diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 172a7da..35ad3ca 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -138,10 +138,63 @@ jobs: path: "client/build/app/outputs/bundle/release/app-release.aab" retention-days: 2 + build-android-apk: + runs-on: [self-hosted, macOS] + env: + ANDROID_HOME: /Users/admin/Library/Android/sdk + ANDROID_SDK_ROOT: /Users/admin/Library/Android/sdk + defaults: + run: + working-directory: ./client + steps: + - uses: actions/checkout@v4 + + - name: Set up Java + uses: actions/setup-java@v3 + with: + distribution: "temurin" + java-version: "17" + + - name: Setup flutter + uses: subosito/flutter-action@v2 + with: + channel: stable + flutter-version: 3.32.7 + + - name: Install Android SDK components + run: | + $ANDROID_HOME/cmdline-tools/latest/bin/sdkmanager --install 'build-tools;29.0.3' + - name: Accept licenses + run: yes | flutter doctor --android-licenses + + - name: Clean flutter + run: flutter clean + + - name: Install deps + run: flutter pub get + + - name: Build Android APK + run: flutter build apk --release --build-number=${{ github.run_number }} + + - name: Sign APK + uses: r0adkll/sign-android-release@v1 + with: + releaseDirectory: client/build/app/outputs/flutter-apk + signingKeyBase64: "${{ secrets.ANDROID_SIGNING_KEY_BASE64 }}" + alias: "${{ secrets.ANDROID_SIGNING_KEY_ALIAS }}" + keyStorePassword: "${{ secrets.ANDROID_KEYSTORE_PASSWORD }}" + keyPassword: "${{ secrets.ANDROID_KEYSTORE_PASSWORD }}" + + - name: Upload Android Artifact + uses: actions/upload-artifact@v4 + if: startsWith(github.ref, 'refs/tags/') + with: + name: android-app-apk + path: "client/build/app/outputs/flutter-apk/app-release.apk" + retention-days: 2 + release: - needs: [build-ios, build-android] + needs: [build-ios, build-android, build-android-apk] # Create release only if CI was triggered by a tag. if: startsWith(github.ref, 'refs/tags/') uses: ./.github/workflows/release.yaml - secrets: - PRIVATE_REPO_CLONING_TOKEN: ${{ secrets.PRIVATE_REPO_CLONING_TOKEN }} 
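Review bot: The `Sign APK` step is not tag-gated the way the `Upload Android Artifact` step is, so the release keystore in `ANDROID_SIGNING_KEY_BASE64` and both passwords are decoded onto the self-hosted macOS runner on every run of `build-android-apk`, not just when a release is cut; add `if: startsWith(github.ref, 'refs/tags/')` to the signing step so the key only materialises for tag builds. Those secrets are handed to `r0adkll/sign-android-release@v1`, a third-party action referenced by a mutable major tag — pin it (and `subosito/flutter-action@v2`) to a full commit SHA so a re-tag cannot swap the code that receives the signing key. Because the runner is self-hosted and the workspace can persist between jobs, consider a final `if: always()` cleanup step that removes the decoded keystore (confirm where the action writes it; presumably under `releaseDirectory`). `actions/setup-java@v3` is also a generation behind the `@v4` checkout/upload actions used in the same job.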
diff --git a/.github/workflows/lint-and-test.yaml b/.github/workflows/lint-and-test.yaml index 603d5d4..01df6ba 100644 --- a/.github/workflows/lint-and-test.yaml +++ b/.github/workflows/lint-and-test.yaml @@ -5,8 +5,8 @@ on: branches: - main - dev - - 'release/**' - - 'hotfix/**' + - "release/**" + - "hotfix/**" paths-ignore: &ignored_paths - "*.md" - "LICENSE" @@ -15,8 +15,8 @@ on: branches: - main - dev - - 'release/**' - - 'hotfix/**' + - "release/**" + - "hotfix/**" paths-ignore: *ignored_paths jobs: @@ -34,8 +34,8 @@ jobs: - name: Scan code with Trivy uses: aquasecurity/trivy-action@0.33.1 with: - scan-type: 'fs' - scan-ref: '.' + scan-type: "fs" + scan-ref: "." exit-code: "1" ignore-unfixed: true severity: "CRITICAL,HIGH,MEDIUM" @@ -66,7 +66,6 @@ jobs: # uses: actions/checkout@v4 # with: # submodules: "recursive" - # token: ${{ secrets.PRIVATE_REPO_CLONING_TOKEN }} # - name: setup flutter # uses: subosito/flutter-action@v2 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 410f794..103af53 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -2,10 +2,6 @@ name: "Release" on: workflow_call: - secrets: - PRIVATE_REPO_CLONING_TOKEN: - description: "Cloning token" - required: true jobs: create-release: @@ -28,12 +24,10 @@ jobs: files: | ./artifacts/Defguard.ipa ./artifacts/app-release.aab + ./artifacts/app-release.apk create-sbom: needs: [create-release] uses: ./.github/workflows/sbom.yaml with: upload_url: ${{ needs.create-release.outputs.upload_url }} - secrets: - PRIVATE_REPO_CLONING_TOKEN: ${{ secrets.PRIVATE_REPO_CLONING_TOKEN }} - diff --git a/.github/workflows/sbom-regenerate.yaml b/.github/workflows/sbom-regenerate.yaml index 3bd1f03..dff8a3c 100644 --- a/.github/workflows/sbom-regenerate.yaml +++ b/.github/workflows/sbom-regenerate.yaml 
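Review bot: The `create-sbom` call in release.yaml now passes no `secrets:` block, while the same commit's sbom-regenerate.yaml calls the same `./.github/workflows/sbom.yaml` with `secrets: inherit`; the two callers should agree, and since `sbom.yaml` no longer declares any `secrets:` input, neither should need anything beyond the implicit `GITHUB_TOKEN`. Separately, `sbom.yaml`'s job declares `permissions: contents: write` to upload against `upload_url`, and a called workflow can only receive permissions its caller job holds, so `create-sbom` (and `create-release`) must carry `permissions: contents: write` themselves — that is not visible in this hunk, please confirm. The new `./artifacts/app-release.apk` entry presumably relies on the `android-app-apk` artifact from build.yaml being downloaded into `./artifacts` by a step outside this hunk.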
@@ -1,8 +1,10 @@ name: Periodic SBOM Regeneration +permissions: + contents: write on: schedule: - - cron: '30 2 * * *' # 2:30 AM UTC + - cron: "30 2 * * *" # 2:30 AM UTC jobs: list-releases: @@ -35,5 +37,4 @@ jobs: with: upload_url: ${{ matrix.release.uploadUrl }} tag: ${{ matrix.release.tagName }} - secrets: - PRIVATE_REPO_CLONING_TOKEN: ${{ secrets.PRIVATE_REPO_CLONING_TOKEN }} + secrets: inherit diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 99775f0..67bfc57 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -11,13 +11,11 @@ on: description: "The git tag to generate SBOM for - used in scheduled runs" required: false type: string - secrets: - PRIVATE_REPO_CLONING_TOKEN: - description: "Cloning token" - required: true jobs: create-sbom: + permissions: + contents: write runs-on: [self-hosted, Linux, X64] steps: @@ -33,27 +31,26 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - submodules: recursive ref: ${{ steps.vars.outputs.TAG_NAME }} - token: ${{ secrets.PRIVATE_REPO_CLONING_TOKEN }} + submodules: recursive - name: Create SBOM with Trivy uses: aquasecurity/trivy-action@0.33.1 with: - scan-type: 'fs' - format: 'spdx-json' + scan-type: "fs" + format: "spdx-json" output: "defguard-mobile-${{ steps.vars.outputs.VERSION }}.sbom.json" - scan-ref: '.' + scan-ref: "." severity: "CRITICAL,HIGH,MEDIUM,LOW" scanners: "vuln" - name: Create security advisory file with Trivy uses: aquasecurity/trivy-action@0.33.1 with: - scan-type: 'fs' - format: 'json' + scan-type: "fs" + format: "json" output: "defguard-mobile-${{ steps.vars.outputs.VERSION }}.advisories.json" - scan-ref: '.' + scan-ref: "." severity: "CRITICAL,HIGH,MEDIUM,LOW" scanners: "vuln" diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c5edab1 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.envrc +.direnv/
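Review bot: The new workflow-level `permissions: contents: write` in sbom-regenerate.yaml grants write to every job in the workflow, including `list-releases`, which only needs to read releases. A called reusable workflow cannot exceed its caller job's permissions, which is presumably why this was added, but it should live on the job that `uses: ./.github/workflows/sbom.yaml` — `permissions:` / `  contents: write` under that job — with `list-releases` left at `contents: read`.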
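Review bot: `secrets: inherit` replaces a single named secret with a forward of every repository- and organisation-level secret to the called workflow, even though `sbom.yaml` in this same diff drops its only `secrets:` input and now declares none; that is the opposite of least privilege for a scheduled job that checks out a tag and uploads an SBOM. Either remove the `secrets:` key entirely (the callee still receives `GITHUB_TOKEN`) or list the specific secret it needs. The same call in release.yaml passes no secrets at all, so the two callers are also inconsistent.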
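Review bot: The sbom.yaml checkout keeps `submodules: recursive` but no longer supplies a token, so the submodule fetch runs with the default `GITHUB_TOKEN`; that only succeeds if every submodule is public or in the same repository, and the removed `PRIVATE_REPO_CLONING_TOKEN` suggests at least one was private. Confirm the submodule has been made public or dropped from `.gitmodules`, otherwise the nightly SBOM run will fail at checkout rather than at scan time. If no submodules remain, remove `submodules: recursive` as well so the step reflects what it actually does.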