Android development: How to secure service account credentials Json file

A good security practice is to never push account credentials to your online code repository like Github. This tutorial helps you keep your secrets secure.

Github offers “repository” secrets. The secret variable will be fetch at runtime. From your Git repo go to: Settings -> Secrets and variables -> Actions -> Secrets -> click button “New repository secret”. On the image below you can see we created the secret variable called “PLAY_FILE”.

The content of the PLAY_FILE is our private service account credentials for Google cloud services.

Using Github actions we can get our secret variable and create the JSON file at the path ./app/file.json. Add below snippet to your workflow: .github/workflows/android.yaml

      - name: Get JSON file
        env:
          PLAY_FILE: ${{ secrets.PLAY_FILE }}
        run: |
          echo $PLAY_FILE > ./app/file.json
          find . -name file.json

Then we can set the file inside build.gradle. Example app/build.gradle.kts

 firebaseTestLab {
        serviceAccountCredentials.set(file("file.json"))
    }

Conclusion

Thanks for spending your time reading it and let me know if I’m wrong somewhere or if there’s something that could do differently or better. I’m open to your feedback 🙌🏻

-Andres