Sulkta-OSS/straw
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
straw/ci/Dockerfile
Cobb 457166e3b0
All checks were successful
build-apk / build-and-publish (push) Successful in 7m29s
Details
gitleaks / scan (push) Successful in 42s
Details
vc=88: deferred-hygiene sweep (audit #2 leftovers, no behavior change) 
M-2: route every SharedPreferences write (Settings/History/Subs/Resume) through
one PrefsWriter — a per-store single-thread dispatcher — so the on-disk apply()
order matches the in-memory CAS order. Previously a Main-thread toggle and an
IO-thread import could land apply() out of order, and ResumePositions detached
ordering entirely via a fresh globalScope.launch per write; a stale value could
then win the next cold-start load. Each write reads the live StateFlow so disk
converges to the latest in-memory state regardless of enqueue order.

L-14: Settings storage-usage sampling (File.length() x4 + Coil diskCache.size)
moved off the composition/Main thread into a LaunchedEffect on Dispatchers.IO.

L-2 / L-4..L-8 / L-15 / L-16: dead code + stale comments from the vc=85 SB/RYD
to Rust migration. Http.kt trimmed to STRAW_USER_AGENT; reconciled the
network_security_config / feed.rs / SubscriptionFeedViewModel / net.rs / CI
comments with reality; recencyScore overflow-guarded; ci/Dockerfile now
pre-installs build-tools 36 (AGP 9.2.1's actual floor, was auto-fetched).

Verified: headless compileDebugKotlin green on the straw-build image.
2026-06-21 20:03:45 -07:00

70 lines
3.6 KiB
Docker
Raw Blame History

# Sulkta straw-build — reproducible Android + Rust build image for the Straw APK.
#
# Pushed to git.sulkta.com/sulkta-infra/straw-build:latest and used as the job
# `container:` in .forgejo/workflows/build.yml. It bakes the toolchain that
# otherwise lives only in bind-mounts on the long-running crafting-table, so a
# FRESH Forgejo CI job container is fully self-contained (no host /caches
# dependency, no per-machine signing key).
#
# Toolchain pinned to exactly what builds successfully:
# JDK 21 · NDK 27.2.12479018 · build-tools 34.0.0 + 36.0.0 · platforms android-36
# Rust stable + 4 Android targets · cargo-ndk · clang/libclang (rquickjs bindgen)
# AGP 9.2.1 (compileSdk 36) requires build-tools 36; we pre-install it so the build
# doesn't sdkmanager-download it on every run (older images shipped only 34.0.0 and
# AGP auto-fetched 36 at build time — works, but a per-build network dependency).
# 34.0.0 is kept for belt-and-suspenders; apksigner uses the highest present (36).
FROM eclipse-temurin:21-jdk-jammy
ENV DEBIAN_FRONTEND=noninteractive \
ANDROID_SDK_ROOT=/opt/android-sdk \
ANDROID_HOME=/opt/android-sdk \
ANDROID_NDK_HOME=/opt/android-sdk/ndk/27.2.12479018 \
CARGO_HOME=/opt/cargo \
RUSTUP_HOME=/opt/rustup \
PATH=/opt/cargo/bin:/opt/android-sdk/cmdline-tools/latest/bin:/opt/android-sdk/platform-tools:/usr/bin:/bin
# Base OS deps: clang/libclang for rquickjs bindgen, a C toolchain for the
# QuickJS C sources, unzip for the SDK zips, git+ca-certs for checkout.
RUN apt-get update && apt-get install -y --no-install-recommends \
git curl unzip ca-certificates clang libclang-dev build-essential pkg-config \
&& rm -rf /var/lib/apt/lists/*
# Android cmdline-tools + the SDK packages the build needs.
ARG CMDLINE_TOOLS_ZIP=commandlinetools-linux-11076708_latest.zip
RUN mkdir -p "$ANDROID_SDK_ROOT/cmdline-tools" \
&& curl -fsSL -o /tmp/cmdtools.zip "https://dl.google.com/android/repository/${CMDLINE_TOOLS_ZIP}" \
&& unzip -q /tmp/cmdtools.zip -d "$ANDROID_SDK_ROOT/cmdline-tools" \
&& mv "$ANDROID_SDK_ROOT/cmdline-tools/cmdline-tools" "$ANDROID_SDK_ROOT/cmdline-tools/latest" \
&& rm /tmp/cmdtools.zip \
&& yes | sdkmanager --licenses >/dev/null 2>&1 \
&& sdkmanager --install \
"platform-tools" \
"platforms;android-36" \
"build-tools;34.0.0" \
"build-tools;36.0.0" \
"ndk;27.2.12479018" >/dev/null \
&& rm -rf "$ANDROID_SDK_ROOT/.temp" /tmp/*
# Rust toolchain + the four Android targets + cargo-ndk.
RUN curl -fsSL https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal \
&& rustup target add \
aarch64-linux-android armv7-linux-androideabi i686-linux-android x86_64-linux-android \
&& cargo install cargo-ndk --locked \
&& rm -rf /opt/cargo/registry/cache /opt/cargo/registry/src
# Sanity: fail the image build early if anything's missing.
RUN java -version && cargo --version && cargo ndk --version || true \
&& test -d "$ANDROID_NDK_HOME" \
&& test -d "$ANDROID_SDK_ROOT/build-tools/34.0.0" \
&& test -d "$ANDROID_SDK_ROOT/build-tools/36.0.0"
# Publish tooling (appended last so the heavy toolchain layers stay cached):
# docker CLI to talk to the runner's host socket for the fdroid steps, and
# openssh-client to stream the signed repo to Rackham. The build steps don't
# touch the socket; only the gated publish step does.
RUN apt-get update && apt-get install -y --no-install-recommends \
docker.io openssh-client \
&& rm -rf /var/lib/apt/lists/*
# The signing keystore is NOT baked — it's injected per-build from the Forgejo
# secret STRAW_SIGNING_KEYSTORE_B64 → STRAW_KEYSTORE_FILE.
Reference in a new issue View git blame Copy permalink