ci(apk): arm64-only, tag-triggered, persistent /wisp.apk via host mount

- android.Dockerfile: build arm64-v8a only (--max-workers=2) → ~48MB APK, ~4x
  less compile (the 4-ABI build timed out on the shared prod runner).
- ci.yml: build-apk runs only on version tags (v*), timeout 120m — normal pushes
  no longer peg the box; web still auto-deploys on every master push.
- wisp.compose.yml: mount /srv/wisp/wisp.apk read-only so the download survives
  web container rebuilds.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-06-14 13:54:38 +02:00
parent 7a1e6b06c1
commit 30dd2d5b75
3 changed files with 20 additions and 5 deletions
+11 -4
View File
@@ -20,6 +20,7 @@ name: CI
on:
push:
branches: [master]
tags: ['v*']
pull_request:
concurrency:
@@ -71,9 +72,13 @@ jobs:
# with docker create/cp and copy it into the running `wisp` web container so
# it is downloadable at https://wisp.briggen.dev/wisp.apk.
build-apk:
needs: [test, deploy-web]
if: github.event_name == 'push' && github.ref == 'refs/heads/master'
# ONLY on version tags (v*). The native build is heavy (NDK/whisper.cpp) and
# slow on the shared prod runner; building it on every push would peg the box
# (and degrade the live web apps). Cut a release with: git tag v1.2.3 && git push --tags
needs: [test]
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
timeout-minutes: 120
steps:
- uses: actions/checkout@v4
- name: Stage signing secrets as files
@@ -92,13 +97,15 @@ jobs:
--secret id=ks_alias,src="$RUNNER_TEMP/sec/ks_alias" \
--secret id=ks_keypass,src="$RUNNER_TEMP/sec/ks_keypass" \
-f docker/android.Dockerfile -t wisp-android:ci --load .
- name: Extract + publish APK to /wisp.apk
- name: Extract APK + publish to the host (served at /wisp.apk via the compose volume)
run: |
cid=$(docker create wisp-android:ci)
docker cp "$cid:/workspace/android/app/build/outputs/apk/release/app-release.apk" ./app-release.apk
docker rm "$cid"
ls -lh app-release.apk
docker cp ./app-release.apk wisp:/usr/share/nginx/html/wisp.apk
# Stream the APK into a host-mounted dir so it survives web container
# recreation (the wisp container mounts /srv/wisp/wisp.apk read-only).
docker run --rm -i -v /srv/wisp:/out alpine:3 sh -c 'mkdir -p /out && cat > /out/wisp.apk' < ./app-release.apk
- name: Cleanup staged secrets
if: always()
run: rm -rf "$RUNNER_TEMP/sec"
+6
View File
@@ -27,6 +27,12 @@ services:
- "traefik.http.routers.wisp.entrypoints=websecure"
- "traefik.http.routers.wisp.tls.certresolver=letsencrypt"
- "traefik.http.services.wisp.loadbalancer.server.port=8080"
# The downloadable Android APK, published to the host by the build-apk CI job
# (or a local build). Mounted read-only so it survives web container rebuilds.
# NOTE: /srv/wisp/wisp.apk must exist on the host before `up` (else Docker
# creates a directory there). The publish step creates it.
volumes:
- /srv/wisp/wisp.apk:/usr/share/nginx/html/wisp.apk:ro
networks:
- proxy
+3 -1
View File
@@ -97,7 +97,9 @@ RUN --mount=type=secret,id=ks_b64 \
ANDROID_KEY_PASSWORD="$(cat /run/secrets/ks_keypass)" \
bash scripts/ci-android-sign.sh \
&& cd android \
&& ./gradlew assembleRelease --no-daemon -x lint --stacktrace
&& ./gradlew assembleRelease \
-PreactNativeArchitectures=arm64-v8a \
--no-daemon --max-workers=2 -x lint --stacktrace
# The signed APK (handy for `docker create` + `docker cp` extraction in CI).
# /workspace/android/app/build/outputs/apk/release/app-release.apk