android.yml
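# Builds the release APKs, optionally re-signs them with a rotated key
# (apksigner lineage), uploads one artifact per ABI, and publishes a GitHub
# release when the pushed ref is a tag.
name: Android CI

# Only push and manual dispatch are configured; no pull_request trigger is
# defined here, so the signing secrets are consumed by these two events only.
on:
  push:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    # Declare the token scope explicitly instead of inheriting the repository
    # default. "contents: write" is required by the "Create Release" step;
    # every other scope is dropped.
    # NOTE(review): moving the release into its own job would let the build
    # and signing steps run with a read-only token.
    permissions:
      contents: write
    steps:
      # NOTE(review): every `uses:` below references a mutable tag
      # (@v4 / @v3 / @v2). This job handles the signing keystore and its
      # passwords, so consider pinning each action to a full commit SHA.
      # NOTE(review): nothing visible in this job pushes with git, so
      # `persist-credentials: false` on checkout looks safe - confirm
      # against scripts/update_frp_binaries.sh before enabling it.
      - uses: actions/checkout@v4

      - name: set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: gradle

      - name: Setup Android SDK
        uses: android-actions/setup-android@v3
        with:
          packages: 'build-tools;36.1.0'

      # Makes apksigner from the pinned build-tools version resolvable by name.
      - name: Add build-tools to PATH
        run: echo "$ANDROID_HOME/build-tools/36.1.0" >> "$GITHUB_PATH"

      # https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#storing-base64-binary-blobs-as-secrets
      - name: Retrieve the secret and decode it to a file
        env:
          STORE_FILE: ${{ secrets.STORE_FILE }}
        run: |
          # Keep the decoded keystore readable by the runner user only.
          umask 077
          # Quoted so the value is passed through without word splitting or
          # globbing (an unquoted expansion also turns newlines into spaces).
          echo "$STORE_FILE" | base64 --decode > keystore.jks

      # Intended to run only when both rotation secrets are configured; the
      # later signing step keys off this step's outcome.
      - name: Retrieve the key rotation files and decode them to files
        id: key-rotation-files
        env:
          NEW_STORE_FILE: ${{ secrets.NEW_STORE_FILE }}
          LINEAGE: ${{ secrets.LINEAGE }}
        if: env.NEW_STORE_FILE != null && env.LINEAGE != null
        run: |
          umask 077
          echo "$NEW_STORE_FILE" | base64 --decode > new_keystore.jks
          echo "$LINEAGE" | base64 --decode > lineage

      - name: Generate blank keystore.properties to bypass gradle check
        run: touch keystore.properties

      - name: Grant execute permission for gradlew
        run: chmod +x gradlew

      - name: Install runtime dependencies
        run: |
          # Ensure jq and tar are available for the frp download script
          sudo apt-get update && sudo apt-get install -y jq tar

      - name: Grant execute permission for update script
        run: chmod +x scripts/update_frp_binaries.sh

      # NOTE(review): this step fetches frp binaries at build time and they
      # are presumably packaged into the APKs signed below. The script is not
      # shown here - confirm it pins a release and verifies a checksum or
      # signature of what it downloads rather than trusting "latest".
      - name: Update frp binaries (download latest)
        run: ./scripts/update_frp_binaries.sh

      # Signing material is handed to Gradle through the environment only.
      - name: Build with Gradle
        run: ./gradlew assembleRelease
        env:
          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
          STORE_FILE: ${{ secrets.STORE_FILE }}
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}

      - name: Sign APKs with apksigner (key rotation)
        if: steps.key-rotation-files.outcome == 'success'
        env:
          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        run: |
          set -euo pipefail
          echo "Signing apks in app/build/outputs/apk/release/ with key rotation"
          ls -la app/build/outputs/apk/release/
          # Sanity checks:
          if [ ! -f keystore.jks ]; then
            echo "keystore.jks not found" >&2
            exit 1
          fi
          if [ ! -f new_keystore.jks ]; then
            echo "new_keystore.jks not found" >&2
            exit 1
          fi
          if [ ! -f lineage ]; then
            echo "lineage file not found" >&2
            exit 1
          fi
          # Print apksigner version and path so debugging is easier
          apksigner --version || echo "apksigner didn't output a version"
          # With nullglob an unmatched pattern expands to nothing (bash only),
          # so a for-loop over it never sees an empty value. Collect the
          # matches first and test the count, so the "nothing to sign" case
          # is actually reported.
          shopt -s nullglob
          apks=(app/build/outputs/apk/release/*.apk)
          if [ "${#apks[@]}" -eq 0 ]; then
            echo "No APKs found to sign, skipping"
            exit 0
          fi
          for apk in "${apks[@]}"; do
            echo "Signing $apk"
            # Passwords are read by apksigner from the environment (env:NAME),
            # so they do not appear on the command line.
            apksigner sign \
              --ks keystore.jks \
              --ks-key-alias "$KEY_ALIAS" \
              --ks-pass env:STORE_PASSWORD \
              --key-pass env:KEY_PASSWORD \
              --next-signer \
              --ks new_keystore.jks \
              --ks-key-alias "$KEY_ALIAS" \
              --ks-pass env:STORE_PASSWORD \
              --key-pass env:KEY_PASSWORD \
              --lineage lineage \
              "$apk"
            # Fail the job if the freshly signed APK does not verify.
            apksigner verify "$apk"
          done

      # The upload globs match APK files only; the decoded keystores and the
      # lineage file live in the workspace root and are not covered by them.
      - name: Upload arm64-v8a APK
        uses: actions/upload-artifact@v4
        with:
          name: frp-Android-arm64-v8a
          path: app/build/outputs/apk/release/*arm64-v8a*.apk

      - name: Upload armeabi-v7a APK
        uses: actions/upload-artifact@v4
        with:
          name: frp-Android-armeabi-v7a
          path: app/build/outputs/apk/release/*armeabi-v7a*.apk

      - name: Upload x86_64 APK
        uses: actions/upload-artifact@v4
        with:
          name: frp-Android-x86_64
          path: app/build/outputs/apk/release/*x86_64*.apk

      - name: Upload universal APK
        uses: actions/upload-artifact@v4
        with:
          name: frp-Android-universal
          path: app/build/outputs/apk/release/*universal*.apk

      # Publishes every release APK, but only for tag refs.
      - name: Create Release
        if: startsWith(github.ref, 'refs/tags/')
        uses: softprops/action-gh-release@v2
        with:
          files: app/build/outputs/apk/release/*.apk
          generate_release_notes: true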