修复 CI 签名构建与发布校验

Author: Pangu-Immortal

.github/workflows/android-build.yml

@@ -23,6 +23,9 @@ jobs:
   build:
     name: Build AAB & APK
     runs-on: ubuntu-latest
+    outputs:
+      signing_enabled: ${{ steps.signing.outputs.enabled }}
+      build_mode: ${{ steps.build_mode.outputs.mode }}
 
     steps:
       - name: Checkout
@@ -58,22 +61,54 @@ jobs:
         run: ./gradlew lint
         continue-on-error: true
 
+      - name: Check release signing secrets
+        id: signing
+        env:
+          KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
+          KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
+          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
+          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
+        run: |
+          if [[ -n "$KEYSTORE_BASE64" && -n "$KEYSTORE_PASSWORD" && -n "$KEY_ALIAS" && -n "$KEY_PASSWORD" ]]; then
+            echo "enabled=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "enabled=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Resolve build mode
+        id: build_mode
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "mode=debug" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.event_name }}" == "workflow_dispatch" && "${{ github.event.inputs.build_type }}" == "debug" ]]; then
+            echo "mode=debug" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ steps.signing.outputs.enabled }}" == "true" ]]; then
+            echo "mode=release" >> "$GITHUB_OUTPUT"
+          else
+            echo "mode=debug" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Validate release signing secrets
+        if: (startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'workflow_dispatch' && github.event.inputs.build_type == 'release')) && steps.signing.outputs.enabled != 'true'
+        run: |
+          echo "::error::Release builds require KEYSTORE_BASE64, KEYSTORE_PASSWORD, KEY_ALIAS and KEY_PASSWORD secrets."
+          exit 1
+
       - name: Build Debug AAB
-        if: github.event_name == 'pull_request' || (github.event_name == 'workflow_dispatch' && github.event.inputs.build_type == 'debug')
+        if: steps.build_mode.outputs.mode == 'debug'
         run: ./gradlew bundleDebug
 
       - name: Build Debug APK
-        if: github.event_name == 'pull_request' || (github.event_name == 'workflow_dispatch' && github.event.inputs.build_type == 'debug')
+        if: steps.build_mode.outputs.mode == 'debug'
         run: ./gradlew assembleDebug
 
       - name: Decode Keystore
-        if: github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || github.event.inputs.build_type == 'release')
+        if: steps.build_mode.outputs.mode == 'release'
         run: |
           echo "${{ secrets.KEYSTORE_BASE64 }}" | base64 -d > app/keystore.jks
-        continue-on-error: true
 
       - name: Build Release AAB
-        if: github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || github.event.inputs.build_type == 'release')
+        if: steps.build_mode.outputs.mode == 'release'
         run: ./gradlew bundleRelease
         env:
           KEYSTORE_FILE: ${{ github.workspace }}/app/keystore.jks
@@ -82,7 +117,7 @@ jobs:
           KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
 
       - name: Build Release APK
-        if: github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || github.event.inputs.build_type == 'release')
+        if: steps.build_mode.outputs.mode == 'release'
         run: ./gradlew assembleRelease
         env:
           KEYSTORE_FILE: ${{ github.workspace }}/app/keystore.jks
@@ -93,15 +128,15 @@ jobs:
       - name: Upload AAB
         uses: actions/upload-artifact@v4
         with:
-          name: app-bundle-${{ github.event_name == 'pull_request' && 'debug' || github.event.inputs.build_type || 'release' }}
+          name: app-bundle-${{ steps.build_mode.outputs.mode }}
           path: app/build/outputs/bundle/**/*.aab
           retention-days: 30
         if: always()
 
       - name: Upload APK
         uses: actions/upload-artifact@v4
         with:
-          name: app-apk-${{ github.event_name == 'pull_request' && 'debug' || github.event.inputs.build_type || 'release' }}
+          name: app-apk-${{ steps.build_mode.outputs.mode }}
           path: app/build/outputs/apk/**/*.apk
           retention-days: 14
         if: always()
@@ -118,19 +153,38 @@ jobs:
     name: Deploy to Play Store
     needs: build
     runs-on: ubuntu-latest
-    if: startsWith(github.ref, 'refs/tags/v')
+    if: startsWith(github.ref, 'refs/tags/v') && needs.build.outputs.signing_enabled == 'true'
 
     steps:
       - name: Download AAB
         uses: actions/download-artifact@v4
         with:
           name: app-bundle-release
+          path: release
+
+      - name: Validate Play Store secrets
+        env:
+          PLAY_STORE_SERVICE_ACCOUNT: ${{ secrets.PLAY_STORE_SERVICE_ACCOUNT }}
+          PACKAGE_NAME: ${{ secrets.PACKAGE_NAME }}
+        run: |
+          if [[ -z "$PLAY_STORE_SERVICE_ACCOUNT" || -z "$PACKAGE_NAME" ]]; then
+            echo "::error::Play Store deployment requires PLAY_STORE_SERVICE_ACCOUNT and PACKAGE_NAME secrets."
+            exit 1
+          fi
+
+      - name: Validate release AAB
+        run: |
+          find release -name '*.aab' -print
+          if ! find release -name '*.aab' -print -quit | grep -q .; then
+            echo "::error::No release AAB found in downloaded artifact."
+            exit 1
+          fi
 
       - name: Deploy to Play Store
         uses: r0adkll/upload-google-play@v1
         with:
           serviceAccountJsonPlainText: ${{ secrets.PLAY_STORE_SERVICE_ACCOUNT }}
           packageName: ${{ secrets.PACKAGE_NAME }}
-          releaseFiles: release/*.aab
+          releaseFiles: release/**/*.aab
           track: internal
           status: completed

app/build.gradle.kts

@@ -33,19 +33,39 @@ plugins {
     alias(libs.plugins.kotlin.compose)
 }
 
+// 校验发布签名环境，避免空密钥或缺失密码时误用 release 签名。
+fun hasReleaseSigningEnv(): Boolean {
+    val keystoreFile = System.getenv("KEYSTORE_FILE")
+    val keystorePassword = System.getenv("KEYSTORE_PASSWORD")
+    val keyAlias = System.getenv("KEY_ALIAS")
+    val keyPassword = System.getenv("KEY_PASSWORD")
+    return !keystoreFile.isNullOrBlank() &&
+        !keystorePassword.isNullOrBlank() &&
+        !keyAlias.isNullOrBlank() &&
+        !keyPassword.isNullOrBlank() &&
+        file(keystoreFile).isFile
+}
+
 android {
     namespace = "com.google.services"
     compileSdk = 36
     ndkVersion = "27.2.12479018"
 
+    val releaseSigningEnabled = hasReleaseSigningEnv()
+    logger.lifecycle(
+        "KeepLiveService release signing: ${
+            if (releaseSigningEnabled) "enabled" else "disabled, fallback to debug signing"
+        }"
+    )
+
     signingConfigs {
         create("release") {
             val keystoreFile = System.getenv("KEYSTORE_FILE")
-            if (keystoreFile != null && file(keystoreFile).exists()) {
+            if (releaseSigningEnabled && !keystoreFile.isNullOrBlank()) {
                 storeFile = file(keystoreFile)
-                storePassword = System.getenv("KEYSTORE_PASSWORD") ?: ""
-                keyAlias = System.getenv("KEY_ALIAS") ?: ""
-                keyPassword = System.getenv("KEY_PASSWORD") ?: ""
+                storePassword = System.getenv("KEYSTORE_PASSWORD")
+                keyAlias = System.getenv("KEY_ALIAS")
+                keyPassword = System.getenv("KEY_PASSWORD")
             }
         }
     }
@@ -87,8 +107,8 @@ android {
                 "proguard-rules.pro"
             )
 
-            // CI 环境使用环境变量签名，本地开发使用 debug 签名
-            signingConfig = if (System.getenv("KEYSTORE_FILE") != null) {
+            // CI 环境签名参数完整时使用 release 签名，本地开发和缺少参数时使用 debug 签名。
+            signingConfig = if (releaseSigningEnabled) {
                 signingConfigs.getByName("release")
             } else {
                 signingConfigs.getByName("debug")