@invarn/cibuild 1.3.16 → 1.3.17

package/dist/src/yaml/step-validator.js

@@ -0,0 +1,403 @@
+/**
+ * Pre-execution validation orchestrator
+ *
+ * Validates all steps in a workflow BEFORE execution begins.
+ * All validation checks are READ-ONLY and safe to run on the user's machine.
+ * This enables catching all issues at once instead of failing on the first error.
+ */
+import { getStepExecutor, hasStep, getStepMetadata } from './steps/registry.js';
+import { EnvResolver } from './env-resolver.js';
+import { detectPlatformInfo } from './platform-detector.js';
+// POSIX env vars the shell always provides — don't flag these as undeclared.
+// The runner's guest shell seeds HOME, TMPDIR, PATH, etc.; requiring
+// pipelines to redeclare them forces literal-path-only scripts.
+const POSIX_ENV_ALLOWLIST = new Set([
+    'HOME',
+    'USER',
+    'PATH',
+    'TMPDIR',
+    'TMP',
+    'TEMP',
+    'SHELL',
+    'LANG',
+    'LC_ALL',
+    'PWD',
+    'LOGNAME',
+    'HOSTNAME',
+]);
+/**
+ * StepValidator orchestrates pre-execution validation for a workflow.
+ * It iterates through all steps, collects validation requirements,
+ * runs pre-execution checks, and aggregates all issues.
+ */
+export class StepValidator {
+    pipeline;
+    workflow;
+    workflowName;
+    config;
+    envResolver;
+    yamlFilePath;
+    // Track outputs provided by earlier steps for dependency validation
+    availableOutputs = new Map();
+    // Platform established by the first platform-specific step ('ios' or 'android')
+    establishedPlatform = null;
+    constructor(pipeline, workflowName, config, yamlFilePath) {
+        this.pipeline = pipeline;
+        this.workflowName = workflowName;
+        this.workflow = pipeline.workflows[workflowName];
+        this.config = config;
+        this.yamlFilePath = yamlFilePath;
+        if (!this.workflow) {
+            throw new Error(`Workflow '${workflowName}' not found in pipeline`);
+        }
+        // Create env resolver for variable interpolation
+        const platformInfo = detectPlatformInfo(pipeline, workflowName);
+        this.envResolver = new EnvResolver(pipeline, this.workflow, workflowName, platformInfo.platform, platformInfo.stack, yamlFilePath);
+    }
+    /**
+     * Validates all steps in the workflow.
+     * Returns a complete validation result with all issues grouped by step and category.
+     */
+    async validateWorkflow() {
+        const issues = [];
+        const issuesByStep = new Map();
+        const issuesByCategory = new Map();
+        let stepIndex = 0;
+        for (const yamlStep of this.workflow.steps) {
+            const parsedStep = this.parseStep(yamlStep, stepIndex);
+            // Skip unrecognized steps (they'll be handled by converter with warnings)
+            if (!hasStep(parsedStep.name)) {
+                stepIndex++;
+                continue;
+            }
+            const executor = getStepExecutor(parsedStep.name);
+            // Platform compatibility check
+            const stepMetadata = getStepMetadata(parsedStep.name);
+            const stepPlatform = stepMetadata?.platform ?? 'all';
+            if (stepPlatform !== 'all') {
+                if (this.establishedPlatform === null) {
+                    // First platform-specific step establishes the workflow platform
+                    this.establishedPlatform = stepPlatform;
+                }
+                else if (this.establishedPlatform !== stepPlatform) {
+                    // This step conflicts with the established platform
+                    const platformIssue = {
+                        stepName: parsedStep.title || parsedStep.name,
+                        stepIndex,
+                        requirement: {
+                            category: 'platform',
+                            name: parsedStep.name,
+                            description: `'${parsedStep.name}' is an ${stepPlatform} step but this workflow targets ${this.establishedPlatform}`,
+                            timing: 'pre-execution',
+                            severity: 'error',
+                            hint: `Remove this step or move it to a dedicated ${stepPlatform} workflow`,
+                            check: async () => ({
+                                passed: false,
+                                message: `Cross-platform step: '${parsedStep.name}' (${stepPlatform}) cannot be used in an ${this.establishedPlatform} workflow`,
+                            }),
+                        },
+                        result: {
+                            passed: false,
+                            message: `Cross-platform step: '${parsedStep.name}' (${stepPlatform}) cannot be used in an ${this.establishedPlatform} workflow`,
+                        },
+                    };
+                    issues.push(platformIssue);
+                    const stepIssues = issuesByStep.get(platformIssue.stepName) || [];
+                    stepIssues.push(platformIssue);
+                    issuesByStep.set(platformIssue.stepName, stepIssues);
+                    const catIssues = issuesByCategory.get('platform') || [];
+                    catIssues.push(platformIssue);
+                    issuesByCategory.set('platform', catIssues);
+                    stepIndex++;
+                    continue;
+                }
+            }
+            // Skip all validation for steps that will be skipped in local mode
+            if (this.config.local && executor.isSkippedInLocalMode?.()) {
+                if (executor.getOutputs) {
+                    for (const output of executor.getOutputs()) {
+                        this.availableOutputs.set(output.name, { stepName: parsedStep.name, output });
+                    }
+                }
+                stepIndex++;
+                continue;
+            }
+            // Get validation requirements if the executor supports it
+            if (executor.getValidationRequirements) {
+                // Interpolate inputs (but don't throw on missing vars during validation)
+                let interpolatedInputs = parsedStep.inputs;
+                try {
+                    interpolatedInputs = this.envResolver.interpolateObject(parsedStep.inputs, parsedStep.title || parsedStep.name);
+                }
+                catch {
+                    // Interpolation failed because a variable isn't set yet.
+                    // Use a lenient copy: strip unresolved $VAR / ${VAR} references to ''
+                    // so getValidationRequirements can correctly detect them as missing.
+                    interpolatedInputs = this.stripUnresolvedVars(parsedStep.inputs);
+                }
+                const requirements = executor.getValidationRequirements(interpolatedInputs, this.envResolver.getAll(), this.config);
+                // Validate each requirement
+                for (const req of requirements) {
+                    const issue = await this.validateRequirement(req, parsedStep.title || parsedStep.name, stepIndex);
+                    if (issue) {
+                        issues.push(issue);
+                        // Group by step
+                        const stepIssues = issuesByStep.get(issue.stepName) || [];
+                        stepIssues.push(issue);
+                        issuesByStep.set(issue.stepName, stepIssues);
+                        // Group by category
+                        const catIssues = issuesByCategory.get(issue.requirement.category) || [];
+                        catIssues.push(issue);
+                        issuesByCategory.set(issue.requirement.category, catIssues);
+                    }
+                }
+                // Auto-discover any $VAR references in raw inputs that aren't covered above
+                const resolvedEnv = this.envResolver.getAll();
+                const alreadyDeclared = new Set(requirements.map((r) => r.name));
+                const referencedVars = this.extractVariableReferences(parsedStep.inputs);
+                for (const varName of referencedVars) {
+                    // Skip POSIX vars the shell always provides
+                    if (POSIX_ENV_ALLOWLIST.has(varName))
+                        continue;
+                    // Skip if already in resolved env (use hasOwnProperty so empty-string
+                    // values set by the YAML/secrets are still treated as "provided")
+                    if (Object.prototype.hasOwnProperty.call(resolvedEnv, varName))
+                        continue;
+                    // Skip if provided as output by an earlier step
+                    if (this.availableOutputs.has(varName))
+                        continue;
+                    // Skip if already declared by getValidationRequirements
+                    if (alreadyDeclared.has(varName))
+                        continue;
+                    // Skip if already added by a previous step
+                    if (issues.some((i) => i.requirement.name === varName))
+                        continue;
+                    // Skippable steps won't block the build if they fail — downgrade to warning
+                    // so missing vars don't prevent the run when the step can safely be skipped.
+                    const severity = parsedStep.is_skippable ? 'warning' : 'error';
+                    const req = {
+                        category: 'environment',
+                        name: varName,
+                        description: `${varName} is not set`,
+                        timing: 'pre-execution',
+                        severity,
+                        check: async () => ({ passed: false, message: `${varName} is not set` }),
+                    };
+                    const issue = await this.validateRequirement(req, parsedStep.title || parsedStep.name, stepIndex);
+                    if (issue) {
+                        issues.push(issue);
+                        const stepIssues = issuesByStep.get(issue.stepName) || [];
+                        stepIssues.push(issue);
+                        issuesByStep.set(issue.stepName, stepIssues);
+                        const catIssues = issuesByCategory.get(issue.requirement.category) || [];
+                        catIssues.push(issue);
+                        issuesByCategory.set(issue.requirement.category, catIssues);
+                    }
+                }
+            }
+            // Record outputs this step provides for later steps
+            if (executor.getOutputs) {
+                for (const output of executor.getOutputs()) {
+                    this.availableOutputs.set(output.name, {
+                        stepName: parsedStep.name,
+                        output,
+                    });
+                }
+            }
+            stepIndex++;
+        }
+        // Count issues by severity
+        const counts = {
+            errors: issues.filter((i) => i.requirement.severity === 'error').length,
+            warnings: issues.filter((i) => i.requirement.severity === 'warning').length,
+            info: issues.filter((i) => i.requirement.severity === 'info').length,
+        };
+        return {
+            valid: counts.errors === 0,
+            issues,
+            issuesByStep,
+            issuesByCategory,
+            counts,
+        };
+    }
+    /**
+     * Validates a single requirement and returns an issue if it fails
+     */
+    async validateRequirement(requirement, stepName, stepIndex) {
+        // Skip runtime-only checks (they can't be validated before execution)
+        if (requirement.timing === 'runtime') {
+            // For runtime dependencies, check if the providing step exists earlier
+            if (requirement.providedBy) {
+                const provider = this.availableOutputs.get(requirement.name);
+                if (!provider) {
+                    // Output not provided by any earlier step - this is an info message
+                    return {
+                        stepName,
+                        stepIndex,
+                        requirement,
+                        result: {
+                            passed: false,
+                            message: `'${requirement.name}' will be provided by '${requirement.providedBy}' step at runtime`,
+                        },
+                    };
+                }
+            }
+            return null; // Skip other runtime checks
+        }
+        // Run the check if available
+        if (requirement.check) {
+            try {
+                const result = await requirement.check();
+                if (!result.passed) {
+                    return {
+                        stepName,
+                        stepIndex,
+                        requirement,
+                        result,
+                    };
+                }
+            }
+            catch (error) {
+                return {
+                    stepName,
+                    stepIndex,
+                    requirement,
+                    result: {
+                        passed: false,
+                        message: `Check failed: ${error instanceof Error ? error.message : String(error)}`,
+                    },
+                };
+            }
+        }
+        return null;
+    }
+    /**
+     * Extracts all $VAR and ${VAR} variable names referenced in an object recursively.
+     */
+    extractVariableReferences(obj) {
+        const vars = new Set();
+        if (typeof obj === 'string') {
+            const pattern = /\$\{([^}]+)\}|\$([A-Z_][A-Z_0-9]*)/g;
+            let match;
+            while ((match = pattern.exec(obj)) !== null) {
+                vars.add(match[1] || match[2]);
+            }
+        }
+        else if (Array.isArray(obj)) {
+            for (const item of obj) {
+                for (const v of this.extractVariableReferences(item))
+                    vars.add(v);
+            }
+        }
+        else if (obj && typeof obj === 'object') {
+            for (const value of Object.values(obj)) {
+                for (const v of this.extractVariableReferences(value))
+                    vars.add(v);
+            }
+        }
+        return vars;
+    }
+    /**
+     * Replaces all unresolved $VAR and ${VAR} references with empty string.
+     * Used as a lenient fallback when full interpolation fails, so that
+     * getValidationRequirements can detect truly-missing variables correctly.
+     */
+    stripUnresolvedVars(obj) {
+        if (typeof obj === 'string') {
+            return obj.replace(/\$\{[^}]+\}|\$[A-Z_][A-Z_0-9]*/g, '');
+        }
+        if (Array.isArray(obj)) {
+            return obj.map((item) => this.stripUnresolvedVars(item));
+        }
+        if (obj && typeof obj === 'object') {
+            const result = {};
+            for (const [key, value] of Object.entries(obj)) {
+                result[key] = this.stripUnresolvedVars(value);
+            }
+            return result;
+        }
+        return obj;
+    }
+    /**
+     * Parses a YAML step into a ParsedStep (simplified version of converter logic)
+     */
+    parseStep(yamlStep, _index) {
+        const stepKeys = Object.keys(yamlStep);
+        const stepNameWithVersion = stepKeys[0];
+        const stepConfig = yamlStep[stepNameWithVersion];
+        const atIndex = stepNameWithVersion.indexOf('@');
+        const name = atIndex === -1 ? stepNameWithVersion : stepNameWithVersion.substring(0, atIndex);
+        const version = atIndex === -1 ? undefined : stepNameWithVersion.substring(atIndex + 1);
+        let inputs = stepConfig?.inputs || {};
+        if (Array.isArray(inputs)) {
+            const inputsObj = {};
+            for (const input of inputs) {
+                if (typeof input === 'object' && input !== null) {
+                    Object.assign(inputsObj, input);
+                }
+            }
+            inputs = inputsObj;
+        }
+        return {
+            name,
+            version,
+            title: stepConfig?.title,
+            inputs,
+            run_if: stepConfig?.run_if,
+            is_always_run: stepConfig?.is_always_run,
+            is_skippable: stepConfig?.is_skippable,
+        };
+    }
+}
+/**
+ * Format validation result for console output
+ */
+export function formatValidationResult(result) {
+    if (result.valid && result.issues.length === 0) {
+        return '\n✅ All pre-execution validations passed\n';
+    }
+    const lines = [];
+    lines.push('\n' + '═'.repeat(70));
+    lines.push('PRE-EXECUTION VALIDATION RESULTS');
+    lines.push('═'.repeat(70));
+    // Summary
+    lines.push(`\n📊 Summary: ${result.counts.errors} error${result.counts.errors !== 1 ? 's' : ''}, ` +
+        `${result.counts.warnings} warning${result.counts.warnings !== 1 ? 's' : ''}, ` +
+        `${result.counts.info} info\n`);
+    // Group by step
+    for (const [stepName, stepIssues] of result.issuesByStep) {
+        const errors = stepIssues.filter((i) => i.requirement.severity === 'error');
+        const warnings = stepIssues.filter((i) => i.requirement.severity === 'warning');
+        const infos = stepIssues.filter((i) => i.requirement.severity === 'info');
+        lines.push(`\n📦 Step: ${stepName}`);
+        lines.push('─'.repeat(50));
+        for (const issue of errors) {
+            lines.push(`  ❌ ERROR: ${issue.requirement.description}`);
+            lines.push(`     ${issue.result.message}`);
+            if (issue.requirement.hint) {
+                lines.push(`     💡 ${issue.requirement.hint}`);
+            }
+        }
+        for (const issue of warnings) {
+            lines.push(`  ⚠️  WARNING: ${issue.requirement.description}`);
+            lines.push(`     ${issue.result.message}`);
+            if (issue.requirement.hint) {
+                lines.push(`     💡 ${issue.requirement.hint}`);
+            }
+        }
+        for (const issue of infos) {
+            lines.push(`  ℹ️  INFO: ${issue.requirement.description}`);
+            lines.push(`     ${issue.result.message}`);
+        }
+    }
+    lines.push('\n' + '═'.repeat(70));
+    if (result.counts.errors > 0) {
+        lines.push('❌ Validation failed. Please fix the errors above before running the pipeline.');
+    }
+    else {
+        lines.push('⚠️  Validation passed with warnings. Pipeline can proceed.');
+    }
+    lines.push('═'.repeat(70) + '\n');
+    return lines.join('\n');
+}
+//# sourceMappingURL=step-validator.js.map

package/dist/src/yaml/steps/android-sign.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Android signing step: sign-apk
+ */
+import { BaseStepExecutor } from './base.js';
+import type { StepDef, CIConfig } from '../../types.js';
+import type { ValidationRequirement, StepOutput } from '../validation-types.js';
+export interface SignApkInputs {
+    /** Path(s) to APK or AAB file(s), pipe-separated */
+    android_app?: string;
+    /** Keystore file URL or local path (file://...) */
+    keystore_url?: string;
+    /** Keystore password */
+    keystore_password?: string;
+    /** Key alias inside the keystore */
+    keystore_alias?: string;
+    /** Private key password (defaults to keystore_password) */
+    private_key_password?: string;
+    /** Page alignment for .so files: automatic | true | false */
+    page_align?: string;
+    /** Signing tool: automatic | apksigner | jarsigner */
+    signer_tool?: string;
+    /** Output artifact name (without extension) */
+    output_name?: string;
+    /** Enable verbose logging */
+    verbose_log?: boolean;
+}
+/**
+ * Signs APK/AAB files using apksigner or jarsigner with zipalign.
+ */
+export declare class SignApkStepExecutor extends BaseStepExecutor {
+    getValidationRequirements(inputs: SignApkInputs, env: Record<string, string>, _config: CIConfig): ValidationRequirement[];
+    getOutputs(): StepOutput[];
+    execute(inputs: SignApkInputs, _env: Record<string, string>, _config: CIConfig): Promise<StepDef>;
+}
+//# sourceMappingURL=android-sign.d.ts.map

package/dist/src/yaml/steps/android-sign.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"android-sign.d.ts","sourceRoot":"","sources":["../../../../src/yaml/steps/android-sign.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,KAAK,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAEhF,MAAM,WAAW,aAAa;IAC5B,oDAAoD;IACpD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mDAAmD;IACnD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wBAAwB;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oCAAoC;IACpC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,2DAA2D;IAC3D,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,6DAA6D;IAC7D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sDAAsD;IACtD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6BAA6B;IAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,gBAAgB;IACvD,yBAAyB,CACvB,MAAM,EAAE,aAAa,EACrB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC3B,OAAO,EAAE,QAAQ,GAChB,qBAAqB,EAAE;IAM1B,UAAU,IAAI,UAAU,EAAE;IAOpB,OAAO,CAAC,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;CA0IxG"}

package/dist/src/yaml/steps/android-sign.js

@@ -0,0 +1,147 @@
+/**
+ * Android signing step: sign-apk
+ */
+import { BaseStepExecutor } from './base.js';
+/**
+ * Signs APK/AAB files using apksigner or jarsigner with zipalign.
+ */
+export class SignApkStepExecutor extends BaseStepExecutor {
+    getValidationRequirements(inputs, env, _config) {
+        return [
+            this.requireCommand('zipalign', 'Android zipalign tool is required', 'Install Android SDK Build Tools'),
+        ];
+    }
+    getOutputs() {
+        return [
+            { name: 'CIBUILD_SIGNED_APK_PATH', type: 'environment', description: 'Path to the signed APK' },
+            { name: 'CIBUILD_SIGNED_AAB_PATH', type: 'environment', description: 'Path to the signed AAB' },
+        ];
+    }
+    async execute(inputs, _env, _config) {
+        const stepName = 'sign-apk';
+        const androidApp = this.getInput(inputs, 'android_app', '$CIBUILD_APK_PATH');
+        const keystoreUrl = this.getInput(inputs, 'keystore_url', '$KEYSTORE_URL');
+        const keystorePassword = this.getInput(inputs, 'keystore_password', '$KEYSTORE_PASSWORD');
+        const keystoreAlias = this.getInput(inputs, 'keystore_alias', '$KEYSTORE_ALIAS');
+        const privateKeyPassword = this.getInput(inputs, 'private_key_password', '');
+        const pageAlign = this.getInput(inputs, 'page_align', 'automatic');
+        const signerTool = this.getInput(inputs, 'signer_tool', 'automatic');
+        const outputName = this.getInput(inputs, 'output_name', '');
+        const verboseLog = this.getInput(inputs, 'verbose_log', false);
+        const commands = [];
+        commands.push('# sign-apk — sign Android APK/AAB');
+        commands.push('echo "🔐 Signing Android app..."');
+        commands.push('');
+        // Resolve keystore
+        commands.push('# Resolve keystore file');
+        commands.push(`KEYSTORE_URL="${keystoreUrl}"`);
+        commands.push(`KEYSTORE_PASSWORD="${keystorePassword}"`);
+        commands.push(`KEYSTORE_ALIAS="${keystoreAlias}"`);
+        if (privateKeyPassword) {
+            commands.push(`KEY_PASSWORD="${this.escapeBash(privateKeyPassword)}"`);
+        }
+        else {
+            commands.push('KEY_PASSWORD="$KEYSTORE_PASSWORD"');
+        }
+        commands.push('');
+        commands.push('if [ -z "$KEYSTORE_URL" ] || [ -z "$KEYSTORE_PASSWORD" ] || [ -z "$KEYSTORE_ALIAS" ]; then');
+        commands.push('  echo "❌ Error: keystore_url, keystore_password, and keystore_alias are required"');
+        commands.push('  exit 1');
+        commands.push('fi');
+        commands.push('');
+        // Download or resolve keystore
+        commands.push('# Download or resolve keystore file');
+        commands.push('if [[ "$KEYSTORE_URL" == file://* ]]; then');
+        commands.push('  KEYSTORE_PATH="${KEYSTORE_URL#file://}"');
+        commands.push('elif [[ "$KEYSTORE_URL" == http* ]]; then');
+        commands.push('  KEYSTORE_PATH="$(mktemp -t keystore).jks"');
+        commands.push('  curl -sSfL "$KEYSTORE_URL" -o "$KEYSTORE_PATH"');
+        commands.push('else');
+        commands.push('  KEYSTORE_PATH="$KEYSTORE_URL"');
+        commands.push('fi');
+        commands.push('');
+        commands.push('if [ ! -f "$KEYSTORE_PATH" ]; then');
+        commands.push('  echo "❌ Error: Keystore file not found: $KEYSTORE_PATH"');
+        commands.push('  exit 1');
+        commands.push('fi');
+        commands.push('');
+        // Determine signer tool
+        commands.push('# Determine signing tool');
+        if (signerTool === 'automatic') {
+            commands.push('if command -v apksigner &>/dev/null; then');
+            commands.push('  SIGNER="apksigner"');
+            commands.push('elif command -v jarsigner &>/dev/null; then');
+            commands.push('  SIGNER="jarsigner"');
+            commands.push('else');
+            commands.push('  echo "❌ Error: Neither apksigner nor jarsigner found"');
+            commands.push('  exit 1');
+            commands.push('fi');
+        }
+        else {
+            commands.push(`SIGNER="${this.escapeBash(signerTool)}"`);
+        }
+        commands.push('echo "Using signer: $SIGNER"');
+        commands.push('');
+        // Process each app file
+        commands.push(`ANDROID_APP="${androidApp}"`);
+        commands.push('SIGNED_APK_PATH=""');
+        commands.push('SIGNED_AAB_PATH=""');
+        commands.push('');
+        commands.push('IFS="|" read -ra APP_FILES <<< "$ANDROID_APP"');
+        commands.push('for APP_FILE in "${APP_FILES[@]}"; do');
+        commands.push('  APP_FILE="$(echo "$APP_FILE" | xargs)"  # trim whitespace');
+        commands.push('  [ -z "$APP_FILE" ] && continue');
+        commands.push('  ');
+        commands.push('  if [ ! -f "$APP_FILE" ]; then');
+        commands.push('    echo "⚠️  File not found: $APP_FILE — skipping"');
+        commands.push('    continue');
+        commands.push('  fi');
+        commands.push('  ');
+        commands.push('  EXT="${APP_FILE##*.}"');
+        commands.push('  DIR="$(dirname "$APP_FILE")"');
+        commands.push('  BASE="$(basename "$APP_FILE" ".$EXT")"');
+        if (outputName) {
+            commands.push(`  OUT_NAME="${this.escapeBash(outputName)}"`);
+        }
+        else {
+            commands.push('  OUT_NAME="${BASE}-signed"');
+        }
+        commands.push('  SIGNED_FILE="$DIR/${OUT_NAME}.${EXT}"');
+        commands.push('  ');
+        // zipalign for APKs
+        commands.push('  if [ "$EXT" = "apk" ]; then');
+        commands.push('    echo "Zipaligning: $APP_FILE"');
+        const alignFlag = pageAlign === 'true' ? '-p' : '';
+        commands.push(`    zipalign ${alignFlag} -f 4 "$APP_FILE" "$DIR/\${BASE}-aligned.apk"`);
+        commands.push('    APP_FILE="$DIR/${BASE}-aligned.apk"');
+        commands.push('  fi');
+        commands.push('  ');
+        // Sign
+        commands.push('  echo "Signing: $APP_FILE → $SIGNED_FILE"');
+        commands.push('  if [ "$SIGNER" = "apksigner" ]; then');
+        const verboseFlag = verboseLog ? ' --verbose' : '';
+        commands.push(`    apksigner sign${verboseFlag} --ks "$KEYSTORE_PATH" --ks-pass "pass:$KEYSTORE_PASSWORD" --ks-key-alias "$KEYSTORE_ALIAS" --key-pass "pass:$KEY_PASSWORD" --out "$SIGNED_FILE" "$APP_FILE"`);
+        commands.push('  else');
+        commands.push('    cp "$APP_FILE" "$SIGNED_FILE"');
+        commands.push(`    jarsigner${verboseLog ? ' -verbose' : ''} -keystore "$KEYSTORE_PATH" -storepass "$KEYSTORE_PASSWORD" -keypass "$KEY_PASSWORD" "$SIGNED_FILE" "$KEYSTORE_ALIAS"`);
+        commands.push('  fi');
+        commands.push('  ');
+        // Track outputs
+        commands.push('  if [ "$EXT" = "apk" ]; then');
+        commands.push('    SIGNED_APK_PATH="$SIGNED_FILE"');
+        commands.push('  elif [ "$EXT" = "aab" ]; then');
+        commands.push('    SIGNED_AAB_PATH="$SIGNED_FILE"');
+        commands.push('  fi');
+        commands.push('  echo "✅ Signed: $SIGNED_FILE"');
+        commands.push('done');
+        commands.push('');
+        // Export
+        commands.push('# Export signed paths');
+        commands.push('[ -n "$SIGNED_APK_PATH" ] && envman add --key CIBUILD_SIGNED_APK_PATH --value "$SIGNED_APK_PATH"');
+        commands.push('[ -n "$SIGNED_AAB_PATH" ] && envman add --key CIBUILD_SIGNED_AAB_PATH --value "$SIGNED_AAB_PATH"');
+        commands.push('echo "✅ Signing complete"');
+        const script = this.createBashScriptFromCommands(commands, stepName);
+        return this.createScriptStep(script, stepName);
+    }
+}
+//# sourceMappingURL=android-sign.js.map

package/dist/src/yaml/steps/android-version.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Android version code and version name step implementation
+ * Updates versionCode and versionName in build.gradle
+ */
+import { BaseStepExecutor } from './base.js';
+import type { StepDef, CIConfig } from '../../types.js';
+import type { ValidationRequirement, StepOutput } from '../validation-types.js';
+/**
+ * Inputs for change-android-versioncode-and-versionname step
+ */
+export interface ChangeAndroidVersionInputs {
+    build_gradle_path?: string;
+    new_version_name?: string;
+    new_version_code?: string;
+    version_code_offset?: string;
+}
+/**
+ * Change Android versionCode and versionName step executor
+ * Modifies build.gradle in-place using sed before the build runs
+ */
+export declare class ChangeAndroidVersionStepExecutor extends BaseStepExecutor {
+    getOutputs(): StepOutput[];
+    getValidationRequirements(inputs: ChangeAndroidVersionInputs, _env: Record<string, string>, _config: CIConfig): ValidationRequirement[];
+    execute(inputs: ChangeAndroidVersionInputs, _env: Record<string, string>, _config: CIConfig): Promise<StepDef>;
+}
+//# sourceMappingURL=android-version.d.ts.map

package/dist/src/yaml/steps/android-version.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"android-version.d.ts","sourceRoot":"","sources":["../../../../src/yaml/steps/android-version.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,KAAK,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAEhF;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;GAGG;AACH,qBAAa,gCAAiC,SAAQ,gBAAgB;IACpE,UAAU,IAAI,UAAU,EAAE;IAO1B,yBAAyB,CACvB,MAAM,EAAE,0BAA0B,EAClC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,OAAO,EAAE,QAAQ,GAChB,qBAAqB,EAAE;IAMpB,OAAO,CAAC,MAAM,EAAE,0BAA0B,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;CAoHrH"}