anyproto · konstantiniiv · Aug 11, 2025 · Aug 11, 2025
@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
     inputs:
       tag:
-        description: 'Git tag to build from'
+        description: "Git tag to build from"
         required: true
         type: string
 
@@ -15,9 +15,9 @@ jobs:
 
     steps:
       - name: Checkout repo at tag
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
-          fetch-depth: 0 # needed to fetch all tags
+          fetch-depth: 0
           ref: ${{ github.event.inputs.tag }}
 
       - name: Set up Android NDK
@@ -29,7 +29,7 @@ jobs:
       - name: Set up Java
         uses: actions/setup-java@v3
         with:
-          distribution: "zulu"
+          distribution: zulu
           java-version: 17
 
       - name: Setup middleware dependency
@@ -39,22 +39,23 @@ jobs:
           amplitude_secret: ${{ secrets.ANYTYPE_AMPLITUDE_SECRET }}
           amplitude_secret_debug: ${{ secrets.ANYTYPE_AMPLITUDE_DEBUG_SECRET }}
           sentry_dsn_secret: ${{ secrets.ANYTYPE_SENTRY_DSN_SECRET }}
-        run: ./middleware2.sh $token_secret $user_secret $amplitude_secret $amplitude_secret_debug $sentry_dsn_secret
+        run: ./middleware2.sh "$token_secret" "$user_secret" "$amplitude_secret" "$amplitude_secret_debug" "$sentry_dsn_secret"
 
       - name: Decrypt secrets
-        run: ./scripts/release/decrypt-secrets.sh
         env:
           ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
+        run: ./scripts/release/decrypt-secrets.sh
 
       - name: Setup keystore
         env:
+          TOKEN_SECRET: ${{ secrets.ANYTYPE_SECRET }}
           RELEASE_KEY_ALIAS: ${{ secrets.RELEASE_KEY_ALIAS }}
           RELEASE_KEY_PWD: ${{ secrets.RELEASE_KEY_PWD }}
           RELEASE_STORE_PWD: ${{ secrets.RELEASE_STORE_PWD }}
-        run: ./scripts/release/setup-store.sh $token_secret $RELEASE_KEY_ALIAS $RELEASE_KEY_PWD $RELEASE_STORE_PWD
+        run: ./scripts/release/setup-store.sh "$TOKEN_SECRET" "$RELEASE_KEY_ALIAS" "$RELEASE_KEY_PWD" "$RELEASE_STORE_PWD"
 
       - name: Checkout license repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: anyproto/open
           ref: refs/heads/main
@@ -68,25 +69,40 @@ jobs:
           sudo gem install license_finder
           license_finder ignored_dependencies add skiko --why "Excluded due to native binary license concerns"
           license_finder inherited_decisions add open/decisions.yml
+
+          license_finder licenses add "KBase58" MIT --who "CI" --why "Upstream repo license" --homepage "https://github.com/komputing/KBase58"
+          license_finder licenses add "any-crypto-kotlin" MIT --who "CI" --why "Upstream repo license" --homepage "https://github.com/anyproto/any-crypto-kotlin"
+
+          license_finder permitted_licenses add MIT --who "CI" --why "Allowed OSS license"
           license_finder --gradle-command="./gradlew \
-          -Pcom.anytype.ci=true \
-          -Dorg.gradle.unsafe.configuration-cache=false"
+            -Pcom.anytype.ci=true \
+            -Dorg.gradle.unsafe.configuration-cache=false"
 
       - name: Prepare Android Manifest
         run: ./scripts/release/apk.sh
 
       - name: Build release APKs
         run: ./gradlew :app:assembleRelease -PenableAbiSplits=true
 
-      - name: Clean secrets
-        if: always()
-        run: ./scripts/release/clean-secrets.sh
-
       - name: Prepare artefacts
         run: ./scripts/release/prepare-release-artefacts.sh
 
       - name: Upload artefacts as GitHub Actions output
         uses: actions/upload-artifact@v4
         with:
           name: release-apks-${{ github.event.inputs.tag }}
-          path: app/build/outputs/apk/release/release-artefacts/
+          path: app/build/outputs/apk/release/release-artefacts/.
+
+      # ---- Cleanup is LAST, best-effort, and cannot fail the job ----
+      - name: Clean secrets
+        if: always()
+        run: |
+          set -u
+          if [ -x ./scripts/release/clean-secrets.sh ]; then
+            ./scripts/release/clean-secrets.sh
+          elif [ -f ./scripts/release/clean-secrets.sh ]; then
+            chmod +x ./scripts/release/clean-secrets.sh
+            ./scripts/release/clean-secrets.sh
+          else
+            echo "scripts/release/clean-secrets.sh not found; skipping"
+          fi