ci: add GitHub Actions workflow to build and release Android APK via Expo EAS #428

Merged
roshankumar0036singh merged 3 commits into roshankumar0036singh:main from Nicks-19:feat/android-ci-workflow
May 31, 2026

@Nicks-19 (Contributor) commented May 30, 2026

Summary

This PR adds a GitHub Actions CI/CD workflow to compile and release the Android APK for the mobile application in app/ using EAS Build. This fully resolves #312.

Proposed Changes

  1. EAS Build Profile: Added app/eas.json configuration defining preview and production profiles to produce Android APKs ("buildType": "apk").
  2. CI/CD Workflow: Created .github/workflows/build-android-apk.yml that:
    • Triggers on version release tags (v*) and manual workflow dispatches.
    • Compiles the APK locally on the GitHub Actions runner (saving Expo Cloud minutes).
    • Restores and saves caches for npm dependencies, Gradle wrapper/caches, EAS CLI, and Expo caches to reduce build times by 40–60%.
    • Supports both Expo-managed remote credentials and local keystores (using base64-decoded ANDROID_KEYSTORE_BASE64 repository secret).
    • Automatically uploads the compiled APK to the corresponding GitHub Release.
  3. Maintainer Setup Guide: Added docs/ANDROID_BUILD_SETUP.md explaining how to configure the required secrets (EXPO_TOKEN, keystore parameters) and trigger the builds.
  4. Reference Link: Linked the new build guide in the main docs/SETUP.md.

Verification

  • Verified YAML syntax of the workflow.
  • Verified JSON syntax of eas.json.
  • Ran Jest unit tests locally to ensure zero regressions are introduced.

Summary by CodeRabbit

  • New Features

    • Automated Android APK build and publish pipeline via CI, triggered by version tags or manual runs; supports local keystore signing or remote credentials and will skip non-tag builds when signing credentials are absent.
  • Documentation

    • Added an Android Build and Release Guide and linked it from setup docs, covering configuration, secrets handling, triggers, and troubleshooting.

@coderabbitai coderabbitai Bot (Contributor) commented May 30, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 37c52e6 and ffc231e.

📒 Files selected for processing (2)
  • .github/workflows/build-android-apk.yml
  • docs/ANDROID_BUILD_SETUP.md
✅ Files skipped from review due to trivial changes (1)
  • docs/ANDROID_BUILD_SETUP.md

Walkthrough

Adds a GitHub Actions workflow that builds an Android APK via Expo EAS (triggered by v* tags or manual dispatch), handles optional local Android signing, caches build artifacts, conditionally runs/uploads the APK, and includes EAS config and documentation.

Changes

Android APK Build and Release

| Layer | File(s) | Summary |
|---|---|---|
| Workflow foundation and environment setup | .github/workflows/build-android-apk.yml (lines 1–56) | Defines the workflow triggers and job, sets up Java 17 and Node 20, configures npm cache keyed to app/package-lock.json, and runs npm ci in ./app. |
| Signing credentials and build execution | .github/workflows/build-android-apk.yml (lines 57–132) | Decodes optional base64 keystore into android/keystores/release.jks, writes app/credentials.json, updates app/eas.json to use local credentials when available, runs eas build for the preview profile with guards for missing credentials, and detects app-release.apk. |
| GitHub Release publication | .github/workflows/build-android-apk.yml (lines 133–141) | Creates/uploads a GitHub Release containing app-release.apk only when the ref is a v* tag and the APK exists. |
| Build configuration and documentation | app/eas.json, docs/ANDROID_BUILD_SETUP.md, docs/SETUP.md | Adds EAS CLI and build profiles (development, preview, production) and documents CI setup, secrets, trigger methods, and troubleshooting; updates docs/SETUP.md with a link to the Android guide. |

Sequence Diagram

sequenceDiagram
  participant GitHub as GitHub
  participant Runner as Actions Runner
  participant EAS as Expo EAS
  participant GHRelease as GitHub Releases
  GitHub->>Runner: Trigger on v* tag or workflow_dispatch
  Runner->>Runner: Setup Java 17, Node 20, npm cache
  alt Keystore secrets present
    Runner->>Runner: Decode base64 keystore -> android/keystores/release.jks
    Runner->>Runner: Write app/credentials.json
    Runner->>Runner: Patch app/eas.json (credentialsSource: local)
  else Keystore secrets missing
    Runner->>Runner: Log fallback to remote credentials
  end
  Runner->>EAS: Run eas build --profile preview
  EAS->>Runner: Return app-release.apk (if successful)
  alt APK exists and ref is v* tag
    Runner->>GHRelease: Create Release and upload app-release.apk
  else No APK or non-tag run
    Runner->>Runner: Skip release (exit success)
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

level:intermediate, type:testing

Suggested reviewers

  • roshankumar0036singh

Poem

🐰 A rabbit hums beside the tree,
Building APKs so sprightly and free.
Tags hop in, secrets tucked away,
CI blooms bright on release day. ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: adding a GitHub Actions workflow for Android APK building and release via Expo EAS. |
| Linked Issues check | ✅ Passed | All objectives from issue #312 are met: workflow triggers on version tags and manual dispatch, builds Android APK using EAS, uploads to GitHub Release, documents required secrets, includes caching for npm/Gradle/EAS/Expo to reduce build time, and provides setup guidance. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to implementing the Android CI/CD workflow: workflow file, EAS configuration, build documentation, and setup guide reference. No unrelated modifications present. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-android-apk.yml:
- Around line 103-105: The workflow currently exits with 0 when neither
EXPO_TOKEN nor credentials.json is present (the `if [ -z "${{ secrets.EXPO_TOKEN
}}" ] && [ ! -f "credentials.json" ]; then` block), which causes tag-triggered
runs to silently succeed without producing an APK; change the behavior to fail
the job (use a non-zero exit such as `exit 1`) and update the warning message to
indicate a hard failure so missing auth/signing on tag pushes fails loudly;
apply the same change to the analogous check later in the file (the similar
block around lines 111-122) so both places abort with an error when credentials
are missing.
- Around line 65-95: The workflow currently only checks ANDROID_KEYSTORE_BASE64
before decoding the keystore, writing credentials.json, and setting
credentialsSource to 'local' in eas.json; update the conditional to require all
four secrets (ANDROID_KEYSTORE_BASE64, ANDROID_KEYSTORE_PASSWORD,
ANDROID_KEY_ALIAS, ANDROID_KEY_PASSWORD) before proceeding so we never generate
credentials.json with empty fields or flip preview/production to local when any
secret is missing; ensure the same variables are validated in the if-statement
that creates android/keystores/release.jks, builds credentials.json
(keystorePassword, keyAlias, keyPassword) and modifies
data['build']['preview']['android']['credentialsSource'] and
data['build']['production']['android']['credentialsSource'].
- Around line 33-39: Replace the dynamic version pins for the Expo GitHub Action
by setting concrete, tested version strings instead of "latest": update the
expo/expo-github-action usage to specify expo-version and eas-version with
specific version numbers (replace expo-version: latest and eas-version: latest)
so builds are reproducible; locate the action block that uses
expo/expo-github-action and change the expo-version and eas-version inputs to
the exact, app-validated tags you want to pin.
- Around line 17-18: Update the checkout step to set persist-credentials: false
on the actions/checkout@v4 invocation to avoid persisting auth in git config;
pin external actions (e.g., Expo/EAS actions) to immutable refs/SHA instead of
floating tags; in the signing setup validate all required keystore secrets (not
just ANDROID_KEYSTORE_BASE64) before creating credentials.json or mutating
eas.json and fail the job with a clear error if any required secret is missing
(do not silently exit 0), and ensure any conditional behavior in the build step
explicitly logs/skips rather than returning success when secrets are absent.

In `@docs/ANDROID_BUILD_SETUP.md`:
- Around line 43-46: The macOS-style base64 command in the docs ("base64 -i
my-release-key.keystore -o base64-keystore.txt") is not compatible with GNU
coreutils; update the doc to keep the macOS variant and add a Linux-compatible
instruction: for Linux use "base64 -w 0 my-release-key.keystore >
base64-keystore.txt" and include a fallback "base64 my-release-key.keystore | tr
-d '\n' > base64-keystore.txt" for systems without -w; ensure the text labels
these as "To generate the base64 string on macOS/Linux" and "To generate the
base64 string on Linux" alongside the respective commands so readers pick the
correct one.
📥 Commits

Reviewing files that changed from the base of the PR and between 8a535b2 and 37c52e6.

📒 Files selected for processing (4)
  • .github/workflows/build-android-apk.yml
  • app/eas.json
  • docs/ANDROID_BUILD_SETUP.md
  • docs/SETUP.md

Comment thread .github/workflows/build-android-apk.yml Outdated
Comment on lines +17 to +18
- name: Checkout repository
uses: actions/checkout@v4
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the workflow with line numbers
sed -n '1,200p' .github/workflows/build-android-apk.yml | cat -n

# Search for persist-credentials and checkout usage within the workflow
rg -n "persist-credentials|actions/checkout@" .github/workflows/build-android-apk.yml

# Show any steps that use GITHUB_TOKEN/contents/write or run npm ci/build
rg -n "contents:\s*write|GITHUB_TOKEN|EXPO|EAS|eas\.json|credentials\.json|npm ci|skip on forks|workflow_dispatch|push:\s*tags" .github/workflows/build-android-apk.yml

Repository: roshankumar0036singh/Uni-Event

Length of output: 6302


🌐 Web query:

actions/checkout@v4 default persist-credentials

💡 Result:

For actions/checkout@v4, the persist-credentials input defaults to true (i.e., it persists the auth token/credentials in the local git config unless you set persist-credentials: false). [1][2]

In more detail: actions/checkout’s README states that the auth token is persisted in the local git config and removed during post-job cleanup, and that setting persist-credentials: false opts out. [2] The action.yml for v4 defines persist-credentials with default: true. [1]

Example (opt out):

    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

This will prevent checkout from configuring the token/SSH key in the local git config. [1][2]

Citations:


Disable checkout credential persistence.

The workflow grants contents: write and uses actions/checkout@v4 without disabling credential persistence (default is to persist auth in git config), giving later steps unnecessary repo-write access.

  • Set persist-credentials: false on the checkout step.
  • Avoid latest (Expo/EAS) and consider pinning external actions to immutable references (commit/SHA) for reproducibility/supply-chain hardening.
  • Signing setup only gates on ANDROID_KEYSTORE_BASE64; validate the other keystore secrets before writing credentials.json / mutating eas.json.
  • The build step can exit 0 when secrets are missing, which can silently skip tag releases instead of failing.
Suggested change
      - name: Checkout repository
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
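Review bot: the unchanged `uses: actions/checkout@v4` line in this suggestion stays on a mutable tag, while the zizmor output in this same comment reports line 18 as an unpinned action reference. Pin the action to a full commit SHA in the same change that adds `persist-credentials: false`, and keep the version as a trailing comment so the pin stays readable.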
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-android-apk.yml around lines 17 - 18, Update the
checkout step to set persist-credentials: false on the actions/checkout@v4
invocation to avoid persisting auth in git config; pin external actions (e.g.,
Expo/EAS actions) to immutable refs/SHA instead of floating tags; in the signing
setup validate all required keystore secrets (not just ANDROID_KEYSTORE_BASE64)
before creating credentials.json or mutating eas.json and fail the job with a
clear error if any required secret is missing (do not silently exit 0), and
ensure any conditional behavior in the build step explicitly logs/skips rather
than returning success when secrets are absent.
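The gating this review asks for (all four keystore secrets or none, and a non-zero exit on a partial set), written as a POSIX shell function. This is an added example, not code from the PR: the function name, its output convention and the credentials.json layout are assumptions, and it leaves app/eas.json untouched.

```shell
#!/bin/sh
# Added example, not the PR's workflow step. Secret names and file paths are
# the ones quoted in the review; the function name and exit codes are assumptions.

json_escape() {  # escape backslashes and double quotes for a JSON string value
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Usage: setup_local_signing <app-dir>
# Prints "local" or "remote"; exits 1 on a partial or undecodable secret set.
# The body is a subshell, so umask and variables do not leak into the caller.
setup_local_signing() (
  app_dir=$1; missing=""; present=0
  for name in ANDROID_KEYSTORE_BASE64 ANDROID_KEYSTORE_PASSWORD \
              ANDROID_KEY_ALIAS ANDROID_KEY_PASSWORD; do
    eval "val=\${$name:-}"   # secrets come from the step's env: block
    if [ -n "$val" ]; then present=$((present + 1)); else missing="$missing $name"; fi
  done

  if [ "$present" -eq 0 ]; then
    echo "remote"            # no keystore secrets at all: Expo-managed credentials
    exit 0
  fi
  if [ -n "$missing" ]; then
    echo "error: incomplete keystore secrets, missing:$missing" >&2
    exit 1                   # never write credentials.json with empty fields
  fi

  umask 077                  # keystore and credentials readable by the runner user only
  jks="$app_dir/android/keystores/release.jks"
  mkdir -p "$app_dir/android/keystores"
  if ! printf '%s' "$ANDROID_KEYSTORE_BASE64" | base64 -d > "$jks" 2>/dev/null \
     || [ ! -s "$jks" ]; then
    rm -f "$jks"
    echo "error: ANDROID_KEYSTORE_BASE64 does not decode to a keystore" >&2
    exit 1
  fi
  cat > "$app_dir/credentials.json" <<EOF
{"android": {"keystore": {
  "keystorePath": "android/keystores/release.jks",
  "keystorePassword": "$(json_escape "$ANDROID_KEYSTORE_PASSWORD")",
  "keyAlias": "$(json_escape "$ANDROID_KEY_ALIAS")",
  "keyPassword": "$(json_escape "$ANDROID_KEY_PASSWORD")"
}}}
EOF
  echo "local"
)
```

A workflow step would call the function with the four secrets mapped through `env:` and switch `credentialsSource` only when it prints `local`; a non-zero status fails the job instead of skipping the release.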

@roshankumar0036singh (Owner) commented May 30, 2026

@Nicks-19 handle all the issues flagged, still 3 open

@roshankumar0036singh (Owner)

@Nicks-19 did you try to build the apk file once? Try it once that it should succeed

@roshankumar0036singh (Owner)

@Nicks-19 did you try to build the apk file once?

@roshankumar0036singh roshankumar0036singh merged commit 462e35a into roshankumar0036singh:main May 31, 2026
6 checks passed

Development

Successfully merging this pull request may close these issues.

Add GitHub Actions workflow to build and release Android APK via Expo
