ci: add back snapshot workflow

.github/workflows/deploy_snapshot.yml

@@ -0,0 +1,45 @@
+name: Deploy snapshot builds
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  deploy-release-snapshot:
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+    steps:
+    - name: Setup Java 16
+      uses: actions/setup-java@d9126d7df2f1b080b603441eaf5810ced3614e78
+      with:
+        distribution: 'zulu'
+        java-version: '16'
+
+    - name: Checkout repository
+      uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
+
+    - name: Copy CI gradle.properties
+      run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties
+
+    - name: Decrypt secrets
+      run: scripts/signing-setup.sh "$ENCRYPT_KEY"
+      env:
+        ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
+
+    - name: Build release app
+      uses: burrunan/gradle-cache-action@03c71a8ba93d670980695505f48f49daf43704a6
+      with:
+        arguments: :android:assembleRelease
+
+    - name: Clean secrets
+      run: scripts/signing-cleanup.sh
+
+    - name: Deploy snapshot
+      run: scripts/deploy-snapshot.sh
+      env:
+        ACTIONS_DEPLOY_KEY: ${{ secrets.ACTIONS_DEPLOY_KEY }}
+        SSH_USERNAME: ${{ secrets.SSH_USERNAME }}
+        SERVER_ADDRESS: ${{ secrets.SERVER_ADDRESS }}
+        SERVER_DESTINATION: ${{ secrets.SERVER_DESTINATION }}
+        SSH_PORT: ${{ secrets.SSH_PORT }}

scripts/deploy-snapshot.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+export SSHDIR="$HOME/.ssh"
+export SERVER_DEPLOY_STRING="$SSH_USERNAME@$SERVER_ADDRESS:$SERVER_DESTINATION"
+mkdir -p "$SSHDIR"
+echo "$ACTIONS_DEPLOY_KEY" > "$SSHDIR/key"
+chmod 600 "$SSHDIR/key"
+mkdir -p "$GITHUB_WORKSPACE/Claw"
+cp -v ./android/build/outputs/apk/release/android-release.apk "$GITHUB_WORKSPACE/Claw/Claw.apk"
+cd "$GITHUB_WORKSPACE/Claw"
+rsync -ahvcr --omit-dir-times --progress --delete --no-o --no-g -e "ssh -i $SSHDIR/key -o StrictHostKeyChecking=no -p $SSH_PORT" . "$SERVER_DEPLOY_STRING"

scripts/encrypt-secret.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Simple script that uses OpenSSL to encrypt a provided file with a provided key, and writes the result
+# to the provided path. Yes it's very needy.
+
+INPUT_FILE="${1:-}"
+OUTPUT_FILE="${2:-}"
+ENCRYPT_KEY="${3:-}"
+
+if [[ -n "$ENCRYPT_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then
+    openssl enc -aes-256-cbc -md sha256 -pbkdf2 -e -in "${INPUT_FILE}" -out "${OUTPUT_FILE}" -k "${ENCRYPT_KEY}"
+else
+    echo "Usage: ./encrypt-secret.sh <input file> <output file> <encryption key>"
+fi

scripts/signing-cleanup.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Delete Release key
+rm -f keystore.jks
+
+# Delete signing config
+rm -f keystore.properties

scripts/signing-setup.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ENCRYPT_KEY="${1:-}"
+
+declare -A SECRETS
+SECRETS[secrets/keystore.cipher]=keystore.jks
+SECRETS[secrets/props.cipher]=keystore.properties
+
+if [[ -n "$ENCRYPT_KEY" ]]; then
+    for src in "${!SECRETS[@]}"; do
+      openssl enc -aes-256-cbc -md sha256 -pbkdf2 -d -in "${src}" -out "${SECRETS[${src}]}" -k "${ENCRYPT_KEY}"
+    done
+else
+    echo "Usage: ./signing-setup.sh <encryption key>"
+fi