refactor: use KEYSTORE_BASE64 as single source for keystore

- Update build.gradle to only use keystore.jks decoded from base64
- Remove all references to v2er.jks and ghui.jks files
- Simplify signing configs:
  - Debug: uses default Android debug keystore
  - Release: uses keystore.jks decoded from KEYSTORE_BASE64
  - GitHub variant: now uses debug signing
- Update release pipeline to decode keystore to app/keystore.jks
- Update SIGNING.md to reflect base64-only approach
- Add explicit keystore.jks entries to .gitignore

This ensures the keystore is only stored as a GitHub secret
and never as a file in the repository.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: graycreate

.github/workflows/release.yml

@@ -57,7 +57,7 @@ jobs:
       env:
         KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
       run: |
-        echo "$KEYSTORE_BASE64" | base64 --decode > ghui.jks
+        echo "$KEYSTORE_BASE64" | base64 --decode > app/keystore.jks
         
     - name: Build release APK
       env:
@@ -66,7 +66,7 @@ jobs:
         GHUI_KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
         KEYSTORE_PATH: ${{ vars.ENABLE_SIGNING == 'true' && 'keystore.jks' || '' }}
       run: |
-        if [ "${{ vars.ENABLE_SIGNING }}" = "true" ] && [ -f "ghui.jks" ]; then
+        if [ "${{ vars.ENABLE_SIGNING }}" = "true" ] && [ -f "app/keystore.jks" ]; then
           echo "Building signed release APK"
           ./gradlew assembleRelease --stacktrace
         else
@@ -77,7 +77,7 @@ jobs:
     - name: Clean up keystore
       if: always()
       run: |
-        rm -f ghui.jks
+        rm -f app/keystore.jks
         
     - name: Upload release APK
       uses: actions/upload-artifact@v4
@@ -125,7 +125,7 @@ jobs:
       env:
         KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
       run: |
-        echo "$KEYSTORE_BASE64" | base64 --decode > ghui.jks
+        echo "$KEYSTORE_BASE64" | base64 --decode > app/keystore.jks
         
     - name: Build release bundle
       env:
@@ -134,7 +134,7 @@ jobs:
         GHUI_KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
         KEYSTORE_PATH: ${{ vars.ENABLE_SIGNING == 'true' && 'keystore.jks' || '' }}
       run: |
-        if [ "${{ vars.ENABLE_SIGNING }}" = "true" ] && [ -f "ghui.jks" ]; then
+        if [ "${{ vars.ENABLE_SIGNING }}" = "true" ] && [ -f "app/keystore.jks" ]; then
           echo "Building signed release bundle"
           ./gradlew bundleRelease --stacktrace
         else
@@ -144,7 +144,7 @@ jobs:
     - name: Clean up keystore
       if: always()
       run: |
-        rm -f ghui.jks
+        rm -f app/keystore.jks
         
     - name: Upload release bundle
       if: ${{ vars.ENABLE_SIGNING == 'true' }}

.gitignore

@@ -9,4 +9,6 @@
 *.icloud
 *.jks
 *.keystore
-*.base64.txt
+*.base64.txt
+keystore.jks
+app/keystore.jks

SIGNING.md

@@ -4,55 +4,53 @@ This document explains how to set up signing for the V2er Android app.
 
 ## CI/CD Signing (GitHub Actions)
 
-The release pipeline automatically handles signing using GitHub secrets:
+The release pipeline uses GitHub secrets as the single source of truth for signing:
 
-1. **KEYSTORE_BASE64**: Base64-encoded keystore file
+1. **KEYSTORE_BASE64**: Base64-encoded keystore file (the only source for the keystore)
 2. **KEYSTORE_PASSWORD**: Password for the keystore
 3. **KEY_PASSWORD**: Password for the signing key
 4. **KEY_ALIAS**: Alias of the signing key
 
 The pipeline will:
-1. Decode the keystore from the base64 secret
-2. Place it in the correct location (`ghui.jks`)
+1. Decode the keystore from the KEYSTORE_BASE64 secret
+2. Place it temporarily as `app/keystore.jks`
 3. Build signed APK/AAB files
 4. Clean up the keystore file after building
 
 ## Local Development
 
-For local signing, you have two options:
-
-### Option 1: Use Debug Signing (Recommended)
-Simply use the debug build variant, which uses Android's default debug keystore.
+For local development, use the debug build variant which uses Android's default debug keystore:
 
 ```bash
 ./gradlew assembleDebug
 ```
 
-### Option 2: Set Up Release Signing
-1. Obtain the keystore file from the project maintainer
-2. Place it in the project root as `ghui.jks`
+If you need to test release builds locally:
+1. Obtain the base64-encoded keystore from the project maintainer
+2. Decode it and place it as `app/keystore.jks`:
+   ```bash
+   echo "$KEYSTORE_BASE64" | base64 --decode > app/keystore.jks
+   ```
 3. Set environment variables:
    ```bash
    export GHUI_KEYSTORE_PASSWORD="your-keystore-password"
    export GHUI_KEY_PASSWORD="your-key-password"
+   export GHUI_KEY_ALIAS="your-key-alias"  # Optional, defaults to "ghui"
    ```
 4. Build the release variant:
    ```bash
    ./gradlew assembleRelease
    ```
-
-### Option 3: Use GitHub Variant
-The GitHub variant uses a test keystore with known credentials:
-- Keystore: `v2er.jks`
-- Password: `v2er.app`
-- Key alias: `v2er`
-- Key password: `v2er.app`
-
-**Note**: This should only be used for testing, not for production releases.
+5. **Important**: Remove the keystore file after building:
+   ```bash
+   rm app/keystore.jks
+   ```
 
 ## Security Notes
 
+- The keystore is ONLY stored as a base64-encoded GitHub secret
 - Never commit keystore files to the repository
-- Keep keystore passwords secure and never share them publicly
-- The `.gitignore` file is configured to exclude all `.jks` and `.keystore` files
-- For production releases, always use the GitHub Actions release pipeline
+- Always clean up temporary keystore files after use
+- The `.gitignore` file excludes all `.jks` and `.keystore` files
+- For production releases, always use the GitHub Actions release pipeline
+- The GitHub build variant now uses debug signing for simplicity

app/build.gradle

@@ -13,41 +13,32 @@ android {
         vectorDrawables.useSupportLibrary = true
     }
     signingConfigs {
-        github {
-            if (file("../v2er.jks").exists()) {
-                storeFile file("../v2er.jks")
-                storePassword "v2er.app"
-                keyAlias "v2er"
-                keyPassword "v2er.app"
-            } else {
-                // Fallback to debug signing if keystore is missing
-                storeFile file("${System.getProperty('user.home')}/.android/debug.keystore")
-                storePassword "android"
-                keyAlias "androiddebugkey"
-                keyPassword "android"
-            }
+        debug {
+            // Use default debug keystore
         }
 
         release {
-            if (file("../ghui.jks").exists() && project.hasProperty("GHUI_KEYSTORE_PASSWORD") && project.hasProperty("GHUI_KEY_PASSWORD")) {
-                storeFile file("../ghui.jks")
+            // Release signing is only configured when keystore is provided via CI/CD
+            // The keystore will be decoded from KEYSTORE_BASE64 and placed temporarily
+            if (file("keystore.jks").exists() && project.hasProperty("GHUI_KEYSTORE_PASSWORD") && project.hasProperty("GHUI_KEY_PASSWORD")) {
+                storeFile file("keystore.jks")
                 storePassword GHUI_KEYSTORE_PASSWORD
-                keyAlias "ghui"
+                keyAlias project.hasProperty("GHUI_KEY_ALIAS") ? GHUI_KEY_ALIAS : "ghui"
                 keyPassword GHUI_KEY_PASSWORD
             } else {
-                // Use debug signing as fallback for local builds
-                // CI/CD will provide the actual keystore
-                storeFile file("${System.getProperty('user.home')}/.android/debug.keystore")
-                storePassword "android"
-                keyAlias "androiddebugkey"
-                keyPassword "android"
+                // For local builds without proper signing setup, use debug signing
+                def debugSigningConfig = android.signingConfigs.debug
+                storeFile debugSigningConfig.storeFile
+                storePassword debugSigningConfig.storePassword
+                keyAlias debugSigningConfig.keyAlias
+                keyPassword debugSigningConfig.keyPassword
             }
         }
     }
 
     buildTypes {
         github {
-            signingConfig signingConfigs.github
+            signingConfig signingConfigs.debug
         }
 
         release {