Add mobile APK signing, build and release scripts

Add four new helper scripts for mobile APK workflows: setup-apk-signing.sh (decode keystores and export signing env vars), verify-apk-signature.sh (check and display APK certificate info), attach-apk-to-release.sh (rename and upload APK to a GitHub Release), and setup-mobile-github-secrets.sh (helper to generate/show required GitHub Secrets). Update product-release.yml to expose version/tag outputs and add a build-mobile-artifacts job that sets up Java/Flutter, installs deps, configures signing from repository secrets, builds APKs for worker/client apps, verifies signatures, uploads artifacts, and optionally attaches the APK to the GitHub Release. Secrets and envvar naming conventions are handled to support dev/staging/prod keystores; documentation references (docs/RELEASE/APK_SIGNING_SETUP.md) are noted in scripts.

.github/workflows/product-release.yml

@@ -35,6 +35,9 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+      tag_name: ${{ steps.tag.outputs.tag_name }}
       
     steps:
       - name: 📥 Checkout repository
@@ -143,3 +146,146 @@ jobs:
             "${{ github.event.inputs.environment }}" \
             "${{ steps.version.outputs.version }}" \
             "${{ steps.tag.outputs.tag_name }}"
+  
+  build-mobile-artifacts:
+    name: 📱 Build Mobile APK
+    runs-on: ubuntu-latest
+    needs: validate-and-create-release
+    if: ${{ github.event.inputs.app == 'worker-mobile-app' || github.event.inputs.app == 'client-mobile-app' }}
+    permissions:
+      contents: write
+    
+    steps:
+      - name: 📥 Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          
+      - name: 🟢 Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: 'backend/*/package-lock.json'
+          
+      - name: 🔥 Install Firebase CLI
+        run: |
+          npm install -g firebase-tools
+          firebase --version
+          echo "ℹ️ Note: Firebase CLI installed for Data Connect SDK generation"
+          echo "ℹ️ If SDK generation fails, ensure Data Connect SDK files are committed to repo"
+          
+      - name: ☕ Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'zulu'
+          java-version: '17'
+          
+      - name: 🐦 Setup Flutter
+        uses: subosito/flutter-action@v2
+        with:
+          flutter-version: '3.24.5'
+          channel: 'stable'
+          cache: true
+          
+      - name: 🔧 Install Melos
+        run: |
+          dart pub global activate melos
+          echo "$HOME/.pub-cache/bin" >> $GITHUB_PATH
+          
+      - name: 📦 Install Dependencies
+        run: |
+          make mobile-install
+          
+      - name: 🔐 Setup APK Signing
+        env:
+          # Worker Mobile (Staff App) Secrets
+          WORKER_KEYSTORE_DEV_BASE64: ${{ secrets.WORKER_KEYSTORE_DEV_BASE64 }}
+          WORKER_KEYSTORE_STAGING_BASE64: ${{ secrets.WORKER_KEYSTORE_STAGING_BASE64 }}
+          WORKER_KEYSTORE_PROD_BASE64: ${{ secrets.WORKER_KEYSTORE_PROD_BASE64 }}
+          WORKER_KEYSTORE_PASSWORD_DEV: ${{ secrets.WORKER_KEYSTORE_PASSWORD_DEV }}
+          WORKER_KEYSTORE_PASSWORD_STAGING: ${{ secrets.WORKER_KEYSTORE_PASSWORD_STAGING }}
+          WORKER_KEYSTORE_PASSWORD_PROD: ${{ secrets.WORKER_KEYSTORE_PASSWORD_PROD }}
+          WORKER_KEY_ALIAS_DEV: ${{ secrets.WORKER_KEY_ALIAS_DEV }}
+          WORKER_KEY_ALIAS_STAGING: ${{ secrets.WORKER_KEY_ALIAS_STAGING }}
+          WORKER_KEY_ALIAS_PROD: ${{ secrets.WORKER_KEY_ALIAS_PROD }}
+          WORKER_KEY_PASSWORD_DEV: ${{ secrets.WORKER_KEY_PASSWORD_DEV }}
+          WORKER_KEY_PASSWORD_STAGING: ${{ secrets.WORKER_KEY_PASSWORD_STAGING }}
+          WORKER_KEY_PASSWORD_PROD: ${{ secrets.WORKER_KEY_PASSWORD_PROD }}
+          
+          # Client Mobile Secrets
+          CLIENT_KEYSTORE_DEV_BASE64: ${{ secrets.CLIENT_KEYSTORE_DEV_BASE64 }}
+          CLIENT_KEYSTORE_STAGING_BASE64: ${{ secrets.CLIENT_KEYSTORE_STAGING_BASE64 }}
+          CLIENT_KEYSTORE_PROD_BASE64: ${{ secrets.CLIENT_KEYSTORE_PROD_BASE64 }}
+          CLIENT_KEYSTORE_PASSWORD_DEV: ${{ secrets.CLIENT_KEYSTORE_PASSWORD_DEV }}
+          CLIENT_KEYSTORE_PASSWORD_STAGING: ${{ secrets.CLIENT_KEYSTORE_PASSWORD_STAGING }}
+          CLIENT_KEYSTORE_PASSWORD_PROD: ${{ secrets.CLIENT_KEYSTORE_PASSWORD_PROD }}
+          CLIENT_KEY_ALIAS_DEV: ${{ secrets.CLIENT_KEY_ALIAS_DEV }}
+          CLIENT_KEY_ALIAS_STAGING: ${{ secrets.CLIENT_KEY_ALIAS_STAGING }}
+          CLIENT_KEY_ALIAS_PROD: ${{ secrets.CLIENT_KEY_ALIAS_PROD }}
+          CLIENT_KEY_PASSWORD_DEV: ${{ secrets.CLIENT_KEY_PASSWORD_DEV }}
+          CLIENT_KEY_PASSWORD_STAGING: ${{ secrets.CLIENT_KEY_PASSWORD_STAGING }}
+          CLIENT_KEY_PASSWORD_PROD: ${{ secrets.CLIENT_KEY_PASSWORD_PROD }}
+        run: |
+          .github/scripts/setup-apk-signing.sh \
+            "${{ github.event.inputs.app }}" \
+            "${{ github.event.inputs.environment }}" \
+            "${{ runner.temp }}"
+          
+      - name: 🏗️ Build APK
+        id: build_apk
+        run: |
+          APP="${{ github.event.inputs.app }}"
+          
+          if [ "$APP" = "worker-mobile-app" ]; then
+            echo "📱 Building Staff (Worker) APK..."
+            make mobile-staff-build PLATFORM=apk MODE=release
+            APP_NAME="staff"
+          else
+            echo "📱 Building Client APK..."
+            make mobile-client-build PLATFORM=apk MODE=release
+            APP_NAME="client"
+          fi
+          
+          # Find the generated APK (Flutter places it in build/app/outputs/flutter-apk/)
+          APK_PATH=$(find apps/mobile/apps/${APP_NAME}/build/app/outputs/flutter-apk -name "app-release.apk" 2>/dev/null | head -n 1)
+          
+          # Fallback to searching entire apps directory if not found
+          if [ -z "$APK_PATH" ]; then
+            APK_PATH=$(find apps/mobile/apps/${APP_NAME} -name "app-release.apk" | head -n 1)
+          fi
+          
+          if [ -z "$APK_PATH" ]; then
+            echo "❌ Error: APK not found!"
+            echo "Searched in apps/mobile/apps/${APP_NAME}/"
+            find apps/mobile/apps/${APP_NAME} -name "*.apk" || echo "No APK files found"
+            exit 1
+          fi
+          
+          echo "✅ APK built successfully: $APK_PATH"
+          echo "app_name=${APP_NAME}" >> $GITHUB_OUTPUT
+          echo "apk_path=${APK_PATH}" >> $GITHUB_OUTPUT
+          
+      - name: ✅ Verify APK Signature
+        run: |
+          .github/scripts/verify-apk-signature.sh "${{ steps.build_apk.outputs.apk_path }}"
+          
+      - name: 📤 Upload APK as Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ github.event.inputs.app }}-${{ needs.validate-and-create-release.outputs.version }}-${{ github.event.inputs.environment }}
+          path: apps/mobile/apps/${{ steps.build_apk.outputs.app_name }}/build/app/outputs/flutter-apk/app-release.apk
+          if-no-files-found: error
+          retention-days: 30
+          
+      - name: 📦 Attach APK to GitHub Release
+        if: ${{ github.event.inputs.create_github_release == 'true' }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          .github/scripts/attach-apk-to-release.sh \
+            "${{ needs.validate-and-create-release.outputs.tag_name }}" \
+            "${{ github.event.inputs.app }}" \
+            "${{ steps.build_apk.outputs.app_name }}" \
+            "${{ needs.validate-and-create-release.outputs.version }}" \
+            "${{ github.event.inputs.environment }}"