
ci: add release workflows #959

Open
ovitrif wants to merge 1 commit into master from feat/reproducible-builds

Conversation

ovitrif (Collaborator) commented May 21, 2026

Related: #953
Supersedes: #867 (closed as outdated in favor of #953)

This PR:

  1. Adds protected release workflows for signed mainnet store and internal artifacts.
  2. Adds debug-only Firebase placeholders so fresh clones can build dev and testnet debug variants without private Firebase files.
  3. Adds a WalletScrutiny-oriented reproducible release workflow, local reproduction script, and documentation.

Caution

If you already have a private debug Firebase config at app/google-services.json, move it before checking out this PR or pulling master after this PR merges:

mkdir -p app/src/debug
mv app/google-services.json app/src/debug/google-services.json

app/google-services.json is now the tracked placeholder for fresh clones. Keep app/src/mainnetRelease/google-services.json unchanged for release builds.

Description

The core change is adding release and release-internal GitHub Actions workflows. Both workflows build signed mainnet release artifacts from protected environment secrets. release keeps both APK and AAB outputs for Play/GitHub release handling, while release-internal produces the mainnet APK signed with the internal keystore.

The reproducibility support adds a Reproducible Release workflow and scripts/reproduce-release.sh to build bundleMainnetRelease, recreate APK splits with bundletool, extract arm64-v8a native libraries, and upload checksum evidence. The new documentation explains how this relates to WalletScrutiny issue #953 and captures the currently known native library mappings.

GitHub Actions setup:

  • Created the release and release-internal GitHub environments for the protected release workflows.
  • Required release environment secrets:
    • MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64,
    • BITKIT_KEYSTORE_BASE64,
    • BITKIT_KEYSTORE_PASSWORD,
    • BITKIT_KEY_ALIAS, and
    • BITKIT_KEY_PASSWORD.
  • Required release-internal environment secrets:
    • MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64,
    • INTERNAL_KEYSTORE_BASE64,
    • INTERNAL_KEYSTORE_PASSWORD,
    • INTERNAL_KEY_ALIAS, and
    • INTERNAL_KEY_PASSWORD.

These will be added AFTER the PR is approved.

Remaining upstream work for #953:

  • Make bitkit-core-android / Rust-native AAR builds reproducible upstream.
  • Pin Rust toolchain, Android NDK, Cargo.lock, build paths, SOURCE_DATE_EPOCH, path remapping, stripping, and published native .so checksums.
  • Continue investigating third-party native outputs from androidx.datastore:datastore-core and net.java.dev.jna:jna with diffoscope evidence.

Preview

N/A

QA Notes

Manual Tests

  1. 2026-05-25 → Firebase config setup: confirmed real debug Firebase config belongs in the ignored shared debug path (app/src/debug/google-services.json) so one file can override the checked-in app/google-services.json placeholder without dirtying Git; app/src/mainnetRelease/google-services.json remains the release-only path.
  2. 2026-05-25 → Release workflow review: confirmed store release keeps APK + AAB outputs, internal release keeps APK output, and both run post-build signature verification before artifact upload.

Automated Checks

  • bash -n scripts/reproduce-release.sh
  • YAML parse for .github/workflows/release.yml, .github/workflows/release-internal.yml, and .github/workflows/reproducible-release.yml
  • YAML parse for all workflows after moving debug Firebase secrets to the shared app/src/debug/google-services.json path while keeping release secrets at app/src/mainnetRelease/google-services.json
  • bash -n for the release signature verification shell blocks
  • git diff --check
  • git check-ignore -v app/src/debug/google-services.json app/src/mainnetRelease/google-services.json
  • Google Services plugin lookup order inspected from local 4.4.4 sources: src/debug/google-services.json resolves before the checked-in root app/google-services.json placeholder, while src/mainnetRelease/google-services.json remains the release override. The root placeholder intentionally omits the production to.bitkit client.
  • go run github.com/rhysd/actionlint/cmd/actionlint@latest .github/workflows/reproducible-release.yml .github/workflows/release.yml .github/workflows/release-internal.yml
  • GitHub checks on 4aa52470d: lint and detekt passed; build/E2E jobs were skipped while the PR was draft.
  • Workflow behavior must be verified in GitHub Actions (after merge).
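The description above lists two checks the new workflows perform but does not show them: post-build signature verification before upload, and per-library checksum evidence for the arm64-v8a native libraries. The script below is an added example for this page, not code from the Bitkit repository or this PR. It assumes `apksigner verify --print-certs` output is parsed by its `Signer #1 certificate SHA-256 digest:` line, that the `.so` files have already been extracted from the APK split (the PR's `scripts/reproduce-release.sh` uses bundletool for that step), and it uses a constructed placeholder for the expected signing certificate digest and constructed library names and contents.

```shell
#!/bin/sh
# Added example for this PR page, not code from the Bitkit repository.
# Two checks a release pipeline can run after a build:
#   1. pin the APK signing certificate fingerprint so an artifact signed with
#      the wrong keystore fails the job before upload;
#   2. produce and compare per-file SHA-256 manifests of extracted arm64-v8a
#      native libraries, the kind of checksum evidence a reproducibility
#      check relies on.
# Assumptions: apksigner output is parsed by its "Signer #1 certificate
# SHA-256 digest:" line, and the .so files were already extracted from the
# APK split. EXPECTED_SIGNER_SHA256 is a constructed placeholder, not a real
# certificate digest.
set -eu

EXPECTED_SIGNER_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Portable SHA-256: GNU coreutils on Linux runners, perl shasum on macOS.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Reads apksigner-style output on stdin; succeeds only when the Signer #1
# digest equals $1 (case-insensitive). Fails when no digest line is present,
# so malformed or empty verifier output can never pass silently.
verify_signer_fingerprint() {
  expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  found=$(sed -n 's/^Signer #1 certificate SHA-256 digest:[[:space:]]*//p' | tr -d '[:space:]' | tr 'A-F' 'a-f')
  [ -n "$found" ] || { echo "no signer digest in verifier output" >&2; return 1; }
  [ "$found" = "$expected" ]
}

# Writes "<sha256>  ./lib/arm64-v8a/libfoo.so" lines for every .so under $1,
# sorted by path so two manifests from identical trees are byte-identical.
native_lib_manifest() {
  (cd "$1" && find . -type f -name '*.so' | LC_ALL=C sort | while IFS= read -r f; do
    sha256_tool "$f"
  done)
}

# Prints a diff of two manifests; returns 0 when they match, 1 otherwise.
compare_manifests() {
  if diff "$1" "$2"; then return 0; else return 1; fi
}

# --- demo with constructed inputs (a CI artifact vs a local rebuild) --------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir -p "$work/ci/lib/arm64-v8a" "$work/local/lib/arm64-v8a"
printf 'constructed native code A' > "$work/ci/lib/arm64-v8a/libcore_example.so"
printf 'constructed native code A' > "$work/local/lib/arm64-v8a/libcore_example.so"
printf 'constructed native code B' > "$work/ci/lib/arm64-v8a/libjna_example.so"
printf 'constructed native code C' > "$work/local/lib/arm64-v8a/libjna_example.so"
native_lib_manifest "$work/ci" > "$work/ci.sha256"
native_lib_manifest "$work/local" > "$work/local.sha256"
if compare_manifests "$work/ci.sha256" "$work/local.sha256"; then
  echo "native libraries reproduce"
else
  echo "native libraries differ: inspect the differing .so with diffoscope"
fi

# Constructed verifier output; a real job would pipe
# `apksigner verify --print-certs app.apk` into the function instead.
printf 'Signer #1 certificate DN: CN=Placeholder\nSigner #1 certificate SHA-256 digest: %s\n' "$EXPECTED_SIGNER_SHA256" \
  | verify_signer_fingerprint "$EXPECTED_SIGNER_SHA256" && echo "signer fingerprint pinned OK"
```

Pinning the certificate digest is stricter than only checking that the signature verifies: a build signed with a valid but wrong keystore (for example the internal keystore in the store workflow) still fails. Sorting the manifest by path makes the two checksum files directly diffable, so the CI artifact's manifest can be uploaded as evidence and compared against a local reproduction with the same function.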


@ovitrif ovitrif added this to the 2.3.0 milestone May 21, 2026
@ovitrif ovitrif self-assigned this May 21, 2026

@ovitrif ovitrif requested a review from ben-kaufman May 23, 2026 03:06
jvsena42 previously approved these changes May 25, 2026
ovitrif (Collaborator, Author) commented May 25, 2026

The debug files above are tracked placeholders. Before replacing a debug placeholder with a real Firebase config, hide that local-only change from Git:

git update-index --skip-worktree app/src/devDebug/google-services.json
cp /secure/path/google-services.json app/src/devDebug/google-services.json

Reworking this from above, I don't really like this approach.

EDIT: done and force-pushed squashed work in 1 commit.

PR description updated to inform about the "migration" requirement for the new setup, which ignores all but the placeholder and requires local clones to move the current app/google-services.json to the git-ignored app/debug/google-services.json.

@ovitrif ovitrif marked this pull request as draft May 25, 2026 12:24
@ovitrif ovitrif force-pushed the feat/reproducible-builds branch from 14162ef to 4aa5247 Compare May 25, 2026 12:54
@ovitrif ovitrif marked this pull request as ready for review May 25, 2026 13:23
@ovitrif ovitrif requested a review from jvsena42 May 25, 2026 13:26
@ovitrif ovitrif force-pushed the feat/reproducible-builds branch from 4aa5247 to 13528fa Compare May 25, 2026 15:44