From ab176931cecf925e7207cb11648ed1c2b2632677 Mon Sep 17 00:00:00 2001
From: Angus Turnbull <github@twinhelix.com>
Date: Thu, 14 Jan 2021 19:40:21 +1300
Subject: [PATCH] Github CI workflow to build, sign and release using Base64
 encoded keystore

---
 .github/workflows/android.yml | 66 +++++++++++++++++++++++++++++++----
 1 file changed, 59 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index 27d5667372d..483df5a3f30 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -1,20 +1,17 @@
 name: Android CI
 
 on:
-  pull_request:
   push:
     branches:
-    - 'main'
-    - '4.**'
-    - '5.**'
+    - '*-FOSS'
 
 permissions:
-  contents: read # to fetch code (actions/checkout)
+  contents: write # to fetch code (actions/checkout) then release/upload.
 
 jobs:
   build:
 
-    runs-on: ubuntu-latest-8-cores
+    runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v3
@@ -28,11 +25,66 @@ jobs:
         java-version: 17
         cache: gradle
 
+    - name: Enlarge swapfile
+      run: |
+          export SWAP_FILE=$(swapon --show=NAME | tail -n 1)
+          sudo swapoff $SWAP_FILE
+          sudo rm $SWAP_FILE
+          sudo fallocate -l 8192M $SWAP_FILE
+          sudo chmod 600 $SWAP_FILE
+          sudo mkswap $SWAP_FILE
+          sudo swapon $SWAP_FILE
+
     - name: Validate Gradle Wrapper
       uses: gradle/wrapper-validation-action@v1
 
     - name: Build with Gradle
-      run: ./gradlew qa
+      run: ./gradlew assembleWebsiteFossProdRelease
+
+    - name: Get version
+      id: get-version
+      run: echo ::set-output name=VERSION::${GITHUB_REF#refs/heads/}
+
+    - name: Sign APKs
+      env:
+        # If you want to generate a keystore secret, run these commands:
+        # keytool -genkey -v -keystore apksign.keystore -alias apksign -keyalg RSA -keysize 4096
+        # cat apksign.keystore | base64
+        KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
+        KEYSTORE_PASS: ${{ secrets.KEYSTORE_PASS }}
+      run: |
+        echo "${KEYSTORE_BASE64}" | base64 -d > apksign.keystore
+        for apk in app/build/outputs/apk/websiteFossProd/release/*-unsigned-*.apk; do
+        out=${apk/-unsigned-/-signed-}
+        ${ANDROID_HOME}/build-tools/34.0.0/apksigner sign --ks apksign.keystore --ks-pass env:KEYSTORE_PASS --out "${out}" "${apk}"
+        echo "$(sha256sum ${out})"
+        done
+        rm apksign.keystore
+
+    - name: Create Release
+      id: create_release
+      uses: actions/create-release@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        tag_name: "v${{ steps.get-version.outputs.VERSION }}"
+        release_name: "Signal ${{ steps.get-version.outputs.VERSION }}"
+        draft: false
+        prerelease: false
+
+    - name: Get Universal APK Filename
+      id: get-universal-filename
+      run: echo ::set-output name=FILENAME::$(basename $(ls -1 app/build/outputs/apk/websiteFossProd/release/*-universal-*-signed-*.apk) )
+
+    - name: Upload Universal APK
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.create_release.outputs.upload_url }}
+        asset_path: "app/build/outputs/apk/websiteFossProd/release/${{ steps.get-universal-filename.outputs.FILENAME }}"
+        asset_name: ${{ steps.get-universal-filename.outputs.FILENAME }}
+        asset_content_type: application/vnd.android.package-archive
 
     - name: Archive reports for failed build
       if: ${{ failure() }}