From 21ac70f10ca48f29e1308e1d03966bacc4b062ab Mon Sep 17 00:00:00 2001
From: norohind <60548839+norohind@users.noreply.github.com>
Date: Tue, 16 Apr 2024 20:13:21 +0300
Subject: [PATCH] CI: sign apk with present in repo debug key

This workflow reuses already existing in repo debug key in debug.keystore. I understand that this key can be used by anyone to sign any apk, but I don't think it should bother us. On our side this key is only going to be used for signing CI builds, so an malefactor could use this key only to replace installed from CI artifact DSUB to a malicous DSUB, I think it's unlikely somebody going to target this. Especially after we get DSub2000 to fdroid. Additionally, this would allow for third-party forks to provide builds, compatible with ours. Thus allowing for users to switch between forks of their choice, if desired. Also, it appers step setup-android isn't required, the flow works without it, so deleting it.
---
 .github/workflows/ci-build.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index fb9b2b24f..e155d32e8 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -13,10 +13,13 @@ jobs:
 with:
 java-version: '17'
 distribution: 'temurin'
- - uses: android-actions/setup-android@v3
 - uses: actions/checkout@v4
 - name: Build
 run: sh gradlew --no-daemon assembleRelease
+
+ - name: Sign the apk with debug key
+ run: /usr/local/lib/android/sdk/build-tools/34.0.0/apksigner sign --ks debug.keystore --ks-pass pass:android --ks-key-alias androiddebugkey app/build/outputs/apk/floss/release/*-release.apk
+
 - uses: actions/upload-artifact@v4
 with:
 name: DSub2000 APK
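Review bot: The new "Sign the apk with debug key" step signs the `assembleRelease` output with the in-repo `debug.keystore` (`--ks-pass pass:android`, alias `androiddebugkey`), so the uploaded artifact carries a signing identity anyone can reproduce, and Android will accept any same-package APK signed with that key as an update over a CI-installed build, keeping the app's stored data. The commit message accepts this risk, but nothing in the workflow or the artifact records it; a comment above the step such as `# Signed with the public debug keystore: CI test builds only, never a distribution channel` would keep the decision visible to whoever later reuses this job. A follow-up step running `apksigner verify --print-certs` on the signed file would put the certificate actually used into the build log. The step also hard-codes `/usr/local/lib/android/sdk/build-tools/34.0.0/apksigner`, which presumably depends on what the hosted runner image ships now that `setup-android` is removed; if the runner exports `ANDROID_HOME`, `"$ANDROID_HOME"/build-tools/34.0.0/apksigner` is less brittle.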