docs: Add internal docs

docs/revanced-internals/Generals/Infrastructure/bulletin.md

@@ -0,0 +1,103 @@
+---
+title: 🏗️ Infrastructure Bulletin
+description: Track changes through the ReVanced Infrastructure Bulletin
+hide_table_of_contents: false
+---
+
+# 🏗️ Infrastructure Bulletin
+
+## Change `10072025-TESTING` (Testing only)
+
+  - Merge Dependabot dependency update into one
+
+    ```yml
+    version: 2
+    multi-ecosystem-groups:
+      dependency: # (A) Can be named any
+        schedule:
+          interval: "weekly"
+          target-branch: dev
+
+    updates:
+      - package-ecosystem: "github-actions"
+        directory: "/"
+        multi-ecosystem-group: "infrastructure" # Set this to (A)
+        patterns: # You must have patterns or else dependabot will fail to work
+          - "*"
+    ```
+
+## Change `01072025` (Production ready)
+
+  - Remove fetch-depth from checkout action
+
+    ```diff
+    steps:
+      # Checkout action
+      - name: Checkout
+        uses: actions/checkout@v4
+    -   with:
+    -     fetch-depth: 0
+    ```
+
+## Change `10062025` (Production ready)
+
+  - Use semantic release actions instead of script
+
+    ```diff
+    # see: https://github.com/cycjimmy/semantic-release-action
+    - - name: Release
+    -   run: npx semantic-release
+    + - name: Release
+    +   uses: cycjimmy/semantic-release-action@v4
+    +   id: release
+    +   env:
+    +     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    ```
+
+- Remove revanced-bot repository access token
+  - Use ${{ secrets.GITHUB_TOKEN }} with `contents: write` permission instead
+
+## Change `01052025` (Production ready)
+
+- Specify `subject-name` on attestation action with the format of `ReVanced <name> <git-tag/version>`
+
+    ```diff
+    - name: Attest
+      uses: actions/attest-build-provenance@v2
+      with:
+    +   subject-name: 'ReVanced Foobar ${{ steps.release.outputs.new_release_git_tag }}'
+        subject-path: revanced-foobar-*.apk # Standard globs allowed only
+    ```
+
+## Change `01012025` (Production ready)
+
+  - (Gradle-specific) Automatically update Gradle wrapper with CI
+    - See [update_gradle_wrapper.yml](/Generals/Infrastructure/github/ci_template/gradle-specific/update_gradle_wrapper.yml)
+
+## Change `01122024` (Production ready)
+
+  - (Gradle-specific) Add Gradle cache action to CI
+
+    ```diff
+    # see: https://github.com/burrunan/gradle-cache-action
+    + - name: Cache Gradle
+    +   uses: burrunan/gradle-cache-action@v3
+    ```
+
+## Change `01112024` (Production ready)
+
+  - Add attestation action to CI
+
+    ```diff
+    + permissions:
+    +   id-token: write
+    +   attestations: write
+    # see: https://github.com/actions/attest-build-provenance
+    + - name: Attest
+    +   uses: actions/attest-build-provenance@v2
+    +   with:
+    +     subject-path: revanced-foobar-*.apk # Standard globs allowed only
+    ```
+
+  - Remove revanced-bot repository access token
+    - Use ${{ secrets.GITHUB_TOKEN }} with `contents: write` permission instead

docs/revanced-internals/Generals/Infrastructure/github/attestation.md

@@ -0,0 +1,27 @@
+---
+title: 🪪 Securing build binaries
+description: Improving attestability, transparency and security of the build binary.
+hide_table_of_contents: false
+---
+
+# 🪪 Attestation
+
+Starting in 2025, ReVanced now required all repository to offered GitHub Attestation which provide SLSA v1.0 L2 by default
+
+To implement it, you need to add https://github.com/actions/attest-build-provenance
+
+## How to verify prebuilt library
+
+Requirements
+  - Have the latest version of GitHub CLI installed on your computer
+
+Verify the library by atttesting the file using this command:
+
+```bash
+gh at verify {prebuilt location} --owner ReVanced
+```
+
+> ⚡ **DANGER**
+> If you use libraries from 3rd party (not ReVanced), replace the owner parametre to their user/organisation.
+> **Make sure that you trust them first**, then update the ownership in the documentation to let everyone know
+> that ownership is changed. (Optional)

docs/revanced-internals/Generals/Infrastructure/github/ci_secrets_registry.md

@@ -0,0 +1,47 @@
+---
+title: 🏗️ Infrastructure Variable / Secrets (GitHub)
+description: ReVanced Infrastructure's variable and secrets configuration (GitHub)
+hide_table_of_contents: false
+---
+
+# 🏗️ Infra variable / secrets
+
+Like with every organisation, variables, secrets are part of the
+CI infra system. Here's an list to find.
+
+* DMCA Guild: ${{ vars.RV_DMCA_GUID }}
+* Google Tag Manager ID: ${{ vars.RV_GOOGLE_TAG_MANAGER_ID }}
+* ReVanced API: ${{ vars.RV_API_URL }}
+* Cloudflare Account: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+* Cloudflare API Token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+* Crowdin Project ID: ${{ secrets.CROWDIN_PROJECT_ID }}
+* Crowdin Token ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+* GPG Private Key: ${{ secrets.GPG_PRIVATE_KEY }}
+* GPG Password: ${{ secrets.GPG_PASSPHRASE }}
+* GPG Fingerprint: ${{ vars.GPG_FINGERPRINT }}
+* Discord Bot Portainer webhook: ${{ secrets.DISCORD_BOT_PORTAINER_WEBHOOK_URL }}
+* Websocket API Portainer webhook: ${{ secrets.WEBSOCKET_API_PORTAINER_WEBHOOK_URL }}
+* GitHub Registry Container deletion permission: ${{ secrets.DELETE_PACKAGES_TOKEN }}
+* Keystore binary data: ${{ secrets.KEYSTORE }}
+* Keystore Password: ${{ secrets.KEYSTORE_PASSWORD }}
+* Keystore Entry Alias: ${{ secrets.KEYSTORE_ENTRY_ALIAS }}
+* Keystore Entry Password: ${{ secrets.KEYSTORE_ENTRY_PASSWORD }}
+* ReVanced Documentation push permission: ${{ secrets.DOCUMENTATION_REPO_ACCESS_TOKEN  }}
+
+## Deprecation/Discouraged
+
+* Repository Push permission: ${{ secrets.REPOSITORY_PUSH_ACCESS }}
+
+## Removed
+
+* ReVanced Manager Extra Environment Configuration (Sentry.io Data Source Name aka. Logging, and OTA Crowdin Translation Delivery): ${{ secrets.SECRETS }}
+
+## Migration
+
+* ${{ secrets.SIGNING_KEY_PASSWORD }} -> ${{ secrets.KEYSTORE_ENTRY_PASSWORD }}
+* ${{ secrets.SIGNING_KEY_ALIAS }} -> ${{ secrets.KEYSTORE_ENTRY_ALIAS }}
+* ${{ secrets.SIGNING_KEYSTORE_PASSWORD }} -> ${{ secrets.KEYSTORE_PASSWORD }}
+* ${{ secrets.SIGNING_KEYSTORE }} -> ${{ secrets.KEYSTORE }}
+
+* ${{ secrets.SECRETS }} -> Removed
+* ${{ secrets.REPOSITORY_PUSH_ACCESS }} -> ${{ secrets.GITHUB_TOKEN }} with `contents: write` permission

docs/revanced-internals/Generals/Infrastructure/github/ci_template/gradle-specific/release.yml

@@ -0,0 +1,60 @@
+name: Release
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - dev
+
+jobs:
+  release:
+    name: Release
+    permissions:
+      contents: write
+      attestations: write
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+
+      - name: Cache Gradle
+        uses: burrunan/gradle-cache-action@v3
+
+      - name: Build
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./gradlew assembleRelease  # TODO: Change this to the correct task for your project
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Release
+        uses: cycjimmy/semantic-release-action@v4
+        id: release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Attest
+        if: steps.release.outputs.new_release_published == 'true'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: 'ReVanced {repository name} ${{ steps.release.outputs.new_release_git_tag }}' 
+          # TODO: Change this to the correct repository name for your project
+          subject-path: changeme
+          # TODO: Change this to the correct path for your project

docs/revanced-internals/Generals/Infrastructure/github/ci_template/gradle-specific/update_gradle_wrapper.yml

@@ -0,0 +1,18 @@
+name: Update Gradle wrapper
+
+on:
+  schedule:
+    - cron: 0 0 1 * *
+  workflow_dispatch:
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Update Gradle Wrapper
+        uses: gradle-update/update-gradle-wrapper-action@v1
+        with:
+          target-branch: dev

docs/revanced-internals/Generals/Infrastructure/github/ci_template/open_pull_request.yml

@@ -0,0 +1,26 @@
+name: Open a PR to main
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  MESSAGE: Merge branch `${{ github.head_ref || github.ref_name }}` to `main`
+
+jobs:
+  pull-request:
+    name: Open pull request
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Open pull request
+        uses: repo-sync/pull-request@v2
+        with:
+          destination_branch: 'main'
+          pr_title: 'chore: ${{ env.MESSAGE }}'
+          pr_body: 'This pull request will ${{ env.MESSAGE }}.'
+          pr_draft: true

docs/revanced-internals/Generals/Infrastructure/github/ci_template/semantic-release/blank_release.yml

@@ -0,0 +1,44 @@
+name: Release
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - dev
+
+jobs:
+  release:
+    name: Release
+    permissions:
+      contents: write
+      attestations: write
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Release
+        uses: cycjimmy/semantic-release-action@v4
+        id: release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Attest
+        if: steps.release.outputs.new_release_published == 'true'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: 'ReVanced {repository name} ${{ steps.release.outputs.new_release_git_tag }}' 
+          # TODO: Change this to the correct repository name for your project
+          subject-path: changeme
+          # TODO: Change this to the correct path for your project