chore(release): prepare for 3.32.5

Automated changes by
[create-pull-request](https://github.com/peter-evans/create-pull-request)
GitHub action

Co-authored-by: verified-commit[bot] <180343340+verified-commit[bot]@users.noreply.github.com>

.github/workflows/build.yml

@@ -27,20 +27,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Login to Docker Hub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_TOKEN }}
-
-      - name: Setup CUE
-        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-        with:
-          repo: cue-lang/cue
-          tag: v0.12.0
-          digest: e55cd5abd98a592c110f87a7da9ef15bc72515200aecfe1bed04bf86311f5ba1
-
-      - name: Read environment variables from version.json
+      - name: Read environment variables from the version manifest
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
@@ -63,8 +50,14 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
+      - name: Login to Docker Hub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
       - name: Build image and push to local Docker daemon
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           file: android.Dockerfile
           load: true
@@ -90,7 +83,7 @@ jobs:
       # TODO: Parallelize testing and vulnerability scanning
       - name: Scan with Docker Scout
         id: docker-scout
-        uses: docker/scout-action@381b657c498a4d287752e7f2cfb2b41823f566d9 # v1.17.1
+        uses: docker/scout-action@aceeb83b88f2ae54376891227858dda7af647183 # v1.18.1
         with:
           command: compare, recommendations
           # Use the Docker Hub image that is the first tag in the metadata
@@ -105,7 +98,7 @@ jobs:
           # debug: true
           # verbose-debug: true
 
-  validate_version:
+  validate_version_files:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout repository
@@ -115,8 +108,8 @@ jobs:
         uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
         with:
           repo: cue-lang/cue
-          tag: v0.12.0
-          digest: e55cd5abd98a592c110f87a7da9ef15bc72515200aecfe1bed04bf86311f5ba1
+          tag: v0.13.0
+          digest: 59ba96137da07cd2cdd2e17ec33af81f850126f022f25dd96516f0b42071b6a9
 
       - name: Validate version.json and flutter_version.json with CUE
         run: |
@@ -133,8 +126,8 @@ jobs:
         uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
         with:
           repo: cue-lang/cue
-          tag: v0.12.0
-          digest: e55cd5abd98a592c110f87a7da9ef15bc72515200aecfe1bed04bf86311f5ba1
+          tag: v0.13.0
+          digest: 59ba96137da07cd2cdd2e17ec33af81f850126f022f25dd96516f0b42071b6a9
 
       - name: Generate test files with CUE
         run: |
@@ -154,7 +147,7 @@ jobs:
       - name: Setup NodeJS
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          cache: 'npm'
+          cache: npm
           cache-dependency-path: docs/src/package-lock.json
           node-version-file: docs/src/package.json
 
@@ -217,8 +210,8 @@ jobs:
         uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
         with:
           repo: cue-lang/cue
-          tag: v0.12.0
-          digest: e55cd5abd98a592c110f87a7da9ef15bc72515200aecfe1bed04bf86311f5ba1
+          tag: v0.13.0
+          digest: 59ba96137da07cd2cdd2e17ec33af81f850126f022f25dd96516f0b42071b6a9
 
       - name: Validate version.json with CUE
         run: cue vet config/version.cue -d '#Version' config/version.json

.github/workflows/changelog.yml

@@ -0,0 +1,61 @@
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - config/version.json
+  workflow_dispatch:
+
+jobs:
+  changelog:
+    runs-on: ubuntu-24.04
+    env:
+      IMAGE_REPOSITORY_NAME: flutter-android
+      VERSION_MANIFEST: config/version.json
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # TODO: Fetch only a few commits after using --unreleased in git-cliff
+          # Fetch all commits to use as input for the changelog generation
+          fetch-depth: 0
+          # Fetch all tags to use as input for the changelog generation
+          fetch-tags: true
+      
+      - name: Setup git-cliff
+        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+        with:
+          repo: orhun/git-cliff
+          tag: v2.8.0
+          digest: 17da092783079c63a0fb14c24fbfa0d3b589e225c6ef01c93111e39cecbc88e8
+
+      - name: Read environment variables from the version manifest
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+          IMAGE_REPOSITORY_NAME: ${{ env.IMAGE_REPOSITORY_NAME }}
+          VERSION_MANIFEST: ${{ env.VERSION_MANIFEST }}
+        with:
+          script: |
+            const script = require('./script/setEnvironmentVariables.js')
+            return await script({ core })
+      
+      - name: Update changelog
+        run: |
+          git-cliff -v --tag ${{ env.FLUTTER_VERSION }} --github-repo ${{ github.repository }} --output changelog.md
+      
+      - name: Generate authentication token with GitHub App to trigger Actions
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: ${{ secrets.VERIFIED_COMMIT_ID }}
+          private-key: ${{ secrets.VERIFIED_COMMIT_KEY }}
+          repositories: ${{ github.event.repository.name }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Commit and push changelog
+        uses: grafana/github-api-commit-action@b1d81091e8480dd11fcea8bc1f0ab977a0376ca5 # v1.0.0
+        with:
+          commit-message: "chore(release): prepare for ${{ env.FLUTTER_VERSION }}"
+          stage-all-files: true
+          token: ${{ steps.app-token.outputs.token }}

.github/workflows/ci.yml

@@ -2,6 +2,8 @@ on:
   push:
     branches:
       - main
+    paths-ignore:
+      - changelog.md
   workflow_dispatch:
 
 # Read-only permissions by default
@@ -31,10 +33,10 @@ jobs:
         uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
         with:
           repo: cue-lang/cue
-          tag: v0.12.0
-          digest: e55cd5abd98a592c110f87a7da9ef15bc72515200aecfe1bed04bf86311f5ba1
+          tag: v0.13.0
+          digest: 59ba96137da07cd2cdd2e17ec33af81f850126f022f25dd96516f0b42071b6a9
 
-      - name: Read environment variables from version.json
+      - name: Read environment variables from the version manifest
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
@@ -58,7 +60,7 @@ jobs:
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
       - name: Build image and push to local Docker daemon
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           file: android.Dockerfile
           load: true
@@ -80,51 +82,4 @@ jobs:
         with:
           image: ${{ fromJSON(steps.metadata.outputs.json).tags[0] }}
           config: test/android.yml
-
-  create_git_tag:
-    permissions:
-      # Allow to write contents to push tags
-      contents: write
-    needs: test_image
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Generate authentication token with GitHub App to trigger Actions
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
-        id: app-token
-        with:
-          app-id: ${{ secrets.VERIFIED_COMMIT_ID }}
-          private-key: ${{ secrets.VERIFIED_COMMIT_KEY }}
-          repositories: ${{ github.event.repository.name }}
-          owner: ${{ github.repository_owner }}
-
-      - name: Setup CUE
-        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-        with:
-          repo: cue-lang/cue
-          tag: v0.12.0
-          digest: e55cd5abd98a592c110f87a7da9ef15bc72515200aecfe1bed04bf86311f5ba1
-
-      - name: Read environment variables from version.json
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        env:
-          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
-          IMAGE_REPOSITORY_NAME: ${{ env.IMAGE_REPOSITORY_NAME }}
-          VERSION_MANIFEST: ${{ env.VERSION_MANIFEST }}
-        with:
-          script: |
-            const script = require('./script/setEnvironmentVariables.js')
-            return await script({ core })
-      
-      - name: Create Tag for a New Flutter Version
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        env:
-          OLD_FLUTTER_VERSION: ${{ vars.FLUTTER_VERSION }}
-          NEW_FLUTTER_VERSION: ${{ env.FLUTTER_VERSION }}
-        with:
-          github-token: ${{ steps.app-token.outputs.token }}
-          script: |
-            const script = require('./script/createGitTag.js')
-            await script({ core, context, github })
+  

.github/workflows/release.yml

@@ -1,21 +1,25 @@
 on:
   push:
     tags:
-    - '*'
+      - '*'
   workflow_dispatch:
 
 # Read-only permissions by default
 permissions:
   contents: read
 
+env:
+  FLUTTER_VERSION: ${{ github.ref_name }}
+
 jobs:
   release_android:
     permissions:
       # Allow to write packages to push the container image to the Github Container Registry
       packages: write
-      # Allow to write security events to upload the results to code-scanning dashboard.
-      security-events: write
     runs-on: ubuntu-24.04
+    outputs:
+      # Use the Docker Hub image which is the first tag in the metadata
+      docker_hub_image_path: ${{ fromJson(steps.metadata.outputs.json).tags[0] }}
     env:
       IMAGE_REPOSITORY_NAME: flutter-android
       ANDROID_BUILD_TOOLS_VERSION: 30.0.3
@@ -24,43 +28,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Generate authentication token with GitHub App to trigger Actions
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
-        id: app-token
-        with:
-          app-id: ${{ secrets.VERIFIED_COMMIT_ID }}
-          private-key: ${{ secrets.VERIFIED_COMMIT_KEY }}
-          repositories: ${{ github.event.repository.name }}
-          owner: ${{ github.repository_owner }}
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_TOKEN }}
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
-
-      - name: Login to Quay.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
-
-      - name: Setup CUE
-        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-        with:
-          repo: cue-lang/cue
-          tag: v0.12.0
-          digest: e55cd5abd98a592c110f87a7da9ef15bc72515200aecfe1bed04bf86311f5ba1
-
-      - name: Read environment variables from version.json
+      - name: Read environment variables from the version manifest
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
@@ -85,8 +53,28 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
+      - name: Login to Docker Hub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Login to Quay.io
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+
       - name: Build image and push it to registries
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           file: android.Dockerfile
           push: true
@@ -103,6 +91,27 @@ jobs:
             android_ndk_version=${{ env.ANDROID_NDK_VERSION }}
             cmake_version=${{ env.CMAKE_VERSION }}
 
+  update_description:
+    runs-on: ubuntu-24.04
+    needs: release_android
+    env:
+      IMAGE_REPOSITORY_NAME: flutter-android
+      VERSION_MANIFEST: config/version.json
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Read environment variables from the version manifest
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+          IMAGE_REPOSITORY_NAME: ${{ env.IMAGE_REPOSITORY_NAME }}
+          VERSION_MANIFEST: ${{ env.VERSION_MANIFEST }}
+        with:
+          script: |
+            const script = require('./script/setEnvironmentVariables.js')
+            return await script({ core })
+
       - name: Update Docker Hub description
         uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2
         with:
@@ -112,54 +121,96 @@ jobs:
           short-description: ${{ github.event.repository.description }}
           readme-filepath: readme.md
 
+  record_image:
+    permissions:
+      # Allow to write code scanning results to GitHub's code scanning dashboard
+      security-events: write
+    runs-on: ubuntu-24.04
+    needs: release_android
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
       - name: Record image in Docker Scout environment
-        id: docker-scout-environment
-        uses: docker/scout-action@381b657c498a4d287752e7f2cfb2b41823f566d9 # v1.17.1
+        uses: docker/scout-action@aceeb83b88f2ae54376891227858dda7af647183 # v1.18.1
         with:
           command: environment, cves
-          # Use the Docker Hub image that is the first tag in the metadata
-          image: registry://${{ fromJson(steps.metadata.outputs.json).tags[0] }}
+          image: registry://${{ needs.release_android.outputs.docker_hub_image_path }}
           environment: prod
           only-fixed: true
           organization: ${{ secrets.DOCKER_HUB_USERNAME }}
           sarif-file: sarif.json
-      
+
+      - name: Upload the results to GitHub's code scanning dashboard
+        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        with:
+          sarif_file: sarif.json
+
+  set_bootstrap_image:
+    runs-on: ubuntu-24.04
+    needs: release_android
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Generate authentication token with GitHub App to trigger Actions
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: ${{ secrets.VERIFIED_COMMIT_ID }}
+          private-key: ${{ secrets.VERIFIED_COMMIT_KEY }}
+          repositories: ${{ github.event.repository.name }}
+          owner: ${{ github.repository_owner }}
+
       - name: Update bootstrap image tag in environment variable
         run: gh variable set FLUTTER_VERSION --body "${{ env.FLUTTER_VERSION }}"
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
 
-      # Upload the results to GitHub's code scanning dashboard (optional).
-      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
-      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+  create_github_release:
+    permissions:
+      # Allow to create releases and upload assets to them
+      contents: write
+    runs-on: ubuntu-24.04
+    needs: release_android
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sarif_file: sarif.json
+          # TODO: Fetch only a few commits after using --unreleased in git-cliff
+          # Fetch all commits to use as input for the changelog generation
+          fetch-depth: 0
+          # Fetch all tags to use as input for the changelog generation
+          fetch-tags: true
 
-      # TODO: Use kaniko for building and pushing after slowness is solved
-      # TODO: https://github.com/GoogleContainerTools/kaniko/issues/970
-      # TODO: https://github.com/GoogleContainerTools/kaniko/issues/875
-      # TODO: Use kaniko for building and pushing after pushing to Docker daemon is solved, to be able to test Docker image, with the following issues
-      # TODO: https://github.com/GoogleContainerTools/kaniko/issues/1331
-      # - name: Build image and push it to registries
-      #   uses: int128/kaniko-action@v1
-      #   with:
-      #     push: true
-      #     cache: true
-      #     cache-repository: ${{ steps.ecr-cache.outputs.repository-uri }}
-      #     tags: ${{ steps.metadata.outputs.tags }}
-      #     labels: ${{ steps.metadata.outputs.labels }}
-      #     build-args: |
-      #       flutter_version=${{ env.FLUTTER_VERSION }}
-      #       android_build_tools_version=${{ env.ANDROID_BUILD_TOOLS_VERSION }}
-      #       android_platform_versions=${{ env.ANDROID_PLATFORM_VERSIONS }}
-      #     kaniko-args: |
-      #       --skip-unused-stages=true
-      #       --use-new-run=true
-      #       --snapshotMode=redo
-      #     target: android
-      #     executor: gcr.io/kaniko-project/executor:latest
-# TODO: https://github.com/snok/container-retention-policy
-# TODO: Push a build image before the final image
-# TODO: Run basic tests with build image
-# TODO: Push final image only if tests pass https://redhat-cop.github.io/ci/publishing-images.html
+      - name: Setup git-cliff
+        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+        with:
+          repo: orhun/git-cliff
+          tag: v2.8.0
+          digest: 17da092783079c63a0fb14c24fbfa0d3b589e225c6ef01c93111e39cecbc88e8
+
+      - name: Get the tag details
+        id: get-tag-details
+        run: |-
+          # Store the changelog in a temporary directory to not pollute the working directory
+          mkdir -p "${{ runner.temp }}/git-cliff"
+          changelog_file="${{ runner.temp }}/git-cliff/changelog.md"
+          echo "changelog_file=${changelog_file}" >>$GITHUB_OUTPUT
+
+          git-cliff -v --latest --strip all --no-exec --github-repo "${{ github.repository }}" --output "$changelog_file"
+
+      - name: Create Github release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |-
+          gh release create "${{ env.FLUTTER_VERSION }}" \
+            --title="${{ env.FLUTTER_VERSION }}" \
+            --notes-file="${{ steps.get-tag-details.outputs.changelog_file }}"

.github/workflows/scorecard.yml

@@ -39,7 +39,7 @@ jobs:
           persist-credentials: false
 
       - name: Run analysis
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
@@ -70,6 +70,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
         with:
           sarif_file: results.sarif

.github/workflows/tag.yml

@@ -0,0 +1,48 @@
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - changelog.md
+  workflow_dispatch:
+
+jobs:
+  create_git_tag:
+    runs-on: ubuntu-24.04
+    env:
+      IMAGE_REPOSITORY_NAME: flutter-android
+      VERSION_MANIFEST: config/version.json
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Generate authentication token with GitHub App to trigger Actions
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: ${{ secrets.VERIFIED_COMMIT_ID }}
+          private-key: ${{ secrets.VERIFIED_COMMIT_KEY }}
+          repositories: ${{ github.event.repository.name }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Read environment variables from the version manifest
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+          IMAGE_REPOSITORY_NAME: ${{ env.IMAGE_REPOSITORY_NAME }}
+          VERSION_MANIFEST: ${{ env.VERSION_MANIFEST }}
+        with:
+          script: |
+            const script = require('./script/setEnvironmentVariables.js')
+            return await script({ core })
+      
+      - name: Create Tag for a New Flutter Version
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          OLD_FLUTTER_VERSION: ${{ vars.FLUTTER_VERSION }}
+          NEW_FLUTTER_VERSION: ${{ env.FLUTTER_VERSION }}
+        with:
+          github-token: ${{ steps.app-token.outputs.token }}
+          script: |
+            const script = require('./script/createGitTag.js')
+            await script({ core, context, github })

.github/workflows/update_version.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-24.04
     outputs:
       new_version: ${{ steps.update_flutter_version.outputs.result }}
-      version_artifact_id: ${{ steps.upload-version.outputs.artifact-id }}
+      flutter_version_artifact_id: ${{ steps.upload-version.outputs.artifact-id }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -35,8 +35,8 @@ jobs:
         uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
         with:
           repo: cue-lang/cue
-          tag: v0.12.0
-          digest: e55cd5abd98a592c110f87a7da9ef15bc72515200aecfe1bed04bf86311f5ba1
+          tag: v0.13.0
+          digest: 59ba96137da07cd2cdd2e17ec33af81f850126f022f25dd96516f0b42071b6a9
 
       - name: Validate version.json with CUE
         if: ${{ steps.update_flutter_version.outputs.result == 'true' }}
@@ -60,6 +60,8 @@ jobs:
       pull-requests: write
     needs: update_flutter_version
     if: ${{ needs.update_flutter_version.outputs.new_version == 'true' }}
+    outputs:
+      version_artifact_id: ${{ steps.upload-version.outputs.artifact-id }}
     runs-on: ubuntu-24.04
     container:
       image: ghcr.io/${{ github.repository_owner }}/flutter-android:${{ vars.FLUTTER_VERSION }}
@@ -69,12 +71,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          # TODO: Fetch only a few commits after using --unreleased in git-cliff
-          # Fetch all commits to use as input for the changelog generation
-          fetch-depth: 0
-          # Fetch all tags to use as input for the changelog generation
-          fetch-tags: true
 
       # TODO: Workaround because actions/download-artifact can't overwrite existing files
       # Check if this workaround can be removed after the following issues are fixed:
@@ -86,20 +82,11 @@ jobs:
       - name: Download artifact with the new Flutter version
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
-          artifact-ids: ${{ needs.update_flutter_version.outputs.version_artifact_id }}
+          artifact-ids: ${{ needs.update_flutter_version.outputs.flutter_version_artifact_id }}
           path: config
           # Download to the configured path instead of separated directories by artifact id
           merge-multiple: true
 
-      - name: Generate authentication token with GitHub App to trigger Actions
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
-        id: app-token
-        with:
-          app-id: ${{ secrets.VERIFIED_COMMIT_ID }}
-          private-key: ${{ secrets.VERIFIED_COMMIT_KEY }}
-          repositories: ${{ github.event.repository.name }}
-          owner: ${{ github.repository_owner }}
-
       - name: Copy Flutter version into version manifest and export FLUTTER_* environment variables
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
@@ -136,20 +123,78 @@ jobs:
         run: |
           rm -rf test_app
 
+      - name: Upload artifact with the updated version.json
+        id: upload-version
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: version.json
+          path: config/version.json
+
+  validate_config_version:
+    needs: update_android_version
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      # TODO: Workaround because actions/download-artifact can't overwrite existing files
+      # Check if this workaround can be removed after the following issues are fixed:
+      # https://github.com/actions/download-artifact/issues/225
+      # https://github.com/actions/download-artifact/issues/138
+      - name: Delete version.json
+        run: rm config/version.json
+
+      - name: Download artifact with the new Flutter version
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          artifact-ids: ${{ needs.update_android_version.outputs.version_artifact_id }}
+          path: config
+          # Download to the configured path instead of separated directories by artifact id
+          merge-multiple: true
+
       - name: Setup CUE
         uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
         with:
           repo: cue-lang/cue
-          tag: v0.12.0
-          digest: e55cd5abd98a592c110f87a7da9ef15bc72515200aecfe1bed04bf86311f5ba1
+          tag: v0.13.0
+          digest: 59ba96137da07cd2cdd2e17ec33af81f850126f022f25dd96516f0b42071b6a9
 
       - name: Validate version.json with CUE
         run: cue vet config/version.cue -d '#Version' config/version.json
 
+  update_docs_and_create_pr:
+    needs:
+      - update_flutter_version
+      - update_android_version
+      - validate_config_version
+    runs-on: ubuntu-24.04
+    env:
+      IMAGE_REPOSITORY_NAME: flutter-android
+      VERSION_MANIFEST: config/version.json
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      # TODO: Workaround because actions/download-artifact can't overwrite existing files
+      # Check if this workaround can be removed after the following issues are fixed:
+      # https://github.com/actions/download-artifact/issues/225
+      # https://github.com/actions/download-artifact/issues/138
+      - name: Delete flutter_version.json and version.json
+        run: |-
+          rm config/flutter_version.json config/version.json
+
+      - name: Download artifact with the new Flutter version
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          artifact-ids: ${{ needs.update_flutter_version.outputs.flutter_version_artifact_id }},${{ needs.update_android_version.outputs.version_artifact_id }}
+          path: config
+          # Download to the configured path instead of separated directories by artifact id
+          merge-multiple: true
+
       - name: Setup NodeJS
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          cache: 'npm'
+          cache: npm
           cache-dependency-path: docs/src/package-lock.json
           node-version-file: docs/src/package.json
 
@@ -159,21 +204,30 @@ jobs:
           npm ci --prefer-offline
           npm run build
 
-      - name: Setup git-cliff
-        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+      - name: Read environment variables from the version manifest
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+          IMAGE_REPOSITORY_NAME: ${{ env.IMAGE_REPOSITORY_NAME }}
+          VERSION_MANIFEST: ${{ env.VERSION_MANIFEST }}
         with:
-          repo: orhun/git-cliff
-          tag: v2.8.0
-          digest: 17da092783079c63a0fb14c24fbfa0d3b589e225c6ef01c93111e39cecbc88e8
-
-      - name: Update changelog
-        run: |
-          git-cliff -v --tag ${{ env.FLUTTER_VERSION }} --github-repo ${{ github.repository }} --output changelog.md
+          script: |
+            const script = require('./script/setEnvironmentVariables.js')
+            return await script({ core })      
 
       - name: Create commit message variable
         run: |
           echo "COMMIT_MESSAGE=chore(release): update flutter dependencies in version.json for ${{ env.FLUTTER_VERSION }}" >> $GITHUB_ENV
 
+      - name: Generate authentication token with GitHub App to trigger Actions
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: ${{ secrets.VERIFIED_COMMIT_ID }}
+          private-key: ${{ secrets.VERIFIED_COMMIT_KEY }}
+          repositories: ${{ github.event.repository.name }}
+          owner: ${{ github.repository_owner }}
+      
       # TODO: Generate changelog for the new flutter version, that will be the new tag
       - name: Create pull request if there are changes
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8

.github/workflows/windows.yml

@@ -33,7 +33,7 @@ jobs:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
 
-      - name: Read environment variables from version.json
+      - name: Read environment variables from the version manifest
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}

android.Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:12.11-slim@sha256:90522eeb7e5923ee2b871c639059537b30521272f10ca86fdbbbb2b75a8c40cd AS flutter
+FROM debian:12.11-slim@sha256:e5865e6858dacc255bead044a7f2d0ad8c362433cfaa5acefb670c1edf54dfef AS flutter
 
 SHELL ["/bin/bash", "-euxo", "pipefail", "-c"]
 

changelog.md

@@ -2,6 +2,41 @@
 
 All notable changes to this project will be documented in this file.
 
+## [3.32.5] - 2025-06-26
+
+### ⚙️ Miscellaneous Tasks
+
+- Parse json before output (#354)
+- *(release)* Update flutter dependencies in version.json for 3.32.5 (#357)
+
+## [3.32.4] - 2025-06-14
+
+### ⚙️ Miscellaneous Tasks
+
+- Split release workflow into jobs (#352)
+- *(release)* Update flutter dependencies in version.json for 3.32.4 (#353)
+
+## [3.32.3] - 2025-06-12
+
+### ⚙️ Miscellaneous Tasks
+
+- Add VERSION_MANIFEST to tag workflow (#349)
+- *(release)* Update flutter dependencies in version.json for 3.32.2 (#350)
+- *(release)* Update flutter dependencies in version.json for 3.32.3 (#351)
+
+## [3.32.2] - 2025-06-05
+
+### ⚙️ Miscellaneous Tasks
+
+- Split  into tag.yml and changelog.yml workflows (#347)
+- *(release)* Update flutter dependencies in version.json for 3.32.2 (#348)
+
+## [3.32.1] - 2025-05-30
+
+### ⚙️ Miscellaneous Tasks
+
+- *(release)* Update flutter dependencies in version.json for 3.32.1 (#345)
+
 ## [3.32.0] - 2025-05-23
 
 ### ⚙️ Miscellaneous Tasks
@@ -10,6 +45,7 @@ All notable changes to this project will be documented in this file.
 - Set tools digest to verify integrity (#331)
 - Download immutable artifact by id (#337)
 - Update artifact download configuration (#342)
+- *(release)* Update flutter dependencies in version.json for 3.32.0 (#343)
 
 ## [3.29.3] - 2025-04-17
 

config/flutter_version.json

@@ -1,7 +1,7 @@
 {
     "flutter": {
         "channel": "stable",
-        "commit": "be698c48a6750c8cb8e61c740ca9991bb947aba2",
-        "version": "3.32.0"
+        "commit": "fcf2c11572af6f390246c056bc905eca609533a0",
+        "version": "3.32.5"
     }
 }

config/version.json

@@ -1,8 +1,8 @@
 {
     "flutter": {
         "channel": "stable",
-        "commit": "be698c48a6750c8cb8e61c740ca9991bb947aba2",
-        "version": "3.32.0"
+        "commit": "fcf2c11572af6f390246c056bc905eca609533a0",
+        "version": "3.32.5"
     },
     "android": {
         "platforms": [
@@ -27,6 +27,6 @@
         }
     },
     "fastlane": {
-        "version": "2.227.2"
+        "version": "2.228.0"
     }
 }

readme.md

@@ -23,10 +23,10 @@ The images includes the minimum tools to run Flutter and build apps. The version
 
 ## Features
 
-* Installed Flutter SDK 3.32.0.
+* Installed Flutter SDK 3.32.5.
 * Analytics disabled by default, opt-in if `ENABLE_ANALYTICS` environment variable is passed when running the container.
 * Rootless user `flutter:flutter`, with permissions to run on Github workflows and GitLab CI.
-* Cached Fastlane gem 2.227.2.
+* Cached Fastlane gem 2.228.0.
 * Minimal image with predownloaded SDKs and tools ready to run `flutter` commands for the Android platform.
 
 Predownloaded SDKs and tools in Android:
@@ -40,15 +40,15 @@ Predownloaded SDKs and tools in Android:
 
 | Registry                  | flutter-android                                                                                                            |
 | ------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
-| Docker Hub                | [gmeligio/flutter-android:3.32.0](https://hub.docker.com/r/gmeligio/flutter-android)                                       |
-| GitHub Container Registry | [ghcr.io/gmeligio/flutter-android:3.32.0](https://github.com/gmeligio/flutter-docker-image/pkgs/container/flutter-android) |
-| Quay                      | [quay.io/gmeligio/flutter-android:3.32.0](https://quay.io/repository/gmeligio/flutter-android)                             |
+| Docker Hub                | [gmeligio/flutter-android:3.32.5](https://hub.docker.com/r/gmeligio/flutter-android)                                       |
+| GitHub Container Registry | [ghcr.io/gmeligio/flutter-android:3.32.5](https://github.com/gmeligio/flutter-docker-image/pkgs/container/flutter-android) |
+| Quay                      | [quay.io/gmeligio/flutter-android:3.32.5](https://quay.io/repository/gmeligio/flutter-android)                             |
 
 On the terminal:
 
 ```bash
 # From GitHub Container Registry
-docker run --rm -it ghcr.io/gmeligio/flutter-android:3.32.0 bash
+docker run --rm -it ghcr.io/gmeligio/flutter-android:3.32.5 bash
 ```
 
 On a workflow in GitHub Actions:
@@ -58,7 +58,7 @@ jobs:
   build:
     runs-on: ubuntu-22.04
     container:
-      image: ghcr.io/gmeligio/flutter-android:3.32.0
+      image: ghcr.io/gmeligio/flutter-android:3.32.5
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -70,7 +70,7 @@ On a `.gitlab-ci.yml` in GitLab CI:
 
 ```yaml
 build:
-  image: ghcr.io/gmeligio/flutter-android:3.32.0
+  image: ghcr.io/gmeligio/flutter-android:3.32.5
   script:
     - flutter build apk
 ```
@@ -91,20 +91,20 @@ bundle exec fastlane
 
 Every new tag on the flutter stable channel gets built. The tag is composed of the Flutter version used to build the image:
 
-* Docker image: gmeligio/flutter-android:3.32.0
-* Flutter version: 3.32.0
+* Docker image: gmeligio/flutter-android:3.32.5
+* Flutter version: 3.32.5
 
 ## Building Locally
 
 The android.Dockerfile expects a few arguments:
 
-* `flutter_version <string>`: The version of Flutter to use when building. Example: 3.32.0
+* `flutter_version <string>`: The version of Flutter to use when building. Example: 3.32.5
 * `android_build_tools_version <string>`: The version of the Android SDK Build Tools to install. Example: 34.0.0
 * `android_platform_versions <list>`: The versions of the Android SDK Platforms to install, separated by spaces. Example: 35
 
 ```bash
 # Android
-docker build --target android --build-arg flutter_version=3.32.0 --build-arg fastlane_version=2.227.2 --build-arg android_build_tools_version=34.0.0 --build-arg android_platform_versions="35" -t android-test .
+docker build --target android --build-arg flutter_version=3.32.5 --build-arg fastlane_version=2.228.0 --build-arg android_build_tools_version=34.0.0 --build-arg android_platform_versions="35" -t android-test .
 ```
 
 ## Roadmap

windows.Dockerfile

@@ -1,6 +1,6 @@
 # escape=`
 
-FROM mcr.microsoft.com/windows/servercore:ltsc2025@sha256:c6b2b26058a096cb3f627ed03d0be66bea262c89222c988b516e63ae68f3ea72 as flutter
+FROM mcr.microsoft.com/windows/servercore:ltsc2025@sha256:4c8150b6fe78cac412f24690d250c97c29a8cf2b0f241be7e9330e7d93292305 as flutter
 
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]