Both BuildAndroidApk and BuildAndroidRelease were using the debug
signing config because the keystore and password were never forwarded
into the Dagger container. Add setupKeystore() helper that decodes
ANDROID_KEYSTORE_BASE64 into android/app/upload-keystore.jks and
sets ANDROID_KEYSTORE_PASSWORD, then wire both secrets through
DeployApk, PublishAndroid, and the Taskfile/CI env blocks.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Decodes ANDROID_KEYSTORE_BASE64 and prints the SHA1 fingerprint via
keytool before invoking the Dagger build, to confirm which key is in
the secret vs. what the build actually uses.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Without the response body we can't tell why Google Play rejects the
upload. Logs the status code and first 500 bytes of the response for
both the init POST and the upload PUT on each failed attempt. Also
moves the init call inside the try/except so init failures are retried.
The resumable upload URL returned by Google Play is session-specific and
expires after a failed attempt. Retrying with the same URL always fails.
Also broadens the caught exception from HTTPError to RequestException so
timeouts and connection errors are retried too.
The ubuntu-latest pool now includes nodes that run Docker containers with
user namespace isolation, causing chown of the workspace to fail before
checkout can run. The codeberg-small label routes consistently to the
actions-tiny nodes (act-latest image, no user namespace restriction) where
Dagger CI succeeded previously.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The ubuntu-latest runner uses Docker containers (ghcr.io/catthehacker/ubuntu:act-22.04)
which don't have task or dagger pre-installed. These steps were mistakenly removed when
switching from the dagger-dagger host runner back to ubuntu-latest.
Also adds DAGGER_NO_NAG=1 to all dagger-invoking steps.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add -q (quiet) flag to all dagger call invocations to suppress INFO-level
engine messages while keeping warnings and errors visible. Set DAGGER_NO_NAG=1
globally to suppress the Dagger Cloud tracing nag line. --progress=plain
is retained on all calls as required.
Refactor the CI pipeline to use WithServiceBinding for the Stalwart mail
server, replacing legacy shell scripts and manual port management.
Introduces pre-seeded data for the Stalwart service to avoid network
hits and improves headless UI testing with Xvfb.
- Add LocalSieveApplied table (schema v32) keyed by (accountId, messageId)
so each email is processed by Sieve at most once, even across restarts.
- Implement EmailRepository.applySieveRules(): loads the active local Sieve
script, runs the interpreter against new INBOX emails, and queues pending
move/delete/flag_seen changes for any matched rules.
- Wire applySieveRules() into both _AccountSync._sync() and
_JmapAccountSync._sync() after the per-mailbox email sync loop.
- Make _flushPendingChangesImap() treat NONEXISTENT / not-found errors as
silent no-ops (counts as flushed) so a second device racing on the same
email does not accumulate retries.
- Add migration test assertions and a dedicated unit test suite covering
rule matching, deduplication, discard, and multi-email processing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Without flutter pub get, .dart_tool/package_config.json does not exist
in the Dagger container. dart format then defaults to the current SDK
version (3.11+) rather than the package's declared language version
(3.3), applying tall-style formatting and failing on 90 files.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Without pubspec.lock, flutter pub get in the Dagger container resolves
package versions independently of the local lockfile. This caused
flutter_lints to be unresolvable in the container, making dart format
fall back to a different formatter style and flag 90 files as changed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
