Fix secrets access in workflow conditional

- Move secrets to env block instead of if condition - Use bash conditional to check if keystore is available - Provide clear logging for signed vs unsigned builds
2025-12-16 14:10:52 +01:00 · 2025-11-01 15:28:06 +01:00
parent f14ce0d6ad
commit 72bb211a76
1 changed files with 15 additions and 6 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -166,13 +166,22 @@ jobs:
        run: pnpm install --frozen-lockfile

      - name: Setup Keystore (if secrets available)
-        if: ${{ secrets.ANDROID_KEYSTORE != '' }}
+        env:
+          ANDROID_KEYSTORE: ${{ secrets.ANDROID_KEYSTORE }}
+          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
+          ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
+          ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
        run: |
-          echo "${{ secrets.ANDROID_KEYSTORE }}" | base64 -d > $HOME/keystore.jks
-          echo "ANDROID_KEYSTORE_PATH=$HOME/keystore.jks" >> $GITHUB_ENV
-          echo "ANDROID_KEYSTORE_PASSWORD=${{ secrets.ANDROID_KEYSTORE_PASSWORD }}" >> $GITHUB_ENV
-          echo "ANDROID_KEY_ALIAS=${{ secrets.ANDROID_KEY_ALIAS }}" >> $GITHUB_ENV
-          echo "ANDROID_KEY_PASSWORD=${{ secrets.ANDROID_KEY_PASSWORD }}" >> $GITHUB_ENV
+          if [ -n "$ANDROID_KEYSTORE" ]; then
+            echo "$ANDROID_KEYSTORE" | base64 -d > $HOME/keystore.jks
+            echo "ANDROID_KEYSTORE_PATH=$HOME/keystore.jks" >> $GITHUB_ENV
+            echo "ANDROID_KEYSTORE_PASSWORD=$ANDROID_KEYSTORE_PASSWORD" >> $GITHUB_ENV
+            echo "ANDROID_KEY_ALIAS=$ANDROID_KEY_ALIAS" >> $GITHUB_ENV
+            echo "ANDROID_KEY_PASSWORD=$ANDROID_KEY_PASSWORD" >> $GITHUB_ENV
+            echo "Keystore configured for signing"
+          else
+            echo "No keystore configured, building unsigned APK"
+          fi

      - name: Build Android APK (unsigned if no keystore)
        run: pnpm tauri android build