live-player/.github/workflows/deploy-to-play.yml at master · codejq/live-player · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
name: Build & Release

# Triggers when you push a version tag, e.g.: git tag v1.0.1 && git push --tags
on:
  push:
    tags:
      - 'v*.*.*'

jobs:
  build-and-release:
    name: Build, Sign & Release
    runs-on: ubuntu-latest

    # Allow the job to create GitHub Releases and upload assets
    permissions:
      contents: write

    steps:
      # ── 1. Checkout ──────────────────────────────────────────────────────────
      - name: Checkout source
        uses: actions/checkout@v4

      # ── 2. JDK ───────────────────────────────────────────────────────────────
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: gradle

      # ── 3. Decode keystore ───────────────────────────────────────────────────
      #  Secret KEYSTORE_BASE64 = base64-encoded piisoft.android.keystore
      #  Generate on Windows:
      #    [Convert]::ToBase64String([IO.File]::ReadAllBytes("piisoft.android.keystore"))
      #
      #  Modern PKCS12 keystores (JDK 9+) use AES-256 encryption that the older
      #  BouncyCastle bundled with Android Gradle Plugin cannot parse, causing
      #  "Tag number over 30 is not supported". We convert to JKS format first,
      #  which AGP reads via the JVM's built-in provider rather than BouncyCastle.
      - name: Decode keystore
        run: |
          echo "${{ secrets.KEYSTORE_BASE64 }}" | base64 --decode > /tmp/piisoft-orig.keystore
          keytool -importkeystore \
            -srckeystore /tmp/piisoft-orig.keystore \
            -srcstorepass "${{ secrets.KEYSTORE_PASSWORD }}" \
            -destkeystore $GITHUB_WORKSPACE/piisoft.android.keystore \
            -deststoretype JKS \
            -deststorepass "${{ secrets.KEYSTORE_PASSWORD }}" \
            -noprompt

      # ── 4. Build signed release APK + AAB ────────────────────────────────────
      #  Both outputs are signed by Gradle via the env vars below.
      #  APK  → app/build/outputs/apk/release/StreamPlayer-*.apk   (direct download)
      #  AAB  → app/build/outputs/bundle/release/*.aab              (Google Play)
      - name: Build signed release APK and AAB
        run: |
          chmod +x gradlew
          ./gradlew :app:assembleRelease :app:bundleRelease
        env:
          KEYSTORE_PATH: ${{ github.workspace }}/piisoft.android.keystore
          KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}

      # ── 5. Create GitHub Release + attach APK ────────────────────────────────
      #  Creates a release named after the tag (e.g. "v1.0.1") and attaches
      #  the signed APK so anyone can download and sideload it directly.
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          name: StreamPlayer ${{ github.ref_name }}
          tag_name: ${{ github.ref_name }}
          draft: false
          prerelease: false
          generate_release_notes: true
          files: app/build/outputs/apk/release/StreamPlayer-*.apk

      # ── 6. Check if Google Play secret is configured ─────────────────────────
      #  secrets context is not allowed in `if:` conditions, so we check via a
      #  run step and expose the result as a step output instead.
      - name: Check Google Play secret
        id: check_play
        env:
          KEY: ${{ secrets.GOOGLE_PLAY_JSON_KEY }}
        run: |
          if [ -n "$KEY" ]; then
            echo "configured=true" >> $GITHUB_OUTPUT
          else
            echo "configured=false" >> $GITHUB_OUTPUT
          fi

      # ── 7. Upload to Google Play (Internal track) ────────────────────────────
      #  Skipped automatically if GOOGLE_PLAY_JSON_KEY secret is not configured.
      #  Set track to 'alpha', 'beta', or 'production' when ready for wider release.
      - name: Upload to Google Play
        if: steps.check_play.outputs.configured == 'true'
        uses: r0adkll/upload-google-play@v1
        with:
          serviceAccountJsonPlainText: ${{ secrets.GOOGLE_PLAY_JSON_KEY }}
          packageName: com.streamplayer.app
          releaseFiles: app/build/outputs/bundle/release/*.aab
          track: internal
          status: completed

      # ── 7. Clean up keystore ─────────────────────────────────────────────────
      - name: Remove keystore
        if: always()
        run: rm -f $GITHUB_WORKSPACE/piisoft.android.keystore /tmp/piisoft-orig.keystore