ci: Gitea Actions workflow to build APK (debug on push, signed on tag)

Adds .gitea/workflows/build.yml. On push/PR to master it builds a debug
APK as a smoke test (no secrets). On a v* tag it decodes the signing
keystore from the KEYSTORE_BASE64 secret, builds a signed release APK,
and attaches it to the Gitea release for that tag via the API.

Runs on a self-hosted act_runner (label ubuntu-latest →
catthehacker/ubuntu:act-22.04); Android SDK 34 + build-tools 34.0.0 are
installed and cached.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitea/workflows/build.yml

@@ -0,0 +1,117 @@
+name: Build APK
+
+# Push to master / open a PR  → builds a DEBUG apk (smoke test, no secrets needed).
+# Push a tag like v1.14       → builds a SIGNED RELEASE apk and attaches it to the
+#                               Gitea release for that tag.
+on:
+  push:
+    branches: [master]
+    tags: ['v*']
+  pull_request:
+    branches: [master]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: '17'
+
+      - name: Cache Android SDK
+        id: sdk-cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ github.workspace }}/android-sdk
+          key: android-sdk-cmdline9862592-platform34-buildtools3400
+
+      - name: Install Android SDK
+        if: steps.sdk-cache.outputs.cache-hit != 'true'
+        run: |
+          set -e
+          SDK="$GITHUB_WORKSPACE/android-sdk"
+          mkdir -p "$SDK/cmdline-tools"
+          curl -sSL -o /tmp/cmdtools.zip \
+            https://dl.google.com/android/repository/commandlinetools-linux-9862592_latest.zip
+          unzip -q /tmp/cmdtools.zip -d "$SDK/cmdline-tools"
+          mv "$SDK/cmdline-tools/cmdline-tools" "$SDK/cmdline-tools/latest"
+          yes | "$SDK/cmdline-tools/latest/bin/sdkmanager" --sdk_root="$SDK" --licenses >/dev/null
+          "$SDK/cmdline-tools/latest/bin/sdkmanager" --sdk_root="$SDK" \
+            "platform-tools" "platforms;android-34" "build-tools;34.0.0" >/dev/null
+
+      - name: Point Gradle at the SDK
+        run: echo "sdk.dir=$GITHUB_WORKSPACE/android-sdk" > local.properties
+
+      - name: Cache Gradle
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.gradle/caches
+            ~/.gradle/wrapper
+          key: gradle-${{ hashFiles('**/*.gradle*', 'gradle/wrapper/gradle-wrapper.properties') }}
+
+      # ── Debug build: every push/PR that is NOT a tag ───────────────────────
+      - name: Build debug APK
+        if: ${{ !startsWith(github.ref, 'refs/tags/') }}
+        run: ./gradlew :app:assembleDebug --no-daemon
+
+      # ── Release build: tags only (needs the KEYSTORE_BASE64 secret) ────────
+      - name: Decode signing keystore
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          if [ -z "${{ secrets.KEYSTORE_BASE64 }}" ]; then
+            echo "::error::KEYSTORE_BASE64 secret is not set — cannot build a signed release."
+            exit 1
+          fi
+          echo "${{ secrets.KEYSTORE_BASE64 }}" | base64 -d > app/claude-widget-release.keystore
+
+      - name: Build release APK
+        if: startsWith(github.ref, 'refs/tags/')
+        run: ./gradlew :app:assembleRelease --no-daemon
+
+      # ── Stage whichever APK was produced ───────────────────────────────────
+      - name: Stage APK
+        run: |
+          mkdir -p out
+          if [ -f app/build/outputs/apk/release/app-release.apk ]; then
+            cp app/build/outputs/apk/release/app-release.apk out/claude-usage-widget.apk
+          else
+            cp app/build/outputs/apk/debug/app-debug.apk out/claude-usage-widget-debug.apk
+          fi
+          ls -la out/
+
+      - name: Upload APK artifact
+        uses: actions/upload-artifact@v3
+        continue-on-error: true
+        with:
+          name: apk
+          path: out/*.apk
+
+      # ── Attach the signed APK to the Gitea release on tag ──────────────────
+      - name: Publish APK to Gitea release
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -e
+          TAG="${GITHUB_REF#refs/tags/}"
+          API="${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}"
+          # Create the release if it doesn't exist yet (ignore "already exists").
+          curl -s -X POST "$API/releases" \
+            -H "Authorization: token $TOKEN" -H "Content-Type: application/json" \
+            -d "{\"tag_name\":\"$TAG\",\"name\":\"$TAG\",\"body\":\"Automated build of $TAG\"}" >/dev/null || true
+          RID=$(curl -s "$API/releases/tags/$TAG" -H "Authorization: token $TOKEN" \
+            | python3 -c "import sys,json;print(json.load(sys.stdin)['id'])")
+          # Replace any existing asset of the same name, then upload.
+          curl -s "$API/releases/$RID/assets" -H "Authorization: token $TOKEN" \
+            | python3 -c "import sys,json;[print(a['id']) for a in json.load(sys.stdin) if a['name']=='claude-usage-widget.apk']" \
+            | while read AID; do curl -s -X DELETE "$API/releases/$RID/assets/$AID" -H "Authorization: token $TOKEN"; done
+          curl -s -X POST "$API/releases/$RID/assets?name=claude-usage-widget.apk" \
+            -H "Authorization: token $TOKEN" \
+            -F "attachment=@out/claude-usage-widget.apk" >/dev/null
+          echo "Attached claude-usage-widget.apk to release $TAG"