From f990af1cb04b4f4a9bdad06f714942d1901f7fb1 Mon Sep 17 00:00:00 2001
From: Jean-Luc Makiola <business@jeanlucmakiola.de>
Date: Mon, 15 Jun 2026 21:13:43 +0200
Subject: [PATCH] ci(release): make workflow_dispatch a key-rotation / re-sign
 path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The release job assumed the ref is a version tag (Set version from git tag →
versionCode). A manual workflow_dispatch from a branch yielded versionCode 0
and Gradle aborted assembleRelease before the F-Droid steps ran.

Gate the tag-only steps (version, app keystore, assembleRelease, copy APK)
on refs/tags/*. On a manual dispatch the job now skips the APK build and just
re-signs the existing index with the configured repo key and re-uploads —
exactly what a repo-key rotation or recovery needs, no new release required.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/release.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
index 89173f9..bcdb668 100644
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -121,7 +121,12 @@ jobs:
             $SUDO apk add --no-cache jq
           fi
 
+      # Tag-only build steps. On a manual workflow_dispatch (ref = a branch,
+      # not a tag) these are skipped: the job then just re-signs the existing
+      # index with the configured repo key and re-uploads — used for key
+      # rotation / repo recovery without publishing a new APK.
       - name: Set version from git tag
+        if: startsWith(github.ref, 'refs/tags/')
         run: |
           set -e
           RAW_TAG="${GITHUB_REF_NAME:-${GITHUB_REF##*/}}"
@@ -137,6 +142,7 @@ jobs:
           grep -E 'versionName|versionCode' app/build.gradle.kts
 
       - name: Setup Android Keystore
+        if: startsWith(github.ref, 'refs/tags/')
         env:
           KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
           KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
@@ -155,6 +161,7 @@ jobs:
         run: chmod +x ./gradlew
 
       - name: Build release APK
+        if: startsWith(github.ref, 'refs/tags/')
         run: ./gradlew assembleRelease
 
       - name: Setup F-Droid Server Tools
@@ -206,6 +213,7 @@ jobs:
           mkdir -p fdroid/repo/icons
 
       - name: Copy new APK to repo
+        if: startsWith(github.ref, 'refs/tags/')
         run: |
           set -e
           mkdir -p fdroid/repo