ci: isolated Zapstore publish workflow #427
Open

AnthonyRonning wants to merge 4 commits into master from
Separate workflow that triggers after Release completes successfully. Downloads the APK from the GitHub release and publishes to Zapstore in its own isolated runner with no access to build infrastructure.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
Walkthrough

Adds Zapstore publishing: a new GitHub Actions workflow that runs after the Release workflow to download the Android APK, install and invoke the Zapstore CLI (zsp) to publish using
Sequence Diagram

```mermaid
sequenceDiagram
    participant Release as Release Workflow
    participant GH as GitHub Actions
    participant Releases as GitHub Releases
    participant CLI as zsp (Zapstore CLI)
    participant Zapstore as Zapstore
    Release->>GH: workflow_run completed (head_sha)
    GH->>GH: sparse-checkout `zapstore.yaml`, icon
    GH->>Releases: locate release for head_sha, download `app-universal-release.apk`
    Releases->>GH: APK artifact
    GH->>GH: setup Go 1.22.x, install `zsp` v0.3.3
    GH->>GH: validate `ZAPSTORE_SIGN_WITH` secret
    GH->>CLI: `zsp publish --non-interactive --skip-preview --commit HEAD_SHA` (using `zapstore.yaml`)
    CLI->>Zapstore: upload & publish
    Zapstore->>CLI: publish result
    CLI->>GH: exit status
```
Deploying maple with

| Latest commit: | e017117 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://6b3aaba8.maple-ca8.pages.dev |
| Branch Preview URL: | https://zapstore-isolated-publish.maple-ca8.pages.dev |
- Remove ref: head_sha from checkout to avoid untrusted code execution
- Move head_branch and head_sha to env vars to prevent code injection

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

head_branch is the branch name (e.g. master), not the release tag. Query the GitHub API to find the release matching the commit SHA.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

workflow_run.head_branch contains the tag name when the triggering workflow was started by a release/tag event. Pass it safely through an env var instead of the broken target_commitish SHA lookup.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:

In @.github/workflows/zapstore-publish.yml:

- Around line 16-21: The checkout step using actions/checkout@v4 is missing a ref, so sparse-checkout pulls files from the default branch instead of the release commit; update the checkout step (the actions/checkout@v4 invocation) to include a pinned ref (e.g., github.event.release.tag_name or github.sha) so the sparse-checkout entries (zapstore.yaml and frontend/src-tauri/icons/icon.png) are fetched from the exact release commit rather than the default branch.
Replaces the approach in #426 with a fully isolated workflow.

What changed:

- `.github/workflows/zapstore-publish.yml` that triggers via `workflow_run` after the Release workflow succeeds
- `ZAPSTORE_SIGN_WITH` secret
- `gh release download` (no build artifacts or source code build access)
- `zapstore.yaml` and the icon file
- `zapstore.yaml` for app metadata

Isolation:

The runner never sees the Android keystore, NDK, Rust toolchain, or any build infrastructure. It just gets the published APK and signs it for Zapstore.

Secrets required:

- `ZAPSTORE_SIGN_WITH` -- your `nsec1...` or bunker URL

Closes #426
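The hardened shape the commits above describe (no `ref:` pointing at the triggering SHA, `head_branch`/`head_sha` passed through env vars rather than inlined in `run:`, release tag taken from `head_branch`), written here as an added example and not the PR's actual workflow file. The triggering workflow name, the omitted zsp install command and the assumption that zsp reads `ZAPSTORE_SIGN_WITH` from the environment are mine, not the page's.

```yaml
# Added example (not the PR's actual workflow file). Names marked
# "assumed" are not on the page.
name: Zapstore publish

on:
  workflow_run:
    workflows: ["Release"]   # assumed name of the triggering workflow
    types: [completed]

permissions:
  contents: read            # all that gh release download needs

jobs:
  publish:
    # Only run when the Release workflow actually succeeded.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    env:
      # Expression values go into env vars, never inline in `run:`, so a
      # crafted branch or tag name cannot be interpreted as shell syntax.
      RELEASE_TAG: ${{ github.event.workflow_run.head_branch }}
      HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
      GH_TOKEN: ${{ github.token }}
    steps:
      - uses: actions/checkout@v4
        with:
          # No `ref:` pointing at the triggering SHA: the manifest and icon
          # come from the trusted default branch, not from untrusted code.
          sparse-checkout: |
            zapstore.yaml
            frontend/src-tauri/icons/icon.png
          sparse-checkout-cone-mode: false
      - name: Download the release APK by tag
        run: |
          gh release download "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" \
            --pattern 'app-universal-release.apk'
      # (installing zsp v0.3.3 with Go 1.22.x goes here; command omitted)
      - name: Fail early if the signing secret is missing
        env:
          ZAPSTORE_SIGN_WITH: ${{ secrets.ZAPSTORE_SIGN_WITH }}
        run: |
          [ -n "$ZAPSTORE_SIGN_WITH" ] || { echo "ZAPSTORE_SIGN_WITH unset" >&2; exit 1; }
      - name: Publish to Zapstore
        env:
          ZAPSTORE_SIGN_WITH: ${{ secrets.ZAPSTORE_SIGN_WITH }}  # assumed zsp reads this var
        run: zsp publish --non-interactive --skip-preview --commit "$HEAD_SHA"
```

The only secret the job can reach is the one it needs, and the Android keystore and build toolchain are never exposed to this runner.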