Overhaul the Firebase App Distribution internal distribution flow #146
* **refactor: Modify trigger and build logic in `firebase-app-distribution.yml`**
  * Changed the workflow trigger from the existing tag push (`push: tags`) to manual and external invocation (`workflow_dispatch`).
  * Modified it to take `tag_name` as an input parameter and to check out and build that specific tag.
  * Improved it so that the app version name (`ANDROID_VERSION_NAME`) and the tag information in the release notes are generated from the supplied `DISTRIBUTION_TAG`.
* **feat: Add distribution automation logic to `version-tag-on-merge.yml`**
  * Added a dispatch step that automatically runs the Firebase distribution workflow after tag creation completes.
  * Added the `actions: write` permission needed to run the workflow, and uses `github-script` to invoke `firebase-app-distribution.yml`.
* **build: Configure release signing (Signing Config) in the `app` module**
  * Used `gradleLocalProperties` to load the keystore information (file path, passwords, alias) defined in `local.properties`.
  * Applied the release signing config to the `release` build type.
  * Changed `isMinifyEnabled` and `isShrinkResources` to `false` for the `release` build type.
* **ci: Change the Firebase App Distribution target from Debug to Release**
  * Changed the build task in the GitHub Actions workflow from `assembleDebug` to `assembleRelease`.
  * Added a step that, before the build, decodes `ANDROID_KEYSTORE_BASE64` from GitHub Secrets to create the release keystore file (`.jks`).
  * Updated the distribution artifact path to `app-release.apk`, and adjusted the wording of the Discord notification message to match the distribution environment.
* **chore: Exclude signing-related files in `.gitignore`**
  * Added the `*.jks` and `*.keystore` patterns to `.gitignore` to prevent keystore files from leaking.
* **ci: Change the keystore path in the Firebase App Distribution workflow**
  * Changed the name of the generated keystore file from `release-keystore.jks` to `keystore.jks`.
* **build: Implement dynamic injection of the app ID and name in `build.gradle.kts`**
  * Added Providers that receive values from Gradle properties or environment variables (`APP_APPLICATION_ID`, `APP_NAME`).
  * Applied the injected value to `applicationId` in `defaultConfig`, and configured the `release` build type to generate the `app_name` resource value dynamically.
  * Defined the default values (`com.team.prezel`, `Prezel`) used when the environment variables are absent.
* **ci: Update the Firebase App Distribution workflow settings**
  * Added environment variables that set `APP_APPLICATION_ID` to `com.team.prezel.internal` and `APP_NAME` to `Prezel (Internal)` to distinguish the app used for internal test distribution.
  * Changed the Android release keystore creation path from `./app/keystore.jks` to the root directory, `./keystore.jks`.
* **build: Change the Application ID in the Firebase App Distribution workflow**
  * Changed the value of the `APP_APPLICATION_ID` environment variable from `com.team.prezel.internal` to `com.team.prezel.dev`.
* **build: Fix the file name of the generated Android release keystore**
  * Changed the name of the decoded keystore file in the GitHub Actions workflow from `keystore.jks` to `prezel.jks`.
* **ci: Remove an unnecessary push event trigger**
  * Removed the `push` trigger that had been set for the `fix/firebase-distribution` branch in the `version-tag-on-merge.yml` workflow configuration.
# Conflicts:
#	.github/workflows/firebase-app-distribution.yml
#	.github/workflows/version-tag-on-merge.yml
#	Prezel/app/build.gradle.kts
📝 Walkthrough
GitHub Actions workflows are restructured to automate Android release distribution: version tagging workflow gains permissions and logic to dispatch Firebase distribution workflow with generated tags; Firebase workflow converts from automatic tag-based to manual dispatch triggering, and Gradle build configuration is updated to support dynamic application metadata and release signing.
Changes
Release Distribution Pipeline Automation
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Actionable comments posted: 3
🧹 Nitpick comments (4)
.github/workflows/version-tag-on-merge.yml (2)
87-87: 💤 Low value
Pinning the action reference is recommended.
Using a commit hash instead of `actions/github-script@v8` reduces the risk of supply-chain attacks. (e.g. `actions/github-script@60a0d83...`)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/version-tag-on-merge.yml at line 87, Replace the floating tag for the GitHub Action usage to pin to a specific commit SHA instead of the major tag; locate the line containing "uses: actions/github-script@v8" and change it to the action pinned by its commit (e.g., "uses: actions/github-script@<commit-sha>") so the workflow references an exact commit hash to reduce supply-chain risk.
14-14: 💤 Low value
The `push` event condition does not match the current triggers.
Only the `pull_request` trigger is defined in the `on:` section, so `github.event_name == 'push'` is always false. If this is in preparation for adding a `push` trigger later, leave a comment; if the condition is unnecessary, it is better to remove it.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/version-tag-on-merge.yml at line 14, The conditional in the workflow's if expression uses github.event_name == 'push' even though the workflow only declares a pull_request trigger; update the if expression to remove the unused push check or add a comment explaining future intent. Specifically edit the line containing "if: ${{ github.event_name == 'push' || (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'develop') }}" to either (a) drop "github.event_name == 'push' ||" so the condition relies solely on the pull_request merged check, or (b) keep it but add a clarifying comment above that the push clause is intentional for future push-trigger support; ensure the final condition correctly matches the declared triggers.
.github/workflows/firebase-app-distribution.yml (1)
52-54: 💤 Low value
Consider cleaning up the keystore file.
If the workflow fails, the keystore file may be included in the workflow artifact. It is recommended to clean it up with `rm ./prezel.jks` after the build completes, or to add an `if: always()` step.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/firebase-app-distribution.yml around lines 52 - 54, The workflow step "Create Android release keystore" writes the decoded keystore to ./prezel.jks but never removes it, so failed or subsequent runs may leave the keystore in artifacts; update the job to delete ./prezel.jks after the build (e.g., run rm ./prezel.jks) or add a separate cleanup step with if: always() that removes ./prezel.jks to ensure the keystore is not persisted in workflow artifacts.
Prezel/app/build.gradle.kts (1)
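55-56: 💤 Low value
Confirm the intent of disabling minification/shrinking in the Release build.
This is fine for internal distribution, but for a future production release `isMinifyEnabled = true` and `isShrinkResources = true` are needed for APK size optimization and obfuscation. It is recommended to state the intent in a comment.
🤖 Prompt for AI Agents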
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@Prezel/app/build.gradle.kts` around lines 55 - 56, The Release build currently has isMinifyEnabled = false and isShrinkResources = false which disables code shrinking/obfuscation; either enable them for production by setting isMinifyEnabled = true and isShrinkResources = true in the release block and ensure proguard/R8 rules (e.g., consumerProguardFiles or proguard-rules.pro) are configured, or if this is intentional for internal distribution add a clear comment above the release configuration explaining the intent and that these flags should be switched to true before production release; locate the release buildType settings where isMinifyEnabled and isShrinkResources are defined to apply the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/firebase-app-distribution.yml:
- Around line 56-63: Validate and sanitize inputs.tag_name before using it in
the "Prepare version metadata" step: check that DISTRIBUTION_TAG (from
inputs.tag_name) matches a strict semver tag regex like
^v[0-9]+\.[0-9]+\.[0-9]+$ and if it doesn't, fail the job (exit non-zero) or set
a safe fallback; only then export ANDROID_VERSION_NAME=${DISTRIBUTION_TAG#v} and
other env vars. Implement this validation in the same step (before echoing to
$GITHUB_ENV) so functions/variables DISTRIBUTION_TAG and ANDROID_VERSION_NAME
are only derived from a validated, sanitized inputs.tag_name to prevent command
injection.
In @.github/workflows/version-tag-on-merge.yml:
- Around line 86-98: The ref passed to
github.rest.actions.createWorkflowDispatch is derived from
context.ref.replace("refs/heads/", "") which is invalid for pull_request events
(context.ref is refs/pull/.../merge); update the createWorkflowDispatch call to
use a correct ref: prefer the created tag (process.env.TAG_NAME) when available,
otherwise fall back to the PR base branch (github.event.pull_request.base.ref)
or a fixed branch like "develop" — replace the current
context.ref.replace("refs/heads/", "") usage in the createWorkflowDispatch
payload with logic that selects process.env.TAG_NAME ||
github.event.pull_request.base.ref || "develop".
In `@Prezel/app/build.gradle.kts`:
- Around line 36-45: The signing config creation uses nullable properties from
gradleLocalProperties which can be null and cause build failures; update the
signingConfigs.create("release") block to first check that localProperties
contains non-null values for "signed.store.file", "signed.store.password",
"signed.key.alias", and "signed.key.password" and only set
storeFile/storePassword/keyAlias/keyPassword when all values are present
(otherwise skip creating/setting the release signingConfig), and in the
buildTypes.release block assign signingConfig =
signingConfigs.findByName("release") so the release build only uses the signing
config when it exists; reference the signingConfigs.create("release") block and
the release buildType signingConfig assignment to locate and change the code.
📒 Files selected for processing (4)
- .github/workflows/firebase-app-distribution.yml
- .github/workflows/version-tag-on-merge.yml
- Prezel/.gitignore
- Prezel/app/build.gradle.kts
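An added example, not code from this PR or from the review: a POSIX shell sketch of the two workflow points raised above, checking `tag_name` against the strict `vMAJOR.MINOR.PATCH` form before anything is written to a `GITHUB_ENV`-style file, and deleting the decoded keystore even when the build command fails. The function names are hypothetical, and it assumes the input reaches the script as an argument or environment variable rather than through `${{ inputs.tag_name }}` expanded inside the script text.

```shell
#!/bin/sh
# Added illustration; function names and arguments are hypothetical.

# validate_tag TAG: print the version name (TAG without the leading "v") if
# TAG is exactly vMAJOR.MINOR.PATCH, otherwise return 1.
validate_tag() {
  vt_tag=$1
  # Reject empty input and any character outside [0-9v.] first. This also
  # rejects newlines, which line-based grep would otherwise match per line.
  case $vt_tag in
    ''|*[!0-9v.]*) return 1 ;;
  esac
  printf '%s\n' "$vt_tag" | grep -Eqx 'v[0-9]+\.[0-9]+\.[0-9]+' || return 1
  printf '%s\n' "${vt_tag#v}"
}

# write_version_env FILE TAG: append the metadata to a GITHUB_ENV-style file
# only after validation, so a crafted tag cannot add extra KEY=value lines.
write_version_env() {
  wv_version=$(validate_tag "$2") || {
    echo "tag_name rejected: expected vMAJOR.MINOR.PATCH" >&2
    return 1
  }
  {
    printf 'DISTRIBUTION_TAG=%s\n' "$2"
    printf 'ANDROID_VERSION_NAME=%s\n' "$wv_version"
  } >> "$1"
}

# build_with_keystore B64 PATH CMD...: decode the keystore with owner-only
# permissions, run CMD, and delete the file whether CMD succeeds or fails.
# The body is a subshell, so the umask and EXIT trap stay local to this call.
build_with_keystore() (
  bk_b64=$1 bk_path=$2
  shift 2
  umask 077
  trap 'rm -f "$bk_path"' EXIT
  printf '%s' "$bk_b64" | base64 --decode > "$bk_path" || exit 1
  "$@"
)
```

In a workflow step this would be called as `write_version_env "$GITHUB_ENV" "$TAG_NAME"`, with `TAG_NAME` (an assumed variable name) set from `inputs.tag_name` in the step's `env:` block.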
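📌 Work done
* Changed from `tag push`-based to `workflow_dispatch`-based.
* Switched from `debug` to `release`.
* Changed it so that `ANDROID_VERSION_NAME`, `APP_APPLICATION_ID`, and `APP_NAME` are injected to set the distribution build metadata dynamically.
Summary by CodeRabbit
Release notes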