update deploy workflow #726

Open: yhs0602 wants to merge 1 commit into master from feat/release-apk-workflow
Conversation

yhs0602 (Owner) commented Feb 25, 2026

Please let me know what you had improved.

Summary by CodeRabbit

  • Chores
    • Added automated APK release workflow that triggers on version tag pushes and publishes builds to GitHub Releases with support for signed and unsigned artifacts.

coderabbitai bot commented Feb 25, 2026

Walkthrough

Introduces a new GitHub Actions workflow that automates APK building and release publishing on tag pushes (v*). The workflow builds release APKs using JDK 17 with Gradle caching, optionally signs them with a keystore secret, and publishes artifacts to GitHub Releases.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Release Workflow: .github/workflows/release.yml | New GitHub Actions workflow that triggers on version tags, builds release APK, conditionally signs with keystore, and publishes to GitHub Releases with fallback for unsigned APK. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A workflow so grand, on tags it takes flight,
Building APKs with Gradle delight,
Signing with secrets, none left unsigned,
Release automation, perfectly designed! 📦✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title 'update deploy workflow' is vague and generic. While it relates to the changeset (which introduces a new release workflow), it lacks specificity about what was changed or added. | Consider a more descriptive title such as 'Add GitHub Actions workflow for building and publishing release APK' to clearly communicate the main change. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c3a3d43 and d14a6b2.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

cache: gradle

- name: Create google-services.json
run: echo '${{ secrets.GOOGLE_JSON }}' | base64 --decode > app/google-services.json
⚠️ Potential issue | 🟠 Major

Shell-injection risk from direct secret interpolation in echo.

${{ secrets.GOOGLE_JSON }} is expanded by the Actions expression engine before the shell interprets the command. If the secret value contains single quotes, it will break out of the shell string and could cause arbitrary command injection. Pass the secret through an env variable instead, which keeps it fully opaque to the shell parser.

🛡️ Proposed fix
       - name: Create google-services.json
-        run: echo '${{ secrets.GOOGLE_JSON }}' | base64 --decode > app/google-services.json
+        env:
+          GOOGLE_JSON: ${{ secrets.GOOGLE_JSON }}
+        run: echo "$GOOGLE_JSON" | base64 --decode > app/google-services.json
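Review bot: On the added `run:` line, `echo "$GOOGLE_JSON"` still leaves the value to echo's own argument handling; `printf '%s' "$GOOGLE_JSON" | base64 --decode > app/google-services.json` passes it through unchanged whatever it contains. The step also writes an empty app/google-services.json when the secret is unset, so a guard such as `[ -n "$GOOGLE_JSON" ]` ahead of the decode would make the step fail at this point rather than later in the build.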
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 27, Replace direct secret
interpolation in the run command "echo '${{ secrets.GOOGLE_JSON }}' | base64
--decode > app/google-services.json" by passing the secret into an environment
variable (e.g. GOOGLE_JSON: ${{ secrets.GOOGLE_JSON }}) on the step and then use
the shell-safe expansion of that env var in the run command (e.g. use
"$GOOGLE_JSON" piped to base64 --decode to write app/google-services.json) so
the secret remains opaque to the shell parser and avoids shell-injection risk.

run: ./gradlew assembleRelease

- name: Sign APK
if: ${{ secrets.KEYSTORE_BASE64 != '' }}
⚠️ Potential issue | 🔴 Critical

secrets context is not allowed in if conditions — all three conditionals are broken.

Secrets cannot be directly referenced in if: conditionals. The recommended fix is to set secrets as job-level environment variables and then reference the env context in step conditions.

The secrets context cannot be used in if conditionals, neither in job-level nor step-level if. Since the expression will always resolve to an empty/undefined value, the signing and release steps will never run as intended, silently falling back to the unsigned path every time.

🐛 Proposed fix

Add a job-level env block and replace all three if conditions:

 jobs:
   release:
     name: Build & Publish APK
     runs-on: ubuntu-latest
+    env:
+      KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}

     steps:
       - name: Sign APK
-        if: ${{ secrets.KEYSTORE_BASE64 != '' }}
+        if: ${{ env.KEYSTORE_BASE64 != '' }}
       - name: Upload signed APK to GitHub Releases
-        if: ${{ secrets.KEYSTORE_BASE64 != '' }}
+        if: ${{ env.KEYSTORE_BASE64 != '' }}
       - name: Upload unsigned APK to GitHub Releases (fallback)
-        if: ${{ secrets.KEYSTORE_BASE64 == '' }}
+        if: ${{ env.KEYSTORE_BASE64 == '' }}
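Review bot: The job-level `env:` block exports the keystore itself to every step in the job, while the three `if:` lines only need to know whether it is set. Consider mapping a boolean at job level instead, for example `HAS_KEYSTORE: ${{ secrets.KEYSTORE_BASE64 != '' }}` (a hypothetical name), testing `env.HAS_KEYSTORE == 'true'` in the three conditions, and passing KEYSTORE_BASE64 only to the Sign APK step.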

Also applies to: 50-50, 61-61

🧰 Tools
🪛 actionlint (1.7.11)

[error] 39-39: context "secrets" is not allowed here. available contexts are "env", "github", "inputs", "job", "matrix", "needs", "runner", "steps", "strategy", "vars". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details

(expression)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 39, Add a job-level env block that
maps the needed secrets into environment variables (e.g., KEYSTORE_BASE64: ${{
secrets.KEYSTORE_BASE64 }}, KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }},
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}), then replace the three broken
if: conditionals that reference secrets (the ones checking KEYSTORE_BASE64,
KEYSTORE_PASSWORD, GPG_PRIVATE_KEY) to use the env context instead (for example
if: env.KEYSTORE_BASE64 != ''), ensuring all conditional checks reference
env.VAR rather than secrets.VAR so the steps run correctly.


- name: Sign APK
if: ${{ secrets.KEYSTORE_BASE64 != '' }}
uses: r0adkll/sign-android-release@v1
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the workflow file to understand the context
fd 'release.yml' .github/workflows/

Repository: yhs0602/Android-Disassembler

Length of output: 101


🏁 Script executed:

# Read the release workflow file around the mentioned lines
cat -n .github/workflows/release.yml | sed -n '35,50p'

Repository: yhs0602/Android-Disassembler

Length of output: 780


🌐 Web query:

r0adkll sign-android-release action GitHub maintenance status deprecated

💡 Result:

  • Not officially deprecated/archived: The repository and Marketplace listing do not indicate “deprecated” or “archived” status. [1][2]
  • Maintenance/activity looks low: The latest commit on master is Feb 29, 2024. [3] The floating major tag v1 was last updated Aug 13, 2021. [4]
  • Major compatibility concern (GitHub Actions runtime): The action’s action.yml specifies runs: using: 'node12'. [5] GitHub deprecated Node 12 for Actions and began enforcing migration to Node 16 starting June 14, 2023. [6]
  • Open maintenance signals: The repo currently shows 31 open issues and 19 open PRs, including requests like “Update to node20” and other deprecation-related reports. [7]
  • Community workaround: An open issue notes someone created a separate repo specifically to address upcoming GitHub deprecations affecting this action. [8]

Bottom line: It’s not formally deprecated, but it’s effectively at-risk/unmaintained for modern GitHub Actions due to the Node 12 runtime and the backlog of unresolved modernization issues. [5][6][7]

Sources: [1][2][3][4][5][6][7][8]


🌐 Web query:

filippoLeporati93 android-release-signer maintained fork

💡 Result:

The maintained fork you’re looking for is filippoLeporati93/android-release-signer (a GitHub Action to sign Android .apk/.aab releases). It explicitly credits r0adkll/sign-android-release as its upstream base and is published on the GitHub Marketplace as “Android release signer”. The repo shows release v1.0.0 (Mar 19, 2024). [1] [2]

Source repos/pages:

  • filippoLeporati93/android-release-signer (fork-based action) [1]
  • GitHub Marketplace listing “Android release signer” [2]

[1] (github.com)
[2] (github.com)


🌐 Web query:

r0adkll/sign-android-release set-output deprecated GitHub action

💡 Result:

The warning isn’t from your workflow YAML — it’s coming from r0adkll/sign-android-release itself.

  • The action is built with @actions/core ^1.2.6 (very old) in its package.json, which can still emit the deprecated ::set-output workflow command, triggering the runner warning. [2]
  • GitHub’s guidance is: action authors should update @actions/core to v1.10.0+ (which switches setOutput to environment files / GITHUB_OUTPUT). [1]
  • Separately, this action still declares runs: using: node12 in action.yml, which is also deprecated on GitHub-hosted runners. [3]

What you can do:

  1. Best fix: fork the repo and update it (at minimum):
    • bump @actions/core to >= 1.10.0 [1][2]
    • change action.yml runtime to node20 [3]
    • rebuild/commit the compiled lib/ output (since this repo ships built JS).
  2. Short-term: ignore the warning (it’s only a warning as of now per GitHub’s deprecation notice/postponement). [1]
  3. Track/discuss upstream in the repo’s open issue about this warning. [4]

Sources: GitHub deprecation notice and required toolkit version [1]; action dependency version [2]; action runtime (node12) [3]; upstream issue listing for the deprecation warning [4].


🌐 Web query:

r0adkll sign-android-release v1 GPG key signature expired

💡 Result:

r0adkll/sign-android-release@v1 currently points to a tag whose commit was signed with GitHub’s verified signature key 4AEE18F83AFDEB23, which is marked “expired” on the repo’s Tags page. If your org/repo is enforcing signature verification (e.g., “vigilant mode”/similar policy), that can surface as a “GPG key signature expired” failure. [1]

Fix options

  1. Pin to a different ref (recommended)
  • Use an older tag in that repo that isn’t using the expired GitHub key (for example v1.0.4), or pin to a specific commit SHA you trust.
- uses: r0adkll/sign-android-release@v1.0.4
# or: r0adkll/sign-android-release@<full_commit_sha>

(Using immutable SHAs is generally the safest for Actions dependencies.)

  2. Fork and retag
  • Fork r0adkll/sign-android-release, create your own tag (e.g., v1) pointing at a commit signed with a non-expired key, and use your-org/sign-android-release@v1.

Why this happens

GitHub shows verification statuses for signed commits/tags, and in stricter verification modes you’ll see failures when signatures can’t be considered valid (including when keys are expired). [2]

Sources: GitHub tags view for r0adkll/sign-android-release (shows v1 signed with an expired key) [1]; GitHub Docs on signature verification/vigilant mode behavior [2].


🏁 Script executed:

# Check if there's any local reference or documentation about the action
git log --oneline -n 1 2>/dev/null | head -1

Repository: yhs0602/Android-Disassembler

Length of output: 102


r0adkll/sign-android-release@v1 uses deprecated Node 12 and should be replaced.

GitHub deprecated Node 12 for Actions runners and enforced the migration to Node 16+ starting June 2023. This action still declares node12 in its action.yml and will fail or produce warnings on modern GitHub-hosted runners. The action has low maintenance activity (last v1 tag: August 2021, latest commit: February 2024) with 31 open issues.

Additionally, the action uses an old version of @actions/core (^1.2.6) that emits the deprecated ::set-output workflow command, triggering deprecation warnings on current runners.

Switch to the community-maintained fork filippoLeporati93/android-release-signer (v1.0.0, published March 2024), which is built on Node 20 and addresses these deprecations.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 40, Replace the deprecated action
usage r0adkll/sign-android-release@v1 with the maintained fork
filippoLeporati93/android-release-signer@v1.0.0 in the workflow; update any
inputs/outputs to match the new action's interface (adjust step name where you
reference r0adkll/sign-android-release and any output consumption in subsequent
steps), and verify the new action no longer relies on node12 or deprecated
::set-output by running the workflow and fixing any input/output key names to
the fork's documented ones.
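
A minimal lint for the first two findings in the review above, as an added example (not code from the PR, CodeRabbit or actionlint). It flags `${{ secrets.* }}` interpolated into `run:` scripts and `secrets` referenced in `if:` conditions; the sample fragment is constructed from the step lines quoted in the review, its final `run: |` body is invented for illustration, and the rule names are assumptions.

```python
import re

# Constructed sample: step lines quoted in the review, plus an invented `run: |` body.
WORKFLOW = """\
steps:
  - name: Create google-services.json
    run: echo '${{ secrets.GOOGLE_JSON }}' | base64 --decode > app/google-services.json
  - name: Create google-services.json (env form)
    env:
      GOOGLE_JSON: ${{ secrets.GOOGLE_JSON }}
    run: echo "$GOOGLE_JSON" | base64 --decode > app/google-services.json
  - name: Sign APK
    if: ${{ secrets.KEYSTORE_BASE64 != '' }}
    uses: r0adkll/sign-android-release@v1
  - name: Upload unsigned APK to GitHub Releases (fallback)
    if: ${{ env.KEYSTORE_BASE64 == '' }}
    run: |
      echo '${{ secrets.GOOGLE_JSON }}' > /dev/null
"""

IN_EXPR = re.compile(r"\$\{\{[^}]*\bsecrets\.(\w+)[^}]*\}\}")  # ${{ ... secrets.NAME ... }}
BARE = re.compile(r"\bsecrets\.(\w+)")                         # `if:` needs no ${{ }} wrapper
KEY = re.compile(r"^(\s*(?:-\s+)?)(run|if):\s*(.*)$")

def lint(text):
    """Return (line_no, rule, secret_name) for secrets used in run: scripts or if: conditions."""
    findings, block_col = [], None  # block_col: column of `run:` while inside a `run: |` body
    for no, line in enumerate(text.splitlines(), 1):
        if block_col is not None:
            indent = len(line) - len(line.lstrip())
            if not line.strip() or indent > block_col:
                findings += [(no, "secret-in-run", m.group(1)) for m in IN_EXPR.finditer(line)]
                continue
            block_col = None  # a dedent ends the block scalar
        m = KEY.match(line)
        if not m:
            continue
        prefix, key, value = m.groups()
        if key == "if":
            findings += [(no, "secret-in-if", s.group(1)) for s in BARE.finditer(value)]
        elif value[:1] in ("|", ">"):
            block_col = len(prefix)  # multi-line script starts on the next line
        else:
            findings += [(no, "secret-in-run", s.group(1)) for s in IN_EXPR.finditer(value)]
    return findings

if __name__ == "__main__":
    print(*lint(WORKFLOW), sep="\n")
```

The env-mapped step and the `env.KEYSTORE_BASE64` condition produce no findings; the `secrets['NAME']` index form is not covered by these patterns.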

yhs0602 (Owner, Author) commented Feb 26, 2026

@copilot fix the build issue, and remove the unnecessary insecure steps such as signing (will work without in local installation - apk)

Copilot AI (Contributor) commented Feb 26, 2026

@yhs0602 I've opened a new pull request, #727, to work on those changes. Once the pull request is ready, I'll request review from you.
