Triggers on git tags. Runs CI sanity (lint+test+assembleDebug), then
in build-and-deploy job: writes version from tag into app/build.gradle.kts
(versionCode = MAJOR*10000 + MINOR*100 + PATCH, HouseHoldKeaper
convention), drops keystore + key.properties from secrets, runs
assembleRelease, pulls existing F-Droid repo from Hetzner, drops the
new APK + metadata, regenerates index with 'fdroid update -c', and
SCPs the whole tree back to Hetzner.
Required secrets: KEYSTORE_BASE64, KEY_PASSWORD, KEY_ALIAS,
HETZNER_HOST, HETZNER_USER, HETZNER_PASS. Configure these in Gitea
repo settings before pushing the first tag.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

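Added example, not part of either commit or of the repository's workflow: one way to validate a tag before its value is written into app/build.gradle.kts, using the versionCode convention from the message above. The tag format (v1.2.3 or 1.2.3), the function name tag_to_version and the five-digit cap per component are assumptions.

```shell
#!/bin/sh
# Added example (not from the repository). Assumption: release tags look like
# v1.2.3 or 1.2.3; the commit message does not state the tag format.

# tag_to_version TAG
# Prints "<versionName> <versionCode>" on success, returns non-zero on reject.
# POSIX sh has no 'local', so the variables below are plain globals.
tag_to_version() {
    raw=$1
    tag=${raw#refs/tags/}
    tag=${tag#v}
    # Digits and dots only: the value ends up in a Kotlin build script, so
    # quotes, '$', spaces and newlines must never get through. Four or more
    # components (or a leading/trailing dot) are refused as well.
    case $tag in
        ''|*[!0-9.]*|*.*.*.*) printf 'rejected tag: %s\n' "$raw" >&2; return 1 ;;
        *.*.*) ;;
        *) printf 'rejected tag: %s\n' "$raw" >&2; return 1 ;;
    esac
    major=${tag%%.*}; rest=${tag#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    for part in "$major" "$minor" "$patch"; do
        case $part in
            # empty, leading zero (shell arithmetic reads it as octal),
            # or more than five digits (assumed cap, keeps the sum small)
            ''|0?*|??????*) printf 'rejected tag: %s\n' "$raw" >&2; return 1 ;;
        esac
    done
    # MINOR or PATCH above 99 collides with a later version under this
    # convention: 1.0.100 and 1.1.0 would both give 10100.
    if [ "$minor" -gt 99 ] || [ "$patch" -gt 99 ]; then
        printf 'rejected tag: %s (MINOR/PATCH must be <= 99)\n' "$raw" >&2
        return 1
    fi
    echo "$tag $(($major * 10000 + $minor * 100 + $patch))"
}

# Constructed sample tags, for illustration only.
for t in v1.2.3 refs/tags/v0.9.12 1.0.100 'v1.2.3"; x'; do
    tag_to_version "$t" || echo "(not released)"
done
```

Calling this before the step that edits build.gradle.kts, and failing the job on a non-zero return, keeps a malformed tag from reaching the release build.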
Runs on every push to any branch (tags excluded) and on pull requests.
Installs JDK 17 + Android SDK 36 + 37.0-preview (needed because the
Material 3 Expressive alpha transitively requires compileSdk 37).
Gradle dependency cache keyed on libs.versions.toml. Trivy scan runs
with continue-on-error like HouseHoldKeaper - we report findings but
don't block.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>