ci: add release workflows

[ovitrif]

Related: #953
Supersedes: #867 (closed as outdated in favor of #953)

This PR:

1. Adds protected manual release workflows for signed mainnet store and internal artifacts.
2. Adds debug-only Firebase placeholders so fresh clones can build dev and testnet debug variants without private Firebase files.
3. Adds a WalletScrutiny-oriented manual reproducible release workflow, local reproduction script, and documentation.

Caution

If you already have a private debug Firebase config at app/google-services.json, move it before checking out this PR or pulling master after this PR merges:

mkdir -p app/src/debug
mv app/google-services.json app/src/debug/google-services.json

app/google-services.json is now the tracked placeholder for fresh clones. Keep app/src/mainnetRelease/google-services.json unchanged for release builds.

Description

The core change is adding protected manual release and release-internal GitHub Actions workflows. Both workflows build signed mainnet release artifacts from protected environment secrets. release keeps both APK and AAB outputs for Play/GitHub release handling, while release-internal produces the mainnet APK signed with the internal keystore. These workflows do not run automatically on pushed tags; /release remains the release-process orchestrator until it is deliberately updated to consume workflow-produced artifacts.

The reproducibility support adds a manual Reproducible Release workflow and scripts/reproduce-release.sh to build bundleMainnetRelease, recreate APK splits with bundletool, extract arm64-v8a native libraries, and upload checksum evidence. When a comparison artifact is provided, diffoscope differences now fail the workflow while still uploading the generated report.

GitHub Actions setup:

• Created the release and release-internal GitHub environments for the protected release workflows.
• Configured the required release environment secrets:
  • MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64,
  • BITKIT_KEYSTORE_BASE64,
  • BITKIT_KEYSTORE_PASSWORD,
  • BITKIT_KEY_ALIAS, and
  • BITKIT_KEY_PASSWORD.
• Configured the required release-internal environment secrets:
  • MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64,
  • INTERNAL_KEYSTORE_BASE64,
  • INTERNAL_KEYSTORE_PASSWORD,
  • INTERNAL_KEY_ALIAS, and
  • INTERNAL_KEY_PASSWORD.
• GPR_USER and GPR_TOKEN remain optional fallback secrets; the workflows prefer the built-in GitHub Actions token with packages: read.

Remaining upstream work for #953:

• Update /release so it can trigger/download the release workflow artifacts instead of relying on local APK creation.
• Make bitkit-core-android / Rust-native AAR builds reproducible upstream.
• Pin Rust toolchain, Android NDK, Cargo.lock, build paths, SOURCE_DATE_EPOCH, path remapping, stripping, and published native .so checksums.
• Continue investigating third-party native outputs from androidx.datastore:datastore-core and net.java.dev.jna:jna with diffoscope evidence.

Preview

N/A

QA Notes

Manual Tests

• 1. 2026-05-25 → Firebase config setup: confirmed real debug Firebase config belongs in the ignored shared debug path (app/src/debug/google-services.json) so one file can override the checked-in app/google-services.json placeholder without dirtying Git; app/src/mainnetRelease/google-services.json remains the release-only path.
• 2. 2026-05-25 → Release workflow review: confirmed store release keeps APK + AAB outputs, internal release keeps APK output, and both run post-build signature verification before artifact upload.

Automated Checks

• bash -n scripts/reproduce-release.sh
• YAML parse for .github/workflows/release.yml, .github/workflows/release-internal.yml, and .github/workflows/reproducible-release.yml
• YAML parse for all workflows after moving debug Firebase secrets to the shared app/src/debug/google-services.json path while keeping release secrets at app/src/mainnetRelease/google-services.json
• bash -n for the release signature verification shell blocks
• git diff --check
• git check-ignore -v app/src/debug/google-services.json app/src/mainnetRelease/google-services.json
• Google Services plugin lookup order inspected from local 4.4.4 sources: src/debug/google-services.json resolves before the checked-in root app/google-services.json placeholder, while src/mainnetRelease/google-services.json remains the release override. The root placeholder intentionally omits the production to.bitkit client.
• go run github.com/rhysd/actionlint/cmd/actionlint@latest .github/workflows/reproducible-release.yml .github/workflows/release.yml .github/workflows/release-internal.yml
• GitHub checks on 4aa52470d: lint and detekt passed; build/E2E jobs were skipped while the PR was draft.
• Workflow behavior must be verified in GitHub Actions (after merge).

[ovitrif]

The debug files above are tracked placeholders. Before replacing a debug placeholder with a real Firebase config, hide that local-only change from Git:

git update-index --skip-worktree app/src/devDebug/google-services.json
cp /secure/path/google-services.json app/src/devDebug/google-services.json

Reworking this from above, I don't really like this approach.

---

EDIT: done and force-pushed squashed work in 1 commit.

PR description updated to inform about the "migration" requirement to the new setup which ignores all but placeholder, and requires local clones to move current app/google-services.json to the git-ignored app/debug/google-services.json.

[ovitrif]

• Created the release and release-internal GitHub environments for the protected release workflows.
• Required release environment secrets:
  - MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64,
  - BITKIT_KEYSTORE_BASE64,
  - BITKIT_KEYSTORE_PASSWORD,
  - BITKIT_KEY_ALIAS, and
  - BITKIT_KEY_PASSWORD.
• Required release-internal environment secrets:
  - MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64,
  - INTERNAL_KEYSTORE_BASE64,
  - INTERNAL_KEYSTORE_PASSWORD,
  - INTERNAL_KEY_ALIAS, and
  - INTERNAL_KEY_PASSWORD.

These will be added AFTER the PR is approved.

Environments are now configured with the secrets enumerated above (excerpt from PR description)

Sample view of release repo environment:

We don't need GPR_USER and GPR_TOKEN, verified locally with:

GPR_USER='ovitrif' \
GPR_TOKEN='***' \
./gradlew compileDevDebugKotlin --refresh-dependencies --no-daemon

To honour the JVM settings for this build a single-use Daemon process will be forked. For more on this, please refer to https://docs.gradle.org/8.13/userguide/gradle_daemon.html#sec:disabling_the_daemon in the Gradle documentation.
Daemon JVM discovery is an incubating feature.
Daemon will be stopped at the end of the build 

> Task :app:compileDevDebugKotlin
w: ATTENTION!
This build uses unsafe internal compiler arguments:

-XXLanguage:+PropertyParamAnnotationDefaultTargetMode

This mode is not recommended for production use,
as no stability/compatibility guarantees are given on
compiler or generated code. Use it at your own risk!

w: file:///Volumes/ssd/r/synonym/bitkit-android-3/app/src/main/java/to/bitkit/models/PubkyProfile.kt:88:13 Redundant creation of Json format. Creating instances for each usage can be slow.
w: file:///Volumes/ssd/r/synonym/bitkit-android-3/app/src/main/java/to/bitkit/ui/screens/trezor/TrezorScreen.kt:93:34 'fun <reified VM : ViewModel> hiltViewModel(viewModelStoreOwner: ViewModelStoreOwner = ..., key: String? = ...): VM' is deprecated. Moved to package: androidx.hilt.lifecycle.viewmodel.compose.

BUILD SUCCESSFUL in 3m 34s
21 actionable tasks: 13 executed, 8 from cache

[piotr-iohk]

Not clear about the reproducible-release.yml. Also I think that /release command and process should be adjusted such that it takes into account release.yml producing release artifacts. Please see individual comments.

can't signal it was addressed by re-requesting review on the "changes requested" alert.