ci: fall back to ephemeral keystore when secrets are unavailable

GitHub Actions does not expose secrets to workflows triggered by PRs from forks, so the lsposed job's `assembleRelease` was failing with a corrupt release.jks for every external contributor. Generate a throwaway keystore on the fly in that case so fork PRs get a green CI; signed-for-release artifacts (push/tag runs) keep using the real secrets unchanged.
2026-05-05 10:20:35 +00:00 · 2026-04-25 19:42:44 +03:00 · 2026-04-25 19:42:44 +03:00 · 4ad2ba8c2d
commit 4ad2ba8c2d
parent d6f6d62682
1 changed files with 14 additions and 1 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -182,7 +182,20 @@ jobs:
          KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
        run: |
          KEYSTORE_PATH="$GITHUB_WORKSPACE/lsposed/release.jks"
-          echo "$KEYSTORE_BASE64" | base64 --decode > "$KEYSTORE_PATH"
+          if [ -n "$KEYSTORE_BASE64" ]; then
+            echo "$KEYSTORE_BASE64" | base64 --decode > "$KEYSTORE_PATH"
+          else
+            echo "ANDROID_KEYSTORE_BASE64 is empty (fork PR); generating an ephemeral keystore. Resulting APK is signed with a throwaway key and is NOT suitable for release."
+            KEYSTORE_PASSWORD=ephemeral
+            KEY_ALIAS=ephemeral
+            keytool -genkeypair -v \
+              -keystore "$KEYSTORE_PATH" \
+              -storepass "$KEYSTORE_PASSWORD" \
+              -keypass "$KEYSTORE_PASSWORD" \
+              -alias "$KEY_ALIAS" \
+              -keyalg RSA -keysize 4096 -validity 365 \
+              -dname "CN=vpnhide-fork-ci, O=vpnhide, C=US"
+          fi
          cat > "$GITHUB_WORKSPACE/lsposed/keystore.properties" <<EOF
          password=$KEYSTORE_PASSWORD
          keyAlias=$KEY_ALIAS