Build Open Source Android Apps with Travis CI while Keeping Your Secrets Secret

If you are new to CI/CD (Continuous Integration/Continuous Delivery), here is the gist: by setting up an automated pipeline, you can integrate code changes, then test and deploy those changes more quickly, even multiple times in a single day – very useful stuff indeed.

Travis CI is a popular build automation tool you can use with repositories hosted on GitHub. Even better, if your repository is public, you can use Travis CI for free. Travis CI supports over 30 languages and platforms, including Android projects, so you can use it to automatically build and sign Android APKs or app bundles, or to perform whatever other action you want.

However, to take full advantage of these tools on Android, you have to spend a few minutes considering your build automation strategy, especially when working with an open source code base:

Make sure you keep your keystore secure. Never check it into your git repository.

Here is the tricky part: Travis CI needs the keystore and its credentials to build and sign the APKs, but you cannot include them in the repo. How can we handle this scenario?

A Working Strategy

The general approach to solving this problem is the following:

  1. Identify the secret files that you will not commit to your repository but that are needed by your build agent
    • these include the keystore file, key name, password, any API keys, etc.
  2. Create a single .zip file containing all secret information
    • with an Android project you can include the following:
      • keystore file
      • .properties file of key-value pairs containing API keys, secrets, etc.
  3. Install the Travis CI command line client
    • you will use this tool to create an encrypted version of your secret .zip file
  4. Follow these steps to encrypt the secret information
    • as you complete this step, Travis CI will add the information necessary to decrypt your file during the build to your project settings
  5. Commit only the encrypted file
    • make sure all secret information is ignored in your public repository.
  6. Write your .travis.yml configuration file
    • This file specifies the steps you want Travis CI to perform whenever a commit is pushed to the repository
    • Travis CI will be able to recover all secrets by decrypting the secret file during the build
    • There are many options for configuring Travis CI builds for Android, so follow these docs.
  7. Commit and push your .travis.yml
    • This will trigger a build automatically
    • Make sure everything is working correctly
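Rehearsing the encrypt/decrypt round-trip locally, as an added example that is not from the article: it reproduces what `travis encrypt-file` does (AES-256-CBC through openssl with a random key and IV, which the CLI stores as `encrypted_<id>_key` / `encrypted_<id>_iv` settings on Travis CI rather than in the repo) and the decrypt line the build agent runs from `before_install` in .travis.yml. It assumes openssl and tar are installed, uses a tar archive where the article uses .zip, and the keystore and .properties contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the article's own code. Assumes openssl and tar.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: constructed sample secrets that must never be committed.
mkdir -p "$WORK/secrets"
printf 'placeholder keystore bytes\n' > "$WORK/secrets/release.keystore"
cat > "$WORK/secrets/keystore.properties" <<'EOF'
storeFile=release.keystore
keyAlias=release
storePassword=example-store-password
keyPassword=example-key-password
EOF

# Step 2: one archive holding every secret (tar here; the article uses .zip).
tar -C "$WORK" -cf "$WORK/secrets.tar" secrets

# Step 4: encrypt. The Travis CLI generates the same kind of random key/IV
# pair and keeps it as encrypted_<id>_key / encrypted_<id>_iv settings on
# Travis CI, never in the repository. Here they are plain shell variables.
encrypt_secrets() {
  SECRETS_KEY=$(openssl rand -hex 32)
  SECRETS_IV=$(openssl rand -hex 16)
  openssl aes-256-cbc -K "$SECRETS_KEY" -iv "$SECRETS_IV" \
    -in "$WORK/secrets.tar" -out "$WORK/secrets.tar.enc"
}

# Step 6: what before_install does on the build agent, with the key and IV
# injected as environment variables; restores into a fresh directory.
decrypt_secrets() {
  mkdir -p "$WORK/restored"
  openssl aes-256-cbc -d -K "$SECRETS_KEY" -iv "$SECRETS_IV" \
    -in "$WORK/secrets.tar.enc" -out "$WORK/restored/secrets.tar"
  tar -C "$WORK/restored" -xf "$WORK/restored/secrets.tar"
}

# Check before committing: the encrypted artifact (step 5, the only file
# that goes into the public repo) must not expose the plaintext password.
ciphertext_leaks_plaintext() {
  grep -q 'example-store-password' "$WORK/secrets.tar.enc"
}

encrypt_secrets
```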

Based on experience, Android builds can be quite tricky to set up compared to, for example, web projects. Some of the hurdles include getting the automated build agent to accept the installation terms of the different Android SDK packages. However, with practice and sufficient repetition, you can get it right.

Given that the requirements for Android builds vary greatly between projects, we have intentionally omitted configuration examples from this article, as they would likely not work for many projects, and have focused on describing the overall strategy instead.

You will need to configure your build agent to work for your particular project and all its dependencies.

If you are, however, interested in a working example, you may review this Travis CI configuration file for inspiration, as it demonstrates the same strategy described here.


Happy Coding!

If you enjoyed this article, please share it with your friends!