From a8331e95163bc1c0d7ea862e072212bdbcad8259 Mon Sep 17 00:00:00 2001 From: Mathias Beaulieu-Duncan Date: Tue, 3 Feb 2026 00:47:15 -0500 Subject: [PATCH] Update Android SDK to latest versions and add version check workflow - Update cmdline-tools from 11076708 to 14742923 (v20.0) - Update build-tools from 36.0.0 to 36.1.0 - Add Android SDK version checking to update-check workflow - Creates issues when Android SDK updates are available This reduces CVEs from 26 to 4 (all from protobuf-java 2.6.1 bundled by Google). Co-Authored-By: Claude Opus 4.5 --- .gitea/workflows/update-check.yaml | 101 ++++++++++++++++++++++++++++- Dockerfile.android | 4 +- 2 files changed, 100 insertions(+), 5 deletions(-) diff --git a/.gitea/workflows/update-check.yaml b/.gitea/workflows/update-check.yaml index f2b643b..6993690 100644 --- a/.gitea/workflows/update-check.yaml +++ b/.gitea/workflows/update-check.yaml @@ -1,4 +1,4 @@ -name: Check for Flutter SDK Updates +name: Check for Flutter SDK and Android SDK Updates on: schedule: @@ -9,6 +9,9 @@ jobs: check-update: runs-on: ubuntu-latest steps: + - name: Checkout code + uses: actions/checkout@v3 + - name: Get latest Flutter stable version id: flutter run: | 
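Review bot: `uses: actions/checkout@v3` in the added Checkout step references a mutable tag, and the same job later handles `secrets.GITEA_TOKEN`. A tag can be repointed to different code, so pinning to a full commit SHA keeps the step reproducible and auditable: `uses: actions/checkout@<full-commit-sha>  # v3` (placeholder; take the SHA from the action's repository). The job only reads `Dockerfile.android` from the working tree, so adding `with:` / `persist-credentials: false` would also keep the checkout credential out of the workspace git config for the later steps.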
@@ -17,7 +20,47 @@ jobs: echo "version=${LATEST}" >> $GITHUB_OUTPUT echo "Latest Flutter stable: ${LATEST}" - - name: Check if release already exists + - name: Get latest Android SDK versions + id: android + run: | + REPO_XML=$(curl -fsSL "https://dl.google.com/android/repository/repository2-1.xml") + + # Latest stable build-tools (exclude rc/alpha/beta) + BUILD_TOOLS=$(echo "$REPO_XML" | grep -o 'path="build-tools;[0-9]*\.[0-9]*\.[0-9]*"' | \ + sed 's/path="build-tools;//;s/"//' | sort -V | tail -1) + + # Latest stable platform + PLATFORM=$(echo "$REPO_XML" | grep -o 'path="platforms;android-[0-9]*"' | \ + sed 's/path="platforms;android-//;s/"//' | sort -n | tail -1) + + # Latest cmdline-tools download ID + CMDLINE_DOWNLOAD=$(echo "$REPO_XML" | grep -o 'commandlinetools-linux-[0-9]*_latest' | \ + sed 's/commandlinetools-linux-//;s/_latest//' | sort -n | tail -1) + + echo "build_tools=${BUILD_TOOLS}" >> $GITHUB_OUTPUT + echo "platform=${PLATFORM}" >> $GITHUB_OUTPUT + echo "cmdline_tools=${CMDLINE_DOWNLOAD}" >> $GITHUB_OUTPUT + + echo "Latest Android build-tools: ${BUILD_TOOLS}" + echo "Latest Android platform: ${PLATFORM}" + echo "Latest cmdline-tools download: ${CMDLINE_DOWNLOAD}" + + - name: Check current Android SDK versions in Dockerfile + id: current + run: | + CURRENT_CMDLINE=$(grep -o 'ANDROID_SDK_TOOLS_VERSION=[0-9]*' Dockerfile.android | cut -d= -f2) + CURRENT_BUILD_TOOLS=$(grep -o 'ANDROID_BUILD_TOOLS=[0-9.]*' Dockerfile.android | cut -d= -f2) + CURRENT_PLATFORM=$(grep -o 'ANDROID_COMPILE_SDK=[0-9]*' Dockerfile.android | cut -d= -f2) + + echo "cmdline_tools=${CURRENT_CMDLINE}" >> $GITHUB_OUTPUT + echo "build_tools=${CURRENT_BUILD_TOOLS}" >> $GITHUB_OUTPUT + echo "platform=${CURRENT_PLATFORM}" >> $GITHUB_OUTPUT + + echo "Current cmdline-tools: ${CURRENT_CMDLINE}" + echo "Current build-tools: ${CURRENT_BUILD_TOOLS}" + echo "Current platform: ${CURRENT_PLATFORM}" + + - name: Check if Flutter release already exists id: existing run: | VERSION="${{ 
steps.flutter.outputs.version }}" @@ -31,7 +74,29 @@ jobs: echo "Release ${VERSION} not found, will create" fi - - name: Create release for new version + - name: Determine if Android SDK update is needed + id: android_update + run: | + NEEDS_UPDATE=false + + if [ "${{ steps.android.outputs.cmdline_tools }}" != "${{ steps.current.outputs.cmdline_tools }}" ]; then + echo "cmdline-tools update available: ${{ steps.current.outputs.cmdline_tools }} -> ${{ steps.android.outputs.cmdline_tools }}" + NEEDS_UPDATE=true + fi + + if [ "${{ steps.android.outputs.build_tools }}" != "${{ steps.current.outputs.build_tools }}" ]; then + echo "build-tools update available: ${{ steps.current.outputs.build_tools }} -> ${{ steps.android.outputs.build_tools }}" + NEEDS_UPDATE=true + fi + + if [ "${{ steps.android.outputs.platform }}" != "${{ steps.current.outputs.platform }}" ]; then + echo "platform update available: ${{ steps.current.outputs.platform }} -> ${{ steps.android.outputs.platform }}" + NEEDS_UPDATE=true + fi + + echo "needs_update=${NEEDS_UPDATE}" >> $GITHUB_OUTPUT + + - name: Create release for new Flutter version if: steps.existing.outputs.exists == 'false' && steps.flutter.outputs.version != '' run: | VERSION="${{ steps.flutter.outputs.version }}" 
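Review bot: Nothing in the `Get latest Android SDK versions` step checks that `BUILD_TOOLS`, `PLATFORM` and `CMDLINE_DOWNLOAD` are non-empty before they are written to `$GITHUB_OUTPUT`. The `grep -o | sed | sort | tail` pipelines exit successfully with empty output if the layout of `repository2-1.xml` changes, and `[0-9]*` also matches zero digits, so a later `!=` comparison would report an update with a blank "Latest" column. A guard before the output lines makes the job fail visibly instead: `[ -n "$BUILD_TOOLS" ] && [ -n "$PLATFORM" ] && [ -n "$CMDLINE_DOWNLOAD" ] || { echo "could not parse repository2-1.xml" >&2; exit 1; }`. The same applies to the three `CURRENT_*` values read from `Dockerfile.android` in the next step.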
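Review bot: The `Determine if Android SDK update is needed` step pastes `${{ steps.android.outputs.* }}` directly into the shell script, and those values originate from a file downloaded at run time. They are currently limited to digits and dots only because of the `grep -o` patterns in the earlier steps, so the script is safe only while those patterns stay strict. Passing the values through `env:` (for example `LATEST_CMDLINE: ${{ steps.android.outputs.cmdline_tools }}`) and comparing `[ "$LATEST_CMDLINE" != "$CURRENT_CMDLINE" ]` removes that coupling. A short comment that `!=` flags any difference, not only a newer upstream version, would also help the next reader.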
@@ -47,3 +112,33 @@ jobs: \"draft\": false, \"prerelease\": false }" + + - name: Create issue for Android SDK updates + if: steps.android_update.outputs.needs_update == 'true' + run: | + BODY="Android SDK updates are available:\n\n" + BODY+="| Component | Current | Latest |\n" + BODY+="|-----------|---------|--------|\n" + BODY+="| cmdline-tools | ${{ steps.current.outputs.cmdline_tools }} | ${{ steps.android.outputs.cmdline_tools }} |\n" + BODY+="| build-tools | ${{ steps.current.outputs.build_tools }} | ${{ steps.android.outputs.build_tools }} |\n" + BODY+="| platform | ${{ steps.current.outputs.platform }} | ${{ steps.android.outputs.platform }} |\n" + BODY+="\nUpdate \`Dockerfile.android\` to use the latest versions." + + # Check if issue already exists + EXISTING=$(curl -s -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \ + "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues?state=open&labels=android-sdk-update" | jq length) + + if [ "$EXISTING" = "0" ]; then + curl -fsSL -X POST \ + -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \ + -H "Content-Type: application/json" \ + "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues" \ + -d "{ + \"title\": \"Android SDK updates available\", + \"body\": \"$(echo -e "$BODY")\", + \"labels\": [\"android-sdk-update\"] + }" + echo "Created issue for Android SDK updates" + else + echo "Issue for Android SDK updates already exists" + fi diff --git a/Dockerfile.android b/Dockerfile.android index dc7343c..17762d5 100644 --- a/Dockerfile.android +++ b/Dockerfile.android @@ -1,9 +1,9 @@ FROM svrnty/base-distro:flutter-sdk-android-latest ARG FLUTTER_VERSION=3.38.9 -ARG ANDROID_SDK_TOOLS_VERSION=11076708 +ARG ANDROID_SDK_TOOLS_VERSION=14742923 ARG ANDROID_COMPILE_SDK=36 -ARG ANDROID_BUILD_TOOLS=36.0.0 +ARG ANDROID_BUILD_TOOLS=36.1.0 LABEL org.opencontainers.image.title="flutter-sdk-android" LABEL org.opencontainers.image.description="Flutter SDK for Android CI builds"
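Review bot: The duplicate check in `Create issue for Android SDK updates` treats every lookup failure as "issue already exists": `curl -s` has no `-f`, so an auth or server error returns a JSON object whose `jq length` is non-zero, and an empty response is not `"0"` either. The step then exits green and the SDK update alert is silently dropped. The POST body is also built by string concatenation, and `echo -e` places raw newlines inside the JSON string, which strict JSON parsers reject; building it with `jq -n --arg` avoids that and any quoting problems. Passing the token through `env:` keeps it out of the rendered script text. It is also worth confirming that the create-issue endpoint accepts label names in `labels`, since Gitea's API describes that field as label ids.

```yaml
      - name: Create issue for Android SDK updates
        if: steps.android_update.outputs.needs_update == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}
        run: |
          set -euo pipefail
          # … unchanged: BODY table assembly …

          # Fail the step when the lookup errors or does not return a JSON array
          EXISTING=$(curl -fsS -H "Authorization: token ${GITEA_TOKEN}" \
            "${API}/issues?state=open&labels=android-sdk-update" \
            | jq -e 'if type == "array" then length else error("unexpected response") end')

          if [ "$EXISTING" = "0" ]; then
            # jq escapes newlines and quotes in the body
            jq -n --arg body "$(printf '%b' "$BODY")" \
              '{title: "Android SDK updates available", body: $body, labels: ["android-sdk-update"]}' \
              | curl -fsS -X POST \
                  -H "Authorization: token ${GITEA_TOKEN}" \
                  -H "Content-Type: application/json" \
                  "${API}/issues" -d @-
          # … unchanged: status messages and else branch …
```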