Atomic transfers + signed-release CI

Sync engine / providers: - LocalAccessor: replace createOutputStream with writeAtomically (temp sibling + rename/commit) for both JavaFile and SAF backends, so an interrupted download no longer truncates the destination file. - SyncEngine: use writeAtomically for DOWNLOAD and propagate downloadFile failures via getOrThrow (was silently swallowed -> false success + state). - WebDavProvider (covers Nextcloud/ownCloud): PUT to hidden temp then MOVE onto destination, so a failed upload can't leave a truncated remote file. - SftpProvider: upload to temp then rename onto destination. Build / CI: - compileSdk 34 -> 35 (was below targetSdk 35). - Release signing reads keystore from local.properties or env (CI), with a debug-key fallback so builds still succeed without secrets. - Disable R8/minify for release (never exercised by CI; keeps signed release behaving like the debug builds in use today). - CI: run unit tests on every push/PR, build assembleRelease (signed when KEYSTORE_BASE64 present), publish APK only on v* tags.
2026-06-05 02:15:23 +00:00
parent dbd317624d
commit b973e58d9e
6 changed files with 153 additions and 31 deletions
@@ -2,8 +2,10 @@ name: Build & Release APK

 on:
  push:
+    branches: ['**']
    tags:
      - 'v*'
+  pull_request:

 jobs:
  build:
@@ -20,10 +22,29 @@ jobs:

      - uses: android-actions/setup-android@v3

-      - name: Build debug APK
+      - name: Run unit tests
        run: |
          chmod +x gradlew
-          ./gradlew assembleDebug --no-daemon
+          ./gradlew testDebugUnitTest --no-daemon
+
+      - name: Decode release keystore
+        env:
+          KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
+        run: |
+          if [ -n "$KEYSTORE_BASE64" ]; then
+            echo "$KEYSTORE_BASE64" | base64 -d > "$RUNNER_TEMP/release.keystore"
+            echo "KEYSTORE_PATH=$RUNNER_TEMP/release.keystore" >> "$GITHUB_ENV"
+            echo "Release keystore decoded — building signed release."
+          else
+            echo "::warning::KEYSTORE_BASE64 secret not set — release APK will be debug-signed."
+          fi
+
+      - name: Build release APK
+        env:
+          KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
+          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
+          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
+        run: ./gradlew assembleRelease --no-daemon

      - name: Get version name
        id: ver
@@ -32,10 +53,11 @@ jobs:
      - name: Rename APK
        run: |
          mkdir dist
-          cp app/build/outputs/apk/debug/app-debug.apk \
+          cp app/build/outputs/apk/release/app-release.apk \
             dist/SyncFlow-v${{ steps.ver.outputs.name }}.apk

      - name: Attach APK to release
+        if: startsWith(github.ref, 'refs/tags/v')
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ github.ref_name }}