diff --git a/.taskcluster.yml b/.taskcluster.yml
new file mode 100644
index 00000000..812c22c3
--- /dev/null
+++ b/.taskcluster.yml
@@ -0,0 +1,41 @@
+version: 0
+tasks:
+  - provisionerId: '{{ taskcluster.docker.provisionerId }}'
+    workerType: '{{ taskcluster.docker.workerType }}'
+    scopes:
+        - "secrets:get:project/testpilot/notes"
+    extra:
+      github:
+        events:
+          - pull_request.opened
+          - pull_request.reopened
+          - pull_request.synchronize
+          - push
+          - release
+    payload:
+      features:
+        taskclusterProxy: true
+      maxRunTime: 3600
+      image: circleci/android:api-25-node8-alpha
+      command:
+        - /bin/bash
+        - '--login'
+        - '-c'
+        - >-
+          cd ~ && git clone {{event.head.repo.url}} repo && cd repo && git config
+          advice.detachedHead false && git checkout {{event.head.sha}} && cd native &&
+          source ./misc/taskcluster_secrets.sh &&
+          npm install . && echo $foo && cd android && set +x &&
+          ./gradlew assembleRelease -PMYAPP_RELEASE_STORE_FILE=$MYAPP_RELEASE_STORE_FILE -PMYAPP_RELEASE_KEY_ALIAS=$MYAPP_RELEASE_KEY_ALIAS -PMYAPP_RELEASE_STORE_PASSWORD=$MYAPP_RELEASE_STORE_PASSWORD -PMYAPP_RELEASE_KEY_PASSWORD=$MYAPP_RELEASE_KEY_PASSWORD &&
+          set -x && cp app/build/outputs/apk/release/app-release.apk /tmp
+      artifacts:
+        'public/app-release.apk':
+          type: 'file'
+          path: '/tmp/app-release.apk'
+          expires: "{{ '1 month' | $fromNow }}"
+    metadata:
+      name: Test Pilot Notes
+      description: Test Pilot Notes
+      owner: '{{ event.head.user.email }}'
+      source: '{{ event.head.repo.url }}'
+allowPullRequests: collaborators
diff --git a/native/misc/download_keystore.sh b/native/misc/download_keystore.sh
index 86338490..addea67e 100755
--- a/native/misc/download_keystore.sh
+++ b/native/misc/download_keystore.sh
@@ -1,3 +1,5 @@
+#!/bin/bash -ex
+
 # use curl to download a keystore from $KEYSTORE_URI, if set,
 # to the path/filename set in $KEYSTORE.
 if [[ $KEYSTORE && ${KEYSTORE} && $KEYSTORE_URI && ${KEYSTORE_URI} ]]
diff --git a/native/misc/taskcluster_secrets.sh b/native/misc/taskcluster_secrets.sh
new file mode 100755
index 00000000..0614ac03
--- /dev/null
+++ b/native/misc/taskcluster_secrets.sh
@@ -0,0 +1,26 @@
+#!/bin/bash -ex
+
+set +x
+
+secrets_url="http://taskcluster/secrets/v1/secret/project/testpilot/notes"
+SECRET=$(curl "${secrets_url}")
+
+export KEYSTORE=$(echo "${SECRET}" | jq -r '.secret.KEYSTORE')
+export KEYSTORE_URI=$(echo "${SECRET}" | jq -r '.secret.KEYSTORE_URI')
+export MYAPP_RELEASE_KEY_ALIAS=$(echo "${SECRET}" | jq -r '.secret.MYAPP_RELEASE_KEY_ALIAS')
+export MYAPP_RELEASE_KEY_PASSWORD=$(echo "${SECRET}" | jq -r '.secret.MYAPP_RELEASE_KEY_PASSWORD')
+export MYAPP_RELEASE_STORE_FILE=$(echo "${SECRET}" | jq -r '.secret.MYAPP_RELEASE_STORE_FILE')
+export MYAPP_RELEASE_STORE_PASSWORD=$(echo "${SECRET}" | jq -r '.secret.MYAPP_RELEASE_STORE_PASSWORD')
+export SENTRY_DSN=$(echo "${SECRET}" | jq -r '.secret.SENTRY_DSN')
+
+# use curl to download a keystore from $KEYSTORE_URI, if set,
+# to the path/filename set in $KEYSTORE.
+if [[ $KEYSTORE && ${KEYSTORE} && $KEYSTORE_URI && ${KEYSTORE_URI} ]]
+then
+    echo "Keystore detected - downloading..."
+    curl -L -o android/app/${KEYSTORE} ${KEYSTORE_URI}
+else
+    echo "Keystore uri not set.  .APK artifact will not be signed."
+fi
+
+set -x