Merge pull request #144 from sledtools/zapstore

ci: add Zapstore publish pipeline with hardened signing secret handling

Author: justinmoon

.github/workflows/release.yml

@@ -145,3 +145,51 @@ jobs:
           files: |
             dist/*.apk
             dist/SHA256SUMS
+
+  publish-zapstore:
+    if: (github.actor == 'justinmoon' || github.actor == 'futurepaul' || github.actor == 'AnthonyRonning' || github.actor == 'benthecarman') && hashFiles('secrets/zapstore-signing.env.age') != ''
+    needs: [build, publish]
+    runs-on: blacksmith-16vcpu-ubuntu-2404
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-nix-v1-${{ runner.os }}
+          path: /nix
+      - name: Fix /nix ownership
+        run: |
+          if [ -d /nix ] && [ "$(stat -c %u /nix)" != "$(id -u)" ]; then
+            sudo chown -R $(id -u):$(id -g) /nix
+          fi
+      - uses: nixbuild/nix-quick-install-action@v30
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: release-apk
+          path: dist
+
+      - name: Validate tag matches VERSION
+        run: |
+          set -euo pipefail
+          expected_tag="v$(./scripts/version-read --name)"
+          if [ "${GITHUB_REF_NAME}" != "$expected_tag" ]; then
+            echo "error: tag/version mismatch: ref=${GITHUB_REF_NAME}, expected=${expected_tag}"
+            exit 1
+          fi
+
+      - name: Publish to Zapstore
+        env:
+          AGE_SECRET_KEY: ${{ secrets.AGE_SECRET_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          set +x
+          apk_count="$(find dist -maxdepth 1 -type f -name '*.apk' | wc -l | xargs)"
+          if [ "$apk_count" -ne 1 ]; then
+            echo "error: expected exactly one APK artifact in dist/, found $apk_count"
+            find dist -maxdepth 1 -type f -name '*.apk' -print
+            exit 1
+          fi
+          apk_path="$(find dist -maxdepth 1 -type f -name '*.apk' | head -n 1)"
+          nix develop .#default -c ./scripts/zapstore-publish "$apk_path" "https://github.com/${GITHUB_REPOSITORY}"

.gitignore

@@ -40,6 +40,9 @@ worktrees
 .pika-cli-test
 ios/UITests/env.test
 .DS_Store
+secrets/zapstore-signing.env
+secrets/.age-key*.tmp
+secrets/.zapstore-sign-with.*
 
 # Avoid accidentally staging enormous vendored build output.
 third_party/openclaw-marmot/target/

docs/release.md

@@ -8,11 +8,12 @@ read_when:
 
 # Release
 
-This repo has two independent release pipelines, both tag-driven:
+This repo has three independent release pipelines, all tag-driven:
 
 | Target | Tag pattern | CI workflow | Artifacts |
 |--------|------------|-------------|-----------|
 | Android APK | `v*` (e.g. `v0.2.2`) | `release.yml` | Signed APK + SHA256SUMS on GitHub Releases |
+| Zapstore publish | `v*` (e.g. `v0.2.2`) | `release.yml` (`publish-zapstore` job) | NIP-82 app/release/asset events on Zapstore relays |
 | marmotd (OpenClaw extension) | `marmotd-v*` (e.g. `marmotd-v0.3.2`) | `marmotd-release.yml` | Linux + macOS binaries on GitHub Releases, npm package |
 
 **Important:** All release tags must be created from the `master` branch. Tags on
@@ -69,13 +70,23 @@ gh release view v0.3.0
 
 - Commit only encrypted keystore: `android/pika-release.jks.age`.
 - Commit only encrypted signing env: `secrets/android-signing.env.age`.
+- Commit only encrypted Zapstore signing env: `secrets/zapstore-signing.env.age`.
 - Keep plaintext `android/pika-release.jks` out of git.
-- Encrypt both artifacts to all required recipients:
+- Keep plaintext Zapstore signing env (`secrets/zapstore-signing.env`) out of git.
+- Encrypt all encrypted artifacts to all required recipients:
   - YubiKey primary: `age1yubikey1q0zhu9e7zrj48zmnpx4fg07c0drt9f57e26uymgxa4h3fczwutzjjp5a6y5`
   - YubiKey backup: `age1yubikey1qtdv7spad78v4yhrtrts6tvv5wc80vw6mah6g64m9cr9l3ryxsf2jdx8gs9`
   - CI age public key (dedicated release key)
 - CI env var required:
-  - `AGE_SECRET_KEY` (decrypts both encrypted artifacts in CI)
+  - `AGE_SECRET_KEY` (decrypts all encrypted artifacts in CI)
+- Zapstore encrypted env format:
+  - `ZAPSTORE_SIGN_WITH=nsec1...` (or NIP-46 bunker URL)
+- Helper command:
+  - `just zapstore-encrypt-signing`
+  - or include in full bootstrap: `PIKA_ZAPSTORE_SIGN_WITH='nsec1...' ./scripts/init-release-secrets`
+- Publish helper:
+  - `./scripts/zapstore-publish <apk-path> [repo-url]`
+  - used by both `just zapstore-publish` and CI to centralize secret handling
 - Optional for local hardware-key decrypt:
   - `PIKA_AGE_IDENTITY_FILE` (defaults to `~/configs/yubikeys/keys.txt`)
 
@@ -88,6 +99,12 @@ Jobs:
 1. `check` - validates tag/version match and runs `just pre-merge-pika`
 2. `build` - runs `just android-release`, uploads APK + `SHA256SUMS`
 3. `publish` - creates GitHub Release with uploaded assets
+4. `publish-zapstore` - publishes the built APK artifact to Zapstore relays
+
+`publish-zapstore` is gated on `secrets/zapstore-signing.env.age` existing in
+git. It decrypts `ZAPSTORE_SIGN_WITH` via `AGE_SECRET_KEY`, uses centralized
+`scripts/zapstore-publish` handling (xtrace disabled, masking enabled, temp-file
+cleanup), and passes it to `zsp` only for the publish command.
 
 ---
 

flake.nix

@@ -103,6 +103,28 @@
             mainProgram = "cargo-dinghy";
           };
         };
+
+        zsp = pkgs.buildGoModule rec {
+          pname = "zsp";
+          version = "0.3.3";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "zapstore";
+            repo = "zsp";
+            rev = "v${version}";
+            hash = "sha256-OiCk+LatiD+W0MR9klEWZ/bx/9QK1+MjO4lKyHSOFn8=";
+          };
+
+          vendorHash = "sha256-INIDPettuY0y4h6NF8ltF9r/AMQx9Each9JVBe9+CGo=";
+          doCheck = false;
+
+          meta = with pkgs.lib; {
+            description = "CLI tool for publishing Android apps to Nostr relays";
+            homepage = "https://github.com/zapstore/zsp";
+            license = licenses.mit;
+            mainProgram = "zsp";
+          };
+        };
       in {
         devShells.default = pkgs.mkShell {
           buildInputs = pkgs.lib.optionals pkgs.stdenv.isDarwin [
@@ -131,6 +153,7 @@
             pkgs.age
             pkgs.age-plugin-yubikey
             pkgs.openssl
+            zsp
             rmp
           ] ++ pkgs.lib.optionals pkgs.stdenv.isDarwin [
             pkgs.xcodegen

justfile

@@ -297,6 +297,18 @@ android-release:
   cp android/app/build/outputs/apk/release/app-release.apk "dist/pika-${version}-${abis}.apk"; \
   echo "ok: built dist/pika-${version}-${abis}.apk"
 
+# Encrypt Zapstore signing value to `secrets/zapstore-signing.env.age`.
+zapstore-encrypt-signing:
+  ./scripts/encrypt-zapstore-signing
+
+# Check Zapstore publish inputs for a local APK without publishing events.
+zapstore-check APK:
+  zsp publish --check "{{APK}}" -r https://github.com/sledtools/pika
+
+# Publish a local APK artifact to Zapstore.
+zapstore-publish APK:
+  ./scripts/zapstore-publish "{{APK}}" https://github.com/sledtools/pika
+
 # Build Android debug APK.
 android-assemble: gen-kotlin android-rust android-local-properties
   cd android && ./gradlew :app:assembleDebug

scripts/encrypt-zapstore-signing

@@ -0,0 +1,143 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+OUTPUT_ENCRYPTED="$ROOT/secrets/zapstore-signing.env.age"
+OUTPUT_ENCRYPTED_NEXT="$ROOT/secrets/zapstore-signing.env.age.next"
+CI_KEY_TMP="$ROOT/secrets/.age-key.ci.tmp"
+
+# Defaults from ~/configs/secrets/secrets.nix; can be overridden via env.
+YUBIKEY_PRIMARY="${PIKA_YUBIKEY_PRIMARY_RECIPIENT:-age1yubikey1q0zhu9e7zrj48zmnpx4fg07c0drt9f57e26uymgxa4h3fczwutzjjp5a6y5}"
+YUBIKEY_BACKUP="${PIKA_YUBIKEY_BACKUP_RECIPIENT:-age1yubikey1qtdv7spad78v4yhrtrts6tvv5wc80vw6mah6g64m9cr9l3ryxsf2jdx8gs9}"
+CI_RECIPIENT="${PIKA_CI_AGE_RECIPIENT:-}"
+
+usage() {
+  cat <<'USAGE'
+usage: ./scripts/encrypt-zapstore-signing
+
+Encrypts `secrets/zapstore-signing.env.age` with:
+  - YubiKey primary recipient
+  - YubiKey backup recipient
+  - CI recipient (from PIKA_CI_AGE_RECIPIENT, AGE_SECRET_KEY, `server` in configs, or prompt)
+
+Input:
+  - `PIKA_ZAPSTORE_SIGN_WITH` (recommended)
+  - or interactive prompt
+
+Environment overrides:
+  PIKA_ZAPSTORE_SIGN_WITH
+  PIKA_CI_AGE_RECIPIENT
+  PIKA_YUBIKEY_PRIMARY_RECIPIENT
+  PIKA_YUBIKEY_BACKUP_RECIPIENT
+USAGE
+}
+
+need_cmd() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    echo "error: missing command: $1" >&2
+    exit 1
+  fi
+}
+
+load_recipients_from_configs() {
+  local cfg="$HOME/configs/secrets/secrets.nix"
+  local candidate=""
+  if [ ! -f "$cfg" ]; then
+    return 0
+  fi
+
+  candidate="$(grep -E 'yubikey_primary = "age1' "$cfg" | head -n 1 | sed -E 's/.*"(age1[^"]+)".*/\1/')"
+  if [ -z "${PIKA_YUBIKEY_PRIMARY_RECIPIENT:-}" ] && [ -n "$candidate" ]; then
+    YUBIKEY_PRIMARY="$candidate"
+  fi
+
+  candidate="$(grep -E 'yubikey_backup = "age1' "$cfg" | head -n 1 | sed -E 's/.*"(age1[^"]+)".*/\1/')"
+  if [ -z "${PIKA_YUBIKEY_BACKUP_RECIPIENT:-}" ] && [ -n "$candidate" ]; then
+    YUBIKEY_BACKUP="$candidate"
+  fi
+
+  if [ -z "${PIKA_CI_AGE_RECIPIENT:-}" ] && [ -z "$CI_RECIPIENT" ]; then
+    candidate="$(grep -E 'server = "age1' "$cfg" | head -n 1 | sed -E 's/.*"(age1[^"]+)".*/\1/')"
+    if [ -n "$candidate" ]; then
+      CI_RECIPIENT="$candidate"
+    fi
+  fi
+}
+
+cleanup() {
+  rm -f "$CI_KEY_TMP" "$OUTPUT_ENCRYPTED_NEXT"
+}
+trap cleanup EXIT INT TERM
+
+if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
+  usage
+  exit 0
+fi
+if [ "$#" -ne 0 ]; then
+  usage >&2
+  exit 2
+fi
+
+need_cmd age
+need_cmd age-keygen
+need_cmd grep
+need_cmd sed
+
+load_recipients_from_configs
+
+if [ -z "$CI_RECIPIENT" ] && [ -n "${AGE_SECRET_KEY:-}" ]; then
+  umask 077
+  printf '%s\n' "$AGE_SECRET_KEY" >"$CI_KEY_TMP"
+  CI_RECIPIENT="$(age-keygen -y "$CI_KEY_TMP")"
+fi
+
+if [ -z "$CI_RECIPIENT" ]; then
+  if [ -t 0 ]; then
+    read -r -p "Enter CI age recipient (age1...): " CI_RECIPIENT
+  else
+    echo "error: set PIKA_CI_AGE_RECIPIENT, AGE_SECRET_KEY, or configure server recipient in ~/configs/secrets/secrets.nix" >&2
+    exit 1
+  fi
+fi
+
+if ! printf '%s\n' "$CI_RECIPIENT" | grep -Eq '^age1[023456789acdefghjklmnpqrstuvwxyz]+$'; then
+  echo "error: invalid CI recipient format (expected age1...)" >&2
+  exit 1
+fi
+
+sign_with="${PIKA_ZAPSTORE_SIGN_WITH:-}"
+if [ -z "$sign_with" ]; then
+  if [ ! -t 0 ]; then
+    echo "error: set PIKA_ZAPSTORE_SIGN_WITH when running non-interactively" >&2
+    exit 1
+  fi
+  read -r -s -p "Enter Zapstore SIGN_WITH (nsec or bunker URL): " sign_with
+  printf '\n'
+fi
+
+if [ -z "$sign_with" ]; then
+  echo "error: missing Zapstore SIGN_WITH value" >&2
+  exit 1
+fi
+
+mkdir -p "$ROOT/secrets"
+umask 077
+
+{
+  printf 'ZAPSTORE_SIGN_WITH=%s\n' "$sign_with"
+} | age -e \
+  -r "$YUBIKEY_PRIMARY" \
+  -r "$YUBIKEY_BACKUP" \
+  -r "$CI_RECIPIENT" \
+  -o "$OUTPUT_ENCRYPTED_NEXT"
+
+chmod 600 "$OUTPUT_ENCRYPTED_NEXT"
+mv "$OUTPUT_ENCRYPTED_NEXT" "$OUTPUT_ENCRYPTED"
+
+unset sign_with
+
+echo "ok: wrote $OUTPUT_ENCRYPTED"
+echo "ok: recipients:"
+echo "  - $YUBIKEY_PRIMARY"
+echo "  - $YUBIKEY_BACKUP"
+echo "  - $CI_RECIPIENT (CI)"

scripts/init-release-secrets

@@ -5,10 +5,12 @@ ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 
 KEYSTORE_ENCRYPTED="$ROOT/android/pika-release.jks.age"
 PASSWORD_ENCRYPTED="$ROOT/secrets/android-signing.env.age"
+ZAPSTORE_SIGNING_ENCRYPTED="$ROOT/secrets/zapstore-signing.env.age"
 KEYSTORE_PLAINTEXT="$ROOT/android/pika-release.jks"
 KEYSTORE_TEST="$ROOT/android/pika-release.test.jks"
 KEYSTORE_ENCRYPTED_NEXT="$ROOT/android/pika-release.jks.age.next"
 PASSWORD_ENCRYPTED_NEXT="$ROOT/secrets/android-signing.env.age.next"
+ZAPSTORE_SIGNING_ENCRYPTED_NEXT="$ROOT/secrets/zapstore-signing.env.age.next"
 CI_KEY_TMP="$ROOT/android/.pika-ci-age.key.tmp"
 YUBIKEY_IDENTITY_FILE="${PIKA_AGE_IDENTITY_FILE:-$HOME/configs/yubikeys/yubikey-primary.txt}"
 
@@ -43,6 +45,7 @@ Environment overrides:
   PIKA_YUBIKEY_PRIMARY_RECIPIENT
   PIKA_YUBIKEY_BACKUP_RECIPIENT
   PIKA_KEYSTORE_PASSWORD
+  PIKA_ZAPSTORE_SIGN_WITH
 EOF
 }
 
@@ -72,7 +75,7 @@ load_recipients_from_configs() {
 }
 
 cleanup() {
-  rm -f "$KEYSTORE_PLAINTEXT" "$KEYSTORE_TEST" "$CI_KEY_TMP" "$KEYSTORE_ENCRYPTED_NEXT" "$PASSWORD_ENCRYPTED_NEXT"
+  rm -f "$KEYSTORE_PLAINTEXT" "$KEYSTORE_TEST" "$CI_KEY_TMP" "$KEYSTORE_ENCRYPTED_NEXT" "$PASSWORD_ENCRYPTED_NEXT" "$ZAPSTORE_SIGNING_ENCRYPTED_NEXT"
 }
 trap cleanup EXIT INT TERM
 
@@ -168,6 +171,20 @@ rm -f "$PASSWORD_ENCRYPTED_NEXT"
 chmod 600 "$PASSWORD_ENCRYPTED_NEXT"
 mv "$PASSWORD_ENCRYPTED_NEXT" "$PASSWORD_ENCRYPTED"
 
+if [ -n "${PIKA_ZAPSTORE_SIGN_WITH:-}" ]; then
+  echo "Encrypting Zapstore signing env to recipients..."
+  rm -f "$ZAPSTORE_SIGNING_ENCRYPTED_NEXT"
+  {
+    printf 'ZAPSTORE_SIGN_WITH=%s\n' "$PIKA_ZAPSTORE_SIGN_WITH"
+  } | age -e \
+    -r "$YUBIKEY_PRIMARY" \
+    -r "$YUBIKEY_BACKUP" \
+    -r "$ci_recipient" \
+    -o "$ZAPSTORE_SIGNING_ENCRYPTED_NEXT"
+  chmod 600 "$ZAPSTORE_SIGNING_ENCRYPTED_NEXT"
+  mv "$ZAPSTORE_SIGNING_ENCRYPTED_NEXT" "$ZAPSTORE_SIGNING_ENCRYPTED"
+fi
+
 echo "Testing YubiKey decryption with $YUBIKEY_IDENTITY_FILE (touch/PIN may be required)..."
 rm -f "$KEYSTORE_TEST"
 age -d -i "$YUBIKEY_IDENTITY_FILE" -o "$KEYSTORE_TEST" "$KEYSTORE_ENCRYPTED"
@@ -195,6 +212,11 @@ unset ci_secret_key
 
 echo "ok: wrote $KEYSTORE_ENCRYPTED"
 echo "ok: wrote $PASSWORD_ENCRYPTED"
+if [ -n "${PIKA_ZAPSTORE_SIGN_WITH:-}" ]; then
+  echo "ok: wrote $ZAPSTORE_SIGNING_ENCRYPTED"
+else
+  echo "note: skipped $ZAPSTORE_SIGNING_ENCRYPTED (set PIKA_ZAPSTORE_SIGN_WITH to include it)"
+fi
 echo "ok: recipients:"
 echo "  - $YUBIKEY_PRIMARY"
 echo "  - $YUBIKEY_BACKUP"