fedora-infra / mobile

An Android app that allows the Fedora community to interact with Fedora's web apps on the go.
https://fedoraproject.org/mobile

Auto-publish beta builds to Google Play #41

Open relrod opened 9 years ago

relrod commented 9 years ago

We can nuke our hackish Jenkins auto update code from Mobile if we take advantage of Google Play's API to publish APKs from Jenkins itself, on a successful build. We can use the alpha/beta features of the Play Store for this, and we can use something like https://github.com/DavidHamm/google-play-publisher for this, probably.

This also eliminates the issue of "Oh crap, the app is totally broken and now the user has no way to update past the broken app" since the update will be managed outside of the app.

ralphbean commented 9 years ago

:+1:, this would be cool to have.

Presumably Google Play needs some kind of secret credential from us to publish new APKs... but we can keep that encrypted inside Jenkins, no?

relrod commented 9 years ago

Yeah, I'm not 100% sure how the play publisher plugin above works (the Jenkins wiki seems down right now, too). There are some similar plugins, as well, so we can pick one (or make one, if we have to) that works how we need it to. But I suspect you just give it a key+secret in the application settings (which are only available to Jenkins admins, hopefully), and it automates things from there.

Need to research it a bit more though.

relrod commented 9 years ago

Both of the plugins I've found for doing this seem actively maintained and pretty comparable in features. But neither of them is published in the Jenkins plugins repo, so to use either, we'll have to build it ourselves and throw it somewhere and use that instead. Both of the plugins use the Google API via OAuth.

For now (once the plugin is installed), I'll add Fedora Mobile to my Google Apps account to figure out the process. We can re-create it on the Red Hat account or whatever later on once we know the process, if we want to. Before 1.0, we'll probably want to do this.

I'll look at trying to install one of these probably tomorrow sometime.

relrod commented 9 years ago

Ok, so I dug into this quite a bit. The first plugin I tried kept throwing an NPE, so I gave up and moved on to another one.

There's something of an issue though. To upload an APK to the Play Store (even as an Alpha), the APK needs to be signed. I'm not sure if you can sign alpha, beta, and production with different keys, but either way my concern remains. First off, the workspace is public so that Fedora Mobile's built-in auto-update hack can pull the APK directly from it. So we can't store the key credentials anywhere in there. But we also can't store them anywhere on the build box because another project's admin could put "cat /path/to/the/key/info" in their build script and get the key info. IMO, even for alpha/git releases, the release key needs to be kept very secure - this is especially true if we can only use one key for all of the alpha/beta/production tracks.

I think the solution here is that we either need to build this on a dedicated Jenkins slave that is only able to be used for this one project, or I could alternatively just have a script pull and build the latest code every night and publish the APK to alpha nightly. This could be on a restricted-access cloud box or something. It wouldn't need to be very powerful; it could just download the APK from Jenkins, sign it, bump the versionCode (and store it somewhere so it knows what to bump it to next time), and upload it using Google's API. I think this is probably the way to approach this. If we really want this to happen on every commit, we could expose a simple web endpoint that Jenkins can ping to trigger the sign + publish process. Otherwise, just make it be a nightly thing.
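The "restricted box pulls, builds, signs, bumps versionCode and uploads" variant from the last comment, written out as a POSIX shell script. This is an added example, not code from fedora-infra/mobile or from either Jenkins plugin mentioned above. It assumes a Gradle build that accepts an assumed `-PversionCode=N` property (the versionCode is compiled into the manifest, so the counter is injected at build time rather than patched into a finished APK), `apksigner` from the Android SDK build-tools, `curl`, and an OAuth 2.0 access token for the Google Play Developer API v3 supplied out of band in `PLAY_TOKEN`. The package name, key alias, keystore path and Gradle output path are placeholders. The permission check is the defensive piece the thread is worried about: a dedicated box only protects the key if the file modes on it hold too.

```shell
#!/bin/sh
# Nightly alpha publisher sketched from the steps in this thread.
# Constructed example, not code from fedora-infra/mobile. Assumptions:
#   - the tree is built with Gradle and accepts -PversionCode=N (assumed property)
#   - apksigner (Android SDK build-tools) is on PATH
#   - the release keystore at $KEYSTORE is readable only by this user
#   - $PLAY_TOKEN holds an OAuth 2.0 access token for the Play Developer API,
#     obtained out of band (e.g. from a service account), never from the workspace
set -eu

STATE_FILE="${STATE_FILE:-${HOME:-.}/.fedora-mobile-versioncode}"  # last versionCode used
KEYSTORE="${KEYSTORE:-${HOME:-.}/keys/release.jks}"               # placeholder path
KEY_ALIAS="${KEY_ALIAS:-fedora-mobile}"                            # placeholder alias
PACKAGE="${PACKAGE:-org.example.fedoramobile}"                     # placeholder package name
REPO="${REPO:-https://github.com/fedora-infra/mobile.git}"
API="https://androidpublisher.googleapis.com/androidpublisher/v3/applications/$PACKAGE"
UPLOAD_API="https://androidpublisher.googleapis.com/upload/androidpublisher/v3/applications/$PACKAGE"

# Refuse to run if the keystore is readable by anyone but its owner. A box
# dedicated to this job only helps if the file modes hold too; this is the
# "cat /path/to/the/key" exposure described in the thread.
check_key_perms() {
    f="$1"
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD stat
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$f has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Read the last versionCode from the state file, add one, persist it and print
# the new value. Play rejects an APK whose versionCode is not greater than what
# is already on the track, so the counter has to survive between nightly runs.
next_version_code() {
    state="$1"
    last=0
    [ -f "$state" ] && last=$(cat "$state")
    next=$((last + 1))
    printf '%s\n' "$next" > "$state"
    printf '%s\n' "$next"
}

# versionCode lives in the compiled manifest, so it is passed to the build
# rather than edited into a finished APK.
build_apk() {
    vc="$1"; out="$2"
    rm -rf src && git clone --depth 1 "$REPO" src
    (cd src && ./gradlew --quiet assembleRelease -PversionCode="$vc")
    cp src/app/build/outputs/apk/release/app-release-unsigned.apk "$out"  # assumed output path
}

# Sign with the release key and verify the result before anything is uploaded.
# The keystore password is read from the environment, not the command line.
sign_apk() {
    in="$1"; out="$2"
    apksigner sign --ks "$KEYSTORE" --ks-key-alias "$KEY_ALIAS" \
        --ks-pass env:KEYSTORE_PASS --out "$out" "$in"
    apksigner verify "$out"
}

# Play Developer API v3 edit transaction: open an edit, upload the APK,
# assign its versionCode to the alpha track, commit.
publish_alpha() {
    apk="$1"; vc="$2"
    auth="Authorization: Bearer $PLAY_TOKEN"
    edit=$(curl -sf -X POST -H "$auth" -H 'Content-Length: 0' "$API/edits" \
        | sed -n 's/.*"id": *"\([^"]*\)".*/\1/p')
    [ -n "$edit" ] || { echo "could not open a Play edit" >&2; return 1; }
    curl -sf -X POST -H "$auth" -H 'Content-Type: application/vnd.android.package-archive' \
        --data-binary "@$apk" "$UPLOAD_API/edits/$edit/apks?uploadType=media" >/dev/null
    curl -sf -X PUT -H "$auth" -H 'Content-Type: application/json' \
        -d "{\"releases\":[{\"versionCodes\":[\"$vc\"],\"status\":\"completed\"}]}" \
        "$API/edits/$edit/tracks/alpha" >/dev/null
    curl -sf -X POST -H "$auth" -H 'Content-Length: 0' "$API/edits/$edit:commit" >/dev/null
}

main() {
    check_key_perms "$KEYSTORE"
    vc=$(next_version_code "$STATE_FILE")
    build_apk "$vc" "unsigned-$vc.apk"
    sign_apk "unsigned-$vc.apk" "fedora-mobile-$vc.apk"
    publish_alpha "fedora-mobile-$vc.apk" "$vc"
}

# Only run the full pipeline when explicitly asked (RUN_PUBLISH=1 ./publish.sh),
# so the functions above can be sourced and exercised on their own.
if [ "${RUN_PUBLISH:-0}" = 1 ]; then
    main
fi
```

Run it from cron on the restricted box with `RUN_PUBLISH=1`, `KEYSTORE_PASS` and `PLAY_TOKEN` in the job's environment. Turning the nightly into a per-commit publish, as the comment suggests, only means having the Jenkins ping start this same script; the key material still never leaves the box.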