Use a fixed release keystore for Android signing (CI signs with ephemeral debug keys) (#300)

[trixy-the-ai-bot]

Summary

• Add a reusable setup-android-signing composite action that decodes base64-encoded release and/or dev keystores from secrets, validates that all four credentials (keystore, password, alias, key password) are present for each flavor, and writes app/android/key.properties; supports require-release=true to fail fast on prod CD when secrets are missing instead of silently shipping a debug-signed artifact.
• Wire the action into cd-app.yml's build-android and build-seeker jobs with require-release: 'true' so production APK/AAB and the Seeker APK are signed with the project-owned release key on every run.
• After the production APK build, invoke apksigner verify --print-certs so any fingerprint drift (wrong key loaded, misconfigured secrets) is visible in the job log.
• Replaces the prior debug-key fallback in app/android/app/build.gradle.kts so released artifacts now have a stable SHA-256 fingerprint, unblocking in-place upgrades for Firebase App Distribution drops, GitHub Releases, and the Seeker/dApp Store APK.

Test plan

• Run cd-app.yml twice and confirm apksigner verify --print-certs build/app/outputs/flutter-apk/app-production-release.apk reports the same SHA-256 certificate fingerprint across both runs.
• Confirm the Seeker APK produced by build-seeker reports the same fingerprint as the production APK.
• Temporarily clear ANDROID_RELEASE_KEYSTORE_BASE64 in a test run and verify cd-app.yml fails fast at the "Set up Android signing" step with the require-release=true error rather than producing a debug-signed artifact.
• Provide release-keystore-base64 but omit one of password/alias/key-password in a test run and verify the action errors out listing the missing inputs.
• On a developer machine without key.properties, run flutter run --release and confirm it still builds via the debug-signing fallback.
• Install a fresh PR APK over a previous PR APK from a different runner and confirm the upgrade installs without uninstall-first.

🤖 Generated with Claude Code

Closes #300

[coderabbitai]

Warning

Rate limit exceeded

@trixy-the-ai-bot has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 48 minutes and 53 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a579a65f-488f-4929-afd2-6988fa20e2ee

📥 Commits

Reviewing files that changed from the base of the PR and between e1f8cea and 5ec7255.

📒 Files selected for processing (2)

• app/android/app/build.gradle.kts
• docs/RELEASES.md

Walkthrough

This PR implements a complete Android release signing infrastructure for stable, project-owned key management across all CI/CD pipelines. A new composite GitHub Action (setup-android-signing) decodes base64-encoded keystores from secrets and generates a key.properties file. The Gradle build is updated to conditionally load signing configs from key.properties, falling back to debug signing when absent. The CD and PR workflows now invoke the signing action with release keystore credentials before building, and verify APK signatures post-build. CI smoke tests in flutter-ci.yml retain debug signing. Full documentation of the signing model, secret setup, and rotation procedures is added to docs/RELEASES.md, with a changelog entry in NOTES.md.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• TMaYaD/Jeeves#150: Updates the Firebase per-PR APK workflow (pr-apk.yml) with explicit Android signing setup step, directly related to this PR's introduction of stable signing across PR and release workflows.

Suggested reviewers

• TMaYaD

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and specifically describes the main change: implementing a fixed release keystore for Android signing with a reference to the closed issue.
Description check	✅ Passed	The PR description comprehensively relates to the changeset, detailing the new composite action, workflow integration, signing verification, and test plan for the Android signing implementation.
Linked Issues check	✅ Passed	The PR implementation fully satisfies #300's acceptance criteria: creates signingConfigs.release backed by key.properties, integrates setup-android-signing into cd-app.yml and pr-apk.yml with require-release guard, adds apksigner verification, documents in RELEASES.md, and preserves local debug fallback.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with #300 scope: no Play Store publishing, iOS changes, or unrelated modifications present. Comment clarifications and documentation are supporting materials for the core signing changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch issue-300/use-a-fixed-release-keystore-for-android-signing-c

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/android/app/build.gradle.kts`:
- Around line 44-61: The signingConfigs block currently only checks
hasKey("releaseStoreFile") / hasKey("devStoreFile") before creating configs;
update it to validate all four required properties (releaseStoreFile,
releaseStorePassword, releaseKeyAlias, releaseKeyPassword for the "release"
config and devStoreFile, devStorePassword, devKeyAlias, devKeyPassword for
"devRelease") by calling keystoreProperties.getProperty(...) or hasKey(...) for
each property before calling create("release") / create("devRelease"); if any
property is missing or blank, avoid creating the config and fail-fast with a
clear Gradle-friendly error (or log and throw GradleException) so the failure
points to the missing keystore property instead of a later signing error.

In `@docs/RELEASES.md`:
- Around line 174-175: The docs currently instruct using "apksigner verify
--print-certs" for AABs which is APK-specific; update the RELEASES.md text
around the cd-app.yml / jeeves-<version>.aab guidance to state that apksigner
cannot verify .aab files and to instead verify the certificate SHA-256 using
keytool -printcert -jarfile jeeves-<version>.aab (include that command as the
recommended local verification step for AABs downloaded from the release), and
keep the existing note that cd-app.yml automatically runs the APK verification
step.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fbd0424f-5bb2-4ff2-bdf6-3b3eed2ff4ef

📥 Commits

Reviewing files that changed from the base of the PR and between c7597bb and e1f8cea.

📒 Files selected for processing (7)

• .github/actions/setup-android-signing/action.yml
• .github/workflows/cd-app.yml
• .github/workflows/flutter-ci.yml
• .github/workflows/pr-apk.yml
• NOTES.md
• app/android/app/build.gradle.kts
• docs/RELEASES.md

[trixy-the-ai-bot]

Review comments addressed.

Commit 5ec7255 addressed both CodeRabbit review comments: build.gradle.kts now requires all four signing properties up front so partial key.properties files fail at config time, and RELEASES.md was corrected to use keytool -printcert -jarfile for AAB verification instead of the APK-only apksigner. Changes were pushed to the PR branch and both review threads resolved.