release.yml

name: Release

# ROADMAP §6 N6.2 — manual-trigger release workflow:
#   1. Requires the reproducible-build verifier to pass for the same commit.
#   2. Runs release-variant Roborazzi screenshot verification.
#   3. Builds the release variant.
#   4. Signs with the keystore stored as an encrypted secret.
#   5. Uploads the signed APK + SHA-256 manifest to a GitHub Release.
#   6. NOTICE / LICENSES attribution check (Apache-2.0 + SCOWL + LDNOOBW + FlorisBoard upstream).
#   7. SLSA Build L2 provenance attestation via actions/attest-build-provenance.
#   8. SPDX SBOM generation via anchore/sbom-action, attached to the release.
#
# Required repo secrets (set up under Settings → Secrets and variables → Actions):
#   SIGNING_KEYSTORE_BASE64   — base64-encoded contents of the .jks file
#   SIGNING_KEYSTORE_PASSWORD — keystore password
#   SIGNING_KEY_ALIAS         — key alias inside the keystore
#   SIGNING_KEY_PASSWORD      — key password
#
# If the secrets are absent (e.g. a fork running its own dispatch), the workflow
# falls back to producing an unsigned APK and skips the Release-create step;
# this lets contributors validate the build pipeline without owning the signing key.

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release version (must match gradle.properties projectVersionName, e.g. 1.7.2)"
        required: true
        type: string
      draft:
        description: "Create the GitHub Release as a draft"
        required: false
        type: boolean
        default: false

permissions:
  contents: write

jobs:
  reproducible:
    name: Reproducible APK verification
    uses: ./.github/workflows/reproducible-build.yml
    permissions:
      contents: read

  build:
    needs: reproducible
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
      attestations: write
    env:
      SIGNING_KEYSTORE_BASE64: ${{ secrets.SIGNING_KEYSTORE_BASE64 }}
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          submodules: recursive
          fetch-depth: 0

      - uses: gradle/actions/wrapper-validation@48b5f213c81028ace310571dc5ec0fbbca0b2947 # v4

      - name: Set up JDK 17
        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
        with:
          java-version: 17
          distribution: temurin

      - name: Cache Gradle
        uses: gradle/actions/setup-gradle@48b5f213c81028ace310571dc5ec0fbbca0b2947 # v4

      - name: Make gradlew executable
        run: chmod +x ./gradlew

      - name: Verify version matches input
        run: |
          declared=$(grep -E '^projectVersionName=' gradle.properties | cut -d= -f2)
          if [ "$declared" != "${{ inputs.version }}" ]; then
            echo "::error::projectVersionName ($declared) does not match input version (${{ inputs.version }}). Bump gradle.properties first."
            exit 1
          fi

      - name: Check release-front-door drift
        run: bash scripts/check-release-front-door.sh

      - name: Verify baseline profile was refreshed
        run: bash scripts/check-baseline-profile-freshness.sh

      - name: Verify NOTICE / LICENSES attributions present
        run: |
          test -f NOTICE || (echo "NOTICE missing"; exit 1)
          test -d LICENSES || (echo "LICENSES/ missing"; exit 1)

      - name: No-network contract check (N7.1)
        run: ./gradlew :app:verifyNoInternetPermission

      # Pin the personal-dictionary + clipboard excludes from
      # data_extraction_rules.xml against accidental rewrite at release time.
      # Same gate as android.yml; calling it explicitly here so a stale tree
      # cannot cut a release with a regressed extraction policy.
      - name: Verify data-extraction rules
        run: ./gradlew :app:verifyDataExtractionRules

      - name: Run unit tests
        run: ./gradlew :app:testDebugUnitTest

      # F24 — release resources / BuildConfig can drift from the debug visual
      # gate. The app module exposes :app:verifyRoborazziRelease as a stable
      # alias backed by the non-shipping releaseRoborazzi variant, which
      # initWith(release) but carries only the screenshot host overlay. Keep
      # this before APK signing/publication so a release-only screenshot
      # regression blocks the dispatch.
      - name: Roborazzi visual-regression verify (release variant)
        run: ./gradlew :app:verifyRoborazziRelease

      - name: Lint debug
        run: ./gradlew :app:lintDebug

      # ROADMAP matrix #9 + #44 — capture OSV scan status into the release body so each
      # tag carries a dated "OSV scan: ..." appendix. HIGH/CRITICAL advisories block
      # the release unless explicitly overridden in .github/osv-overrides.json.
      # See `docs/SECURITY.md` for the policy.
      - name: Generate Gradle dependency tree for OSV scan
        run: ./gradlew :app:dependencies --configuration releaseRuntimeClasspath > gradle-deps.txt

      - name: Run OSV-Scanner against the release tree
        id: osv-scan
        continue-on-error: true
        env:
          # SHA-256 of google/osv-scanner v2.0.2 linux_amd64. Pin the binary
          # by content hash so a compromised GitHub Releases CDN cannot swap a
          # malicious build under the same version tag. Refresh this value
          # alongside any v2.0.2 -> v2.x.y bump and re-record the digest.
          OSV_BINARY_SHA256: "3abcfd7126c453a00421487e721b296e0cb68085bd431d6cef60872774170fc8"
        run: |
          set +e
          curl -sSL -o osv-scanner "https://github.com/google/osv-scanner/releases/download/v2.0.2/osv-scanner_linux_amd64"
          actual_sha="$(sha256sum osv-scanner | awk '{print $1}')"
          if [ "$actual_sha" != "$OSV_BINARY_SHA256" ]; then
            echo "::error::osv-scanner SHA-256 mismatch."
            echo "  expected: $OSV_BINARY_SHA256"
            echo "  actual:   $actual_sha"
            echo "  Refusing to execute an unverified binary."
            exit 1
          fi
          chmod +x osv-scanner
          ./osv-scanner --recursive --skip-git --format=json ./ > osv-result.json
          osv_exit=$?
          echo "osv-exit=$osv_exit" >> "$GITHUB_OUTPUT"
          set -e

      - name: Gate on HIGH/CRITICAL advisories
        run: python3 scripts/osv-release-gate.py

      - name: Summarise OSV result into release appendix
        run: |
          scan_date=$(date -u +"%Y-%m-%d")
          scanner_version="osv-scanner v2.0.2"
          scan_completed=true
          if [ -s osv-result.json ]; then
            vuln_count=$(python3 -c "import json;d=json.load(open('osv-result.json'));n=sum(len(p.get('vulnerabilities', [])) for r in d.get('results', []) for p in r.get('packages', []));print(n)")
          else
            vuln_count="unknown"
            scan_completed=false
          fi
          {
            echo ""
            echo "---"
            echo ""
            echo "### Security scan (OSV)"
            echo ""
            echo "- **Scan date (UTC):** $scan_date"
            echo "- **Scanner:** $scanner_version"
            if [ "$scan_completed" = "false" ]; then
              echo "- **Result:** ⚠️ Scan did NOT complete — \`osv-result.json\` is missing or empty. Vulnerability status is unknown for this release. Check the workflow logs for the scan failure reason."
            elif [ "$vuln_count" = "0" ]; then
              echo "- **Result:** 0 known vulnerabilities in the \`releaseRuntimeClasspath\` of \`:app\`."
            else
              echo "- **Result:** $vuln_count advisory match(es) — see \`osv-result.json\` in the workflow artifacts. A clean scan today does not imply forever-immunity."
            fi
            echo ""
            echo "Reproduce locally: \`./gradlew :app:dependencies --configuration releaseRuntimeClasspath > gradle-deps.txt && osv-scanner --recursive --skip-git ./\`."
          } > RELEASE_OSV_SUMMARY.md

      - name: Upload OSV scan artifacts
        if: always()
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: swiftfloris-v${{ inputs.version }}-osv
          path: |
            osv-result.json
            gradle-deps.txt
            RELEASE_OSV_SUMMARY.md

      - name: Decode keystore
        id: decode-keystore
        if: ${{ env.SIGNING_KEYSTORE_BASE64 != '' }}
        env:
          SIGNING_KEYSTORE_BASE64: ${{ secrets.SIGNING_KEYSTORE_BASE64 }}
        run: |
          set -euo pipefail
          # Restrict file-mode of the keystore the moment it appears on disk.
          # `echo "$VAR" | base64 -d` adds a trailing newline to its input, so
          # any keystore whose base64 encoding lacks a trailing newline would
          # have a stray 0x0a appended pre-decode and the decoded bytes would
          # be one trailing-byte off. `printf '%s' "$VAR"` writes the exact
          # secret with no trailer.
          umask 077
          keystore_path="$RUNNER_TEMP/keystore.jks"
          printf '%s' "$SIGNING_KEYSTORE_BASE64" | base64 -d > "$keystore_path"
          chmod 600 "$keystore_path"
          # Verify the decoded file is non-empty and looks like a Java keystore
          # (magic bytes: FE ED FE ED for JKS, or 30 82 for PKCS#12 ASN.1
          # DER SEQUENCE). Anything else points at a secret-encoding mishap
          # and the build should fail fast rather than ship an unsigned APK
          # silently.
          if [ ! -s "$keystore_path" ]; then
            echo "::error::Decoded keystore is empty — check SIGNING_KEYSTORE_BASE64 secret." >&2
            exit 1
          fi
          head -c 4 "$keystore_path" | od -An -tx1 | tr -d ' \n' > "$RUNNER_TEMP/keystore.magic"
          magic=$(cat "$RUNNER_TEMP/keystore.magic")
          case "$magic" in
            feedfeed) ;;          # JKS
            3082*) ;;             # PKCS#12 (DER SEQUENCE)
            *)
              echo "::error::Decoded keystore does not start with a JKS or PKCS#12 magic prefix (got: $magic). Check SIGNING_KEYSTORE_BASE64 encoding." >&2
              exit 1
              ;;
          esac
          rm -f "$RUNNER_TEMP/keystore.magic"
          echo "keystore-path=$keystore_path" >> "$GITHUB_OUTPUT"

      - name: Build signed release APK
        if: ${{ env.SIGNING_KEYSTORE_BASE64 != '' }}
        env:
          SIGNING_KEYSTORE_BASE64: ${{ secrets.SIGNING_KEYSTORE_BASE64 }}
          SIGNING_KEYSTORE_PASSWORD: ${{ secrets.SIGNING_KEYSTORE_PASSWORD }}
          SIGNING_KEY_ALIAS: ${{ secrets.SIGNING_KEY_ALIAS }}
          SIGNING_KEY_PASSWORD: ${{ secrets.SIGNING_KEY_PASSWORD }}
          KEYSTORE_PATH: ${{ steps.decode-keystore.outputs.keystore-path }}
        run: ./gradlew :app:assembleRelease

      - name: Build unsigned release APK (fallback when no signing secrets)
        if: ${{ env.SIGNING_KEYSTORE_BASE64 == '' }}
        run: ./gradlew :app:assembleRelease

      - name: Locate release APK
        id: locate-apk
        run: |
          apk=$(ls app/build/outputs/apk/release/*.apk | head -n 1)
          test -f "$apk" || (echo "::error::No release APK produced"; exit 1)
          echo "apk-path=$apk" >> "$GITHUB_OUTPUT"
          echo "apk-name=$(basename $apk)" >> "$GITHUB_OUTPUT"

      # ROADMAP §7 Next-12.4 — 16 KB native-library alignment guard on the
      # release variant. android.yml runs the same check on the debug APK
      # every PR, but the release variant applies R8 minify/shrink and uses
      # different signing — its native .so layout is not transitively
      # validated by the debug build. Run zipalign here so a Play-style
      # 16-KB alignment regression cannot ship a tag. No-op for SwiftFloris
      # today (zero native libs), but engages the moment Next-2 (whisper.cpp),
      # N1.2 (CleverKeys ONNX), L1 (LiteRT-LM addon-tier), or L7 (MCP daemon)
      # bring native code back into the release variant.
      - name: 16 KB native-library alignment guard (release variant)
        env:
          APK: ${{ steps.locate-apk.outputs.apk-path }}
        run: |
          set -euo pipefail
          ANDROID_HOME="${ANDROID_HOME:-/usr/local/lib/android/sdk}"
          BUILD_TOOLS=$(ls -1 "$ANDROID_HOME/build-tools" | sort -V | tail -1)
          ZIPALIGN="$ANDROID_HOME/build-tools/$BUILD_TOOLS/zipalign"
          if [ ! -x "$ZIPALIGN" ]; then
            echo "::error::zipalign not found at $ZIPALIGN" >&2
            exit 1
          fi
          # zipalign -P 16 = require 16 KB alignment for *.so entries
          # (page-size in KB units). Exits non-zero if any .so is misaligned.
          "$ZIPALIGN" -c -P 16 -v 4 "$APK" || {
            echo "::error::Release APK contains a native library aligned to less than 16 KB. Rebuild against NDK r28+ (see ROADMAP §7 Next-12.4 + [STD-A15-16KB])."
            exit 1
          }
          echo "Release APK: all shipped native libraries (if any) are 16 KB aligned."

      - name: Generate SBOM (SPDX)
        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
        with:
          path: .
          output-file: swiftfloris-sbom.spdx.json
          format: spdx-json

      - name: Attest APK provenance (SLSA Build L2)
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: ${{ steps.locate-apk.outputs.apk-path }}

      - name: Compute SHA-256 manifest
        id: sha
        run: |
          cd "$(dirname '${{ steps.locate-apk.outputs.apk-path }}')"
          sha256sum "$(basename '${{ steps.locate-apk.outputs.apk-path }}')" > SHA256SUMS
          echo "manifest-path=$(pwd)/SHA256SUMS" >> "$GITHUB_OUTPUT"
          echo "## Artifact SHA-256" >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          cat SHA256SUMS >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"

      - name: Upload artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: swiftfloris-v${{ inputs.version }}
          path: |
            ${{ steps.locate-apk.outputs.apk-path }}
            ${{ steps.sha.outputs.manifest-path }}
            swiftfloris-sbom.spdx.json

      - name: Create GitHub Release
        if: ${{ env.SIGNING_KEYSTORE_BASE64 != '' }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SIGNING_KEYSTORE_BASE64: ${{ secrets.SIGNING_KEYSTORE_BASE64 }}
          # Pass dynamic values via env to avoid interpolating `${{ … }}`
          # directly into the shell command line (consistent with the
          # validate-strings-no-translations.yml hardening pattern).
          RELEASE_VERSION: ${{ inputs.version }}
          RELEASE_DRAFT: ${{ inputs.draft }}
          RELEASE_TARGET: ${{ github.ref_name }}
          APK_PATH: ${{ steps.locate-apk.outputs.apk-path }}
          MANIFEST_PATH: ${{ steps.sha.outputs.manifest-path }}
          SBOM_PATH: swiftfloris-sbom.spdx.json
        run: |
          set -euo pipefail
          tag="v${RELEASE_VERSION}"
          # Compose the release body: extract the per-version section from CHANGELOG.md when
          # present (local dispatches only — CHANGELOG.md is gitignored since 886c4aa, so CI
          # checkouts never have it), fall back to the tracked per-versionCode fastlane
          # changelog, then append the OSV scan appendix (matrix #9 + #44).
          # The CHANGELOG section runs from the version's <a id="vX.Y.Z"></a> anchor to the
          # next <a id="v..."> anchor.
          body_file="$(mktemp)"
          if [ -f CHANGELOG.md ]; then
            awk -v ver="$RELEASE_VERSION" '
              $0 == "<a id=\"v" ver "\"></a>" { in_section = 1; next }
              in_section && /^<a id="v[0-9]/ { exit }
              in_section { print }
            ' CHANGELOG.md > "$body_file"
          fi
          if [ ! -s "$body_file" ]; then
            version_code=$(grep -E '^projectVersionCode=' gradle.properties | cut -d= -f2)
            fastlane_changelog="fastlane/metadata/android/en-US/changelogs/${version_code}.txt"
            if [ -f "$fastlane_changelog" ]; then
              cat "$fastlane_changelog" > "$body_file"
            fi
          fi
          if [ -f RELEASE_OSV_SUMMARY.md ]; then
            cat RELEASE_OSV_SUMMARY.md >> "$body_file"
          fi
          cat >> "$body_file" <<'EOF'

          ## Install trust

          - **Canonical source:** https://github.com/SysAdminDoc/SwiftFloris
          - **Package ID:** `io.github.sysadmindoc.swiftfloris`
          - **GitHub / Obtainium channel:** this APK was built by the release workflow, signed with the SwiftFloris release key, and published with the attached `SHA256SUMS` manifest.
          - **Provenance attestation:** SLSA Build Level 2 — verify with `gh attestation verify <apk-file> --repo SysAdminDoc/SwiftFloris`.
          - **SBOM:** SPDX JSON attached (`swiftfloris-sbom.spdx.json`).
          - **F-Droid channel:** prepared for fdroiddata submission with reproducible-build and no-network gates in CI. If accepted, the F-Droid build/signature is a separate Android install channel; stay on one channel unless you back up, uninstall, reinstall, and restore.
          - **No-network proof:** CI fails if the merged app manifest declares `INTERNET`, `ACCESS_NETWORK_STATE`, `ACCESS_WIFI_STATE`, `CHANGE_NETWORK_STATE`, or `CHANGE_WIFI_STATE`.
          - **Reproducibility proof:** this release job depends on the build-twice APK verifier before signing and publication.
          - **Security reports:** use GitHub Security Advisories when available, or open a minimal GitHub issue asking for private follow-up before sharing exploit details or private data.
          EOF
          draft_arg=()
          if [ "$RELEASE_DRAFT" = "true" ]; then
            draft_arg+=(--draft)
          fi
          if [ -s "$body_file" ]; then
            gh release create "$tag" \
              "$APK_PATH" \
              "$MANIFEST_PATH" \
              "$SBOM_PATH" \
              --title "SwiftFloris v${RELEASE_VERSION}" \
              --notes-file "$body_file" \
              "${draft_arg[@]}" \
              --target "$RELEASE_TARGET"
          else
            gh release create "$tag" \
              "$APK_PATH" \
              "$MANIFEST_PATH" \
              "$SBOM_PATH" \
              --title "SwiftFloris v${RELEASE_VERSION}" \
              --generate-notes \
              "${draft_arg[@]}" \
              --target "$RELEASE_TARGET"
          fi