dwindown/dewemoji
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add APK release flow with R2 redirects and updater support

Browse Source
This commit is contained in:
Dwindi Ramadhana
2026-02-21 21:28:40 +07:00
parent 3d4a753be7
commit efc013f498
14 changed files with 865 additions and 120 deletions
Download Patch File Download Diff File Expand all files Collapse all files

176
apk-direct-release-guide.md
View File

@@ -1,138 +1,106 @@
# Direct APK Release Guide (No Play Store)
# APK Direct Release Guide (Local Build + Cloudflare R2)
This guide is for shipping Dewemoji Android builds as downloadable `.apk` files from your own site.
This is the Dewemoji direct APK release flow.
## 1) One-time prerequisites
## 1) One-time setup
1. Decide and keep a stable Android package id (example: `com.dewemoji.app`).
2. Create and securely store a release keystore.
3. Keep the same keystore for all future updates.
4. Keep `versionCode` strictly increasing for each release.
If keystore or package id changes, users will not receive in-place updates.
---
## 2) Build release APK
Use your Android build command (NativePHP/Capacitor/Gradle), and ensure output is a **release APK**.
Typical Gradle command:
### Required tools (local machine)
```bash
./gradlew assembleRelease
brew install awscli
brew install --cask android-platform-tools
```
Expected output path (common):
### Required environment variables
```bash
android/app/build/outputs/apk/release/app-release.apk
export R2_ACCOUNT_ID="..."
export R2_ACCESS_KEY_ID="..."
export R2_SECRET_ACCESS_KEY="..."
export R2_BUCKET="dewemoji-downloads"
export R2_PUBLIC_BASE_URL="https://downloads.dewemoji.com"
```
---
## 3) Sign and verify APK
If your build pipeline does not auto-sign, sign manually.
### A) Sign
Optional:
```bash
apksigner sign \
--ks /path/to/keystore.jks \
--ks-key-alias your_alias \
--out dewemoji-vX.Y.Z.apk \
android/app/build/outputs/apk/release/app-release.apk
export DEWEMOJI_APK_URL="https://dewemoji.com/downloads/dewemoji-latest.apk"
```
### B) Verify signature
### Optional signing environment (recommended)
```bash
apksigner verify --verbose --print-certs dewemoji-vX.Y.Z.apk
export ANDROID_KEYSTORE_PATH="/absolute/path/release.jks"
export ANDROID_KEYSTORE_PASSWORD="..."
export ANDROID_KEY_ALIAS="..."
export ANDROID_KEY_PASSWORD="..."
```
---
## 4) Generate checksum
## 2) Canonical URLs used by app updater
Publish SHA-256 so users can verify file integrity.
- `https://dewemoji.com/downloads/version.json`
- `https://dewemoji.com/downloads/dewemoji-latest.apk`
These endpoints redirect to R2 objects.
---
## 3) Release steps
Run from repo root.
### A. Build APK
```bash
shasum -a 256 dewemoji-vX.Y.Z.apk
./scripts/apk/build-release.sh
```
Record output in release notes.
Output APK:
---
- `dewemoji-capacitor/dist/apk/dewemoji-v{versionName}-{versionCode}.apk`
## 5) Upload APK to your server
### B. Publish APK + metadata to R2
Recommended path:
```text
https://dewemoji.com/downloads/dewemoji-vX.Y.Z.apk
```bash
./scripts/apk/publish-r2.sh \
--apk dewemoji-capacitor/dist/apk/dewemoji-v1.1.2-112.apk \
--version-name 1.1.2 \
--version-code 112 \
--min-supported-version-code 100 \
--notes "Bug fixes and update UX improvements" \
--force false
```
Recommended server headers:
### C. Verify published release
1. `Content-Type: application/vnd.android.package-archive`
2. `Content-Disposition: attachment; filename="dewemoji-vX.Y.Z.apk"`
3. Serve over HTTPS only
---
## 6) Update Download page content
On your `/download` page, show:
1. Version (`vX.Y.Z`)
2. Build date
3. File size
4. Minimum Android version
5. SHA-256 checksum
6. Install instructions
7. Changelog
Recommended install instructions for users:
1. Download APK from official Dewemoji URL.
2. Open file on Android.
3. Allow installation from browser/files app if prompted.
4. Install/update.
---
## 7) Release checklist
Before publishing:
1. Login works
2. Search works
3. Copy/insert flow works on device
4. Theme/tone UI works
5. Billing links/webviews (if used) open correctly
6. No crash on cold start
7. Version updated and visible in app
---
## 8) Quick rollback
If latest APK is bad:
1. Re-point Download button to previous APK URL.
2. Keep bad APK file archived (do not overwrite silently).
3. Publish rollback notice/changelog update.
---
## 9) Recommended file naming
Use immutable names:
```text
dewemoji-v1.1.1.apk
dewemoji-v1.1.2.apk
```bash
./scripts/apk/verify-release.sh --base-url https://dewemoji.com/downloads
```
Avoid re-uploading different binaries under the same filename.
---
## 4) Versioning rules
1. Site-only deploy: do not bump APK version and do not publish new `version.json`.
2. Runtime/app-shell change: bump `versionCode` + `versionName`, then publish.
3. `versionCode` must always increase.
4. App update prompt appears only when remote `versionCode` is higher.
---
## 5) Rollback
1. Keep all versioned APK objects immutable (never overwrite).
2. Re-upload previous good APK to `apk/dewemoji-latest.apk`.
3. Re-publish `apk/version.json` with matching checksum/version fields.
4. Re-run verify script.
---
## 6) Notes
- Direct APK update is user-confirmed install (Android policy), not silent.
- Never embed R2 credentials in app.
- Keep app update payload over HTTPS only.