From 71da372d835f50abf1b1b77e98c9acfd9c0f882a Mon Sep 17 00:00:00 2001 From: jwinterm Date: Tue, 19 May 2026 07:50:02 -0400 Subject: [PATCH 1/2] CI: install Go + gomobile if missing (for BitBox Flutter iOS bindings) scripts/build_bitbox_flutter.sh invokes build_bindings.sh which calls gomobile to generate iOS bindings for the Go BitBox client. Without Go + gomobile on the Mac runner, that step fails with 'gomobile: command not found'. Adds an idempotent step: install Go via brew if missing, then 'go install golang.org/x/mobile/cmd/{gomobile,gobind}@latest' if missing. Self-hosted runner persists $GOPATH/bin between runs, so steady-state is zero-cost after the first install. Same conditional-install pattern as Flutter + CocoaPods. --- .github/workflows/build-ios-sim.yml | 23 ++++++++++++++++++++-- .github/workflows/build-ios-testflight.yml | 19 ++++++++++++++++++ 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-ios-sim.yml b/.github/workflows/build-ios-sim.yml index b94c1f64..104627fa 100644 --- a/.github/workflows/build-ios-sim.yml +++ b/.github/workflows/build-ios-sim.yml @@ -62,11 +62,9 @@ jobs: pod --version exit 0 fi - # Prefer Homebrew on macOS — no sudo, installs into its own prefix. if command -v brew >/dev/null; then brew install cocoapods else - # Fallback: user-local gem install (no sudo). export GEM_HOME="$HOME/.gem" export PATH="$GEM_HOME/bin:$PATH" echo "GEM_HOME=$HOME/.gem" >> "$GITHUB_ENV" 
@@ -75,6 +73,27 @@ jobs: fi pod --version + - name: Install Go + gomobile (if missing) + run: | + if ! command -v go >/dev/null; then + if command -v brew >/dev/null; then + brew install go + else + echo "Go missing and brew not available"; exit 1 + fi + fi + go version + # Ensure $(go env GOPATH)/bin is on PATH for subsequent steps. + GOPATH=$(go env GOPATH) + echo "$GOPATH/bin" >> "$GITHUB_PATH" + export PATH="$PATH:$GOPATH/bin" + # gomobile + gobind are needed by scripts/build_bitbox_flutter.sh + if ! command -v gomobile >/dev/null; then + go install golang.org/x/mobile/cmd/gomobile@latest + go install golang.org/x/mobile/cmd/gobind@latest + fi + which gomobile && gomobile version || true + - name: Show toolchain run: | set -x diff --git a/.github/workflows/build-ios-testflight.yml b/.github/workflows/build-ios-testflight.yml index 4acd8192..27e818cd 100644 --- a/.github/workflows/build-ios-testflight.yml +++ b/.github/workflows/build-ios-testflight.yml @@ -76,6 +76,25 @@ jobs: fi pod --version + - name: Install Go + gomobile (if missing) + run: | + if ! command -v go >/dev/null; then + if command -v brew >/dev/null; then + brew install go + else + echo "Go missing and brew not available"; exit 1 + fi + fi + go version + GOPATH=$(go env GOPATH) + echo "$GOPATH/bin" >> "$GITHUB_PATH" + export PATH="$PATH:$GOPATH/bin" + if ! command -v gomobile >/dev/null; then + go install golang.org/x/mobile/cmd/gomobile@latest + go install golang.org/x/mobile/cmd/gobind@latest + fi + which gomobile && gomobile version || true + - name: Show toolchain run: | set -x -- 2.50.1 (Apple Git-155) From 1e4af3dbded78f9434081650b9d85fe7f87d9163 Mon Sep 17 00:00:00 2001 
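Review bot: `go install golang.org/x/mobile/cmd/gomobile@latest` and the matching `gobind@latest` line resolve to whatever x/mobile publishes on the day a runner first executes this step, so the generated iOS bindings depend on an unpinned toolchain and two runners (or a reprovisioned one, since `$GOPATH/bin` persists) can silently end up on different versions; pin both, e.g. `go install golang.org/x/mobile/cmd/gomobile@<PINNED_VERSION>` with the same tag for gobind, and bump deliberately. The same two unpinned lines are repeated in the build-ios-testflight.yml hunk of this patch. The closing `which gomobile && gomobile version || true` masks a failed or broken install: the step goes green and the error only resurfaces later inside build_bindings.sh as the original 'command not found', so drop the `|| true` and let this step fail. Because the guard tests only `command -v gomobile`, a runner that already has gomobile but not gobind never installs gobind; guarding each install separately (`command -v gobind >/dev/null || go install golang.org/x/mobile/cmd/gobind@<PINNED_VERSION>`) avoids that.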
From: jwinterm Date: Tue, 19 May 2026 07:54:09 -0400 Subject: [PATCH 2/2] CI: drop pull_request triggers (Gitea strips secrets from fork PRs) The Android workflow's 'ANDROID_KEYSTORE_BASE64 not set' failure is secrets-not-reaching-runner, not a missing secret. The secret IS set in Builds/hash-wallet's repo secrets. The issue: workflows are being triggered by 'pull_request' events when github-such-software/hash-wallet is mirrored into Builds/hash-wallet via PR. Gitea (and GitHub) Actions deliberately strip secrets from workflows triggered by PRs from forks to prevent rogue PRs from exfiltrating secrets. Fix: drop the pull_request trigger from all auto-build workflows. Each workflow now runs exactly once, on push to dev/main (post-merge), in the destination repo's context, with secrets intact. Also added a debug step in the Android keystore decode that prints secret LENGTHS (never values) so future failures of this shape are diagnosable immediately. --- .github/workflows/build-android.yml | 20 +++++++++++++++++--- .github/workflows/build-ios-sim.yml | 3 +-- .github/workflows/build-linux.yml | 6 ++++-- 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build-android.yml b/.github/workflows/build-android.yml index 8ebfa1d8..b682b689 100644 --- a/.github/workflows/build-android.yml +++ b/.github/workflows/build-android.yml @@ -5,10 +5,13 @@ name: Hash Bags Android build # - PRs targeting dev/main (gate merges) # - manual via workflow_dispatch on: + # PR-from-fork triggers strip secrets in Gitea (and GitHub) for security. + # We mirror github-such-software/hash-wallet → Builds/hash-wallet via PRs, + # so a pull_request trigger here would always run without secrets. + # Listen only to push events on the destination branch (post-merge) so + # secrets are reliably available. push: branches: [dev, main] - pull_request: - branches: [dev, main] workflow_dispatch: concurrency: 
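Review bot: The header comment two lines above `on:` still lists `# - PRs targeting dev/main (gate merges)` as a trigger, but this hunk removes the `pull_request` trigger, so the comment now describes behaviour the workflow no longer has; reword it to say pushes to dev/main and manual dispatch only. The same stale wording remains in the build-linux.yml hunk (`# - on PRs targeting dev/main (gates merges)`), and the build-ios-sim.yml hunk drops its trigger too. Dropping the trigger removes the pre-merge build check entirely rather than only the steps that need secrets; if a merge gate is still wanted, keeping `pull_request` and guarding the keystore/signing steps with `if: github.event_name != 'pull_request'` keeps a secret-free build on PRs, assuming Gitea's runner exposes the `github.event_name` context the way GitHub does. The rest of the workflow lies outside this hunk.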
@@ -189,8 +192,19 @@ jobs: ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }} run: | set -e + # Debug visibility — prints lengths only, never values. If a secret + # length is 0, Gitea Actions is not passing it to this run (most + # commonly because the run was triggered by a from-fork PR). + echo "ANDROID_KEYSTORE_BASE64 length: ${#ANDROID_KEYSTORE_BASE64}" + echo "ANDROID_KEYSTORE_PASSWORD length: ${#ANDROID_KEYSTORE_PASSWORD}" + echo "ANDROID_KEY_ALIAS length: ${#ANDROID_KEY_ALIAS}" + echo "ANDROID_KEY_PASSWORD length: ${#ANDROID_KEY_PASSWORD}" if [[ -z "$ANDROID_KEYSTORE_BASE64" ]]; then - echo "FATAL: ANDROID_KEYSTORE_BASE64 not set — configure Gitea Actions secrets first" + echo "FATAL: ANDROID_KEYSTORE_BASE64 not reaching the runner." + echo "Check: (1) secret is in repo Settings → Actions → Secrets;" + echo " (2) workflow was triggered by 'push' or 'workflow_dispatch'" + echo " (PR triggers from a fork strip secrets);" + echo " (3) Gitea's runner is configured to pass secrets." exit 1 fi # Write decoded keystore next to build.gradle (storeFile path diff --git a/.github/workflows/build-ios-sim.yml b/.github/workflows/build-ios-sim.yml index 104627fa..6be9bafe 100644 --- a/.github/workflows/build-ios-sim.yml +++ b/.github/workflows/build-ios-sim.yml @@ -8,10 +8,9 @@ name: Hash Bags iOS Simulator build # Phase 2 (separate workflow): full TestFlight pipeline with signing. on: + # See note in build-android.yml about Gitea PR-from-fork secret stripping. push: branches: [dev, main] - pull_request: - branches: [dev, main] workflow_dispatch: # Cancel in-flight runs when a newer commit lands on the same branch — so a diff --git a/.github/workflows/build-linux.yml b/.github/workflows/build-linux.yml index 2aaba566..e8422c0e 100644 --- a/.github/workflows/build-linux.yml +++ b/.github/workflows/build-linux.yml 
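Review bot: The new length diagnostics print all four inputs, but the guard that follows still checks only `ANDROID_KEYSTORE_BASE64`, so an empty `ANDROID_KEYSTORE_PASSWORD`, `ANDROID_KEY_ALIAS` or `ANDROID_KEY_PASSWORD` passes this step and only fails later in the signing task with a less specific message; extend the check to all four, e.g. `for v in ANDROID_KEYSTORE_BASE64 ANDROID_KEYSTORE_PASSWORD ANDROID_KEY_ALIAS ANDROID_KEY_PASSWORD; do [[ -n "${!v}" ]] || { echo "FATAL: $v not reaching the runner."; exit 1; }; done`. Printing lengths rather than values keeps the secrets out of the log; the only thing revealed is the size of the base64 keystore, which is not sensitive. The `run:` block this hunk edits continues past the end of the hunk.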
@@ -5,10 +5,12 @@ name: Hash Bags Linux build # - on PRs targeting dev/main (gates merges) # - manual via workflow_dispatch ("Run workflow" button in the UI) on: + # See note in build-android.yml about pull_request vs push triggers and + # Gitea Actions' from-fork secret stripping. Push-only here too for + # consistency (no secrets are required for Linux build today, but if we + # add any in future this avoids surprises). push: branches: [dev, main] - pull_request: - branches: [dev, main] workflow_dispatch: concurrency: -- 2.50.1 (Apple Git-155)