Require git provenance for Android Argus staging
This commit is contained in:
@@ -18,6 +18,7 @@
|
||||
## Release Checklist
|
||||
|
||||
1. Build the stable APK with the same release key material through `QSFERA_RELEASE_KEYSTORE`, `QSFERA_RELEASE_KEYSTORE_PASSWORD`, `QSFERA_RELEASE_KEY_ALIAS`, and `QSFERA_RELEASE_KEY_PASSWORD`.
|
||||
2. Verify the APK certificate before upload with `apksigner verify --print-certs`.
|
||||
3. Publish to Argus only after certificate, package name, version code, and SHA-256 checks pass.
|
||||
4. Verify the published manifest and download with `scripts/verify-production-state.ps1 -VerifyAndroidDownload` from the repository root.
|
||||
2. Prepare Argus publication only from a clean release branch whose `HEAD` matches its upstream; `Android/scripts/prepare-argus-publication.ps1` enforces this by default and records repository root, branch, upstream, commit, and verification time in `argus-publication.json`. When the Android checkout is used from the pushed `QSfera.git` monorepo, run it from `Android/` with `-GitProvenanceRoot ..`.
|
||||
3. Verify the APK certificate before upload with `apksigner verify --print-certs`.
|
||||
4. Publish to Argus only after certificate, package name, version code, SHA-256, and git provenance checks pass.
|
||||
5. Verify the published manifest and download with `scripts/verify-production-state.ps1 -VerifyAndroidDownload` from the repository root.
|
||||
|
||||
Reference in New Issue
Block a user