
Commit f33da3a

Replace Decode Keystore action and add secure cleanup
The GitHub Actions workflows have been updated to replace the third-party `Swisyn/Base64-hash-to-file` action with a standard `bash` script for decoding the Base64 keystore. This removes an external dependency and provides more control over the process. Additionally, a new step has been added to all relevant workflows to securely delete the `mLauncher.jks` keystore file after the build process completes. This is achieved using `shred -u` to overwrite the file before deleting it, enhancing the security of the CI pipeline by ensuring the signing key does not persist on the runner.
1 parent f764287 commit f33da3a


5 files changed

+98
-35
lines changed


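--- a/.github/workflows/android-branch_ci.yml
+++ b/.github/workflows/android-branch_ci.yml
@@ -35,18 +35,30 @@ jobs:
 
       - name: Decode keystore
         id: write_base64_file
-        uses: Swisyn/Base64-hash-to-file@v1.0
-        with:
-          destinationFileName: 'mLauncher.jks'
-          destinationPath: 'app'
-          encodedString: ${{ secrets.SIGNINGKEY_BASE64 }}
+        shell: bash
+        run: |
+          echo "${{ secrets.SIGNINGKEY_BASE64 }}" > mLauncher.jks.tmp
+          base64 -d -i mLauncher.jks.tmp > mLauncher.jks
+          rm mLauncher.jks.tmp
+
+          mkdir -p app
+          mv mLauncher.jks app/
+
+          DESTINATION_FILE="app/mLauncher.jks"
+          echo "filePath=$DESTINATION_FILE" >> "$GITHUB_OUTPUT"
+          echo "Keystore written to $DESTINATION_FILE"
 
       - name: Build with Gradle
-        run: ./gradlew clean assembleProdDebug --refresh-dependencies --no-daemon
+        run: ./gradlew clean assembleProdRelease --refresh-dependencies --no-daemon
         env:
           JAVA_TOOL_OPTIONS: "-Dhttps.protocols=TLSv1.2"
           KEY_STORE_FILE: ${{ steps.write_base64_file.outputs.filePath }}
           KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
           KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
           KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
-
+
+      - name: Secure keystore cleanup
+        if: always()
+        shell: bash
+        run: |
+          shred -u app/mLauncher.jks || rm -f app/mLauncher.jks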
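Review bot: The decode step at new lines 38-40 leaves the Base64 key material in `mLauncher.jks.tmp` and removes it with a plain `rm`, while the `if: always()` cleanup at line 64 only covers `app/mLauncher.jks`, so if `base64` fails the temp file with the full key survives on the runner; the same decode step is added in android-main_ci.yml, android-pr_ci.yml, android-release_ci.yml and nightly-release.yml. Interpolating `${{ secrets.SIGNINGKEY_BASE64 }}` into the script text also substitutes the secret before bash runs, whereas passing it through `env:` and piping it straight into `base64 -d` needs no temp file and no interpolation. On GNU coreutils (the `ubuntu-latest` runner visible in nightly-release.yml) `-i` means `--ignore-garbage`, so a corrupted secret silently decodes to a truncated keystore instead of failing the step, and on BSD/macOS `base64` the same flag names the input file; dropping it and letting the default `-e`/`pipefail` shell fail loudly is the safer choice.

```yaml
      - name: Decode keystore
        id: write_base64_file
        shell: bash
        env:
          SIGNINGKEY_BASE64: ${{ secrets.SIGNINGKEY_BASE64 }}
        run: |
          mkdir -p app
          printf '%s' "$SIGNINGKEY_BASE64" | base64 -d > app/mLauncher.jks
          # … unchanged: DESTINATION_FILE / GITHUB_OUTPUT lines …
```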

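--- a/.github/workflows/android-main_ci.yml
+++ b/.github/workflows/android-main_ci.yml
@@ -33,17 +33,30 @@ jobs:
 
       - name: Decode keystore
         id: write_base64_file
-        uses: Swisyn/Base64-hash-to-file@v1.0
-        with:
-          destinationFileName: 'mLauncher.jks'
-          destinationPath: 'app'
-          encodedString: ${{ secrets.SIGNINGKEY_BASE64 }}
+        shell: bash
+        run: |
+          echo "${{ secrets.SIGNINGKEY_BASE64 }}" > mLauncher.jks.tmp
+          base64 -d -i mLauncher.jks.tmp > mLauncher.jks
+          rm mLauncher.jks.tmp
+
+          mkdir -p app
+          mv mLauncher.jks app/
+
+          DESTINATION_FILE="app/mLauncher.jks"
+          echo "filePath=$DESTINATION_FILE" >> "$GITHUB_OUTPUT"
+          echo "Keystore written to $DESTINATION_FILE"
 
       - name: Build with Gradle
-        run: ./gradlew clean assembleProdDebug --refresh-dependencies --no-daemon
+        run: ./gradlew clean assembleProdRelease --refresh-dependencies --no-daemon
         env:
           JAVA_TOOL_OPTIONS: "-Dhttps.protocols=TLSv1.2"
           KEY_STORE_FILE: ${{ steps.write_base64_file.outputs.filePath }}
-          KEY_STORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
+          KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
           KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
           KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
+
+      - name: Secure keystore cleanup
+        if: always()
+        shell: bash
+        run: |
+          shred -u app/mLauncher.jks || rm -f app/mLauncher.jks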
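Review bot: The build step's `env:` at new line 54 switches the secret from `secrets.KEYSTORE_PASSWORD` to `secrets.KEY_STORE_PASSWORD`, and line 50 changes the Gradle task from `assembleProdDebug` to `assembleProdRelease`; neither change is mentioned in the commit description, and the renamed secret must exist in the repository or the signed build will fail at signing time with an empty password. The same rename appears in android-release_ci.yml, and the debug-to-release switch in android-branch_ci.yml and android-pr_ci.yml. A comment above the `env:` block such as `# secret names must match the repository settings: KEY_STORE_PASSWORD, KEY_ALIAS, KEY_PASSWORD` would make the dependency visible to whoever maintains the secrets.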

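--- a/.github/workflows/android-pr_ci.yml
+++ b/.github/workflows/android-pr_ci.yml
@@ -33,18 +33,30 @@ jobs:
 
       - name: Decode keystore
         id: write_base64_file
-        uses: Swisyn/Base64-hash-to-file@v1.0
-        with:
-          destinationFileName: 'mLauncher.jks'
-          destinationPath: 'app'
-          encodedString: ${{ secrets.SIGNINGKEY_BASE64 }}
+        shell: bash
+        run: |
+          echo "${{ secrets.SIGNINGKEY_BASE64 }}" > mLauncher.jks.tmp
+          base64 -d -i mLauncher.jks.tmp > mLauncher.jks
+          rm mLauncher.jks.tmp
+
+          mkdir -p app
+          mv mLauncher.jks app/
+
+          DESTINATION_FILE="app/mLauncher.jks"
+          echo "filePath=$DESTINATION_FILE" >> "$GITHUB_OUTPUT"
+          echo "Keystore written to $DESTINATION_FILE"
 
       - name: Build with Gradle
-        run: ./gradlew clean assembleProdDebug --refresh-dependencies --no-daemon
+        run: ./gradlew clean assembleProdRelease --refresh-dependencies --no-daemon
         env:
           JAVA_TOOL_OPTIONS: "-Dhttps.protocols=TLSv1.2"
           KEY_STORE_FILE: ${{ steps.write_base64_file.outputs.filePath }}
           KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
           KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
           KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
-
+
+      - name: Secure keystore cleanup
+        if: always()
+        shell: bash
+        run: |
+          shred -u app/mLauncher.jks || rm -f app/mLauncher.jks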
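Review bot: The build step at new line 50 now produces a signed `assembleProdRelease` build in a workflow whose name suggests it runs for pull requests; the trigger is outside the hunk, but if it is `pull_request` and a PR comes from a fork, `secrets.*` are empty there, so the decode step at lines 38-39 writes an empty `app/mLauncher.jks` and the job fails at signing rather than being skipped. If fork PRs are in scope, either keep the unsigned debug build for this workflow or expose whether the secret is present through a job-level `env:` value and gate the decode, build and cleanup steps on it. A comment above the decode step stating the assumption, e.g. `# requires repository secrets; fork PRs do not receive them`, would at least make the failure mode explicit.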

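--- a/.github/workflows/android-release_ci.yml
+++ b/.github/workflows/android-release_ci.yml
@@ -33,21 +33,34 @@ jobs:
 
       - name: Decode keystore
         id: write_base64_file
-        uses: Swisyn/Base64-hash-to-file@v1.0
-        with:
-          destinationFileName: 'mLauncher.jks'
-          destinationPath: 'app'
-          encodedString: ${{ secrets.SIGNINGKEY_BASE64 }}
+        shell: bash
+        run: |
+          echo "${{ secrets.SIGNINGKEY_BASE64 }}" > mLauncher.jks.tmp
+          base64 -d -i mLauncher.jks.tmp > mLauncher.jks
+          rm mLauncher.jks.tmp
+
+          mkdir -p app
+          mv mLauncher.jks app/
 
-      - name: Build
-        run: ./gradlew clean assembleProdRelease --refresh-dependencies --no-daemon && ./gradlew clean bundleProdRelease --refresh-dependencies --no-daemon
+          DESTINATION_FILE="app/mLauncher.jks"
+          echo "filePath=$DESTINATION_FILE" >> "$GITHUB_OUTPUT"
+          echo "Keystore written to $DESTINATION_FILE"
+
+      - name: Build with Gradle
+        run: ./gradlew clean assembleProdRelease bundleProdRelease --refresh-dependencies --no-daemon
         env:
           JAVA_TOOL_OPTIONS: "-Dhttps.protocols=TLSv1.2"
           KEY_STORE_FILE: ${{ steps.write_base64_file.outputs.filePath }}
-          KEY_STORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
+          KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
           KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
           KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
 
+      - name: Secure keystore cleanup
+        if: always()
+        shell: bash
+        run: |
+          shred -u app/mLauncher.jks || rm -f app/mLauncher.jks
+
       - name: Release to GitHub
         uses: svenstaro/upload-release-action@2.11.3
         with: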

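--- a/.github/workflows/nightly-release.yml
+++ b/.github/workflows/nightly-release.yml
@@ -20,7 +20,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: bash clearRelease.sh
-
+
   build:
     name: Build, Sign & Release
     runs-on: ubuntu-latest
@@ -47,11 +47,18 @@ jobs:
 
       - name: Decode keystore
         id: write_base64_file
-        uses: Swisyn/Base64-hash-to-file@v1.0
-        with:
-          destinationFileName: 'mLauncher.jks'
-          destinationPath: 'app'
-          encodedString: ${{ secrets.SIGNINGKEY_BASE64 }}
+        shell: bash
+        run: |
+          echo "${{ secrets.SIGNINGKEY_BASE64 }}" > mLauncher.jks.tmp
+          base64 -d -i mLauncher.jks.tmp > mLauncher.jks
+          rm mLauncher.jks.tmp
+
+          mkdir -p app
+          mv mLauncher.jks app/
+
+          DESTINATION_FILE="app/mLauncher.jks"
+          echo "filePath=$DESTINATION_FILE" >> "$GITHUB_OUTPUT"
+          echo "Keystore written to $DESTINATION_FILE"
 
       - name: Build with Gradle
         run: ./gradlew clean assembleNightlyRelease --refresh-dependencies --no-daemon
@@ -62,6 +69,12 @@ jobs:
           KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
           KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
 
+      - name: Secure keystore cleanup
+        if: always()
+        shell: bash
+        run: |
+          shred -u app/mLauncher.jks || rm -f app/mLauncher.jks
+
       - name: Extract Version
         id: extract_version
         run: |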
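Review bot: The cleanup step at new lines 72-76 of the third hunk is undocumented, and `shred -u` does not guarantee an in-place overwrite on journaled, copy-on-write or overlay filesystems (the coreutils manual states this), so on a hosted runner the step's real value is removing the keystore before any later step — artifact upload, caching, the `Extract Version` and release steps that follow — can capture it, not secure erasure; the same step is added in the other four workflows. A comment above the step, such as `# best-effort removal: shred may not overwrite in place on the runner's filesystem; the goal is that no later step sees the key`, would set the right expectation. The `|| rm -f` fallback also makes a missing file (e.g. the decode step failed) succeed silently, which is appropriate under `if: always()` but worth stating in the same comment.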
