ci: polish release workflows #1018

Merged: ovitrif merged 11 commits into master from fix/release-workflows on Jun 17, 2026
ovitrif commented Jun 16, 2026 (Collaborator)

Closes #1006

This PR:

  1. Hooks the /release command into the GitHub-hosted store release workflow.
  2. Names release and internal release artifacts with the app name, release name, build number, and workflow run counter.
  3. Installs the Android NDK in release workflows and verifies packaged native libraries are stripped before artifacts are uploaded.
  4. Aligns local just release with the same NDK version used by the workflows.
  5. Makes just run launch detached by default, with just run logs available when logcat should stay attached.
  6. Keeps the production release workflow tag-only while allowing internal release QA builds from any branch behind the release-internal environment approval gate.
  7. Declares release native symbol-table metadata explicitly so local and GitHub AAB sizes match.

Description

This PR finishes the release workflow follow-up from #1011. The release command now dispatches release.yml, waits for the run, downloads the expected artifact, verifies checksums, and uploads the workflow-built APK to the draft GitHub release.

The workflow artifacts now use traceable names like bitkit-release-185-1 and bitkit-release-internal-185-1. The release jobs also install NDK 28.1.13356709, pass it into Gradle, and fail if any APK/AAB native library still contains debug sections. This keeps oversized unstripped Rust binaries out of final release artifacts while preserving the workflow as the authoritative build path.

Release builds now explicitly set native SYMBOL_TABLE metadata for AABs. That makes the BUNDLE-METADATA/com.android.tools.build.debugsymbols/*.sym entries intentional and reproducible between local just release builds and GitHub release workflow builds. This is separate from the fuller native debug symbol archive work in #988, which is waiting on Rust package releases.

The production release workflow now only proceeds on v* tags. The internal workflow intentionally accepts arbitrary branches so QA can create signed-mainnet internal builds from WIP branches, with access to signing material controlled by the release-internal environment reviewers.

For local development, just run now builds, installs, launches, and returns without streaming device logs. Use just run logs to attach logcat, or just run docker logs when running with the docker port reverses and attached logs.

Preview

N/A

QA Notes

Manual Tests

  1. GitHub Actions → Release workflow after this PR is merged → run a store release from a release tag: workflow succeeds and uploads bitkit-release-{buildNumber}-{runNumber}.
  2. GitHub Actions → Internal Release workflow after this PR is merged → run the internal release workflow from a QA branch: workflow waits for the release-internal environment reviewer approval, then succeeds and uploads bitkit-release-internal-{buildNumber}-{runNumber}.
  3. Repository settings → Environments → release: required reviewers are configured and deployment refs are restricted to v* tags.
  4. Repository settings → Environments → release-internal: required reviewers are configured and deployment refs are intentionally unrestricted for WIP branch QA builds.
  5. Download workflow artifacts after merge → verify checksum file, APK/AAB names, signatures, and artifact sizes are suitable for QA / Play Store handoff.

Automated Checks

  • Local: actionlint .github/workflows/release.yml .github/workflows/release-internal.yml
  • Local: git diff --check
  • Local: just release
  • Local: NDK_VERSION=28.1.13356709 ./gradlew :app:tasks --no-daemon
  • Local: NDK_VERSION=28.1.13356709 ./gradlew bundleMainnetRelease --no-daemon
  • Local: just --dry-run run
  • Local: just --dry-run run logs
  • Local: just --dry-run run docker logs
  • Local native artifact check: verified packaged APK/AAB .so entries have no .debug_* sections.
  • Local AAB metadata check: verified app/build/outputs/bundle/mainnetRelease/bitkit-mainnet-release-182.aab contains BUNDLE-METADATA/com.android.tools.build.debugsymbols/*.sym entries.

@ovitrif ovitrif requested a review from piotr-iohk June 16, 2026 14:55
@ovitrif ovitrif changed the title ci: finalize release workflows ci: polish release workflows Jun 16, 2026
@ovitrif ovitrif self-assigned this Jun 16, 2026
@ovitrif ovitrif added this to the 2.4.0 milestone Jun 16, 2026
@ovitrif ovitrif marked this pull request as draft June 16, 2026 15:07
@ovitrif ovitrif marked this pull request as ready for review June 16, 2026 15:44
@piotr-iohk (Collaborator)

Probably makes sense to close for now :(

@ovitrif ovitrif marked this pull request as draft June 17, 2026 08:42
ovitrif commented Jun 17, 2026 (Collaborator Author)

Drafted to see how far it can "help" for mitigating security risks, or if, indeed, it should be closed and replaced by a different changeset.

@ovitrif ovitrif marked this pull request as ready for review June 17, 2026 10:31
ovitrif commented Jun 17, 2026 (Collaborator Author)

> Probably makes sense to close for now :(

I reworked the workflow gates instead of closing this PR. The production release workflow now only proceeds on v* tags, while release-internal intentionally allows arbitrary branches for signed-mainnet QA builds behind the release-internal environment reviewer gate.

A malicious workflow can still be started from a branch, but it cannot access the release environment secrets unless GitHub allows that job to deploy to the release environment. With v* restricted at the environment level, arbitrary branches should be blocked before secrets are released.

Resolved in 2c2b2d4

@piotr-iohk piotr-iohk deployed to release-internal June 17, 2026 11:16 — with GitHub Actions Active
piotr-iohk previously approved these changes Jun 17, 2026

piotr-iohk left a comment (Collaborator)

Tested the updated flows... release and release-internal - looking good.

One slight concern is that produced aab is slightly bigger than usual... apparently the reason is:

> Found the smoking gun: the GitHub AAB has about 33.4 MB of BUNDLE-METADATA/com.android.tools.build.debugsymbols/*.sym entries, and the terminal AAB doesn’t.

We need to verify if this is fine, but this can be done in the scope of: #988

Comment thread .github/workflows/release-internal.yml
ovitrif commented Jun 17, 2026 (Collaborator Author)

> One slight concern is that produced aab is slightly bigger than usual... apparently the reason is:
> > Found the smoking gun: the GitHub AAB has about 33.4 MB of BUNDLE-METADATA/com.android.tools.build.debugsymbols/*.sym entries, and the terminal AAB doesn’t.

Verified this and made it explicit in Gradle. The AAB delta is AGP BUNDLE-METADATA/com.android.tools.build.debugsymbols/*.sym symbol-table metadata, not installed app payload. Local and GitHub release AABs now intentionally match by setting release debugSymbolLevel to SYMBOL_TABLE.

This does not replace the fuller external native-debug-symbols-*.zip path in #988.

Recap:

  • the BUNDLE-METADATA/com.android.tools.build.debugsymbols/*.sym files inside the AAB are AGP’s symbol-table metadata. That is what made this AAB bigger, and it is not installed into the generated APKs.
  • the external native-debug-symbols-*.zip is still the fuller path we want via fix: retain native debug symbols #988, once the Rust package PRs/releases are ready.

Resolved in 0699101

@ovitrif ovitrif enabled auto-merge June 17, 2026 13:07
@ovitrif ovitrif merged commit 335038c into master Jun 17, 2026
43 of 52 checks passed
@ovitrif ovitrif deleted the fix/release-workflows branch June 17, 2026 16:25

Development

Successfully merging this pull request may close these issues.

Add Release Workflows
