 @@ jobs: echo "| Variable | Value |" >> "$GITHUB_STEP_SUMMARY" echo "| --- | --- |" >> "$GITHUB_STEP_SUMMARY" echo "| should_publish | ${{ steps.publish_gate.outputs.should_publish == 'true' && 'true' || 'false' }} |" >> "$GITHUB_STEP_SUMMARY" - echo "| tag_exists | ${{ steps.prev.outputs.tag_exists }} |" >> "$GITHUB_STEP_SUMMARY" - echo "| tag_commit | ${{ steps.prev.outputs.tag_commit }} |" >> "$GITHUB_STEP_SUMMARY" + echo "| (pre-release versioned/nightly tag) tag_exists | ${{ steps.prev.outputs.tag_exists }} |" >> "$GITHUB_STEP_SUMMARY" + echo "| (pre-release versioned/nightly tag) tag_commit | ${{ steps.prev.outputs.tag_commit }} |" >> "$GITHUB_STEP_SUMMARY" echo "| release_output_url | ${{ steps.gh_release.outputs.url || 'N/A' }} |" >> "$GITHUB_STEP_SUMMARY" provenance: @@ -216,7 +216,7 @@ jobs: if: ${{ needs.release.outputs.should_publish == 'true' && needs.release.outputs.release_output_url }} permissions: contents: read - uses: unschooledgamer/acode/.github/workflows/community-release-notifier.yml@fix/on-demand-previews + uses: Acode-Foundation/acode/.github/workflows/community-release-notifier.yml@main with: url: ${{ needs.release.outputs.release_output_url }} tag_name: ${{ needs.release.outputs.nightly_tag_name }} From e4c0dc74e3b2caa6104a321b7b4f36758f75149d Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 22:37:55 +0530 Subject: [PATCH 35/39] Update on-demand-preview-releases-PR.yml [skip ci] --- .github/workflows/on-demand-preview-releases-PR.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/on-demand-preview-releases-PR.yml b/.github/workflows/on-demand-preview-releases-PR.yml index 091b2dc7c..ed30b02c4 100644 --- a/.github/workflows/on-demand-preview-releases-PR.yml +++ b/.github/workflows/on-demand-preview-releases-PR.yml @@ -25,7 +25,7 @@ jobs: issues: write if: | github.event.pull_request.draft == false - && (github.repository_owner == 'UnschooledGamer' + && (github.repository_owner == 'Acode-Foundation' && (!contains(github.event.pull_request.labels.*.name, 'DO NOT PREVIEW RELEASE') && (contains(github.event.pull_request.labels.*.name, 'Bypass check - PREVIEW RELEASE') || contains(github.event.pull_request.labels.*.name, 'CI: RUN ON-DEMAND PREVIEW RELEASES') @@ -80,7 +80,7 @@ jobs: secrets: KEYSTORE_CONTENT: ${{ secrets.KEYSTORE_CONTENT }} BUILD_JSON_CONTENT: ${{ secrets.BUILD_JSON_CONTENT }} - uses: unschooledgamer/acode/.github/workflows/nightly-build.yml@fix/on-demand-previews + uses: Acode-Foundation/acode/.github/workflows/nightly-build.yml@main with: is_PR: true PR_NUMBER: ${{ github.event.pull_request.number }} From 776fd7caaa4212d529d1c6b44afc2c5fbe809c4f Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 22:41:33 +0530 Subject: [PATCH 36/39] Update on-demand-preview-releases-PR.yml --- .github/workflows/on-demand-preview-releases-PR.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/on-demand-preview-releases-PR.yml b/.github/workflows/on-demand-preview-releases-PR.yml index ed30b02c4..5a584d40d 100644 --- a/.github/workflows/on-demand-preview-releases-PR.yml +++ b/.github/workflows/on-demand-preview-releases-PR.yml @@ -92,7 +92,7 @@ jobs: contents: read pull-requests: write runs-on: ubuntu-latest - if: ${{ github.repository_owner == 'UnschooledGamer' && always() && contains(fromJSON('["failure","cancelled", "success"]'), needs.trigger_builder.result) }} + if: ${{ github.repository_owner == 'Acode-Foundation' && always() && contains(fromJSON('["failure","cancelled", "success"]'), needs.trigger_builder.result) }} steps: - name: Update Last Comment by bot (If Workflow Triggering succeeded) From f788a39a72f0afbd785c9e4f55bc983486365a2b Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 22:45:18 +0530 Subject: [PATCH 37/39] Add CODEOWNER for nightly-release.yml workflow [skip ci] --- .github/CODEOWNERS | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index f2c641ed1..421cbeac9 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -4,3 +4,4 @@ .github/workflows/nightly-build.yml @unschooledgamer .github/workflows/on-demand-preview-releases-PR.yml @unschooledgamer .github/workflows/community-release-notifier.yml @unschooledgamer +.github/workflows/nightly-release.yml @unschooledgamer From 8e3822a28bae3f22485e725b3137f4165e1d5636 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 22:48:50 +0530 Subject: [PATCH 38/39] Delete pnpm-workspace.yaml [skip ci] --- pnpm-workspace.yaml | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 pnpm-workspace.yaml diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml deleted file mode 100644 index 9aa4293aa..000000000 --- a/pnpm-workspace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -allowBuilds: - '@parcel/watcher': true - core-js: true - core-js-pure: true From bd1fa7e7689d5f03943781558d79c16ee70f9732 Mon Sep 17 00:00:00 2001 From: Emmanuel Lobo <76094069+UnschooledGamer@users.noreply.github.com> Date: Sun, 12 Jul 2026 23:02:55 +0530 Subject: [PATCH 39/39] Update .github/workflows/nightly-release.yml Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --- .github/workflows/nightly-release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 1e64736e5..1f17fc49d 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -69,13 +69,13 @@ jobs: - name: Download normal APK artifact uses: actions/download-artifact@v8 with: - name: app-debug-${{ github.sha }} + name: ${{ needs.build.outputs.normal_artifact_name }} path: ${{ env.ARTIFACTS_DIR }}/normal - name: Download fdroid APK artifact uses: actions/download-artifact@v8 with: - name: app-debug-fdroid-${{ github.sha }} + name: ${{ needs.build.outputs.fdroid_artifact_name }} path: ${{ env.ARTIFACTS_DIR }}/fdroid - name: Resolve previous nightly tag commit