
Alter publish script to use new Github Immutable Releases feature

Open · mikehardy opened this issue 1 month ago · 1 comment

Checked for duplicates?

  • [x] This issue is not a duplicate

Does it also happen in the desktop version?

  • [ ] This bug does not occur in the latest version of Anki Desktop

What are the steps to reproduce this bug?

Publish a release and note that supply-chain attacks are possible if the repository is compromised: the release artifacts and/or tag and/or associated commit could be moved later to include some arbitrary code that was not the originally published code.

Expected behaviour

A security attestation and verifiable signature that certifies the released artifacts, associated tag and associated commit are all one and the same as originally published and cannot be changed without signature validation failure

Debug info

See information here on process to implement:

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases#best-practices-for-publishing-immutable-releases

Basically

- make sure the script creates the release as a "draft" originally on github
- then add all of the artifacts as they are generated
- as a new final step, alter the release from draft to release

That should do it.

(Optional) Anything else you want to share?

No response

Research

  • [x] I have checked the manual and the FAQ and could not find a solution to my issue
  • [ ] (Optional) I have confirmed the issue is not resolved in the latest alpha release (instructions)

mikehardy, Nov 28 '25 15:11
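The draft-then-publish sequence from the three steps above, written out with the GitHub CLI as an added example; this is not AnkiDroid's tools/release.sh nor the code from the PR. It assumes `gh` is installed and authenticated for the repository, and `GH_BIN` is a hypothetical hook so the command can be swapped for a stub when exercising the ordering logic.

```shell
# Added example (not AnkiDroid's release script): create the GitHub release as a
# draft, attach every artifact, and only then flip it to published so the
# immutable-release protection covers the final set of assets, tag and commit.
# GH_BIN is an assumed hook; it defaults to the real GitHub CLI.
GH_BIN="${GH_BIN:-gh}"

# publish_immutable_release TAG ASSET...
publish_immutable_release() {
  tag="$1"; shift
  [ -n "$tag" ] || { echo "tag required" >&2; return 2; }
  [ "$#" -gt 0 ] || { echo "at least one asset required" >&2; return 2; }

  # Step 1: draft release. --verify-tag aborts if the tag is not already on the
  # remote, so the release can only point at a commit that was pushed beforehand.
  "$GH_BIN" release create "$tag" --draft --verify-tag --title "$tag" --notes "Release $tag" || return 1

  # Step 2: upload assets while the release is still a draft; check each file
  # exists first so a missing artifact stops the run before anything is attached.
  for asset in "$@"; do
    [ -f "$asset" ] || { echo "missing asset: $asset" >&2; return 1; }
    "$GH_BIN" release upload "$tag" "$asset" || return 1
  done

  # Step 3: final step only. Refuse to proceed if something already published the
  # release, because the asset set would then be frozen without our last uploads.
  is_draft=$("$GH_BIN" release view "$tag" --json isDraft -q .isDraft) || return 1
  [ "$is_draft" = "true" ] || { echo "$tag is no longer a draft; refusing to publish" >&2; return 1; }
  "$GH_BIN" release edit "$tag" --draft=false || return 1
}
```

Usage in a release script would be `publish_immutable_release "v2.21.0" build/*.apk`, after the tag has been pushed.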

I will do this eventually if no one beats me to it. It should be an easy change but is related to technologies that are not the core technologies of the repository - that is, it is shell scripting in our release script, not Kotlin programming for the app. So it likely has little appeal as a task for any typical AnkiDroid developers.

mikehardy, Nov 28 '25 15:11

Hi @mikehardy, I've submitted PR #19804 for the immutable releases workflow.

Changes: Modified tools/release.sh to create drafts first, upload assets, then publish. Testing: Validated syntax with shellcheck; can't test actual releases without maintainer permissions. Ready for review during the next release cycle. Thanks!

yuvc21, Dec 14 '25 15:12