Add GitHub Actions workflow to build signed APK#1
Conversation
Co-authored-by: LeMyst <1592048+LeMyst@users.noreply.github.com>
Delete .github/workflows/rtchat.yml which defined the RealtimeChat App CI workflow. The removed file contained iOS and Android jobs that referenced muxable reusable workflows, concurrency groups, environment/publish settings, environment URLs, package name, and required secrets for App Store and Google Play publishing.
LeMyst
force-pushed
the
copilot/add-github-workflow-build-apk
branch
from
a9dd417 to
4a46e82
Compare
There was a problem hiding this comment.
Pull request overview
Adds a GitHub Actions workflow to produce a signed Android release APK as a CI artifact, and adjusts existing CI workflows.
Changes:
- Add
build-apk.ymlworkflow to decode the signing keystore from secrets, build a release APK, and upload it as an artifact. - Update Flutter analyze workflow to not fail the job on analyzer warnings.
- Remove the previous
rtchat.ymlworkflow that invoked reusable iOS/Android publish workflows.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
.github/workflows/rtchat.yml |
Removes the existing cross-platform (iOS/Android) reusable publish workflow. |
.github/workflows/flutter-analyze.yml |
Changes analyzer behavior so warnings are not fatal in CI. |
.github/workflows/build-apk.yml |
Introduces a new workflow to build and upload a signed release APK artifact. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| workflow_dispatch: |
There was a problem hiding this comment.
The workflow runs on pull_request but uses repository secrets to decode the upload keystore and sign the APK. For PRs from forks, secrets won’t be available and the job will fail; for same-repo PRs, this expands exposure of signing credentials to untrusted PR code. Consider restricting signing to push/workflow_dispatch only, or gating the job/steps with an if: check (e.g., only when github.event.pull_request.head.repo.full_name == github.repository and/or github.event_name != 'pull_request') and using a protected environment for the signing secrets.
| name: Build Signed APK | ||
|
|
There was a problem hiding this comment.
This PR is described as adding an APK build workflow, but it also removes the existing rtchat.yml workflow (which previously ran reusable iOS/Android publish jobs). If that removal is intentional, it should be called out in the PR description; otherwise, consider restoring/renaming the old workflow so the release/publish automation isn’t inadvertently dropped.
| uses: invertase/github-action-dart-analyzer@v3 | ||
| with: | ||
| fatal-warnings: false |
There was a problem hiding this comment.
Setting fatal-warnings: false changes CI behavior so analyzer warnings no longer fail the workflow. If this is intentional, it should be justified in the PR description (or scoped to specific warnings) since it weakens the quality gate for all Flutter changes on main/PRs.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Adds a workflow that builds a signed release APK and uploads it as a job artifact.
main,workflow_dispatchUPLOAD_KEYSTOREsecret to a temp.jksfile; passesKEY_ALIAS,KEY_PASSWORD,STORE_FILE,STORE_PASSWORDenv vars consumed by the existingandroid/app/build.gradlesigning configflutter build apk --releasewith Java 17 + Flutter viasubosito/flutter-action@v2app-release.apkviaactions/upload-artifact@v4assigned-apkReuses the same secrets (
UPLOAD_KEYSTORE,UPLOAD_KEYSTORE_PASSWORD) already configured for the Play Store workflow inrtchat.yml.💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.