claude-usage-widget/.gitea/workflows/build.yml

name: Build APK

# Push to master / open a PR  → builds a DEBUG apk (smoke test, no secrets needed).
# Push a tag like v1.14       → builds a SIGNED RELEASE apk and attaches it to the
#                               Gitea release for that tag.
on:
  push:
    branches: [master]
    tags: ['v*']
  pull_request:
    branches: [master]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      - name: Install Android SDK
        run: |
          set -e
          SDK="$GITHUB_WORKSPACE/android-sdk"
          mkdir -p "$SDK/cmdline-tools"
          curl -sSL -o /tmp/cmdtools.zip \
            https://dl.google.com/android/repository/commandlinetools-linux-9862592_latest.zip
          unzip -q /tmp/cmdtools.zip -d "$SDK/cmdline-tools"
          mv "$SDK/cmdline-tools/cmdline-tools" "$SDK/cmdline-tools/latest"
          # Feed "y" via process substitution, not a pipe: `yes |` triggers SIGPIPE (exit 141)
          # once sdkmanager stops reading, and the step shell runs with `-eo pipefail`.
          "$SDK/cmdline-tools/latest/bin/sdkmanager" --sdk_root="$SDK" --licenses >/dev/null < <(yes)
          "$SDK/cmdline-tools/latest/bin/sdkmanager" --sdk_root="$SDK" \
            "platform-tools" "platforms;android-34" "build-tools;34.0.0" >/dev/null

      - name: Point Gradle at the SDK
        run: echo "sdk.dir=$GITHUB_WORKSPACE/android-sdk" > local.properties

      # ── Debug build: every push/PR that is NOT a tag ───────────────────────
      - name: Build debug APK
        if: ${{ !startsWith(github.ref, 'refs/tags/') }}
        run: ./gradlew :app:assembleDebug --no-daemon

      # ── Release build: tags only (needs the KEYSTORE_BASE64 secret) ────────
      - name: Decode signing keystore
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          if [ -z "${{ secrets.KEYSTORE_BASE64 }}" ]; then
            echo "::error::KEYSTORE_BASE64 secret is not set — cannot build a signed release."
            exit 1
          fi
          echo "${{ secrets.KEYSTORE_BASE64 }}" | base64 -d > app/claude-widget-release.keystore

      # Signing passwords are no longer hardcoded in build.gradle.kts — inject them at build time.
      - name: Write signing credentials
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          if [ -z "${{ secrets.KEYSTORE_PASSWORD }}" ] || [ -z "${{ secrets.KEY_PASSWORD }}" ]; then
            echo "::error::KEYSTORE_PASSWORD / KEY_PASSWORD secrets not set — cannot sign release."
            exit 1
          fi
          {
            echo "storePassword=${{ secrets.KEYSTORE_PASSWORD }}"
            echo "keyPassword=${{ secrets.KEY_PASSWORD }}"
            echo "keyAlias=${{ secrets.KEY_ALIAS || 'claudewidget' }}"
          } > keystore.properties

      - name: Build release APK
        if: startsWith(github.ref, 'refs/tags/')
        run: ./gradlew :app:assembleRelease --no-daemon

      # ── Stage whichever APK was produced ───────────────────────────────────
      - name: Stage APK
        run: |
          mkdir -p out
          if [ -f app/build/outputs/apk/release/app-release.apk ]; then
            cp app/build/outputs/apk/release/app-release.apk out/claude-usage-widget.apk
          else
            cp app/build/outputs/apk/debug/app-debug.apk out/claude-usage-widget-debug.apk
          fi
          ls -la out/

      - name: Upload APK artifact
        uses: actions/upload-artifact@v3
        continue-on-error: true
        with:
          name: apk
          path: out/*.apk

      # ── Attach the signed APK to the Gitea release on tag ──────────────────
      - name: Publish APK to Gitea release
        if: startsWith(github.ref, 'refs/tags/')
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -e
          TAG="${GITHUB_REF#refs/tags/}"
          API="${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}"
          # Create the release if it doesn't exist yet (ignore "already exists").
          curl -s -X POST "$API/releases" \
            -H "Authorization: token $TOKEN" -H "Content-Type: application/json" \
            -d "{\"tag_name\":\"$TAG\",\"name\":\"$TAG\",\"body\":\"Automated build of $TAG\"}" >/dev/null || true
          RID=$(curl -s "$API/releases/tags/$TAG" -H "Authorization: token $TOKEN" \
            | python3 -c "import sys,json;print(json.load(sys.stdin)['id'])")
          # Replace any existing asset of the same name, then upload.
          curl -s "$API/releases/$RID/assets" -H "Authorization: token $TOKEN" \
            | python3 -c "import sys,json;[print(a['id']) for a in json.load(sys.stdin) if a['name']=='claude-usage-widget.apk']" \
            | while read AID; do curl -s -X DELETE "$API/releases/$RID/assets/$AID" -H "Authorization: token $TOKEN"; done
          curl -s -X POST "$API/releases/$RID/assets?name=claude-usage-widget.apk" \
            -H "Authorization: token $TOKEN" \
            -F "attachment=@out/claude-usage-widget.apk" >/dev/null
          echo "Attached claude-usage-widget.apk to release $TAG"