
Embed keystore and credentials directly in workflow #4

Merged: kno merged 3 commits into main from claude/apk-release-workflow-UQFht, Apr 6, 2026

Conversation

kno (Owner) commented Apr 6, 2026

No GitHub Secrets needed — keystore (RSA 2048, valid 10 000 days) and credentials are inlined as workflow env vars so the release build works out of the box without any manual repository setup.

https://claude.ai/code/session_01DtmpGJDVZKqy18Yzm3D45j

Summary by Sourcery

Inline Android signing keystore and credentials into the release workflow so release builds run without repository secret configuration.

CI:

  • Embed base64-encoded signing keystore and credentials as workflow-level environment variables, removing reliance on GitHub Secrets in the release workflow.
  • Adjust version validation and tagging log messages to Spanish and improve release logging output.
  • Tweak release notes installation instructions text in the GitHub release step.

sourcery-ai (bot) commented Apr 6, 2026

Reviewer's Guide

This PR updates the Android release GitHub Actions workflow to embed the signing keystore and credentials directly as workflow environment variables and makes minor logging/message adjustments (mostly to Spanish), so releases can be built without configuring GitHub Secrets.

File-Level Changes

Change: Embed release keystore and signing credentials directly into the workflow as environment variables instead of using GitHub Secrets. File: .github/workflows/release.yml
  • Add a top-level env block with base64-encoded keystore content and signing credentials (KEYSTORE_B64, KEY_ALIAS, KEY_PASSWORD, STORE_PASSWORD).
  • Update the keystore decoding step to read from the KEYSTORE_B64 env var and write release.jks into the workspace.
  • Remove usage of secrets-based signing variables from the Gradle build step and rely on the env-defined values instead.

Change: Adjust workflow logging and messages (Spanish localization and clarity improvements). File: .github/workflows/release.yml
  • Change the version format validation error message to Spanish and simplify its wording.
  • Add an explicit log line announcing the version and versionCode being released.
  • Update the manual tag creation step message to Spanish when the tag already exists.
  • Slightly simplify the release notes installation instruction wording in Spanish.

gitguardian (bot) commented Apr 6, 2026

⚠️ GitGuardian has uncovered 2 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request

GitGuardian id | GitGuardian status | Secret | Commit | Filename
29665732 | Triggered | Generic Password | cbb97ce | .github/workflows/release.yml
29665732 | Triggered | Generic Password | cbb97ce | .github/workflows/release.yml
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

sourcery-ai (bot) left a review comment

Hey - I've found 1 issue, and left some high level feedback:

  • Embedding the keystore and its passwords directly in the workflow env is a severe secret exposure risk (they become part of the repo history and visible to anyone with read access); please revert to using GitHub Secrets or another secure secret store and remove/rotate this key material.
  • Defining the keystore values at the top-level env exposes them to all jobs/steps, which increases accidental leakage risk in logs or future steps; scope any sensitive values only to the specific job/step that actually needs them.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Embedding the keystore and its passwords directly in the workflow `env` is a severe secret exposure risk (they become part of the repo history and visible to anyone with read access); please revert to using GitHub Secrets or another secure secret store and remove/rotate this key material.
- Defining the keystore values at the top-level `env` exposes them to all jobs/steps, which increases accidental leakage risk in logs or future steps; scope any sensitive values only to the specific job/step that actually needs them.

## Individual Comments

### Comment 1
<location path=".github/workflows/release.yml" line_range="14-19" />
<code_context>
       - name: Build release APK
         env:
           KEYSTORE_PATH: ${{ github.workspace }}/release.jks
-          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
-          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
-          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
           VERSION_NAME: ${{ steps.version.outputs.name }}
           VERSION_CODE: ${{ steps.version.outputs.code }}
         run: ./gradlew assembleRelease --no-daemon
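Review bot: deleting the three `${{ secrets.* }}` lines from this step's `env` does not remove the step's need for STORE_PASSWORD, KEY_ALIAS and KEY_PASSWORD; per the PR description they now arrive from a workflow-level `env` block as literal values, so the Gradle step inherits plaintext signing credentials that GitHub does not mask in job logs (masking only applies to values read from the `secrets` context) and that are committed to the repository history. Keep the three removed lines as they were, reference `KEYSTORE_B64` the same way in the decode step, and leave KEYSTORE_PATH as the only non-secret value here.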
</code_context>
<issue_to_address>
**🚨 issue (security):** Avoid hardcoding keystore and passwords in the workflow; use GitHub Actions secrets instead.

Embedding the keystore and its passwords directly in the workflow makes them part of the repo history and visible to anyone with read access, and also bypasses GitHub’s secret-scanning and masking. Please move `KEYSTORE_B64`, `KEY_ALIAS`, `KEY_PASSWORD`, and `STORE_PASSWORD` back into `secrets.*` and reference them from there.
</issue_to_address>

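The weak and corrected configurations that the review comment above contrasts, and a check for the mistake it flags, as an added example that is not part of the pull request or the project: a small Python scanner (constructed here; it is not a GitGuardian or Sourcery tool) walks a GitHub Actions workflow file line by line, finds `env:` blocks, and flags any password, token or base64 key-material key whose value is a literal instead of a `${{ secrets.* }}` reference, plus any such reference defined at workflow level rather than in the step that uses it. Both workflow texts are constructed samples modelled on the PR description; the placeholder keystore and passwords are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Env keys that hold credentials and must only ever reference the secrets context.
# KEYSTORE_PATH is deliberately not matched: a path is not a secret.
SENSITIVE_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|PRIVATE_KEY|API_KEY|_B64)", re.I)
# The only acceptable value for such a key: an expression that reads the secrets context.
SECRETS_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
ENV_ENTRY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*)$")


@dataclass
class Finding:
    line: int
    key: str
    problem: str


def scan_workflow(text: str) -> List[Finding]:
    """Flag credential-looking env entries that are literals, or that sit at workflow level."""
    findings: List[Finding] = []
    body_indent: Optional[int] = None  # minimum indent of the env block we are in, else None
    top_level = False                  # was that env block the workflow-level one (indent 0)?
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if body_indent is not None and indent < body_indent:
            body_indent = None            # dedented past the block: the env: block is over
        if body_indent is None:
            if stripped == "env:":
                body_indent = indent + 1  # entries are anything indented deeper than env:
                top_level = indent == 0
            continue
        m = ENV_ENTRY.match(stripped)
        if not m or not SENSITIVE_KEY.search(m.group(1)):
            continue
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        if not SECRETS_REF.match(value):
            findings.append(Finding(lineno, key,
                "literal value: committed to git history and not masked in job logs"))
        elif top_level:
            findings.append(Finding(lineno, key,
                "workflow-level env: visible to every job and step; scope it to the step that needs it"))
    return findings


# Constructed sample modelled on the PR description: credentials inlined at workflow level.
VULNERABLE_WORKFLOW = """
name: Release
on:
  push:
    tags: ["v*"]
env:
  KEYSTORE_B64: "Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI="   # placeholder, not a real keystore
  KEY_ALIAS: release
  KEY_PASSWORD: "constructed-placeholder"
  STORE_PASSWORD: "constructed-placeholder"
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Decode keystore
        run: echo "$KEYSTORE_B64" | base64 -d > "$GITHUB_WORKSPACE/release.jks"
      - name: Build release APK
        env:
          KEYSTORE_PATH: ${{ github.workspace }}/release.jks
        run: ./gradlew assembleRelease --no-daemon
"""

# Constructed hardened sample: every credential comes from secrets.* and is scoped to its step,
# and the decoded keystore is removed from the runner whether or not the build succeeded.
HARDENED_WORKFLOW = """
name: Release
on:
  push:
    tags: ["v*"]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Decode keystore
        env:
          KEYSTORE_B64: ${{ secrets.KEYSTORE_B64 }}
        run: echo "$KEYSTORE_B64" | base64 -d > "$GITHUB_WORKSPACE/release.jks"
      - name: Build release APK
        env:
          KEYSTORE_PATH: ${{ github.workspace }}/release.jks
          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        run: ./gradlew assembleRelease --no-daemon
      - name: Remove keystore from the runner
        if: always()
        run: rm -f "$GITHUB_WORKSPACE/release.jks"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {len(scan_workflow(text))} finding(s)")
        for f in scan_workflow(text):
            print(f"  line {f.line}: {f.key}: {f.problem}")
```

Run against the vulnerable sample the scanner reports the three inlined values (KEYSTORE_B64, KEY_PASSWORD and STORE_PASSWORD) and nothing for the hardened one. The split between the two checks mirrors the two points in the review: GitHub masks only values that reach a job through the `secrets` context, so a literal in `env` is printed verbatim by anything that dumps the environment, and a `secrets.*` reference placed in the workflow-level `env` is handed to every job and step rather than to the one that signs the APK. The `if: always()` cleanup step in the hardened sample is a further precaution for self-hosted runners, where a decoded `release.jks` left in the workspace would otherwise survive the job.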

@kno kno merged commit 3dfc673 into main Apr 6, 2026
3 checks passed
@kno kno deleted the claude/apk-release-workflow-UQFht branch April 6, 2026 06:43