Skip to content

CI signing: use the repo's actual keystore secret names#27

Merged
HereLiesAz merged 4 commits into
mainfrom
claude/debug-loc-messaging-u0p51l
Jun 22, 2026
Merged

CI signing: use the repo's actual keystore secret names#27
HereLiesAz merged 4 commits into
mainfrom
claude/debug-loc-messaging-u0p51l

Conversation

@HereLiesAz

Copy link
Copy Markdown
Owner

Why

The signing workflows referenced secrets that don't exist in this repo — UPLOAD_KEYSTORE_BASE64, UPLOAD_KEYSTORE_PASSWORD, UPLOAD_KEY_ALIAS, UPLOAD_KEY_PASSWORD. The effect: the keystore decoded to an empty file and the passwords came back blank, so gradle's hasReleaseSigning was false and it silently fell back to unsigned builds. That's why the "signed" builds weren't signed.

What

Point both signing workflows (build-apk.yml dispatch path, release-play.yml) at the repo's actual secret names:

Purpose Secret
keystore (base64 .jks, decoded to upload.jks) KEYSTORE_RAW
store password KEYSTORE_SECRET
key alias KEY_ALIAS
key password KEY_SECRET
Play service account PLAY_SERVICE_ACCOUNT_JSON (unchanged)

The internal QUICLOC_* env-var names gradle actually reads (signingProp(...) in app/build.gradle.kts) are unchanged — the workflows just feed them from the correct secrets now. Header comments and docs/PLAY_PUBLISHING.md secret tables updated to match. No UPLOAD_* references remain; YAML validates.

Assumption to confirm

KEYSTORE_RAW is decoded with base64 --decode (i.e. I'm assuming it's the base64-encoded .jks, the standard way to put a binary keystore in a GitHub secret). If it's stored in some other form, the keystore load will fail at build time with a clear error — tell me the encoding and I'll adjust.

Verification

This can only be fully confirmed by a dispatch run (the signed paths need the secrets, which CI on a PR doesn't expose): run Build and Publish QuicLoc APK (or Release to Play) and confirm the output is signed (apksigner verify / jarsigner -verify). The PR's normal CI only builds the unsigned debug path.

🤖 Generated with Claude Code


Generated by Claude Code

claude and others added 2 commits June 22, 2026 12:53
The signing workflows referenced UPLOAD_KEYSTORE_BASE64 / UPLOAD_KEYSTORE_PASSWORD
/ UPLOAD_KEY_ALIAS / UPLOAD_KEY_PASSWORD — none of which exist as repo secrets, so
the keystore decoded empty and the passwords came back blank, making gradle fall
back to UNSIGNED builds.

Point the workflows at the real secrets:
  KEYSTORE_RAW      -> base64 keystore, decoded to upload.jks
  KEYSTORE_SECRET   -> store password (QUICLOC_KEYSTORE_PASSWORD env)
  KEY_ALIAS         -> key alias
  KEY_SECRET        -> key password (QUICLOC_KEY_PASSWORD env)
  PLAY_SERVICE_ACCOUNT_JSON (unchanged)

The internal QUICLOC_* env-var names gradle reads are unchanged. Updated the
release-play header comment, build-apk header comment, and PLAY_PUBLISHING.md
secret tables to match.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01UkMUU9nhTAZBkKwpuyBdtw

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @HereLiesAz, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the naming convention of the GitHub secrets used for signing release builds, renaming the UPLOAD_* secrets to KEYSTORE_RAW, KEYSTORE_SECRET, KEY_ALIAS, and KEY_SECRET. These changes are applied to the GitHub Actions workflows in repo_backup.txt and documented in docs/PLAY_PUBLISHING.md. As there are no review comments, I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@HereLiesAz HereLiesAz marked this pull request as ready for review June 22, 2026 13:58
@HereLiesAz HereLiesAz merged commit 1922189 into main Jun 22, 2026
1 check passed

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @HereLiesAz, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@HereLiesAz HereLiesAz deleted the claude/debug-loc-messaging-u0p51l branch June 22, 2026 13:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants