Build & Sign Automation #8192

Merged Oct 7, 2024 (5 commits)

jfx2006 (Member) commented Sep 30, 2024

Build and signing automation.

Currently, there is a flaw in that it's set to be run on a "workflow_dispatch" trigger. That only works with the primary branch. A different trigger will be needed to use a beta or release branch.

Requirements:

  • Build variables environment:
    These are non-sensitive variables that configure the different builds needed. It is named (currently) based on an input to the workflow dispatch. That won't work probably, so something else is needed.
    • APP_NAME: app-thunderbird | app-k9
    • RELEASE_TYPE: debug | daily | beta | release
    • MATRIX_INCLUDE:
      This is a JSON string used to create the jobs matrix. For example, for Thunderbird beta, the (YAML) value would be:
      - packageFormat: bundle
        packageFlavor: full
      - packageFormat: apk
        packageFlavor: foss
      That would build bundleFullBeta and assembleFossBeta.
  • Secrets environments:
    An "upload" secret environment and a "signing" secret environment are needed. Currently the environment names are based on the appName, releaseType, and packageFlavor, so app-thunderbird_beta_full would have the upload signing configuration for Thunderbird Beta set up. This could be improved.
    The secrets themselves are from https://github.com/noriban/sign-android-release:
          signingKey: ${{ secrets.SIGNING_KEY }}
          alias: ${{ secrets.KEY_ALIAS }}
          keyPassword: ${{ secrets.KEY_PASSWORD }}
          keyStorePassword: ${{ secrets.KEY_STORE_PASSWORD }}
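
The naming scheme described above, as an added example that is not part of the pull request or the project's workflow: a pre-flight check that validates `MATRIX_INCLUDE` and derives the Gradle task and secrets-environment name for each matrix entry. The function name `plan_builds`, the allowlists and the `apk` to `assemble` mapping are assumptions inferred from the values named in the description.

```python
import json

# Allowed values copied from the PR description. Enforcing them as allowlists
# is an assumption of this example, not something the workflow is shown to do.
APP_NAMES = {"app-thunderbird", "app-k9"}
RELEASE_TYPES = {"debug", "daily", "beta", "release"}
FLAVORS = {"full", "foss"}
# packageFormat -> Gradle task prefix, inferred from "bundleFullBeta" and
# "assembleFossBeta" in the description.
TASK_PREFIX = {"bundle": "bundle", "apk": "assemble"}


def plan_builds(app_name, release_type, matrix_include_json):
    """Validate MATRIX_INCLUDE and return (gradle_task, environment) pairs.

    Raises ValueError for anything outside the allowlists, so a typo cannot
    select an unexpected secrets environment.
    """
    if app_name not in APP_NAMES:
        raise ValueError(f"unknown APP_NAME: {app_name!r}")
    if release_type not in RELEASE_TYPES:
        raise ValueError(f"unknown RELEASE_TYPE: {release_type!r}")
    try:
        entries = json.loads(matrix_include_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"MATRIX_INCLUDE is not valid JSON: {exc}") from None
    if not isinstance(entries, list) or not entries:
        raise ValueError("MATRIX_INCLUDE must be a non-empty JSON list")

    plan = []
    for entry in entries:
        if not isinstance(entry, dict) or set(entry) != {"packageFormat", "packageFlavor"}:
            raise ValueError(f"unexpected matrix entry: {entry!r}")
        fmt, flavor = entry["packageFormat"], entry["packageFlavor"]
        if not (isinstance(fmt, str) and isinstance(flavor, str)):
            raise ValueError(f"non-string format/flavor: {entry!r}")
        if fmt not in TASK_PREFIX or flavor not in FLAVORS:
            raise ValueError(f"unexpected format/flavor: {entry!r}")
        task = f"{TASK_PREFIX[fmt]}{flavor.capitalize()}{release_type.capitalize()}"
        plan.append((task, f"{app_name}_{release_type}_{flavor}"))
    return plan


# Constructed sample: the Thunderbird beta matrix from the description, as JSON.
SAMPLE = ('[{"packageFormat": "bundle", "packageFlavor": "full"},'
          ' {"packageFormat": "apk", "packageFlavor": "foss"}]')

if __name__ == "__main__":
    for task, env in plan_builds("app-thunderbird", "beta", SAMPLE):
        print(task, env)
```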

@jfx2006 jfx2006 marked this pull request as draft September 30, 2024 22:41
kewisch (Member) left a comment

I think once the workflow has been dispatched once, we could use gh with the --ref argument to run on a specific branch. But certainly it would be easier to trigger this from the web.

Do we have any options aside from the workflow dispatch?

packageFlavor:
description: Package flavor
required: true
default: "foss"

The default should be full, ideally we want all features to be included by default.

description: Release Type
required: true
default: "debug"
signingKey:

To be on the safe side, you might want to use add-mask on the signingKey, so it isn't inadvertently exposed.

description: key password
required: true
keyStorePassword:
description: key store password

Same here

.github/actions/sign_mobile/action.yml (outdated, resolved)
.github/workflows/shippable_builds.yml (outdated, resolved)
.github/workflows/shippable_builds.yml (outdated, resolved)

jfx2006 (Member, Author) commented Oct 1, 2024

> I think once the workflow has been dispatched once, we could use gh with the --ref argument to run on a specific branch. But certainly it would be easier to trigger this from the web.
>
> Do we have any options aside from the workflow dispatch?

Actually, workflow_dispatch may work out. I misunderstood the docs before:
"This event will only trigger a workflow run if the workflow file is on the default branch." -- but it triggers against a specific branch or tag.

jfx2006 (Member, Author) commented Oct 2, 2024

This actually builds and signs.
Everything is now in a single workflow since having separate files turned into a mess when dealing with multiple branches.

Need to test workflow_dispatch against the beta branch, it can be done apparently. The workflow file just needs to exist on the branch in question.

@jfx2006 jfx2006 force-pushed the release_automation branch from a07fb61 to 7b16bfd Compare October 4, 2024 17:54
@jfx2006 jfx2006 force-pushed the release_automation branch from 0732088 to 7c24bc5 Compare October 5, 2024 02:48
@jfx2006 jfx2006 force-pushed the release_automation branch from 7c24bc5 to 41524d2 Compare October 5, 2024 19:11
@jfx2006 jfx2006 marked this pull request as ready for review October 5, 2024 21:44
jfx2006 (Member, Author) commented Oct 5, 2024

Latest run on fork repo using a branch named "TB_BETA_8.0": https://github.com/jfx2006/thunderbird-android-ci/actions/runs/11195559719

I've set up the different environments necessary for doing a beta release as well. It's semi-scripted using the GitHub CLI - I'll get that cleaned up and file a PR this week so creating the release branch environments will be easier.

VersionName & VersionCode bumps and Play Store upload are next up.

kewisch (Member) left a comment

I'm going to approve this now and we'll see how well it works to build and sign the release.

.github/workflows/shippable_builds.yml (outdated, resolved)

strategy:
matrix:
include: "${{ fromJSON(needs.dump_config.outputs.matrixInclude) }}"
environment: ${{ needs.dump_config.outputs.appName }}_${{ needs.dump_config.outputs.releaseType }}_${{ matrix.packageFlavor }}
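
Review bot: the `environment:` line builds the name of the secrets environment from `appName`, `releaseType` and `matrix.packageFlavor`, and `matrix.packageFlavor` comes out of the `fromJSON(needs.dump_config.outputs.matrixInclude)` string on the line above, so nothing in this hunk checks that the resulting name is one of the environments that was actually set up. GitHub creates a referenced environment that does not exist, with no secrets and no protection rules, so a typo in the matrix JSON would run the job with empty signing secrets instead of failing at this line. Suggest validating `packageFlavor` and `packageFormat` against a fixed list in `dump_config` before emitting `matrixInclude`, and failing the job early when `secrets.SIGNING_KEY` is empty.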

Shouldn't we use ${{ needs.get_environment.outputs.releaseEnv }} here and depend on get_environment as well?

kewisch (Member) commented Oct 7, 2024

Lint and build is done, I'm going to go ahead and merge as tests shouldn't be affected by this CI and previous commits have succeeded.

@kewisch kewisch merged commit 11e6d54 into thunderbird:main Oct 7, 2024
2 of 3 checks passed
token: ${{ steps.app-token.outputs.token }}
target_commitish: ${{ github.sha }}
tag_name: ${{ env.TAG_NAME }}
fail_on_unmatched_files: true

Please add draft: true so the release notes can be added by a human and then the release is published.

Now the release emails I receive have no notes, please fix this 😢

@jfx2006 jfx2006 deleted the release_automation branch October 29, 2024 21:01