From d024e82620f7ec179f8d2a8a9029dd9d0b755d50 Mon Sep 17 00:00:00 2001 From: Aleksandar Apostolov Date: Fri, 10 Jul 2026 10:06:04 +0200 Subject: [PATCH 1/4] ci: attach compose sample APK to GitHub releases Publish the compose demo APK as a release asset under a constant filename so the website can link a stable latest/download URL. Triggered by the release published event emitted by the build-conventions release workflow. --- .github/workflows/attach-release-apk.yml | 38 ++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/attach-release-apk.yml diff --git a/.github/workflows/attach-release-apk.yml b/.github/workflows/attach-release-apk.yml new file mode 100644 index 00000000000..58db33f7d56 --- /dev/null +++ b/.github/workflows/attach-release-apk.yml @@ -0,0 +1,38 @@ +name: Attach sample APK to release + +on: + release: + types: [published] + +permissions: + contents: write + +concurrency: + group: attach-apk-${{ github.event.release.tag_name }} + cancel-in-progress: false + +jobs: + attach-compose-sample-apk: + name: Build and attach Compose sample APK + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.release.tag_name }} + - uses: GetStream/android-ci-actions/actions/setup-java@main + - name: Prepare signing environment + run: | + git fetch --unshallow || true + echo "${{ secrets.RELEASE_KEYSTORE }}" > .sign/release.keystore.asc + gpg -d --passphrase "${{ secrets.PASSPHRASE }}" --batch .sign/release.keystore.asc > .sign/release.keystore + echo "${{ secrets.RELEASE_KEYSTORE_PROPERTIES }}" > .sign/keystore.properties.asc + gpg -d --passphrase "${{ secrets.PASSPHRASE }}" --batch .sign/keystore.properties.asc > .sign/keystore.properties + - name: Assemble Compose sample (demo/release) + run: bash ./gradlew :stream-chat-android-compose-sample:assembleDemoRelease --stacktrace + - name: Attach APK to release under a constant name + env: + GH_TOKEN: ${{ github.token }} + run: | + gh release upload "${{ github.event.release.tag_name }}" \ + "stream-chat-android-compose-sample/build/outputs/apk/demo/release/stream-chat-android-compose-sample-demo-release.apk#stream-chat-android-sample.apk" \ + --clobber From ade167ec58cc5be1204b21d9442ac647e2a96240 Mon Sep 17 00:00:00 2001 From: Aleksandar Apostolov Date: Fri, 10 Jul 2026 14:06:24 +0200 Subject: [PATCH 2/4] ci: pass release signing secrets via env instead of inline expansion Avoids expanding secrets directly in the run block (SonarCloud findings); pass them as step env vars referenced as shell variables. --- .github/workflows/attach-release-apk.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/attach-release-apk.yml b/.github/workflows/attach-release-apk.yml index 58db33f7d56..71dcbf5566f 100644 --- a/.github/workflows/attach-release-apk.yml +++ b/.github/workflows/attach-release-apk.yml @@ -21,12 +21,16 @@ jobs: ref: ${{ github.event.release.tag_name }} - uses: GetStream/android-ci-actions/actions/setup-java@main - name: Prepare signing environment + env: + RELEASE_KEYSTORE: ${{ secrets.RELEASE_KEYSTORE }} + RELEASE_KEYSTORE_PROPERTIES: ${{ secrets.RELEASE_KEYSTORE_PROPERTIES }} + PASSPHRASE: ${{ secrets.PASSPHRASE }} run: | git fetch --unshallow || true - echo "${{ secrets.RELEASE_KEYSTORE }}" > .sign/release.keystore.asc - gpg -d --passphrase "${{ secrets.PASSPHRASE }}" --batch .sign/release.keystore.asc > .sign/release.keystore - echo "${{ secrets.RELEASE_KEYSTORE_PROPERTIES }}" > .sign/keystore.properties.asc - gpg -d --passphrase "${{ secrets.PASSPHRASE }}" --batch .sign/keystore.properties.asc > .sign/keystore.properties + echo "$RELEASE_KEYSTORE" > .sign/release.keystore.asc + gpg -d --passphrase "$PASSPHRASE" --batch .sign/release.keystore.asc > .sign/release.keystore + echo "$RELEASE_KEYSTORE_PROPERTIES" > .sign/keystore.properties.asc + gpg -d --passphrase "$PASSPHRASE" --batch .sign/keystore.properties.asc > .sign/keystore.properties - name: Assemble Compose sample (demo/release) run: bash ./gradlew :stream-chat-android-compose-sample:assembleDemoRelease --stacktrace - name: Attach APK to release under a constant name From 80b847ccc7f1ded079f5ca1e370866fabd76c150 Mon Sep 17 00:00:00 2001 From: Aleksandar Apostolov Date: Fri, 10 Jul 2026 14:15:06 +0200 Subject: [PATCH 3/4] ci: harden release checkout and tag handling Set persist-credentials: false so the checkout token is not written to .git/config while building from the release tag, and fetch full history via fetch-depth: 0 instead of an authenticated post-checkout fetch. Pass the release tag through an env var to avoid shell injection from attacker-controllable tag names. --- .github/workflows/attach-release-apk.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/attach-release-apk.yml b/.github/workflows/attach-release-apk.yml index 71dcbf5566f..77ab572c106 100644 --- a/.github/workflows/attach-release-apk.yml +++ b/.github/workflows/attach-release-apk.yml @@ -19,6 +19,8 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ github.event.release.tag_name }} + fetch-depth: 0 + persist-credentials: false - uses: GetStream/android-ci-actions/actions/setup-java@main - name: Prepare signing environment env: @@ -26,7 +28,6 @@ jobs: RELEASE_KEYSTORE_PROPERTIES: ${{ secrets.RELEASE_KEYSTORE_PROPERTIES }} PASSPHRASE: ${{ secrets.PASSPHRASE }} run: | - git fetch --unshallow || true echo "$RELEASE_KEYSTORE" > .sign/release.keystore.asc gpg -d --passphrase "$PASSPHRASE" --batch .sign/release.keystore.asc > .sign/release.keystore echo "$RELEASE_KEYSTORE_PROPERTIES" > .sign/keystore.properties.asc @@ -36,7 +37,8 @@ jobs: - name: Attach APK to release under a constant name env: GH_TOKEN: ${{ github.token }} + RELEASE_TAG: ${{ github.event.release.tag_name }} run: | - gh release upload "${{ github.event.release.tag_name }}" \ + gh release upload "$RELEASE_TAG" \ "stream-chat-android-compose-sample/build/outputs/apk/demo/release/stream-chat-android-compose-sample-demo-release.apk#stream-chat-android-sample.apk" \ --clobber From 4604d3701b02d81c366042a156b7825ddf978cd6 Mon Sep 17 00:00:00 2001 From: Aleksandar Apostolov Date: Fri, 10 Jul 2026 14:16:58 +0200 Subject: [PATCH 4/4] ci: bump checkout to v6 to match build-conventions convention --- .github/workflows/attach-release-apk.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/attach-release-apk.yml b/.github/workflows/attach-release-apk.yml index 77ab572c106..d0363456b9e 100644 --- a/.github/workflows/attach-release-apk.yml +++ b/.github/workflows/attach-release-apk.yml @@ -16,7 +16,7 @@ jobs: name: Build and attach Compose sample APK runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: ref: ${{ github.event.release.tag_name }} fetch-depth: 0