forked from JunkFood02/Seal
-
-
Notifications
You must be signed in to change notification settings - Fork 8
330 lines (281 loc) · 16.5 KB
/
android.yml
File metadata and controls
330 lines (281 loc) · 16.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
name: Build Release APK
on:
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: set up JDK 21
uses: actions/setup-java@v4
with:
java-version: '21'
distribution: 'temurin'
cache: 'gradle'
- name: Setup Android SDK
uses: android-actions/setup-android@v3.2.1
- uses: gradle/actions/setup-gradle@v4
with:
build-scan-publish: true
build-scan-terms-of-use-url: "https://gradle.com/help/legal-terms-of-use"
build-scan-terms-of-use-agree: "yes"
# --- NAYA STEP: Keystore Decode Karna ---
- name: Decode Keystore
env:
ANDROID_SIGNING_KEY: ${{ secrets.ANDROID_SIGNING_KEY }}
run: |
echo "? Decoding Key..."
echo "$ANDROID_SIGNING_KEY" | tr -d '\n\r ' | base64 --decode > "${{ github.workspace }}/Mahesh.jks"
# --- UPDATED STEP: Fast Build aur Native Signing Ek Sath ---
- name: Build and Sign Release APKs
env:
ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
ANDROID_ALIAS: ${{ secrets.ANDROID_ALIAS }}
ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
run: |
./gradlew assembleRelease --parallel --build-cache --no-daemon \
-Pandroid.injected.signing.store.file="${{ github.workspace }}/Mahesh.jks" \
-Pandroid.injected.signing.store.password="$ANDROID_KEYSTORE_PASSWORD" \
-Pandroid.injected.signing.key.alias="$ANDROID_ALIAS" \
-Pandroid.injected.signing.key.password="$ANDROID_KEY_PASSWORD"
- name: Get version name
id: version
run: |
VERSION=$(grep -A 1 'val currentVersion: Version =' buildSrc/src/main/kotlin/Version.kt | grep -oP 'versionMajor = \K\d+' | head -1).$(grep -A 1 'val currentVersion: Version =' buildSrc/src/main/kotlin/Version.kt | grep -oP 'versionMinor = \K\d+' | head -1).$(grep -A 1 'val currentVersion: Version =' buildSrc/src/main/kotlin/Version.kt | grep -oP 'versionPatch = \K\d+' | head -1)
echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
echo "Version: ${VERSION}"
- name: Read release configuration
id: release_config
run: |
SHOULD_RELEASE=$(jq -r '.release' release.json)
echo "SHOULD_RELEASE=${SHOULD_RELEASE}" >> $GITHUB_OUTPUT
echo "Release flag: ${SHOULD_RELEASE}"
if [ "${SHOULD_RELEASE}" = "true" ]; then
echo "? Release will be published"
else
echo "?? Release publishing is disabled - APKs will be uploaded as artifacts only"
fi
- name: List all APK files for debugging
run: |
echo "? All APK files in output directory:"
find app/build/outputs/apk -name "*.apk" -type f -exec ls -lh {} \;
echo ""
echo "? Directory structure:"
ls -R app/build/outputs/apk/
- name: Create Release
if: steps.release_config.outputs.SHOULD_RELEASE == 'true'
uses: softprops/action-gh-release@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: v${{ steps.version.outputs.VERSION }}
name: Seal Plus v${{ steps.version.outputs.VERSION }}
body: |
## ✨ Seal Plus v2.6.0 - Security Hardening, 20 Stability Fixes & Material3 Stable
---
### 🔒 Security Hardening
* **PBKDF2 PIN Hashing**
+ PIN-based App Lock now uses PBKDF2WithHmacSHA256 with 16-byte salt and 200,000 iterations
+ Existing PINs are automatically migrated on next unlock
* **Removed Overly Broad Storage Permission**
+ `MANAGE_EXTERNAL_STORAGE` removed — no more "All Files Access" required
* **ADB Backup Protection**
+ MMKV preferences (PIN hash, settings) excluded from ADB backups via `backup_rules.xml`
* **NotificationActionReceiver Secured**
+ `exported=false` set in manifest — blocks fake notification intent injection
* **MITM Prevention on Proxy**
+ `--no-check-certificate` disabled when proxy is active
* **Proxy Security Warning Dialog**
+ Warning shown before enabling free proxy mode
### 🛡️ Brute-Force Protection
* **30-Second Lockout on App Lock**
+ Animated 30-second countdown after 5 failed PIN attempts
### 🐛 Stability & Correctness (20 Fixes)
* Context leak fixed — Activity context no longer overwrites App.context
* All `runBlocking` calls replaced with `lifecycleScope.launch(IO)` (prevents ANRs)
* OkHttp timeouts added to UpdateUtil; singletons shared across 4 utilities
* SQLiteDatabase and Cursor properly closed with `.use{}` on all paths
* `ConcurrentHashMap` used for download maps — race conditions fixed
* 5-minute deadline added to `addToDownloadQueue` — prevents coroutine leaks
* `av01` removed from unsupported codec blacklist — AV1 downloads work again
* `filterValidFormats` parallelized with `async/awaitAll` — faster format page
* `makeKey()` uses null-char delimiter — hash collision fixed
* Error notifications use `throwable.message` instead of full stack trace
* And 10 more fixes in DatabaseUtil, DownloadUtil, HomePageViewModel, CookiesViewModel, FileUtil
### 🎨 Material3 1.3.1 Stable Migration
* **Upgraded from alpha to stable Compose BOM**
+ `SheetState`, `TooltipDefaults`, `ExposedDropdownMenu` APIs updated across 7 files
* `OkHttp`: `5.0.0-alpha.14` → `4.12.0` (stable)
* `biometric` upgraded to `1.2.0-alpha05` for better OEM compatibility
### 🏠 Home Page Sync Fix
* Deletions on VideoList page now reflect in Recent Downloads **immediately** — no restart needed
* File existence re-checked on every `ON_RESUME` — deleted files gray out instantly
### 🌐 Sponsor Data Refactor
* Richer sponsor profiles with `SocialAccount`, `SponsorEntity`, `Tier` data classes
* Thread-safe `@Volatile` + synchronized double-checked locking cache
---
### 📦 Installation
Download the appropriate APK for your device:
- **Universal APK**: Works on all devices (recommended)
- **arm64-v8a**: For 64-bit ARM devices (most modern phones)
- **armeabi-v7a**: For 32-bit ARM devices
- **x86_64**: For 64-bit x86 devices
- **x86**: For 32-bit x86 devices
### ✨ Key Features (v2.6)
- 🔒 **PBKDF2 PIN Hashing** - Industry-standard 200K-iteration secure PIN with salt
- 🛡️ **30-Second Brute-Force Lockout** - Countdown after 5 failed PIN attempts
- 🔐 **Removed MANAGE_EXTERNAL_STORAGE** - No overbroad permission required
- 💾 **ADB Backup Protection** - Sensitive MMKV data excluded from backups
- 🚫 **MITM Prevention** - SSL check re-enabled when proxy is active
- 🧹 **20 Stability Fixes** - Context leak, runBlocking, timeouts, race conditions & more
- 🎨 **Material3 1.3.1 Stable** - Migrated from alpha BOM, OkHttp stable 4.12.0
- 🏠 **Instant Home Sync** - Recent Downloads updated instantly on deletion or file removal
- 🌐 **Richer Sponsor Profiles** - Thread-safe cache with structured data
- ⏯️ **Pause/Resume downloads** with queue support
- 🌐 Download from 1000+ sites via yt-dlp
### 📜 Full Changelog
See [CHANGELOG.md](https://github.com/MaheshTechnicals/Sealplus/blob/main/CHANGELOG.md) for complete version history.
---
Built on: ${{ github.event.head_commit.timestamp }}
Commit: ${{ github.sha }}
draft: false
prerelease: false
make_latest: true
files: |
app/build/outputs/apk/generic/release/*.apk
- name: Send Telegram Notification to Channel
if: steps.release_config.outputs.SHOULD_RELEASE == 'true'
continue-on-error: true
env:
TGTOKEN: ${{ secrets.TGTOKEN }}
TGCHANNEL: ${{ secrets.TGCHANNEL }}
run: |
# Skip if Telegram credentials are not configured
if [ -z "$TGTOKEN" ] || [ -z "$TGCHANNEL" ]; then
echo "?? Telegram notification skipped (TGTOKEN or TGCHANNEL not configured)"
exit 0
fi
echo "? Sending notification to Telegram Channel: $TGCHANNEL"
# Prepare the release URL
RELEASE_URL="https://github.com/${{ github.repository }}/releases/tag/v${{ steps.version.outputs.VERSION }}"
# Create a beautiful Telegram message with HTML formatting
MESSAGE="<b>🎉 New Release Available!</b> 🚀\n\n"
MESSAGE+="━━━━━━━━━━━━━━━━━━━━━━━\n\n"
MESSAGE+="📱 <b>App Name:</b> Seal Plus\n\n"
MESSAGE+="🏷️ <b>Version:</b> v${{ steps.version.outputs.VERSION }}\n\n"
MESSAGE+="━━━━━━━━━━━━━━━━━━━━━━━\n\n"
MESSAGE+="📋 <b>Changelog (v2.6):</b>\n\n"
MESSAGE+="<b>🔒 Security Hardening</b>\n"
MESSAGE+=" ➤ PBKDF2WithHmacSHA256 PIN hashing — 200K iterations, 16-byte salt\n"
MESSAGE+=" ➤ MANAGE_EXTERNAL_STORAGE removed — no overbroad permission required\n"
MESSAGE+=" ➤ ADB backup protection — MMKV excluded via backup_rules.xml\n"
MESSAGE+=" ➤ NotificationActionReceiver exported=false — blocks fake intents\n"
MESSAGE+=" ➤ MITM prevention — SSL check re-enabled when proxy is active\n"
MESSAGE+=" ➤ Proxy security warning dialog before enabling free proxy\n\n"
MESSAGE+="<b>🛡️ Brute-Force Protection</b>\n"
MESSAGE+=" ➤ 30-second animated countdown lockout after 5 failed PIN attempts\n\n"
MESSAGE+="<b>🐛 Stability & Correctness (20 Fixes)</b>\n"
MESSAGE+=" ➤ Activity context leak fixed in MainActivity\n"
MESSAGE+=" ➤ All runBlocking calls replaced with lifecycleScope.launch(IO)\n"
MESSAGE+=" ➤ OkHttp timeouts added; singletons shared across 4 utilities\n"
MESSAGE+=" ➤ SQLiteDatabase/Cursor closed with .use{} on all paths\n"
MESSAGE+=" ➤ ConcurrentHashMap for download maps — race conditions fixed\n"
MESSAGE+=" ➤ av01 removed from unsupported codec blacklist — AV1 works again\n"
MESSAGE+=" ➤ filterValidFormats parallelized — faster format page loading\n"
MESSAGE+=" ➤ Hash collision in makeKey() fixed with null-char delimiter\n"
MESSAGE+=" ➤ Error notifications use throwable.message (not full stack trace)\n"
MESSAGE+=" ➤ 11 more fixes in DatabaseUtil, DownloadUtil, FileUtil, and more\n\n"
MESSAGE+="<b>🎨 Material3 1.3.1 Stable Migration</b>\n"
MESSAGE+=" ➤ Upgraded from alpha to stable Compose BOM\n"
MESSAGE+=" ➤ SheetState, TooltipDefaults, ExposedDropdownMenu APIs updated\n"
MESSAGE+=" ➤ OkHttp 5.0.0-alpha.14 → 4.12.0 stable\n"
MESSAGE+=" ➤ biometric upgraded to 1.2.0-alpha05 for OEM compatibility\n\n"
MESSAGE+="<b>🏠 Home Page Sync Fix</b>\n"
MESSAGE+=" ➤ Deletions reflected in Recent Downloads instantly — no restart needed\n"
MESSAGE+=" ➤ File existence re-checked on ON_RESUME — deleted files gray out live\n\n"
MESSAGE+="<b>🌐 Sponsor Data Refactor</b>\n"
MESSAGE+=" ➤ SocialAccount, SponsorEntity, Tier data classes for richer profiles\n"
MESSAGE+=" ➤ Thread-safe @Volatile + synchronized double-checked locking cache\n\n"
MESSAGE+="━━━━━━━━━━━━━━━━━━━━━━━\n\n"
MESSAGE+="✨ <b>Key Features (v2.6):</b>\n"
MESSAGE+="🔒 PBKDF2 PIN Hashing — 200K-iteration secure PIN with salt\n"
MESSAGE+="🛡️ 30-Second Brute-Force Lockout — countdown after 5 failed attempts\n"
MESSAGE+="🔐 Removed MANAGE_EXTERNAL_STORAGE — no overbroad permission\n"
MESSAGE+="💾 ADB Backup Protection — MMKV sensitive data excluded\n"
MESSAGE+="🚫 MITM Prevention — SSL check re-enabled when proxy active\n"
MESSAGE+="🧹 20 Stability Fixes — context leak, runBlocking, timeouts, races\n"
MESSAGE+="🎨 Material3 1.3.1 Stable — from alpha BOM, OkHttp 4.12.0 stable\n"
MESSAGE+="🏠 Instant Home Sync — Recent Downloads updated on deletion live\n"
MESSAGE+="🌐 Richer Sponsor Profiles — thread-safe structured data\n"
MESSAGE+="⏯️ Pause/Resume with queue\n"
MESSAGE+="🌐 1000+ sites via yt-dlp\n\n"
MESSAGE+="━━━━━━━━━━━━━━━━━━━━━━━\n\n"
MESSAGE+="📦 <b>Available APKs:</b>\n"
MESSAGE+=" ➤ Universal (All devices)\n"
MESSAGE+=" ➤ arm64-v8a (Modern phones)\n"
MESSAGE+=" ➤ armeabi-v7a (Older phones)\n"
MESSAGE+=" ➤ x86_64 / x86 (Tablets)\n\n"
MESSAGE+="━━━━━━━━━━━━━━━━━━━━━━━\n\n"
MESSAGE+="🔗 <b>Download Now:</b>\n"
MESSAGE+="<a href=\"${RELEASE_URL}\">Click here to download v${{ steps.version.outputs.VERSION }}</a>\n\n"
MESSAGE+="━━━━━━━━━━━━━━━━━━━━━━━\n\n"
MESSAGE+="💡 <b>Note:</b> v2.6 is a major security and stability release — PBKDF2 PIN hashing, MANAGE_EXTERNAL_STORAGE removed, ADB backup protection, 30-second brute-force lockout, 20 stability/correctness fixes, Material3 1.3.1 stable migration (OkHttp 4.12.0 stable), instant Recent Downloads sync, and richer sponsor profiles with thread-safe cache.\n\n"
MESSAGE+="🕐 <i>Released: $(date '+%B %d, %Y at %H:%M UTC')</i>"
# URL encode the message to avoid HTML parsing issues
MESSAGE_ENCODED=$(echo -ne "$MESSAGE" | jq -sRr @uri)
# Send ONLY to Channel
curl -s -X POST "https://api.telegram.org/bot${TGTOKEN}/sendMessage" \
-d "chat_id=${TGCHANNEL}" \
-d "text=${MESSAGE_ENCODED}" \
-d "parse_mode=HTML" \
-d "disable_web_page_preview=false" \
&& echo "? Telegram Channel notification sent successfully!" \
|| echo "? Failed to send Telegram notification"
- name: Upload Universal APK as Artifact
if: steps.release_config.outputs.SHOULD_RELEASE == 'false'
uses: actions/upload-artifact@v4
with:
name: SealPlus-${{ steps.version.outputs.VERSION }}-universal
path: app/build/outputs/apk/generic/release/*universal*.apk
if-no-files-found: warn
retention-days: 30
- name: Upload arm64-v8a APK as Artifact
if: steps.release_config.outputs.SHOULD_RELEASE == 'false'
uses: actions/upload-artifact@v4
with:
name: SealPlus-${{ steps.version.outputs.VERSION }}-arm64-v8a
path: app/build/outputs/apk/generic/release/*arm64-v8a*.apk
if-no-files-found: warn
retention-days: 30
- name: Upload armeabi-v7a APK as Artifact
if: steps.release_config.outputs.SHOULD_RELEASE == 'false'
uses: actions/upload-artifact@v4
with:
name: SealPlus-${{ steps.version.outputs.VERSION }}-armeabi-v7a
path: app/build/outputs/apk/generic/release/*armeabi-v7a*.apk
if-no-files-found: warn
retention-days: 30
- name: Upload x86_64 APK as Artifact
if: steps.release_config.outputs.SHOULD_RELEASE == 'false'
uses: actions/upload-artifact@v4
with:
name: SealPlus-${{ steps.version.outputs.VERSION }}-x86_64
path: app/build/outputs/apk/generic/release/*x86_64*.apk
if-no-files-found: warn
retention-days: 30
- name: Upload x86 APK as Artifact
if: steps.release_config.outputs.SHOULD_RELEASE == 'false'
uses: actions/upload-artifact@v4
with:
name: SealPlus-${{ steps.version.outputs.VERSION }}-x86
path: app/build/outputs/apk/generic/release/*x86*.apk
if-no-files-found: warn
retention-days: 30
- name: Upload Artifacts (Backup - Always)
if: steps.release_config.outputs.SHOULD_RELEASE == 'true'
uses: actions/upload-artifact@v4
with:
name: signed-apks-backup
path: app/build/outputs/apk/generic/release/*.apk
if-no-files-found: error
retention-days: 20