name: Verify reproducible build on: workflow_dispatch: inputs: releaseTag: description: Tag of the release to download required: true release: types: [ published ] permissions: contents: write jobs: build: uses: ./.github/workflows/build.yml verify: needs: [ build ] runs-on: ubuntu-latest steps: - name: Install dependencies run: sudo apt-get update && sudo apt-get install apksigner python3-click apksigcopier -y - name: Download build artifact uses: actions/download-artifact@v4 with: name: app-unsigned - run: mv *.apk unsigned.apk - name: Set asset URL id: set_asset_url run: | if [ "${{ github.event_name }}" = "release" ]; then echo "release_tag=${{ github.event.release.tag_name }}" >> "$GITHUB_ENV" else echo "release_tag=${{ github.event.inputs.releaseTag }}" >> "$GITHUB_ENV" fi - name: Download release asset run: | gh release download "$release_tag" --pattern "*.apk" --output upstream.apk --repo "$REPO" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} REPO: ${{ github.repository }} - name: Compare APKs run: apksigcopier compare upstream.apk --unsigned unsigned.apk && echo OK