[CI] Add github publishing

.github/workflows/shippable_builds.yml

@@ -154,3 +154,61 @@ jobs:
           path: |
             uploads/*-signed.apk
             uploads/*.aab
+
+  pre_publish:
+    # This is a holding job meant to require approval before proceeding with the publishing jobs below
+    # The environment has a deployment protection rule requiring approval from a set of named reviewers
+    # before proceeding.
+    environment: publish_hold
+    needs: [sign_mobile]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Approval
+        shell: bash
+        run: |
+          true
+
+  github_release:
+    runs-on: ubuntu-latest
+    needs: [ pre_publish, dump_config ]
+    environment: gh-releases
+    env:
+      APP_NAME: ${{ needs.dump_config.outputs.appName }}
+      RELEASE_TYPE: ${{ needs.dump_config.outputs.releaseType }}
+      PACKAGE_FORMAT: "apk"
+      PACKAGE_FLAVOR: "foss"
+      UPLOADS: "uploads"
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          # The artifact name is the APK FOSS package for Github releases
+          name: signed-${{ env.APP_NAME }}-${{ env.PACKAGE_FORMAT }}-${{ env.PACKAGE_FLAVOR }}
+          path: ${{ env.UPLOADS }}/
+
+      - name: Get Version -> Tag Name
+        ## This obviously is quite incorrect. Need a way to extract versionName from gradle
+        shell: bash
+        run: |
+          APKANALYZER="${ANDROID_SDK_ROOT}/cmdline-tools/latest/bin/apkanalyzer"
+          APK_FILE="${APP_NAME}-${PACKAGE_FLAVOR}-${RELEASE_TYPE}-signed.apk"
+          _version=$(${APKANALYZER} manifest version-name "${UPLOADS}/${APK_FILE}")
+          _tag="${APP_NAME}-${_version}"
+          echo "TAG_NAME=${_tag}" >> $GITHUB_ENV
+          echo "APK_FILE=${APK_FILE}" >> $GITHUB_ENV
+
+      - name: App Token Generate
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.RELEASER_APP_CLIENT_ID }}
+          private-key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
+
+      - name: Publish
+        uses: softprops/action-gh-release@v2
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          target_commitish: ${{ github.sha }}
+          tag_name: ${{ env.TAG_NAME }}
+          fail_on_unmatched_files: true
+          files: |
+            ${{ env.UPLOADS }}/${{ env.APK_FILE }}

docs/CI/Release_Automation.md

@@ -8,7 +8,7 @@ and release type. The environment is selected when triggering the workflow. You
 also select the appropriate branch to run the workflow on. The environments are only
 accessible by the branch they are associated with
 
-**Environments**
+## Build Environments
 
 - thunderbird_beta
 - thunderbird_daily
@@ -30,9 +30,13 @@ The variables set in these environments are non-sensitive and are used by the bu
   ```
   That would build `bundleFullBeta` and `assembleFossBeta`.
 
+## Signing Environments
+
 There are also "secret" environments that are used by the signing job.
 
-An "upload" secret environment and a "signing" secret environment are needed. Currently the environment names are based on the appName, releaseType, and packageFlavor. So `app-thunderbird_beta_full` which would have the upload signing configuration for Thunderbird Beta set up. This could be improved.
+An "upload" secret environment and a "signing" secret environment are needed. Currently the environment names are based
+on the appName, releaseType, and packageFlavor. So `app-thunderbird_beta_full` which would have the upload
+signing configuration for Thunderbird Beta set up. This could be improved.
 The secrets themselves are from https://github.com/noriban/sign-android-release:
 
 ```yaml
@@ -41,3 +45,26 @@ alias: ${{ secrets.KEY_ALIAS }}
 keyPassword: ${{ secrets.KEY_PASSWORD }}
 keyStorePassword: ${{ secrets.KEY_STORE_PASSWORD }}
 ```
+
+## Publishing Hold Environment
+
+The "publish_hold" is shared by all application variants and is used by the "pre_publish" job.
+It has no secrets or variables, but "Required Reviewers" is set to trusted team members who oversee releases. The
+effect is that after package signing completes, the publishing jobs that depend on it will not run until released
+manually.
+
+![publish hold](publish_hold.png)
+
+## Github Releases Environment
+
+"gh_releases" contains the Client Id and Private Key for a Github App that's used by the "actions/create-github-app-token'
+to generate a token with the appropriate permissions to create and tag a Github release.
+
+|          | Name                     | Description                     |
+| -------- | ------------------------ | ------------------------------- |
+| Variable | RELEASER_APP_CLIENT_ID   | The Client ID of the github app |
+| Secret   | RELEASER_APP_PRIVATE_KEY | The private key of the app      |
+
+### App Permissions
+
+**TODO**