Skip to content

Decode keystore in workflow instead of Gradle"#20

Merged
nbassler merged 1 commit into
mainfrom
11-13
Apr 26, 2026
Merged

Decode keystore in workflow instead of Gradle"#20
nbassler merged 1 commit into
mainfrom
11-13

Conversation

@nbassler
Copy link
Copy Markdown
Member

@nbassler nbassler commented Apr 26, 2026

No description provided.

Copilot AI review requested due to automatic review settings April 26, 2026 11:39
Copilot AI reviewed Apr 26, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Android release signing flow to decode the keystore within the GitHub Actions workflow and have Gradle consume it via a file path, rather than decoding Base64 inside Gradle.

Changes:

  • Replace Gradle-side Base64 keystore decoding with KEYSTORE_PATH-based signing.
  • Add a workflow step to decode KEYSTORE_BASE64 into a temporary keystore file and pass its path to Gradle.
  • Update the release build to enable signing based on the presence of KEYSTORE_PATH.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
app/build.gradle Switch signing config from Base64 decoding to using a keystore file path via KEYSTORE_PATH.
.github/workflows/release.yml Decode keystore in CI and pass the decoded file path into the Gradle build environment.
Comments suppressed due to low confidence (1)

app/build.gradle:32

  • keyPassword is currently sourced from KEYSTORE_PASSWORD, but the workflow no longer provides a separate KEY_PASSWORD env var. If the key password differs from the keystore password (common), signing will fail. Recommend reading keyPassword from a dedicated env var (e.g., KEY_PASSWORD) and keeping storePassword tied to KEYSTORE_PASSWORD.
                storeFile = file(ksPath)
            }
            storePassword = System.getenv("KEYSTORE_PASSWORD") ?: ""
            keyAlias = System.getenv("KEY_ALIAS") ?: "dedx-upload"
            keyPassword = System.getenv("KEYSTORE_PASSWORD") ?: ""

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/release.yml
env:
KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
KEYSTORE_PATH: ${{ runner.temp }}/keystore.jks
KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
Copy link

Copilot AI Apr 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow no longer passes a key password env var, but Gradle still needs keyPassword to sign. If the key password is different from the keystore password, the signing step will fail. Recommend reintroducing KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }} (or similar) and wiring Gradle to use it for keyPassword.

Suggested change
KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}

Copilot uses AI. Check for mistakes.
@nbassler nbassler merged commit 9620f7f into main Apr 26, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nbassler