pindo 5.17.4 → 5.18.3

data/lib/pindo/module/android/keystore_helper.rb

@@ -1,41 +1,38 @@
-require 'fileutils'
-require 'json'
-require_relative '../../config/pindoconfig'
+# typed: strict
+# frozen_string_literal: true
+
+require "fileutils"
+require "json"
+require "tmpdir"
+require "openssl"
+require "base64"
+require "jpsclient"
+require_relative "../../config/pindoconfig"
+require_relative "../utils/file_downloader"
 
 module Pindo
   module KeystoreHelper
-    class << self
-
-      # 从 PindoConfig 统一配置中读取 Android 签名配置
-      # @return [Hash, nil] 签名配置哈希，包含 debug 和 release 配置
-      def get_android_sign_config
-        begin
-          # 使用 PindoConfig 单例获取配置
-          pindo_config = Pindoconfig.instance
+    # 与工程约定一致：Gradle 内用 RELEASE_* 环境变量 + 本地 ?: 回退；pindo 拉取 JPS 后写入当前进程 ENV（不落盘明文）
+    ENV_RELEASE_KEYSTORE_PATH = "RELEASE_KEYSTORE_PATH"
+    ENV_RELEASE_KEYSTORE_PASSWORD = "RELEASE_KEYSTORE_PASSWORD"
+    ENV_RELEASE_KEY_ALIAS = "RELEASE_KEY_ALIAS"
+    ENV_RELEASE_KEY_PASSWORD = "RELEASE_KEY_PASSWORD"
 
-          # 从 pindo_user_config_json 中获取 android_sign_config
-          android_sign_config = pindo_config.pindo_user_config_json["android_sign_config"]
+    FIELD_CRYPTO_ALGORITHM = "aes-128-gcm"
+    FIELD_CRYPTO_KEY = "WNldU35bhG!8TQtg"
+    FIELD_CRYPTO_IV_LENGTH = 12
+    FIELD_CRYPTO_TAG_LENGTH = 16
 
-          if android_sign_config.nil? || android_sign_config.empty?
-            Funlog.warning("配置中未找到 android_sign_config")
-            return nil
-          end
-
-          # 验证配置结构
-          unless validate_sign_config(android_sign_config)
-            Funlog.error("android_sign_config 配置格式不正确")
-            return nil
-          end
-
-          # 解析文件路径
-          android_sign_config = resolve_keystore_paths(android_sign_config)
-
-          return android_sign_config
-
-        rescue => e
-          Funlog.error("读取签名配置失败: #{e.message}")
-          return nil
-        end
+    class << self
+      # 从 JPS 获取 Android 签名配置（必须成功，否则抛出异常）
+      # @param bundle_id [String] Android 包名（Application ID）
+      # @return [Hash] 签名配置哈希，包含 debug 和 release 配置（共用同一个 JKS）
+      def get_android_sign_config(bundle_id:)
+        raise ArgumentError, "bundle_id 不能为空" if bundle_id.blank?
+
+        cfg = fetch_jks_from_jps(bundle_id: bundle_id)
+        # debug 和 release 使用同一个 JKS
+        { "debug" => cfg, "release" => cfg }
       end
 
       # 验证签名配置格式
@@ -52,7 +49,7 @@ module Pindo
           next if config[build_type].nil?
 
           cfg = config[build_type]
-          required_fields = ["storeFile", "storePassword", "keyAlias", "keyPassword"]
+          required_fields = %w[storeFile storePassword keyAlias keyPassword]
 
           required_fields.each do |field|
             if cfg[field].nil? || cfg[field].to_s.empty?
@@ -82,14 +79,10 @@ module Pindo
           store_file = cfg["storeFile"]
 
           # 如果是相对路径，则基于 pindo_common_config 目录解析
-          unless store_file.start_with?("/")
-            cfg["storeFile"] = File.join(pindo_common_config_dir, store_file)
-          end
+          cfg["storeFile"] = File.join(pindo_common_config_dir, store_file) unless store_file.start_with?("/")
 
           # 验证文件是否存在
-          unless File.exist?(cfg["storeFile"])
-            Funlog.warning("Keystore 文件不存在: #{cfg["storeFile"]}")
-          end
+          Funlog.warning("Keystore 文件不存在: #{cfg["storeFile"]}") unless File.exist?(cfg["storeFile"])
 
           resolved_config[build_type] = cfg
         end
@@ -99,41 +92,54 @@ module Pindo
 
       # 从工程的 build.gradle 中读取已有的 keystore 配置
       # @param project_path [String] 项目路径
-      # @param debug [Boolean] 是否为 debug 构建
-      # @return [Hash, nil] keystore 配置哈希
-      def get_keystore_config_from_project(project_path, debug = false)
+      # @param debug [Boolean] 是否为 debug 构建（仅当未传 workflow_build_type 时用于选择 debug/release）
+      # @param workflow_build_type [String, nil] Workflow 对应 Gradle buildType 名（如 jps）；若提供则**仅**从 buildTypes.<name> 解析，不回退 debug/release
+      # @return [Hash, nil] keystore 配置哈希（workflow 模式下解析失败会 raise，不返回 nil）
+      def get_keystore_config_from_project(project_path, debug = false, workflow_build_type: nil)
         main_module = Pindo::AndroidProjectHelper.get_main_module(project_path)
-        return nil unless main_module
+        return unless main_module
 
         gradle_kts_path = File.join(main_module, "build.gradle.kts")
         gradle_path     = File.join(main_module, "build.gradle")
 
         if File.exist?(gradle_kts_path)
           puts "KTS 项目，读取 #{File.basename(gradle_kts_path)} 文件"
-          get_keystore_config_kts(gradle_kts_path, project_path, debug)
+          get_keystore_config_kts(gradle_kts_path, project_path, debug, workflow_build_type: workflow_build_type)
         elsif File.exist?(gradle_path)
           puts "Groovy 项目，读取 #{File.basename(gradle_path)} 文件"
-          get_keystore_config_groovy(gradle_path, project_path, debug)
+          get_keystore_config_groovy(gradle_path, project_path, debug, workflow_build_type: workflow_build_type)
         else
           puts "未找到 build.gradle 或 build.gradle.kts 文件"
           nil
         end
       end
 
+      # 打包结束后由 AndroidBuildHelper.ensure 调用，删除本次落到工程 signing/ 下的 JKS
+      def cleanup_managed_signing_paths!
+        (@pindo_managed_signing_paths || []).each do |p|
+          FileUtils.rm_f(p) if p && File.exist?(p)
+        end
+        @pindo_managed_signing_paths = []
+      end
+
       # 将签名配置应用到 Android 工程
-      # 新策略：
-      # 1. 从 buildTypes 中找到 debug/release 引用的 signingConfig 名称
-      # 2. 检查该 signingConfig 配置是否存在且完整
-      # 3. 如果不完整，用 Pindo 配置更新该 signingConfig
-      # 4. 不修改 buildTypes 中的引用名称
+      #
+      # 默认（与工程手写的 RELEASE_* 约定一致）：只拉取 JPS、拷贝 jks 到项目 signing/，并设置当前进程
+      # RELEASE_KEYSTORE_PATH / RELEASE_KEYSTORE_PASSWORD / RELEASE_KEY_ALIAS / RELEASE_KEY_PASSWORD，不修改 build.gradle。
+      # RELEASE_KEYSTORE_PATH 使用 jks 的绝对路径，便于 app 子模块内 `file(System.getenv(...))` 引用。
+      #
+      # 若需恢复自动改写 signingConfigs，设置环境变量：PINDO_INJECT_ANDROID_SIGNING_GRADLE=1
+      #
       # @param project_dir [String] 项目目录
       # @param build_type [String] 构建类型 "debug" 或 "release"
       # @return [Boolean] 是否成功
-      def apply_keystore_config(project_dir, build_type = "debug")
+      def apply_keystore_config(project_dir, build_type = "debug", bundle_id:)
         raise ArgumentError, "项目目录不能为空" if project_dir.nil?
         raise ArgumentError, "build_type 必须是 debug 或 release" unless ["debug", "release"].include?(build_type)
+        raise ArgumentError, "bundle_id 不能为空" if bundle_id.blank?
+
+        reset_managed_signing_paths!
 
-        # 查找主模块的 build.gradle
         main_module = Pindo::AndroidProjectHelper.get_main_module(project_dir)
         unless main_module
           Funlog.error("无法找到主模块")
@@ -146,25 +152,289 @@ module Pindo
           return false
         end
 
-        puts "检查并配置 keystore 签名..."
+        sign_config = get_android_sign_config(bundle_id: bundle_id)
+        copy_keystore_to_project(project_dir, build_type, sign_config[build_type])
+
+        # JPS 下载的临时 jks（系统临时目录下 pindo_jks），拷贝进工程后即可删除
+        tmp_jks = sign_config[build_type]["storeFile"].to_s
+        if File.exist?(tmp_jks)
+          tmp_exp = File.expand_path(tmp_jks)
+          tmp_root_exp = File.expand_path(File.join(Dir.tmpdir, "pindo_jks"))
+          under_pindo_tmp = tmp_exp == tmp_root_exp || tmp_exp.start_with?(tmp_root_exp + File::SEPARATOR)
+          FileUtils.rm_f(tmp_jks) if under_pindo_tmp
+        end
 
-        # 获取签名配置并拷贝 keystore 文件到项目
-        sign_config = get_android_sign_config
-        if sign_config && sign_config[build_type]
-          # 拷贝文件并更新配置路径
-          copy_keystore_to_project(project_dir, build_type, sign_config[build_type])
+        cfg = sign_config[build_type]
+        rel_plain = cfg["relative_store_file"].to_s.sub(%r{\A\$rootDir/?}, "").delete_prefix("/")
+        if rel_plain.empty?
+          raise "JPS keystore 未拷贝到工程 signing/（无法解析路径），Gradle 将回退到 build.gradle 中的本地 jks；请检查 JPS 证书是否下载成功"
         end
 
-        # 根据文件类型选择处理方法，传递修改后的配置
-        if gradle_file.end_with?(".kts")
-          ensure_keystore_config_kts(gradle_file, project_dir, build_type, sign_config)
+        abs_keystore = File.expand_path(File.join(project_dir, rel_plain))
+
+        inject_gradle = ENV["PINDO_INJECT_ANDROID_SIGNING_GRADLE"] == "1"
+        if inject_gradle
+          if gradle_file.end_with?(".kts")
+            ensure_keystore_config_kts(gradle_file, project_dir, build_type, sign_config, bundle_id: bundle_id)
+          else
+            ensure_keystore_config_groovy(gradle_file, project_dir, build_type, sign_config, bundle_id: bundle_id)
+          end
+          export_jps_release_signing_env!(cfg, keystore_path_for_env: rel_plain)
         else
-          ensure_keystore_config_groovy(gradle_file, project_dir, build_type, sign_config)
+          export_jps_release_signing_env!(cfg, keystore_path_for_env: abs_keystore)
         end
+        true
       end
 
       private
 
+      def looks_like_field_crypto_b64?(value)
+        return false if value.nil?
+
+        str = value.to_s.strip
+        return false if str.empty?
+        return false unless str.match?(%r{\A[A-Za-z0-9+/=]+\z})
+
+        # 最小长度：Base64(12字节IV + 1字节密文 + 16字节tag) => 29 bytes
+        # 用字符串长度粗略过滤，避免对普通明文误判
+        str.length >= 40
+      end
+
+      # - 输入：Base64( IV(12) + ciphertext_and_tag )
+      # - 算法：AES/GCM/NoPadding (Ruby: aes-128-gcm)
+      # - KEY：UTF-8 16 bytes
+      def decrypt_field_crypto_b64!(ciphertext_b64)
+        raise ArgumentError, "ciphertext 不能为空" if ciphertext_b64.nil?
+
+        combined = Base64.strict_decode64(ciphertext_b64.to_s)
+        raise ArgumentError, "密文长度不合法（不足以包含 IV）" if combined.bytesize <= FIELD_CRYPTO_IV_LENGTH
+
+        iv = combined.byteslice(0, FIELD_CRYPTO_IV_LENGTH)
+        ciphertext_and_tag = combined.byteslice(FIELD_CRYPTO_IV_LENGTH, combined.bytesize - FIELD_CRYPTO_IV_LENGTH)
+        raise ArgumentError, "密文长度不合法（不足以包含 GCM tag）" if ciphertext_and_tag.bytesize < FIELD_CRYPTO_TAG_LENGTH
+
+        ciphertext = ciphertext_and_tag.byteslice(0, ciphertext_and_tag.bytesize - FIELD_CRYPTO_TAG_LENGTH)
+        tag = ciphertext_and_tag.byteslice(ciphertext_and_tag.bytesize - FIELD_CRYPTO_TAG_LENGTH,
+                                           FIELD_CRYPTO_TAG_LENGTH)
+
+        cipher = OpenSSL::Cipher.new(FIELD_CRYPTO_ALGORITHM)
+        cipher.decrypt
+        cipher.key = FIELD_CRYPTO_KEY.encode("utf-8")
+        cipher.iv = iv
+        cipher.auth_tag = tag
+        cipher.auth_data = ""
+
+        (cipher.update(ciphertext) + cipher.final).force_encoding("UTF-8")
+      end
+
+      def decrypt_field_crypto_if_needed(value)
+        return value if value.nil?
+
+        s = value.to_s
+        return s if s.empty?
+        return s unless looks_like_field_crypto_b64?(s)
+
+        decrypt_field_crypto_b64!(s)
+      rescue OpenSSL::Cipher::CipherError, ArgumentError
+        # 兼容历史明文/非该算法密文：解密失败则回退原值
+        s
+      end
+
+      def reset_managed_signing_paths!
+        @pindo_managed_signing_paths = []
+      end
+
+      def register_managed_signing_path!(path)
+        return if path.nil? || path.to_s.empty?
+
+        @pindo_managed_signing_paths ||= []
+        @pindo_managed_signing_paths << path
+      end
+
+      # 将 JPS 返回的路径/口令/别名写入当前进程环境变量，供 Gradle / bundletool 子进程继承（与 build.gradle 中 RELEASE_* 名称一致）
+      def export_jps_release_signing_env!(cfg, keystore_path_for_env:)
+        return unless cfg.is_a?(Hash)
+
+        if keystore_path_for_env && !keystore_path_for_env.to_s.empty?
+          ENV[ENV_RELEASE_KEYSTORE_PATH] =
+            keystore_path_for_env
+        end
+
+        sp = cfg["storePassword"]
+        kp = cfg["keyPassword"]
+        ka = cfg["keyAlias"]
+        # JPS 口令可能为 field_crypto.py 的 AES-GCM Base64 密文；这里解密后仅写入当前进程 ENV（不落盘明文）
+        sp_plain = decrypt_field_crypto_if_needed(sp) if sp && !sp.to_s.empty?
+        kp_plain = decrypt_field_crypto_if_needed(kp) if kp && !kp.to_s.empty?
+
+        ENV[ENV_RELEASE_KEYSTORE_PASSWORD] = sp_plain.to_s if sp_plain && !sp_plain.to_s.empty?
+        ENV[ENV_RELEASE_KEY_PASSWORD] = kp_plain.to_s if kp_plain && !kp_plain.to_s.empty?
+        ENV[ENV_RELEASE_KEY_ALIAS] = ka.to_s if ka && !ka.to_s.empty?
+      end
+
+      # Groovy：解析 storePassword/keyPassword（支持 System.getenv、可选 ?: 回退、或历史明文）
+      def extract_signing_password_groovy(config_block, field)
+        if (m = config_block.match(/#{Regexp.escape(field)}\s+System\.getenv\(\s*["']([^"']+)["']\s*\)(?:\s*\?:\s*["']([^"']+)["'])?/m))
+          v = ENV.fetch(m[1], nil)
+          return v if v.present?
+          return m[2] if m[2] && !m[2].to_s.empty?
+
+          return
+        end
+        return m[1] if (m = config_block.match(/#{Regexp.escape(field)}\s+["']([^"']+)["']/m))
+
+        nil
+      end
+
+      # Kotlin DSL：同上
+      def extract_signing_password_kts(config_block, field)
+        if (m = config_block.match(/#{Regexp.escape(field)}\s*=\s*System\.getenv\(\s*["']([^"']+)["']\s*\)(?:\s*\?:\s*["']([^"']+)["'])?/m))
+          v = ENV.fetch(m[1], nil)
+          return v if v.present?
+          return m[2] if m[2] && !m[2].to_s.empty?
+
+          return
+        end
+        return m[1] if (m = config_block.match(/#{Regexp.escape(field)}\s*=\s*["']([^"']+)["']/m))
+
+        nil
+      end
+
+      # =================== JPS 集成 ===================
+
+      # 初始化 JPSClient（幂等，只初始化一次）
+      def initialize_jps_client
+        return if @jps_client
+
+        config_file = File.join(File.expand_path(Pindoconfig.instance.pindo_common_configdir),
+                                "jps_client_config.json")
+        raise "JPSClient 配置文件不存在: #{config_file}" unless File.exist?(config_file)
+
+        @jps_client = JPSClient::Client.new(config_file: config_file)
+        raise "JPSClient 登录失败" unless @jps_client.do_login(force_login: false)
+      end
+
+      # 从 JPS 获取 JKS 证书并下载到本地缓存
+      # @param bundle_id [String] Android 包名（Application ID）
+      # @param build_type [String] "debug" 或 "release"
+      # @return [Hash] { "storeFile", "storePassword", "keyAlias", "keyPassword" }
+      def fetch_jks_from_jps(bundle_id:, build_type: "debug")
+        initialize_jps_client
+
+        result = @jps_client.get_android_jks_detail(bundle_id: bundle_id)
+        data = result&.dig("data")
+
+        row = pick_jks_detail_row_for_bundle(data, bundle_id)
+        jks_url = resolve_jks_download_url(row, bundle_id)
+
+        raise "JPS 未找到 JKS 证书 (bundleId=#{bundle_id})，请先在 JPS 平台创建对应证书" unless row && jks_url && !jks_url.to_s.empty?
+
+        # 下载 JKS 文件到临时目录（仅当前 bundle 对应的一条 URL；ZIP 包会在下方拆成单个 .jks）
+        tmp_dir = File.join(Dir.tmpdir, "pindo_jks")
+        FileUtils.mkdir_p(tmp_dir)
+        local_jks_path = File.join(tmp_dir, "#{bundle_id}.jks")
+
+        success = Pindo::FileDownloader.download(url: jks_url, dest_path: local_jks_path, silent: true)
+        raise "JKS 文件下载失败 (bundleId=#{bundle_id})" unless success
+
+        materialize_single_jks_file!(local_jks_path, bundle_id)
+
+        {
+          "storeFile"     => local_jks_path,
+          "storePassword" => row["storePassword"],
+          "keyAlias"      => row["aliasName"] || bundle_id,
+          "keyPassword"   => row["keyPassword"],
+        }
+      end
+
+      # 从 JPS data（单条 Hash、列表、或含 list 的包装）中取出与 bundle_id 匹配的一条记录（不取未匹配的多条中的首条）
+      def pick_jks_detail_row_for_bundle(data, bundle_id)
+        bid = bundle_id.to_s.strip
+        return if bid.empty?
+
+        case data
+        when Array
+          explicit = data.find { |r| r.is_a?(Hash) && (r["bundleId"] || r["bundle_id"]).to_s.strip == bid }
+          return explicit if explicit
+          # 仅当接口已按 bundle 过滤且只返回一条时，允许省略 bundleId 字段
+          return data.first if data.size == 1 && data.first.is_a?(Hash) && jks_url_present?(data.first)
+        when Hash
+          %w[list records androidJksList rows dataList].each do |key|
+            inner = data[key]
+            next unless inner.is_a?(Array)
+
+            picked = pick_jks_detail_row_for_bundle(inner, bundle_id)
+            return picked if picked
+          end
+          if jks_url_present?(data)
+            row_bid = (data["bundleId"] || data["bundle_id"]).to_s.strip
+            return data if row_bid.empty? || row_bid == bid
+          end
+        end
+        nil
+      end
+
+      def jks_url_present?(row)
+        return false unless row.is_a?(Hash)
+
+        url = row["jksFileUrl"] || row["jks_file_url"]
+        return true if url && !url.to_s.empty?
+
+        urls = row["jksFileUrls"] || row["jks_file_urls"]
+        urls.is_a?(Array) && urls.any?
+      end
+
+      # 解析可下载的 URL：单链接，或与 bundleIds 平行数组时的对应项（避免下载整包多 URL 时全部拉取）
+      def resolve_jks_download_url(row, bundle_id)
+        return unless row.is_a?(Hash)
+
+        url = row["jksFileUrl"] || row["jks_file_url"]
+        return url if url && !url.to_s.empty?
+
+        urls = row["jksFileUrls"] || row["jks_file_urls"]
+        bids = row["bundleIds"] || row["bundle_ids"]
+        if urls.is_a?(Array) && bids.is_a?(Array) && urls.size == bids.size
+          idx = bids.index { |b| b.to_s.strip == bundle_id.to_s.strip }
+          return urls[idx] if idx
+        end
+
+        nil
+      end
+
+      ZIP_MAGIC = "PK\x03\x04"
+
+      # 若下载结果为 ZIP（服务端偶发打成证书包），只保留当前 bundle 对应的一个 .jks，避免落盘整包多个证书
+      def materialize_single_jks_file!(local_path, bundle_id)
+        return unless File.file?(local_path) && File.size(local_path) >= 4
+
+        magic = File.binread(local_path, 4)
+        return if magic != ZIP_MAGIC
+
+        tmp_extract = Dir.mktmpdir("pindo_jks_unzip")
+        begin
+          ok = system("unzip", "-q", "-o", local_path, "-d", tmp_extract)
+          raise "解压 JKS 压缩包失败（需要 unzip 命令）" unless ok
+
+          all_jks = Dir.glob(File.join(tmp_extract, "**", "*.jks"))
+          raise "压缩包内未找到 .jks 文件 (bundleId=#{bundle_id})" if all_jks.empty?
+
+          bid = bundle_id.to_s.strip
+          chosen = all_jks.find { |f| File.basename(f, ".jks") == bid }
+          chosen ||= all_jks.find { |f| File.basename(f, ".jks").tr("_", ".") == bid }
+          chosen ||= all_jks.find { |f| File.basename(f, ".jks").tr(".", "_") == bid.tr(".", "_") }
+          chosen ||= ((all_jks.size == 1) ? all_jks.first : nil)
+
+          unless chosen
+            names = all_jks.map { |f| File.basename(f) }.join(", ")
+            raise "ZIP 内含多个 JKS（#{names}），无法匹配 bundleId=#{bundle_id}，请将目标证书命名为 #{bid}.jks 或保证包内仅一个 .jks"
+          end
+
+          FileUtils.cp(chosen, local_path)
+        ensure
+          FileUtils.rm_rf(tmp_extract)
+        end
+      end
+
       # =================== Keystore 文件管理 ===================
 
       # 拷贝 keystore 文件到项目的 signing 目录
@@ -188,7 +458,6 @@ module Pindo
 
         # 拷贝文件（如果源文件和目标文件不同）
         unless File.exist?(target_file) && FileUtils.identical?(source_file, target_file)
-          puts "  拷贝 keystore 文件到项目: signing/#{target_filename}"
           FileUtils.cp(source_file, target_file)
           # 设置文件权限为只读
           File.chmod(0444, target_file)
@@ -196,6 +465,7 @@ module Pindo
 
         # 更新配置中的路径为相对路径（用于后续生成配置）
         config["relative_store_file"] = "$rootDir/signing/#{target_filename}"
+        register_managed_signing_path!(target_file)
       end
 
       # =================== 确保 keystore 配置的核心方法 ===================
@@ -205,7 +475,7 @@ module Pindo
       # 1. 检查 buildTypes 中是否有 signingConfig 引用
       # 2. 如果有引用，始终更新对应的 signingConfigs 为相对路径
       # 3. 不再检查配置是否"完整"，直接替换
-      def ensure_keystore_config_groovy(gradle_file, project_dir, build_type, sign_config = nil)
+      def ensure_keystore_config_groovy(gradle_file, _project_dir, build_type, sign_config = nil, bundle_id: nil)
         content = File.read(gradle_file)
         original_content = content.dup
 
@@ -217,7 +487,7 @@ module Pindo
           puts "  buildTypes.#{build_type} 引用的签名配置: #{signing_config_name}"
 
           # 获取 Pindo 配置
-          sign_config ||= get_android_sign_config
+          sign_config ||= (bundle_id ? get_android_sign_config(bundle_id: bundle_id) : nil)
           pindo_config = sign_config ? sign_config[build_type] : nil
 
           unless pindo_config
@@ -244,11 +514,11 @@ module Pindo
         end
 
         # 写入文件
-        if content != original_content
+        if content == original_content
+          puts "  ✓ build.gradle 无需修改"
+        else
           File.write(gradle_file, content)
           puts "  ✓ build.gradle 已更新"
-        else
-          puts "  ✓ build.gradle 无需修改"
         end
 
         true
@@ -259,7 +529,7 @@ module Pindo
       # 1. 检查 buildTypes 中是否有 signingConfig 引用
       # 2. 如果有引用，始终更新对应的 signingConfigs 为相对路径
       # 3. 不再检查配置是否"完整"，直接替换
-      def ensure_keystore_config_kts(gradle_file, project_dir, build_type, sign_config = nil)
+      def ensure_keystore_config_kts(gradle_file, _project_dir, build_type, sign_config = nil, bundle_id: nil)
         content = File.read(gradle_file)
         original_content = content.dup
 
@@ -271,7 +541,7 @@ module Pindo
           puts "  buildTypes.#{build_type} 引用的签名配置: #{signing_config_name}"
 
           # 获取 Pindo 配置
-          sign_config ||= get_android_sign_config
+          sign_config ||= (bundle_id ? get_android_sign_config(bundle_id: bundle_id) : nil)
           pindo_config = sign_config ? sign_config[build_type] : nil
 
           unless pindo_config
@@ -298,11 +568,11 @@ module Pindo
         end
 
         # 写入文件
-        if content != original_content
+        if content == original_content
+          puts "  ✓ build.gradle.kts 无需修改"
+        else
           File.write(gradle_file, content)
           puts "  ✓ build.gradle.kts 已更新"
-        else
-          puts "  ✓ build.gradle.kts 无需修改"
         end
 
         true
@@ -313,7 +583,7 @@ module Pindo
       def extract_signing_config_reference_safely_groovy(content, build_type)
         # 提取整个 buildTypes 块
         build_types_match = content.match(/buildTypes\s*\{[\s\S]*?^\}/m)
-        return nil unless build_types_match
+        return unless build_types_match
 
         build_types_block = build_types_match[0]
 
@@ -323,7 +593,7 @@ module Pindo
         # 2. buildTypes {\n    debug {
         # 3. buildTypes {release { debug {
         if build_types_block =~ /#{build_type}\s*\{[^}]*signingConfig\s+signingConfigs\.(\w+)/m
-          return $1
+          return ::Regexp.last_match(1)
         end
 
         nil
@@ -333,18 +603,16 @@ module Pindo
       def extract_signing_config_reference_from_build_types_groovy(content, build_type)
         # 提取 buildTypes 块
         build_types_match = content.match(/buildTypes\s*\{([\s\S]*?)^\s*\}/m)
-        return nil unless build_types_match
+        return unless build_types_match
 
         build_types_content = build_types_match[1]
 
         # 提取指定 buildType 的块
         build_type_block = extract_build_type_block_from_content_groovy(build_types_content, build_type)
-        return nil unless build_type_block
+        return unless build_type_block
 
         # 提取 signingConfig 引用
-        if build_type_block =~ /signingConfig\s+signingConfigs\.(\w+)/
-          return $1
-        end
+        return ::Regexp.last_match(1) if build_type_block =~ /signingConfig\s+signingConfigs\.(\w+)/
 
         nil
       end
@@ -353,13 +621,13 @@ module Pindo
       def extract_signing_config_reference_safely_kts(content, build_type)
         # 提取整个 buildTypes 块
         build_types_match = content.match(/buildTypes\s*\{[\s\S]*?^\}/m)
-        return nil unless build_types_match
+        return unless build_types_match
 
         build_types_block = build_types_match[0]
 
         # 使用更宽松的正则查找 buildType 块和其中的 signingConfig
         if build_types_block =~ /getByName\s*\(\s*"#{build_type}"\s*\)\s*\{[^}]*signingConfig\s*=\s*signingConfigs\.getByName\s*\(\s*"(\w+)"\s*\)/m
-          return $1
+          return ::Regexp.last_match(1)
         end
 
         nil
@@ -369,17 +637,17 @@ module Pindo
       def extract_signing_config_reference_from_build_types_kts(content, build_type)
         # 提取 buildTypes 块
         build_types_match = content.match(/buildTypes\s*\{([\s\S]*?)^\s*\}/m)
-        return nil unless build_types_match
+        return unless build_types_match
 
         build_types_content = build_types_match[1]
 
         # 提取指定 buildType 的块
         build_type_block = extract_build_type_block_from_content_kts(build_types_content, build_type)
-        return nil unless build_type_block
+        return unless build_type_block
 
         # 提取 signingConfig 引用
         if build_type_block =~ /signingConfig\s*=\s*signingConfigs\.getByName\s*\(\s*"(\w+)"\s*\)/
-          return $1
+          return ::Regexp.last_match(1)
         end
 
         nil
@@ -388,20 +656,20 @@ module Pindo
       # 从内容中提取 buildType 块（Groovy）
       def extract_build_type_block_from_content_groovy(content, build_type)
         match = content.match(/^\s*#{build_type}\s*\{/m)
-        return nil unless match
+        return unless match
 
         start_pos = match.begin(0)
         brace_count = 0
         in_block = false
         end_pos = start_pos
 
-        content[start_pos..-1].each_char.with_index(start_pos) do |char, i|
-          if char == '{'
+        content[start_pos..].each_char.with_index(start_pos) do |char, i|
+          if char == "{"
             brace_count += 1
             in_block = true
-          elsif char == '}'
+          elsif char == "}"
             brace_count -= 1
-            if in_block && brace_count == 0
+            if in_block && brace_count.zero?
               end_pos = i + 1
               break
             end
@@ -412,22 +680,25 @@ module Pindo
       end
 
       # 从内容中提取 buildType 块（Kotlin DSL）
+      # 支持 getByName("debug") 与 create("jps")（Workflow 注入常用）
       def extract_build_type_block_from_content_kts(content, build_type)
-        match = content.match(/^\s*getByName\s*\(\s*"#{build_type}"\s*\)\s*\{/m)
-        return nil unless match
+        escaped = Regexp.escape(build_type.to_s)
+        match = content.match(/^\s*getByName\s*\(\s*"#{escaped}"\s*\)\s*\{/m) ||
+                content.match(/^\s*create\s*\(\s*"#{escaped}"\s*\)\s*\{/m)
+        return unless match
 
         start_pos = match.begin(0)
         brace_count = 0
         in_block = false
         end_pos = start_pos
 
-        content[start_pos..-1].each_char.with_index(start_pos) do |char, i|
-          if char == '{'
+        content[start_pos..].each_char.with_index(start_pos) do |char, i|
+          if char == "{"
             brace_count += 1
             in_block = true
-          elsif char == '}'
+          elsif char == "}"
             brace_count -= 1
-            if in_block && brace_count == 0
+            if in_block && brace_count.zero?
               end_pos = i + 1
               break
             end
@@ -441,10 +712,10 @@ module Pindo
       # 增强检查：不仅检查字段是否存在，还检查是否使用了相对路径
       def check_signing_config_groovy(content, config_name)
         signing_configs_block = extract_signing_configs_groovy(content)
-        return nil unless signing_configs_block
+        return unless signing_configs_block
 
         config_block = extract_config_block_by_name_groovy(signing_configs_block, config_name)
-        return nil unless config_block
+        return unless config_block
 
         config_block = remove_groovy_comments(config_block)
 
@@ -456,27 +727,25 @@ module Pindo
 
         # 检查是否使用了相对路径（rootProject.file 或 signing 目录）
         uses_relative_path = config_block =~ /storeFile\s+rootProject\.file/ ||
-                           config_block =~ /storeFile\s+file\(["']signing\//
+                             config_block =~ %r{storeFile\s+file\(["']signing/}
 
         # 检查是否使用了绝对路径（不推荐）
-        uses_absolute_path = config_block =~ /storeFile\s+file\(["']\/Users\// ||
-                           config_block =~ /storeFile\s+file\(["']\/home\// ||
-                           config_block =~ /storeFile\s+file\(["']C:\\/
-
-        if has_store_file && has_store_password && has_key_alias && has_key_password
-          if uses_absolute_path
-            # 使用了绝对路径，需要更新
-            puts "  ⚠ 检测到使用绝对路径，需要更新为相对路径"
-            nil
-          elsif uses_relative_path
-            # 使用了相对路径，配置正确
-            { exists: true, relative_path: true }
-          else
-            # 可能使用了其他形式的路径，保守处理
-            { exists: true }
-          end
-        else
+        uses_absolute_path = config_block =~ %r{storeFile\s+file\(["']/Users/} ||
+                             config_block =~ %r{storeFile\s+file\(["']/home/} ||
+                             config_block =~ /storeFile\s+file\(["']C:\\/
+
+        return unless has_store_file && has_store_password && has_key_alias && has_key_password
+
+        if uses_absolute_path
+          # 使用了绝对路径，需要更新
+          puts "  ⚠ 检测到使用绝对路径，需要更新为相对路径"
           nil
+        elsif uses_relative_path
+          # 使用了相对路径，配置正确
+          { exists: true, relative_path: true }
+        else
+          # 可能使用了其他形式的路径，保守处理
+          { exists: true }
         end
       end
 
@@ -485,10 +754,10 @@ module Pindo
       # 不解析复杂的变量引用，统一用 Pindo 配置替换
       def check_signing_config_kts(content, config_name)
         signing_configs_block = extract_signing_configs_kts(content)
-        return nil unless signing_configs_block
+        return unless signing_configs_block
 
         config_block = extract_config_block_by_name_kts(signing_configs_block, config_name)
-        return nil unless config_block
+        return unless config_block
 
         config_block = remove_kts_comments(config_block)
 
@@ -500,27 +769,25 @@ module Pindo
 
         # 检查是否使用了相对路径（rootProject.file 或 signing 目录）
         uses_relative_path = config_block =~ /storeFile\s*=\s*rootProject\.file/ ||
-                           config_block =~ /storeFile\s*=\s*file\(["']signing\//
+                             config_block =~ %r{storeFile\s*=\s*file\(["']signing/}
 
         # 检查是否使用了绝对路径（不推荐）
-        uses_absolute_path = config_block =~ /storeFile\s*=\s*file\(["']\/Users\// ||
-                           config_block =~ /storeFile\s*=\s*file\(["']\/home\// ||
-                           config_block =~ /storeFile\s*=\s*file\(["']C:\\/
-
-        if has_store_file && has_store_password && has_key_alias && has_key_password
-          if uses_absolute_path
-            # 使用了绝对路径，需要更新
-            puts "  ⚠ 检测到使用绝对路径，需要更新为相对路径"
-            nil
-          elsif uses_relative_path
-            # 使用了相对路径，配置正确
-            { exists: true, relative_path: true }
-          else
-            # 可能使用了其他形式的路径，保守处理
-            { exists: true }
-          end
-        else
+        uses_absolute_path = config_block =~ %r{storeFile\s*=\s*file\(["']/Users/} ||
+                             config_block =~ %r{storeFile\s*=\s*file\(["']/home/} ||
+                             config_block =~ /storeFile\s*=\s*file\(["']C:\\/
+
+        return unless has_store_file && has_store_password && has_key_alias && has_key_password
+
+        if uses_absolute_path
+          # 使用了绝对路径，需要更新
+          puts "  ⚠ 检测到使用绝对路径，需要更新为相对路径"
           nil
+        elsif uses_relative_path
+          # 使用了相对路径，配置正确
+          { exists: true, relative_path: true }
+        else
+          # 可能使用了其他形式的路径，保守处理
+          { exists: true }
         end
       end
 
@@ -552,18 +819,18 @@ module Pindo
         # 先找到 signingConfigs 块的位置
         if content =~ /signingConfigs\s*\{/
           # 找到 signingConfigs 块的开始位置
-          start_match = $~
+          start_match = $LAST_MATCH_INFO
           start_pos = start_match.end(0)
 
           # 找到对应的结束大括号
           brace_count = 1
           end_pos = start_pos
-          content[start_pos..-1].each_char.with_index do |char, index|
-            if char == '{'
+          content[start_pos..].each_char.with_index do |char, index|
+            if char == "{"
               brace_count += 1
-            elsif char == '}'
+            elsif char == "}"
               brace_count -= 1
-              if brace_count == 0
+              if brace_count.zero?
                 end_pos = start_pos + index
                 break
               end
@@ -577,7 +844,7 @@ module Pindo
           modified_content = remove_config_block_from_content(signing_configs_content, config_name)
 
           # 重组完整内容
-          content[0...start_pos] + modified_content + content[end_pos..-1]
+          content[0...start_pos] + modified_content + content[end_pos..]
         else
           content
         end
@@ -601,14 +868,12 @@ module Pindo
           # 如果在目标块中，计算大括号
           if in_target_block
             line.chars.each do |char|
-              brace_count += 1 if char == '{'
-              brace_count -= 1 if char == '}'
+              brace_count += 1 if char == "{"
+              brace_count -= 1 if char == "}"
             end
 
             # 如果大括号平衡了，说明块结束了
-            if brace_count == 0
-              in_target_block = false
-            end
+            in_target_block = false if brace_count.zero?
             next
           end
 
@@ -625,18 +890,18 @@ module Pindo
         # 先找到 signingConfigs 块的位置
         if content =~ /signingConfigs\s*\{/
           # 找到 signingConfigs 块的开始位置
-          start_match = $~
+          start_match = $LAST_MATCH_INFO
           start_pos = start_match.end(0)
 
           # 找到对应的结束大括号
           brace_count = 1
           end_pos = start_pos
-          content[start_pos..-1].each_char.with_index do |char, index|
-            if char == '{'
+          content[start_pos..].each_char.with_index do |char, index|
+            if char == "{"
               brace_count += 1
-            elsif char == '}'
+            elsif char == "}"
               brace_count -= 1
-              if brace_count == 0
+              if brace_count.zero?
                 end_pos = start_pos + index
                 break
               end
@@ -650,7 +915,7 @@ module Pindo
           modified_content = remove_config_block_from_content_kts(signing_configs_content, config_name)
 
           # 重组完整内容
-          content[0...start_pos] + modified_content + content[end_pos..-1]
+          content[0...start_pos] + modified_content + content[end_pos..]
         else
           content
         end
@@ -674,14 +939,12 @@ module Pindo
           # 如果在目标块中，计算大括号
           if in_target_block
             line.chars.each do |char|
-              brace_count += 1 if char == '{'
-              brace_count -= 1 if char == '}'
+              brace_count += 1 if char == "{"
+              brace_count -= 1 if char == "}"
             end
 
             # 如果大括号平衡了，说明块结束了
-            if brace_count == 0
-              in_target_block = false
-            end
+            in_target_block = false if brace_count.zero?
             next
           end
 
@@ -695,118 +958,142 @@ module Pindo
       # =================== 从工程读取 keystore 配置的辅助方法 ===================
 
       # 处理 Kotlin DSL (build.gradle.kts)
-      # Pindo 策略：配置已经被统一为 signingConfigs.debug/release，直接读取即可
-      def get_keystore_config_kts(gradle_kts_path, project_path, debug)
+      # 无 workflow：按 signingConfigs.debug/release（含互相回退）；有 workflow：仅从 buildTypes.<workflow> → 对应 signingConfigs，不回退
+      def get_keystore_config_kts(gradle_kts_path, project_path, debug, workflow_build_type: nil)
         content = File.read(gradle_kts_path)
         puts "读取 #{File.basename(gradle_kts_path)} 文件"
 
-        build_type = debug ? 'debug' : 'release'
-
-        # 直接从统一的 signingConfigs.debug/release 读取
         signing_configs_block = extract_signing_configs_kts(content)
-        return nil unless signing_configs_block
-
-        config_block = extract_config_block_by_name_kts(signing_configs_block, build_type)
+        return unless signing_configs_block
+
+        config_block = nil
+        if workflow_build_type && !workflow_build_type.to_s.empty?
+          w = workflow_build_type.to_s
+          puts "  workflow 构建：仅从 buildTypes.#{w} 解析 signingConfig（不回退 debug/release）"
+          signing_config_name = extract_signing_config_reference_from_build_types_kts(content, w)
+          if signing_config_name.nil? || signing_config_name.to_s.empty?
+            raise ArgumentError,
+                  "workflow 构建：无法在 buildTypes.#{w} 中解析 signingConfig（需要 signingConfig = signingConfigs.getByName(\"…\") 或等价配置）"
+          end
 
-        # 如果找不到对应的配置，尝试使用另一个配置
-        if config_block.nil?
-          alt_build_type = debug ? 'release' : 'debug'
-          puts "  未找到 signingConfigs.#{build_type}，尝试使用 signingConfigs.#{alt_build_type}"
-          config_block = extract_config_block_by_name_kts(signing_configs_block, alt_build_type)
-          return nil unless config_block
+          # puts "  找到签名配置: signingConfigs.#{signing_config_name}"
+          config_block = extract_config_block_by_name_kts(signing_configs_block, signing_config_name)
+          if config_block.nil?
+            raise ArgumentError, "workflow 构建：未找到 signingConfigs.#{signing_config_name} 配置块"
+          end
+        else
+          build_type = debug ? "debug" : "release"
+          config_block = extract_config_block_by_name_kts(signing_configs_block, build_type)
+          if config_block.nil?
+            alt_build_type = debug ? "release" : "debug"
+            puts "  未找到 signingConfigs.#{build_type}，尝试使用 signingConfigs.#{alt_build_type}"
+            config_block = extract_config_block_by_name_kts(signing_configs_block, alt_build_type)
+          end
+          return unless config_block
         end
 
         config_block = remove_kts_comments(config_block)
 
-        # 直接提取字段值（不处理变量引用）
-        # 支持 file() 和 rootProject.file() 两种格式
-        store_file = config_block[/storeFile\s*=\s*(?:rootProject\.)?file\(["']([^"']+)["']\)/, 1]
-        store_password = config_block[/storePassword\s*=\s*["']([^"']+)["']/, 1]
-        key_alias = config_block[/keyAlias\s*=\s*["']([^"']+)["']/, 1]
-        key_password = config_block[/keyPassword\s*=\s*["']([^"']+)["']/, 1]
+        # storeFile（RELEASE_KEYSTORE_PATH 风格或历史 file(...)）；口令/别名 getenv / ?: / 明文
+        store_file = resolve_keystore_path_from_signing_block(config_block, project_path)
+        store_password = extract_signing_password_kts(config_block, "storePassword")
+        key_password = extract_signing_password_kts(config_block, "keyPassword")
+        key_alias = extract_signing_password_kts(config_block, "keyAlias")
 
         # 解析相对路径
         store_file = fix_store_file_path(store_file, project_path) if store_file
 
         {
-          store_file: store_file,
+          store_file:     store_file,
           store_password: store_password,
-          key_alias: key_alias,
-          key_password: key_password
+          key_alias:      key_alias,
+          key_password:   key_password,
         }
       end
 
       # 处理 Groovy DSL (build.gradle)
-      def get_keystore_config_groovy(gradle_path, project_path, debug)
+      # 无 workflow：按 buildTypes.debug/release（含互相回退）；有 workflow：仅从 buildTypes.<workflow> 解析，不回退
+      def get_keystore_config_groovy(gradle_path, project_path, debug, workflow_build_type: nil)
         content = File.read(gradle_path)
         puts "读取 #{File.basename(gradle_path)} 文件"
 
-        build_type = debug ? 'debug' : 'release'
-
-        # 先从 buildTypes 中找到实际引用的 signingConfig 名称
-        signing_config_name = extract_signing_config_name_from_build_type(content, build_type)
+        signing_config_name = nil
+        if workflow_build_type && !workflow_build_type.to_s.empty?
+          w = workflow_build_type.to_s
+          puts "  workflow 构建：仅从 buildTypes.#{w} 解析 signingConfig（不回退 debug/release）"
+          signing_config_name = extract_signing_config_name_from_build_type(content, w)
+          if signing_config_name.nil? || signing_config_name.to_s.empty?
+            raise ArgumentError,
+                  "workflow 构建：无法在 buildTypes.#{w} 中解析 signingConfig（需要 signingConfig signingConfigs.xxx）"
+          end
+        else
+          build_type = debug ? "debug" : "release"
+          signing_config_name = extract_signing_config_name_from_build_type(content, build_type)
 
-        if signing_config_name.nil?
-          # 如果当前 buildType 没有配置，尝试另一个
-          alt_build_type = debug ? 'release' : 'debug'
-          puts "  buildTypes.#{build_type} 未配置 signingConfig，尝试 buildTypes.#{alt_build_type}"
-          signing_config_name = extract_signing_config_name_from_build_type(content, alt_build_type)
-        end
+          if signing_config_name.nil?
+            alt_build_type = debug ? "release" : "debug"
+            puts "  buildTypes.#{build_type} 未配置 signingConfig，尝试 buildTypes.#{alt_build_type}"
+            signing_config_name = extract_signing_config_name_from_build_type(content, alt_build_type)
+          end
 
-        if signing_config_name.nil?
-          puts "  未找到任何 signingConfig 配置"
-          return nil
+          if signing_config_name.nil?
+            puts "  未找到任何 signingConfig 配置"
+            return
+          end
         end
 
-        puts "  找到签名配置: signingConfigs.#{signing_config_name}"
+        # puts "  找到签名配置: signingConfigs.#{signing_config_name}"
 
         # 从 signingConfigs 中读取对应名称的配置
         signing_configs_block = extract_signing_configs_groovy(content)
-        return nil unless signing_configs_block
+        return unless signing_configs_block
 
         config_block = extract_config_block_by_name_groovy(signing_configs_block, signing_config_name)
 
         if config_block.nil?
+          if workflow_build_type && !workflow_build_type.to_s.empty?
+            raise ArgumentError, "workflow 构建：未找到 signingConfigs.#{signing_config_name} 的详细配置块"
+          end
+
           puts "  未找到 signingConfigs.#{signing_config_name} 的详细配置"
-          return nil
+          return
         end
 
         config_block = remove_groovy_comments(config_block)
 
-        # 直接提取字段值（不处理变量引用）
-        # 支持 file() 和 rootProject.file() 两种格式
-        store_file = config_block[/storeFile\s+(?:rootProject\.)?file\(["']([^"']+)["']\)/, 1]
-        store_password = config_block[/storePassword\s+["']([^"']+)["']/, 1]
-        key_alias = config_block[/keyAlias\s+["']([^"']+)["']/, 1]
-        key_password = config_block[/keyPassword\s+["']([^"']+)["']/, 1]
+        # storeFile（RELEASE_KEYSTORE_PATH 风格或历史 file(...)）；口令/别名 getenv / ?: / 明文
+        store_file = resolve_keystore_path_from_signing_block(config_block, project_path)
+        store_password = extract_signing_password_groovy(config_block, "storePassword")
+        key_password = extract_signing_password_groovy(config_block, "keyPassword")
+        key_alias = extract_signing_password_groovy(config_block, "keyAlias")
 
         # 解析相对路径
         store_file = fix_store_file_path(store_file, project_path) if store_file
 
         {
-          store_file: store_file,
+          store_file:     store_file,
           store_password: store_password,
-          key_alias: key_alias,
-          key_password: key_password
+          key_alias:      key_alias,
+          key_password:   key_password,
         }
       end
 
       def extract_signing_configs_kts(content)
         # 提取 signingConfigs { ... }，使用大括号计数来正确处理嵌套
         if content =~ /signingConfigs\s*\{/
-          start_match = $~
+          start_match = $LAST_MATCH_INFO
           start_pos = start_match.end(0)
 
           # 计算大括号平衡
           brace_count = 1
           end_pos = start_pos
 
-          content[start_pos..-1].each_char.with_index do |char, index|
-            if char == '{'
+          content[start_pos..].each_char.with_index do |char, index|
+            if char == "{"
               brace_count += 1
-            elsif char == '}'
+            elsif char == "}"
               brace_count -= 1
-              if brace_count == 0
+              if brace_count.zero?
                 end_pos = start_pos + index
                 break
               end
@@ -814,7 +1101,7 @@ module Pindo
           end
 
           # 返回 signingConfigs 块的内容（不包括外层大括号）
-          return content[start_pos...end_pos] if brace_count == 0
+          return content[start_pos...end_pos] if brace_count.zero?
         end
 
         nil
@@ -824,36 +1111,34 @@ module Pindo
       def extract_signing_config_name_from_build_type(content, build_type)
         # 先提取 buildTypes 块
         if content =~ /buildTypes\s*\{/
-          start_match = $~
+          start_match = $LAST_MATCH_INFO
           start_pos = start_match.end(0)
 
           # 计算大括号平衡来找到 buildTypes 块的结束
           brace_count = 1
           end_pos = start_pos
 
-          content[start_pos..-1].each_char.with_index do |char, index|
-            if char == '{'
+          content[start_pos..].each_char.with_index do |char, index|
+            if char == "{"
               brace_count += 1
-            elsif char == '}'
+            elsif char == "}"
               brace_count -= 1
-              if brace_count == 0
+              if brace_count.zero?
                 end_pos = start_pos + index
                 break
               end
             end
           end
 
-          build_types_block = content[start_pos...end_pos] if brace_count == 0
+          build_types_block = content[start_pos...end_pos] if brace_count.zero?
 
           if build_types_block
             # 提取特定 buildType 的配置块
             build_type_block = extract_config_block_by_name_groovy(build_types_block, build_type)
 
-            if build_type_block
+            if build_type_block && (build_type_block =~ /signingConfig\s+signingConfigs\.(\w+)/)
               # 查找 signingConfig signingConfigs.XXX
-              if build_type_block =~ /signingConfig\s+signingConfigs\.(\w+)/
-                return $1
-              end
+              return ::Regexp.last_match(1)
             end
           end
         end
@@ -864,19 +1149,19 @@ module Pindo
       def extract_signing_configs_groovy(content)
         # 提取 signingConfigs { ... }，使用大括号计数来正确处理嵌套
         if content =~ /signingConfigs\s*\{/
-          start_match = $~
+          start_match = $LAST_MATCH_INFO
           start_pos = start_match.end(0)
 
           # 计算大括号平衡
           brace_count = 1
           end_pos = start_pos
 
-          content[start_pos..-1].each_char.with_index do |char, index|
-            if char == '{'
+          content[start_pos..].each_char.with_index do |char, index|
+            if char == "{"
               brace_count += 1
-            elsif char == '}'
+            elsif char == "}"
               brace_count -= 1
-              if brace_count == 0
+              if brace_count.zero?
                 end_pos = start_pos + index
                 break
               end
@@ -884,24 +1169,53 @@ module Pindo
           end
 
           # 返回 signingConfigs 块的内容（不包括外层大括号）
-          return content[start_pos...end_pos] if brace_count == 0
+          return content[start_pos...end_pos] if brace_count.zero?
         end
 
         nil
       end
 
+      # 从第一个 `{` 起做大括号配对，返回内层正文（不含最外层花括号）。
+      # 解决 workflow 注入的 signingConfig 内含 `if (...) { }` 时，非贪婪正则会在第一个 `}` 处截断、
+      # 导致读不到 storeFile/keyAlias，bundletool 误用占位或错误别名（如表现为 debug 签名）。
+      def extract_balanced_inner_after_open_brace(full_text, open_brace_index)
+        return nil if open_brace_index.nil? || open_brace_index >= full_text.length
+        return nil unless full_text[open_brace_index] == "{"
+
+        inner_start = open_brace_index + 1
+        brace_count = 1
+        i = inner_start
+        while i < full_text.length
+          ch = full_text[i]
+          if ch == "{"
+            brace_count += 1
+          elsif ch == "}"
+            brace_count -= 1
+            return full_text[inner_start...i] if brace_count.zero?
+          end
+          i += 1
+        end
+        nil
+      end
+
       # 根据配置名称提取配置块（Kotlin DSL）
       def extract_config_block_by_name_kts(signing_configs_block, config_name)
-        # 支持 create("xxx") { ... }
-        match = signing_configs_block.match(/create\s*\(\s*["']#{config_name}["']\s*\)\s*\{([\s\S]*?)^\s*\}/m)
-        match ? match[1] : nil
+        name = config_name.to_s
+        m = signing_configs_block.match(/create\s*\(\s*["']#{Regexp.escape(name)}["']\s*\)\s*\{/)
+        return nil unless m
+
+        open_idx = m.end(0) - 1
+        extract_balanced_inner_after_open_brace(signing_configs_block, open_idx)
       end
 
       # 根据配置名称提取配置块（Groovy）
       def extract_config_block_by_name_groovy(signing_configs_block, config_name)
-        # 支持 xxx { ... }
-        match = signing_configs_block.match(/#{config_name}\s*\{([\s\S]*?)^\s*\}/m)
-        match ? match[1] : nil
+        name = config_name.to_s
+        m = signing_configs_block.match(/\b#{Regexp.escape(name)}\s*\{/)
+        return nil unless m
+
+        open_idx = m.end(0) - 1
+        extract_balanced_inner_after_open_brace(signing_configs_block, open_idx)
       end
 
       def remove_kts_comments(block)
@@ -911,19 +1225,19 @@ module Pindo
 
       def remove_groovy_comments(block)
         # 去除 // 和 /* ... */ 注释
-        block = block.gsub(/\/\*[\s\S]*?\*\//, "")
+        block = block.gsub(%r{/\*[\s\S]*?\*/}, "")
         block.lines.reject { |line| line.strip.start_with?("//") }.join
       end
 
       def fix_store_file_path(store_file, project_path)
-        return nil if store_file.nil? || store_file.empty?
+        return if store_file.blank?
 
         # 如果已经是绝对路径，直接返回
-        return store_file if store_file.start_with?('/') && File.exist?(store_file)
+        return store_file if store_file.start_with?("/") && File.exist?(store_file)
 
         # 处理相对路径（如 signing/xxx.keystore）
         # 这种路径来自于 rootProject.file("signing/xxx.keystore")
-        if !store_file.start_with?('/')
+        unless store_file.start_with?("/")
           # 相对路径，基于项目根目录解析
           absolute_path = File.join(project_path, store_file)
           return absolute_path if File.exist?(absolute_path)
@@ -933,72 +1247,72 @@ module Pindo
         end
 
         # 兼容旧格式：$rootDir、${rootDir}、project.rootDir
-        store_file = store_file.gsub(/^\$?\{?rootDir\}?\/?/, project_path + "/")
-        store_file = store_file.gsub(/^project\.rootDir\/?/, project_path + "/")
+        store_file = store_file.gsub(%r{^\$?\{?rootDir\}?/?}, "#{project_path}/")
+        store_file.gsub(%r{^project\.rootDir/?}, "#{project_path}/")
+      end
+
+      # 从 signingConfig 块解析 keystore 相对/绝对路径（优先 RELEASE_KEYSTORE_PATH + ENV，其次 ?: 回退，再兼容直接 file(...)）
+      def resolve_keystore_path_from_signing_block(config_block, project_path)
+        if config_block.include?("RELEASE_KEYSTORE_PATH") &&
+           (m = config_block.match(/System\.getenv\(\s*["']RELEASE_KEYSTORE_PATH["']\s*\)(?:\s*\?:\s*["']([^"']+)["'])?/m))
+          fb = m[1]
+          v = ENV.fetch(ENV_RELEASE_KEYSTORE_PATH, nil)
+          rel = v.presence || fb
+          return fix_store_file_path(rel, project_path) if rel && !rel.to_s.empty?
+        end
 
-        store_file
+        if (m = config_block.match(/storeFile\s*=\s*(?:rootProject\.)?file\(\s*["']([^"']+)["']\s*\)/m))
+          return fix_store_file_path(m[1], project_path)
+        end
+        if (m = config_block.match(/storeFile\s+(?:rootProject\.)?file\(\s*["']([^"']+)["']\s*\)/m))
+          return fix_store_file_path(m[1], project_path)
+        end
+
+        nil
+      end
+
+      def signing_keystore_fallback_relative(pindo_config)
+        raw = pindo_config["relative_store_file"] || pindo_config["storeFile"]
+        s = raw.to_s
+        s = s.sub(%r{\A\$rootDir/?}, "").delete_prefix("/")
+        s = File.basename(s) if s.start_with?("/") # 绝对路径时仅取文件名作弱回退
+        s
+      end
+
+      def escape_gradle_double_quoted(str)
+        str.to_s.gsub("\\", "\\\\").gsub('"', '\\"')
       end
 
       # =================== 写入 keystore 配置的辅助方法 ===================
 
-      # 生成签名配置代码块（Groovy）
+      # 生成签名配置代码块（Groovy）——与工程约定：RELEASE_* + ?: 本地回退（明文仅回退串，来自 JPS 的敏感值走本次进程 ENV）
       def generate_signing_config_groovy(config_name, pindo_config)
-        # 优先使用相对路径，如果不存在则使用绝对路径
-        store_file = pindo_config["relative_store_file"] || pindo_config["storeFile"]
-        store_password = pindo_config["storePassword"]
-        key_alias = pindo_config["keyAlias"]
-        key_password = pindo_config["keyPassword"]
-
-        # 如果是相对路径（$rootDir），使用不同的语法
-        if store_file && store_file.start_with?("$rootDir")
-          # 使用 rootProject.file() 或直接使用 $rootDir 变量
-          store_file_line = "storeFile file(\"#{store_file.sub('$rootDir/', '')}\")"
-          if store_file.include?("$rootDir/")
-            # 对于 $rootDir/signing/xxx.keystore 格式
-            relative_path = store_file.sub('$rootDir/', '')
-            store_file_line = "storeFile rootProject.file(\"#{relative_path}\")"
-          end
-        else
-          store_file_line = "storeFile file(\"#{store_file}\")"
-        end
+        rel_fb = escape_gradle_double_quoted(signing_keystore_fallback_relative(pindo_config))
+        alias_fb = escape_gradle_double_quoted(pindo_config["keyAlias"])
 
         <<~GROOVY
           #{config_name} {
-                  #{store_file_line}
-                  storePassword "#{store_password}"
-                  keyAlias "#{key_alias}"
-                  keyPassword "#{key_password}"
+                  def keystorePath = System.getenv("#{ENV_RELEASE_KEYSTORE_PATH}") ?: "#{rel_fb}"
+                  storeFile rootProject.file(keystorePath)
+                  storePassword System.getenv("#{ENV_RELEASE_KEYSTORE_PASSWORD}") ?: "123456"
+                  keyAlias System.getenv("#{ENV_RELEASE_KEY_ALIAS}") ?: "#{alias_fb}"
+                  keyPassword System.getenv("#{ENV_RELEASE_KEY_PASSWORD}") ?: "123456"
               }
         GROOVY
       end
 
       # 生成签名配置代码块（Kotlin DSL）
       def generate_signing_config_kts(config_name, pindo_config)
-        # 优先使用相对路径，如果不存在则使用绝对路径
-        store_file = pindo_config["relative_store_file"] || pindo_config["storeFile"]
-        store_password = pindo_config["storePassword"]
-        key_alias = pindo_config["keyAlias"]
-        key_password = pindo_config["keyPassword"]
-
-        # 如果是相对路径（$rootDir），使用不同的语法
-        if store_file && store_file.start_with?("$rootDir")
-          # 对于 Kotlin DSL，使用 rootProject.file()
-          if store_file.include?("$rootDir/")
-            relative_path = store_file.sub('$rootDir/', '')
-            store_file_line = "storeFile = rootProject.file(\"#{relative_path}\")"
-          else
-            store_file_line = "storeFile = file(\"#{store_file}\")"
-          end
-        else
-          store_file_line = "storeFile = file(\"#{store_file}\")"
-        end
+        rel_fb = escape_gradle_double_quoted(signing_keystore_fallback_relative(pindo_config))
+        alias_fb = escape_gradle_double_quoted(pindo_config["keyAlias"])
 
         <<~KOTLIN
           create("#{config_name}") {
-                  #{store_file_line}
-                  storePassword = "#{store_password}"
-                  keyAlias = "#{key_alias}"
-                  keyPassword = "#{key_password}"
+                  val keystorePath = System.getenv("#{ENV_RELEASE_KEYSTORE_PATH}") ?: "#{rel_fb}"
+                  storeFile = rootProject.file(keystorePath)
+                  storePassword = System.getenv("#{ENV_RELEASE_KEYSTORE_PASSWORD}") ?: "123456"
+                  keyAlias = System.getenv("#{ENV_RELEASE_KEY_ALIAS}") ?: "#{alias_fb}"
+                  keyPassword = System.getenv("#{ENV_RELEASE_KEY_PASSWORD}") ?: "123456"
               }
         KOTLIN
       end
@@ -1009,14 +1323,15 @@ module Pindo
         if content =~ /signingConfigs\s*\{/
           # 在 signingConfigs 块内插入
           content.sub(/(signingConfigs\s*\{)/) do
-            "#{$1}\n        #{signing_config_block.strip.gsub(/\n/, "\n        ")}\n"
+            "#{::Regexp.last_match(1)}\n        #{signing_config_block.strip.gsub("\n", "\n        ")}\n"
           end
         else
           # 没有 signingConfigs 块，在 android 块内创建
           android_match = content.match(/(android\s*\{)/m)
           if android_match
             insert_pos = content.index(android_match[0]) + android_match[0].length
-            signing_configs_block = "\n    signingConfigs {\n        #{signing_config_block.strip.gsub(/\n/, "\n        ")}\n    }\n"
+            signing_configs_block = "\n    signingConfigs {\n        #{signing_config_block.strip.gsub("\n",
+                                                                                                       "\n        ")}\n    }\n"
             content.insert(insert_pos, signing_configs_block)
           else
             content
@@ -1030,14 +1345,15 @@ module Pindo
         if content =~ /signingConfigs\s*\{/
           # 在 signingConfigs 块内插入
           content.sub(/(signingConfigs\s*\{)/) do
-            "#{$1}\n        #{signing_config_block.strip.gsub(/\n/, "\n        ")}\n"
+            "#{::Regexp.last_match(1)}\n        #{signing_config_block.strip.gsub("\n", "\n        ")}\n"
           end
         else
           # 没有 signingConfigs 块，在 android 块内创建
           android_match = content.match(/(android\s*\{)/m)
           if android_match
             insert_pos = content.index(android_match[0]) + android_match[0].length
-            signing_configs_block = "\n    signingConfigs {\n        #{signing_config_block.strip.gsub(/\n/, "\n        ")}\n    }\n"
+            signing_configs_block = "\n    signingConfigs {\n        #{signing_config_block.strip.gsub("\n",
+                                                                                                       "\n        ")}\n    }\n"
             content.insert(insert_pos, signing_configs_block)
           else
             content
@@ -1062,7 +1378,7 @@ module Pindo
 
         # 第三步：在 buildType 块开始后添加 signingConfig 引用
         new_block = build_type_block.sub(/^(\s*#{build_type}\s*\{\s*)$/m) do
-          "#{$1}\n            signingConfig signingConfigs.#{config_name}\n"
+          "#{::Regexp.last_match(1)}\n            signingConfig signingConfigs.#{config_name}\n"
         end
 
         # 第四步：替换 buildTypes 块中的内容
@@ -1090,7 +1406,7 @@ module Pindo
 
         # 第三步：在 buildType 块开始后添加 signingConfig 引用
         new_block = build_type_block.sub(/^(\s*getByName\s*\(\s*"#{build_type}"\s*\)\s*\{\s*)$/m) do
-          "#{$1}\n            signingConfig = signingConfigs.getByName(\"#{config_name}\")\n"
+          "#{::Regexp.last_match(1)}\n            signingConfig = signingConfigs.getByName(\"#{config_name}\")\n"
         end
 
         # 第四步：替换 buildTypes 块中的内容
@@ -1110,9 +1426,9 @@ module Pindo
 
         return gradle_kts if File.exist?(gradle_kts)
         return gradle_groovy if File.exist?(gradle_groovy)
+
         nil
       end
-
     end
   end
 end