docker-publish.yml:
- Rewrote as matrix build + manifest merge.
- amd64 on ubuntu-latest, arm64 on ubuntu-24.04-arm (free for public
repos). No QEMU — argon2 and every other native dep compile on
their target CPU, no more SIGILL / exit 132.
- Per-arch GHA cache scopes so builds don't thrash each other.
- Final step merges both digests under one tag (vX.Y.Z + latest),
publishing a real multi-arch manifest. `docker pull` from either
arch gets the right variant automatically.
auto-version.yml, version-bump.yml:
- Checkout now uses `secrets.RELEASE_PAT || secrets.GITHUB_TOKEN`.
With RELEASE_PAT set, the tag push this workflow does DOES
trigger downstream (android-release, docker-publish). Without
it, falls back to GITHUB_TOKEN (no downstream trigger, what we
have today).
All workflows (auto-version, version-bump, android-release,
docker-publish):
- Added FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true' so actions
still on Node 20 runtime (checkout/cache/setup-*) opt in to
Node 24 early. GitHub makes Node 24 default 2026-06-02 and
removes Node 20 2026-09-16.
To finish the chain (one-time user step): create a fine-grained
PAT with "Contents: Read and write" on this repo and add as
RELEASE_PAT secret. After that `feat:` / `fix:` commits auto-tag
AND auto-build with zero manual intervention.
Adds .github/workflows/auto-version.yml that fires on every push to
main, parses commit messages since the last semver tag, and decides
whether to cut a new release:
feat: → minor bump (new feature, backward-compatible)
fix: → patch bump (bug fix)
feat!: → major bump (breaking change)
BREAKING CHANGE in body → major bump
docs/chore/refactor/style/test/ci → no release
If any commit since the last tag matches feat/fix/BREAKING, the
workflow bumps versions across package.json, mobile/package.json,
mobile/android/app/build.gradle, commits the change as
"Release vX.Y.Z", tags it, and pushes. The tag push then fires the
existing android-release and docker-publish workflows.
You no longer need to remember "what version am I on?" — just commit
with a conventional-commits prefix and push. Docs-only or refactor
commits don't create releases. Add [skip ci] to any commit message
to skip this workflow for that commit.
docker-publish.yml:
- Dropped linux/arm64 from the platforms matrix. The amd64 GitHub-
hosted runner builds arm64 under QEMU emulation, which fails at
native argon2 compile with SIGILL (exit 132). Your production
box is x86, so arm64 isn't needed. Add it back with a native
ARM runner the day you deploy to ARM hardware.
version-bump.yml (new):
- Manual Actions trigger. Click "Run workflow" → pick patch / minor /
major (or type a custom X.Y.Z). The workflow computes the next
semver from the current package.json version, updates all three
version sites (package.json, mobile/package.json, Android
versionName + versionCode), commits "Release vX.Y.Z", tags it,
and pushes. The tag push then fires android-release.yml and
docker-publish.yml automatically — APK + Docker image published
with no local commands required.
Typical flow now:
Actions → "Version bump & release" → Run workflow → patch
↓
Bump + tag in ~5 s
↓
Parallel: android APK build (~2 m), docker image push (~4 m)
↓
Both assets show up on the new release; Obtanium + docker-hub
subscribers see the update automatically.
On every v*.*.* tag push the workflow:
1. Checks out the repo
2. Sets up JDK 17 + Node 20 + Android SDK (cached between runs)
3. Runs npm install + npx cap sync android in mobile/
4. Restores the signing keystore from ANDROID_KEYSTORE_BASE64 secret
5. Builds a signed release APK via gradle
6. Renames to pedscribe-X.Y.Z.apk
7. Creates/updates the matching GitHub release with the APK attached
and make_latest=true so the /releases/latest URL always points to
the newest build (Obtanium and the login-page link pick it up
automatically)
Required repo secrets (set via gh secret set ... or the GitHub UI):
ANDROID_KEYSTORE_BASE64 base64 -w0 of the .jks file
ANDROID_KEYSTORE_PASSWORD keystore password
ANDROID_KEY_ALIAS key alias (pedscribe)
ANDROID_KEY_PASSWORD key password (same as keystore in our setup)
Typical release flow after this lands:
scripts/release.sh 6.1.1 --push (laptop, 5 sec)
── Actions builds APK in ~8-10 min ──
── Release updates automatically with signed APK ──
── Obtanium clients notice on next poll ──
The r0adkll/sign-android-release@v1 hardcodes build-tools 29.0.3 which
isn't available. Now uses apksigner from the latest installed build-tools
directly with zipalign + sign + verify steps.
The gradlew stub and missing gradle-wrapper.jar caused CI build to fail.
Now uses gradle/actions/setup-gradle@v4 to install Gradle, then generates
wrapper before building. Also renames signed APK and uploads both signed
and unsigned to GitHub Releases.