Mobile App CI/CD Secrets Setup Guide

Last updated: December 18, 2025

Configure GitHub Actions secrets to enable the DevOpser mobile CI/CD pipeline to build, sign, and optionally upload your Android and iOS apps automatically.

Template Availability: Mobile app CI/CD is currently only available for the Express.js (Bedrock Express) template. Python/Flask templates do not include mobile build capabilities at this time.
Important: Signed builds and marketplace uploads run only on the main and staging branches. Other branches produce debug builds for testing only.
Where to add secrets:
GitHub repo → Settings → Secrets and variables → Actions → New repository secret

Android Secrets

Configure these secrets to enable signed Android builds and optional Google Play uploads.

Required for Signed Builds

ANDROID_PACKAGE_NAME Required

Your Android applicationId / package name used to identify your app.

Example: com.example.app
How to get this value
  1. Open your Android project file:
    • android/app/build.gradle or android/app/build.gradle.kts
  2. Find the applicationId field and copy its value
  3. Add it to GitHub as ANDROID_PACKAGE_NAME

ANDROID_KEYSTORE_BASE64 Required

Your Android upload keystore file encoded as base64.

How to get this value

Step 1: Create an upload keystore (do this once on a secure machine):

keytool -genkeypair -v \
  -storetype PKCS12 \
  -keystore android-upload.keystore \
  -alias yourapp \
  -keyalg RSA \
  -keysize 2048 \
  -validity 10000

Step 2: Convert the keystore to base64 (macOS):

base64 -i android-upload.keystore | pbcopy

Step 3: Paste the copied output into GitHub secret ANDROID_KEYSTORE_BASE64
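
A check worth running before you paste: confirm the base64 value decodes back to the exact keystore file, since a truncated or altered paste only shows up later as a signing failure in CI. This is an added example, not part of the DevOpser pipeline; the function names are illustrative and the sample file is a constructed stand-in, not a real keystore. The same check applies to the .p12, .mobileprovision and .p8 files encoded later in this guide.

```shell
#!/bin/sh
# Added example: verify that a base64 secret value restores to the exact
# file it was made from. Function names are illustrative assumptions.

# Print FILE as single-line base64 (line wrapping removed), so macOS and
# Linux produce the same value.
encode_secret() {
  base64 < "$1" | tr -d '\r\n'
}

# Decode VALUE into a private temp file and compare it byte-for-byte with
# ORIGINAL. Returns 0 on match, 1 on mismatch, 2 if VALUE does not decode.
verify_secret() {
  original=$1
  value=$2
  restored=$(mktemp) || return 2        # mktemp creates the file mode 0600
  if ! printf '%s' "$value" | base64 --decode > "$restored" 2>/dev/null; then
    rm -f "$restored"
    return 2
  fi
  if cmp -s "$original" "$restored"; then status=0; else status=1; fi
  rm -f "$restored"                     # never leave decoded key material behind
  return "$status"
}

# Demo on a constructed stand-in file (not a real keystore).
demo() {
  sample=$(mktemp)
  printf 'constructed keystore stand-in \001\002\003\n' > "$sample"
  encoded=$(encode_secret "$sample")
  verify_secret "$sample" "$encoded" && echo "round trip OK"
  rm -f "$sample"
}
demo
```
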

ANDROID_KEYSTORE_PASSWORD Required

The password you set when creating the keystore.

How to get this value

Use the same password you typed during keystore creation in the previous step.

ANDROID_KEY_ALIAS Required

The alias inside your keystore that identifies the key entry.

Example: yourapp (the -alias value you used)

ANDROID_KEY_PASSWORD Required

The password for the key entry (can be the same as the keystore password).

How to get this value

Use the "key password" you typed during keystore creation. Often this is the same as the keystore password.

Optional (Deep Links & Auto-Upload)

ANDROID_DEBUG_SHA256 Optional

Debug signing certificate SHA-256 fingerprint for deep links / assetlinks.

How to get this value
keytool -list -v -keystore ~/.android/debug.keystore -alias androiddebugkey

Default password is android. Copy the SHA-256 fingerprint from the output.

ANDROID_RELEASE_SHA256 Optional

Release signing certificate SHA-256 fingerprint for deep links / assetlinks.

How to get this value
keytool -list -v -keystore android-upload.keystore -alias yourapp

Copy the SHA-256 fingerprint from the output.

ANDROID_PLAY_SIGNING_SHA256 Optional

Google Play app signing certificate SHA-256 fingerprint.

How to get this value
  1. Open Google Play Console
  2. Select your app → Setup → App integrity
  3. Copy the SHA-256 fingerprint for the App signing key certificate

GOOGLE_PLAY_SERVICE_ACCOUNT_JSON Optional Enables Auto-Upload

A Google Cloud service account JSON key used by CI to upload the AAB to Google Play automatically.

How to get this value

Step 1: Create a service account key (Google Cloud)

  1. Open Service Accounts
  2. Select (or create) a Google Cloud project
  3. Create a service account (example: github-actions-play-upload)
  4. Open it → Keys → Add Key → Create new key → choose JSON
  5. Download the JSON file and store it securely

Step 2: Grant access in Google Play Console

  1. Open Google Play Console
  2. Select your app → Setup → API access
  3. Link your Google Cloud project (if not linked yet)
  4. Grant the service account permissions to upload releases

Step 3: Add the secret to GitHub

  1. Open the downloaded JSON file
  2. Copy the entire JSON contents
  3. Paste into GitHub secret GOOGLE_PLAY_SERVICE_ACCOUNT_JSON

iOS Secrets

Configure these secrets to enable signed iOS builds and optional TestFlight uploads.

Required for Signed Builds

IOS_BUNDLE_ID Required

Your iOS Bundle ID that uniquely identifies your app on the App Store.

Example: com.example.app
How to get this value
  1. Open Apple Developer Identifiers
  2. Find your App ID and copy the Bundle ID
  3. Add it to GitHub secret IOS_BUNDLE_ID
If not set, the workflow will fall back to ANDROID_PACKAGE_NAME or com.example.app

IOS_TEAM_ID Required

Your Apple Developer Team ID (10 characters).

How to get this value
  1. Open Apple Developer Account
  2. Go to Membership and copy your Team ID
  3. Add it to GitHub secret IOS_TEAM_ID

APPLE_TEAM_ID Required

Same Team ID as above. Some workflows use both variables for compatibility.

Value: Use the same value as IOS_TEAM_ID

IOS_CERTIFICATE_BASE64 Required

Your Apple Distribution certificate exported as .p12 and base64-encoded.

How to get this value
  1. Create or confirm an Apple Distribution certificate at Apple Developer Certificates
  2. On a Mac, open Keychain Access and locate your Apple Distribution certificate under "My Certificates"
  3. Right-click → Export → save as ios_distribution.p12 and set a password
  4. Convert to base64:
base64 -i ios_distribution.p12 | pbcopy

Paste into GitHub secret IOS_CERTIFICATE_BASE64

IOS_CERTIFICATE_PASSWORD Required

The password you set when exporting the .p12 certificate.

How to get this value

Use the export password you chose in Keychain Access when exporting the certificate.

IOS_PROVISIONING_PROFILE_BASE64 Required

An App Store provisioning profile (.mobileprovision) encoded as base64.

How to get this value
  1. Open Apple Developer Profiles
  2. Create an App Store provisioning profile for your Bundle ID
  3. Download the .mobileprovision file
  4. Convert to base64:
base64 -i YourProfile.mobileprovision | pbcopy

Paste into GitHub secret IOS_PROVISIONING_PROFILE_BASE64

Optional (TestFlight Upload)

APP_STORE_CONNECT_API_KEY_ID Optional Enables TestFlight

Key ID for an App Store Connect API key.

How to get this value
  1. Open App Store Connect Users and Access
  2. Go to Keys → create a key with role App Manager
  3. Copy the Key ID and save it as APP_STORE_CONNECT_API_KEY_ID

APP_STORE_CONNECT_API_ISSUER_ID Optional Enables TestFlight

Issuer ID shown on the App Store Connect Keys page.

How to get this value
  1. Open App Store Connect Users and Access
  2. Go to Keys and copy the Issuer ID shown at the top of the page
  3. Save it as APP_STORE_CONNECT_API_ISSUER_ID

APP_STORE_CONNECT_API_KEY_BASE64 Optional Enables TestFlight

The downloaded .p8 private key file encoded as base64.

How to get this value
  1. When you create the App Store Connect API key, download the AuthKey_XXXXXXXXXX.p8 file (one-time download)
  2. Convert to base64:
base64 -i AuthKey_XXXXXXXXXX.p8 | pbcopy

Paste into GitHub secret APP_STORE_CONNECT_API_KEY_BASE64

First-time TestFlight uploads require an App Store Connect app record to exist. Create it at App Store Connect (My Apps → + → New App).

Prerequisites & Security

Developer Accounts Required

If you enroll as an organization/business, Apple (and often Google) will require business verification, typically including a D-U-N-S number.

Security Recommendations

  • Use GitHub Environments for staging and production with environment-protected secrets
  • Limit who can run workflows on main and staging branches
  • Never commit keystores, certificates, provisioning profiles, or API keys to your repo
  • Rotate secrets periodically and after team member departures
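
One way to enforce the "never commit" rule locally is a pre-commit hook that rejects the file types this guide has you create. This is an added example, not part of the DevOpser template; the patterns and function names are assumptions, and .jks is included as a common Android keystore extension even though the guide uses .keystore.

```shell
#!/bin/sh
# Added example: pre-commit guard for signing and upload credentials.
# Install as .git/hooks/pre-commit. Patterns are illustrative assumptions.

# Return 0 if the path looks like signing or upload credential material.
is_signing_material() {
  case "$1" in
    *.keystore|*.jks|*.p12|*.mobileprovision|*.p8) return 0 ;;
    *.json)
      # Google service account keys are JSON with "type": "service_account"
      # and an embedded private key. Checks the working-tree copy of the file.
      [ -f "$1" ] \
        && grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1" \
        && grep -q '"private_key"' "$1" && return 0 ;;
  esac
  return 1
}

# Read newline-separated paths on stdin and print the ones that must not be
# committed. Returns 1 if any were found, 0 otherwise.
scan_paths() {
  found=0
  while IFS= read -r path; do
    if is_signing_material "$path"; then
      printf 'blocked: %s\n' "$path"
      found=1
    fi
  done
  return "$found"
}

# Scan staged files only when this script is installed as the hook itself.
if [ "${0##*/}" = "pre-commit" ]; then
  git diff --cached --name-only --diff-filter=ACMR | scan_paths || {
    echo "Unstage these files and store them as GitHub secrets instead." >&2
    exit 1
  }
fi
```
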
