name: Build on: push: branches: - main - release/**/* workflow_dispatch: inputs: version-name: description: "Optional. Version string to use, in X.Y.Z format. Overrides default in the project." required: false type: string version-code: description: "Optional. Build number to use. Overrides default of GitHub run number." required: false type: number patch_version: description: "Order 999 - Overrides Patch version" type: boolean distribute-to-firebase: description: "Optional. Distribute artifacts to Firebase." required: false default: true type: boolean publish-to-play-store: description: "Optional. Deploy bundle artifact to Google Play Store" required: false default: true type: boolean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_ACTION_RUN_URL: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" DISTRIBUTE_TO_FIREBASE: ${{ inputs.distribute-to-firebase || github.event_name == 'push' }} PUBLISH_TO_PLAY_STORE: ${{ inputs.publish-to-play-store || github.event_name == 'push' }} permissions: contents: read packages: read jobs: version: name: Calculate Version Name and Number uses: bitwarden/android/.github/workflows/_version.yml@main with: app_codename: "bwpm" # Start from 11000 to prevent collisions with mobile build version codes base_version_number: 11000 version_name: ${{ inputs.version-name }} version_number: ${{ inputs.version-code }} patch_version: ${{ inputs.patch_version && '999' || '' }} publish_playstore: name: Publish Play Store artifacts needs: - version runs-on: ubuntu-24.04 permissions: id-token: write strategy: fail-fast: false matrix: variant: ["prod", "dev"] artifact: ["apk", "aab"] steps: - name: Check out repo uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main with: subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Get Azure Key Vault secrets id: get-kv-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main with: keyvault: gh-android secrets: "UPLOAD-KEYSTORE-PASSWORD,UPLOAD-BETA-KEYSTORE-PASSWORD,UPLOAD-BETA-KEY-PASSWORD,PLAY-KEYSTORE-PASSWORD,PLAY-BETA-KEYSTORE-PASSWORD,PLAY-BETA-KEY-PASSWORD" - name: Retrieve secrets env: ACCOUNT_NAME: bitwardenci CONTAINER_NAME: mobile run: | mkdir -p ${{ github.workspace }}/secrets mkdir -p ${{ github.workspace }}/app/src/standardBeta mkdir -p ${{ github.workspace }}/app/src/standardRelease az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name app_play-keystore.jks --file ${{ github.workspace }}/keystores/app_play-keystore.jks --output none az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name app_upload-keystore.jks --file ${{ github.workspace }}/keystores/app_upload-keystore.jks --output none az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name play_creds.json --file ${{ github.workspace }}/secrets/play_creds.json --output none az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name app_beta_play-keystore.jks --file ${{ github.workspace }}/keystores/app_beta_play-keystore.jks --output none az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name app_beta_upload-keystore.jks --file ${{ github.workspace }}/keystores/app_beta_upload-keystore.jks --output none az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name google-services.json --file ${{ github.workspace }}/app/src/standardRelease/google-services.json --output none az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name google-services.json --file ${{ github.workspace }}/app/src/standardBeta/google-services.json --output none - name: Download Firebase credentials if: ${{ matrix.variant == 'prod' && env.DISTRIBUTE_TO_FIREBASE }} env: ACCOUNT_NAME: bitwardenci CONTAINER_NAME: mobile run: | mkdir -p ${{ github.workspace }}/secrets az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name app_play_prod_firebase-creds.json --file ${{ github.workspace }}/secrets/app_play_prod_firebase-creds.json --output none - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main - name: Setup Android Build uses: ./.github/actions/setup-android-build - name: Update app CI Build info run: | ./scripts/update_app_ci_build_info.sh \ "$GITHUB_REPOSITORY" \ "$GITHUB_REF_NAME" \ "$GITHUB_SHA" \ "$GITHUB_RUN_ID" \ "$GITHUB_RUN_ATTEMPT" - name: Increment version env: VERSION_CODE: ${{ needs.version.outputs.version_number || github.run_number }} VERSION_NAME: ${{ needs.version.outputs.version_name }} run: ./.github/scripts/set-build-version.sh "$VERSION_CODE" "$VERSION_NAME" - name: Generate release Play Store bundle if: ${{ matrix.variant == 'prod' && matrix.artifact == 'aab' }} env: UPLOAD_KEYSTORE_PASSWORD: ${{ steps.get-kv-secrets.outputs.UPLOAD-KEYSTORE-PASSWORD }} run: | bundle exec fastlane bundlePlayStoreRelease \ storeFile:app_upload-keystore.jks \ storePassword:$UPLOAD_KEYSTORE_PASSWORD \ keyAlias:upload \ keyPassword:$UPLOAD_KEYSTORE_PASSWORD - name: Generate beta Play Store bundle if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }} env: UPLOAD_BETA_KEYSTORE_PASSWORD: ${{ steps.get-kv-secrets.outputs.UPLOAD-BETA-KEYSTORE-PASSWORD }} UPLOAD_BETA_KEY_PASSWORD: ${{ steps.get-kv-secrets.outputs.UPLOAD-BETA-KEY-PASSWORD }} run: | bundle exec fastlane bundlePlayStoreBeta \ storeFile:app_beta_upload-keystore.jks \ storePassword:$UPLOAD_BETA_KEYSTORE_PASSWORD \ keyAlias:bitwarden-beta-upload \ keyPassword:$UPLOAD_BETA_KEY_PASSWORD - name: Generate release Play Store APK if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }} env: PLAY_KEYSTORE_PASSWORD: ${{ steps.get-kv-secrets.outputs.PLAY-KEYSTORE-PASSWORD }} run: | bundle exec fastlane assemblePlayStoreReleaseApk \ storeFile:app_play-keystore.jks \ storePassword:$PLAY_KEYSTORE_PASSWORD \ keyAlias:bitwarden \ keyPassword:$PLAY_KEYSTORE_PASSWORD - name: Generate beta Play Store APK if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }} env: PLAY_BETA_KEYSTORE_PASSWORD: ${{ steps.get-kv-secrets.outputs.PLAY-BETA-KEYSTORE-PASSWORD }} PLAY_BETA_KEY_PASSWORD: ${{ steps.get-kv-secrets.outputs.PLAY-BETA-KEY-PASSWORD }} run: | bundle exec fastlane assemblePlayStoreBetaApk \ storeFile:app_beta_play-keystore.jks \ storePassword:$PLAY_BETA_KEYSTORE_PASSWORD \ keyAlias:bitwarden-beta \ keyPassword:$PLAY_BETA_KEY_PASSWORD - name: Generate debug Play Store APKs if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }} run: | bundle exec fastlane assembleDebugApks - name: Upload to GitHub Artifacts - prod.aab if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }} uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden.aab path: app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden.aab if-no-files-found: error - name: Upload to GitHub Artifacts - beta.aab if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }} uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden.beta.aab path: app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden.beta.aab if-no-files-found: error - name: Upload to GitHub Artifacts - prod.apk if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }} uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden.apk path: app/build/outputs/apk/standard/release/com.x8bit.bitwarden.apk if-no-files-found: error - name: Upload to GitHub Artifacts - beta.apk if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }} uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden.beta.apk path: app/build/outputs/apk/standard/beta/com.x8bit.bitwarden.beta.apk if-no-files-found: error # When building variants other than 'prod' - name: Upload to GitHub Artifacts - dev.apk if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }} uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden.${{ matrix.variant }}.apk path: app/build/outputs/apk/standard/debug/com.x8bit.bitwarden.dev.apk if-no-files-found: error - name: Create checksum for release .apk artifact if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }} run: | sha256sum "app/build/outputs/apk/standard/release/com.x8bit.bitwarden.apk" \ > ./com.x8bit.bitwarden.apk-sha256.txt - name: Create checksum for beta .apk artifact if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }} run: | sha256sum "app/build/outputs/apk/standard/beta/com.x8bit.bitwarden.beta.apk" \ > ./com.x8bit.bitwarden.beta.apk-sha256.txt - name: Create checksum for release .aab artifact if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }} run: | sha256sum "app/build/outputs/bundle/standardRelease/com.x8bit.bitwarden.aab" \ > ./com.x8bit.bitwarden.aab-sha256.txt - name: Create checksum for beta .aab artifact if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }} run: | sha256sum "app/build/outputs/bundle/standardBeta/com.x8bit.bitwarden.beta.aab" \ > ./com.x8bit.bitwarden.beta.aab-sha256.txt - name: Create checksum for Debug .apk artifact if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }} run: | sha256sum "app/build/outputs/apk/standard/debug/com.x8bit.bitwarden.dev.apk" \ > ./com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt - name: Upload to GitHub Artifacts - prod.apk-sha256.txt if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }} uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden.apk-sha256.txt path: ./com.x8bit.bitwarden.apk-sha256.txt if-no-files-found: error - name: Upload to GitHub Artifacts - beta.apk-sha256.txt if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }} uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden.beta.apk-sha256.txt path: ./com.x8bit.bitwarden.beta.apk-sha256.txt if-no-files-found: error - name: Upload to GitHub Artifacts - prod.aab-sha256.txt if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }} uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden.aab-sha256.txt path: ./com.x8bit.bitwarden.aab-sha256.txt if-no-files-found: error - name: Upload to GitHub Artifacts - beta.aab-sha256.txt if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }} uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden.beta.aab-sha256.txt path: ./com.x8bit.bitwarden.beta.aab-sha256.txt if-no-files-found: error - name: Upload to GitHub Artifacts - debug.apk-sha256.txt if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }} uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt path: ./com.x8bit.bitwarden.${{ matrix.variant }}.apk-sha256.txt if-no-files-found: error - name: Install Firebase app distribution plugin if: ${{ matrix.variant == 'prod' && matrix.artifact == 'apk' && env.DISTRIBUTE_TO_FIREBASE }} run: bundle exec fastlane add_plugin firebase_app_distribution - name: Distribute to Firebase - prod.apk if: ${{ matrix.variant == 'prod' && matrix.artifact == 'apk' && env.DISTRIBUTE_TO_FIREBASE }} env: APP_PLAY_FIREBASE_CREDS_PATH: ${{ github.workspace }}/secrets/app_play_prod_firebase-creds.json run: | bundle exec fastlane distributeReleasePlayStoreToFirebase \ actionUrl:$GITHUB_ACTION_RUN_URL \ service_credentials_file:$APP_PLAY_FIREBASE_CREDS_PATH - name: Distribute to Firebase - beta.apk if: ${{ matrix.variant == 'prod' && matrix.artifact == 'apk' && env.DISTRIBUTE_TO_FIREBASE }} env: APP_PLAY_FIREBASE_CREDS_PATH: ${{ github.workspace }}/secrets/app_play_prod_firebase-creds.json run: | bundle exec fastlane distributeBetaPlayStoreToFirebase \ actionUrl:$GITHUB_ACTION_RUN_URL \ service_credentials_file:$APP_PLAY_FIREBASE_CREDS_PATH - name: Verify Play Store credentials if: ${{ matrix.variant == 'prod' && matrix.artifact == 'aab' && env.PUBLISH_TO_PLAY_STORE }} run: | bundle exec fastlane run validate_play_store_json_key - name: Publish to Play Store - prod.aab if: ${{ matrix.variant == 'prod' && matrix.artifact == 'aab' && env.PUBLISH_TO_PLAY_STORE }} run: | bundle exec fastlane publishProdToPlayStore bundle exec fastlane publishBetaToPlayStore publish_fdroid: name: Publish F-Droid artifacts needs: - version runs-on: ubuntu-24.04 permissions: id-token: write steps: - name: Check out repo uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main with: subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Get Azure Key Vault secrets id: get-kv-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main with: keyvault: gh-android secrets: "FDROID-KEYSTORE-PASSWORD,FDROID-BETA-KEYSTORE-PASSWORD,FDROID-BETA-KEY-PASSWORD" - name: Retrieve secrets env: ACCOUNT_NAME: bitwardenci CONTAINER_NAME: mobile run: | az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name app_fdroid-keystore.jks --file ${{ github.workspace }}/keystores/app_fdroid-keystore.jks --output none az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name app_beta_fdroid-keystore.jks --file ${{ github.workspace }}/keystores/app_beta_fdroid-keystore.jks --output none - name: Download Firebase credentials if: ${{ env.DISTRIBUTE_TO_FIREBASE }} env: ACCOUNT_NAME: bitwardenci CONTAINER_NAME: mobile run: | mkdir -p ${{ github.workspace }}/secrets az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name app_fdroid_firebase-creds.json --file ${{ github.workspace }}/secrets/app_fdroid_firebase-creds.json --output none - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main - name: Setup Android Build uses: ./.github/actions/setup-android-build - name: Update app CI Build info run: | ./scripts/update_app_ci_build_info.sh \ "$GITHUB_REPOSITORY" \ "$GITHUB_REF_NAME" \ "$GITHUB_SHA" \ "$GITHUB_RUN_ID" \ "$GITHUB_RUN_ATTEMPT" - name: Increment version env: VERSION_CODE: ${{ needs.version.outputs.version_number || github.run_number }} VERSION_NAME: ${{ needs.version.outputs.version_name }} run: ./.github/scripts/set-build-version.sh "$VERSION_CODE" "$VERSION_NAME" - name: Generate F-Droid artifacts env: FDROID_STORE_PASSWORD: ${{ steps.get-kv-secrets.outputs.FDROID-KEYSTORE-PASSWORD }} run: | bundle exec fastlane assembleFDroidReleaseApk \ storeFile:app_fdroid-keystore.jks \ storePassword:$FDROID_STORE_PASSWORD \ keyAlias:bitwarden \ keyPassword:$FDROID_STORE_PASSWORD - name: Generate F-Droid Beta Artifacts env: FDROID_BETA_KEYSTORE_PASSWORD: ${{ steps.get-kv-secrets.outputs.FDROID-BETA-KEYSTORE-PASSWORD }} FDROID_BETA_KEY_PASSWORD: ${{ steps.get-kv-secrets.outputs.FDROID-BETA-KEY-PASSWORD }} run: | bundle exec fastlane assembleFDroidBetaApk \ storeFile:app_beta_fdroid-keystore.jks \ storePassword:$FDROID_BETA_KEYSTORE_PASSWORD \ keyAlias:bitwarden-beta \ keyPassword:$FDROID_BETA_KEY_PASSWORD - name: Upload to GitHub Artifacts - fdroid.apk uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden-fdroid.apk path: app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid.apk if-no-files-found: error - name: Create checksum for F-Droid artifact run: | sha256sum "app/build/outputs/apk/fdroid/release/com.x8bit.bitwarden-fdroid.apk" \ > ./com.x8bit.bitwarden-fdroid.apk-sha256.txt - name: Upload to GitHub Artifacts - fdroid.apk-sha256.txt uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden-fdroid.apk-sha256.txt path: ./com.x8bit.bitwarden-fdroid.apk-sha256.txt if-no-files-found: error - name: Upload to GitHub Artifacts - beta.fdroid.apk uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden.beta-fdroid.apk path: app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden.beta-fdroid.apk if-no-files-found: error - name: Create checksum for F-Droid Beta artifact run: | sha256sum "app/build/outputs/apk/fdroid/beta/com.x8bit.bitwarden.beta-fdroid.apk" \ > ./com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt - name: Upload to GitHub Artifacts - beta.fdroid.apk-sha256.txt uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt path: ./com.x8bit.bitwarden.beta-fdroid.apk-sha256.txt if-no-files-found: error - name: Install Firebase app distribution plugin if: ${{ env.DISTRIBUTE_TO_FIREBASE }} run: bundle exec fastlane add_plugin firebase_app_distribution - name: Distribute to Firebase - fdroid.apk if: ${{ env.DISTRIBUTE_TO_FIREBASE }} env: APP_FDROID_FIREBASE_CREDS_PATH: ${{ github.workspace }}/secrets/app_fdroid_firebase-creds.json run: | bundle exec fastlane distributeReleaseFDroidToFirebase \ actionUrl:$GITHUB_ACTION_RUN_URL \ service_credentials_file:$APP_FDROID_FIREBASE_CREDS_PATH