Merge main -> release/1.6-alpha

.github/workflows/build.yaml

@@ -138,10 +138,63 @@ jobs:
           path: "client/build/app/outputs/bundle/release/app-release.aab"
           retention-days: 2
 
+  build-android-apk:
+    runs-on: [self-hosted, macOS]
+    env:
+      ANDROID_HOME: /Users/admin/Library/Android/sdk
+      ANDROID_SDK_ROOT: /Users/admin/Library/Android/sdk
+    defaults:
+      run:
+        working-directory: ./client
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Java
+        uses: actions/setup-java@v3
+        with:
+          distribution: "temurin"
+          java-version: "17"
+
+      - name: Setup flutter
+        uses: subosito/flutter-action@v2
+        with:
+          channel: stable
+          flutter-version: 3.32.7
+
+      - name: Install Android SDK components
+        run: |
+          $ANDROID_HOME/cmdline-tools/latest/bin/sdkmanager --install 'build-tools;29.0.3'
+      - name: Accept licenses
+        run: yes | flutter doctor --android-licenses
+
+      - name: Clean flutter
+        run: flutter clean
+
+      - name: Install deps
+        run: flutter pub get
+
+      - name: Build Android APK
+        run: flutter build apk --release --build-number=${{ github.run_number }}
+
+      - name: Sign APK
+        uses: r0adkll/sign-android-release@v1
+        with:
+          releaseDirectory: client/build/app/outputs/flutter-apk
+          signingKeyBase64: "${{ secrets.ANDROID_SIGNING_KEY_BASE64 }}"
+          alias: "${{ secrets.ANDROID_SIGNING_KEY_ALIAS }}"
+          keyStorePassword: "${{ secrets.ANDROID_KEYSTORE_PASSWORD }}"
+          keyPassword: "${{ secrets.ANDROID_KEYSTORE_PASSWORD }}"
+
+      - name: Upload Android Artifact
+        uses: actions/upload-artifact@v4
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          name: android-app-apk
+          path: "client/build/app/outputs/flutter-apk/app-release.apk"
+          retention-days: 2
+
   release:
-    needs: [build-ios, build-android]
+    needs: [build-ios, build-android, build-android-apk]
     # Create release only if CI was triggered by a tag.
     if: startsWith(github.ref, 'refs/tags/')
     uses: ./.github/workflows/release.yaml
-    secrets:
-      PRIVATE_REPO_CLONING_TOKEN: ${{ secrets.PRIVATE_REPO_CLONING_TOKEN }}

.github/workflows/lint-and-test.yaml

@@ -5,8 +5,8 @@ on:
     branches:
       - main
       - dev
-      - 'release/**'
-      - 'hotfix/**'
+      - "release/**"
+      - "hotfix/**"
     paths-ignore: &ignored_paths
       - "*.md"
       - "LICENSE"
@@ -15,8 +15,8 @@ on:
     branches:
       - main
       - dev
-      - 'release/**'
-      - 'hotfix/**'
+      - "release/**"
+      - "hotfix/**"
     paths-ignore: *ignored_paths
 
 jobs:
@@ -34,8 +34,8 @@ jobs:
       - name: Scan code with Trivy
         uses: aquasecurity/trivy-action@0.33.1
         with:
-          scan-type: 'fs'
-          scan-ref: '.'
+          scan-type: "fs"
+          scan-ref: "."
           exit-code: "1"
           ignore-unfixed: true
           severity: "CRITICAL,HIGH,MEDIUM"
@@ -66,7 +66,6 @@ jobs:
   #       uses: actions/checkout@v4
   #       with:
   #         submodules: "recursive"
-  #         token: ${{ secrets.PRIVATE_REPO_CLONING_TOKEN }}
 
   #     - name: setup flutter
   #       uses: subosito/flutter-action@v2

.github/workflows/release.yaml

@@ -2,10 +2,6 @@ name: "Release"
 
 on:
   workflow_call:
-    secrets:
-      PRIVATE_REPO_CLONING_TOKEN:
-        description: "Cloning token"
-        required: true
 
 jobs:
   create-release:
@@ -28,12 +24,10 @@ jobs:
           files: |
             ./artifacts/Defguard.ipa
             ./artifacts/app-release.aab
+            ./artifacts/app-release.apk
 
   create-sbom:
     needs: [create-release]
     uses: ./.github/workflows/sbom.yaml
     with:
       upload_url: ${{ needs.create-release.outputs.upload_url }}
-    secrets:
-      PRIVATE_REPO_CLONING_TOKEN: ${{ secrets.PRIVATE_REPO_CLONING_TOKEN }}
-

.github/workflows/sbom-regenerate.yaml

@@ -1,8 +1,10 @@
 name: Periodic SBOM Regeneration
+permissions:
+  contents: write
 
 on:
   schedule:
-    - cron: '30 2 * * *' # 2:30 AM UTC
+    - cron: "30 2 * * *" # 2:30 AM UTC
 
 jobs:
   list-releases:
@@ -35,5 +37,4 @@ jobs:
     with:
       upload_url: ${{ matrix.release.uploadUrl }}
       tag: ${{ matrix.release.tagName }}
-    secrets:
-      PRIVATE_REPO_CLONING_TOKEN: ${{ secrets.PRIVATE_REPO_CLONING_TOKEN }}
+    secrets: inherit

.github/workflows/sbom.yaml

@@ -11,13 +11,11 @@ on:
         description: "The git tag to generate SBOM for - used in scheduled runs"
         required: false
         type: string
-    secrets:
-      PRIVATE_REPO_CLONING_TOKEN:
-        description: "Cloning token"
-        required: true
 
 jobs:
   create-sbom:
+    permissions:
+      contents: write
     runs-on: [self-hosted, Linux, X64]
 
     steps:
@@ -33,27 +31,26 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          submodules: recursive
           ref: ${{ steps.vars.outputs.TAG_NAME }}
-          token: ${{ secrets.PRIVATE_REPO_CLONING_TOKEN }}
+          submodules: recursive
 
       - name: Create SBOM with Trivy
         uses: aquasecurity/trivy-action@0.33.1
         with:
-          scan-type: 'fs'
-          format: 'spdx-json'
+          scan-type: "fs"
+          format: "spdx-json"
           output: "defguard-mobile-${{ steps.vars.outputs.VERSION }}.sbom.json"
-          scan-ref: '.'
+          scan-ref: "."
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
       - name: Create security advisory file with Trivy
         uses: aquasecurity/trivy-action@0.33.1
         with:
-          scan-type: 'fs'
-          format: 'json'
+          scan-type: "fs"
+          format: "json"
           output: "defguard-mobile-${{ steps.vars.outputs.VERSION }}.advisories.json"
-          scan-ref: '.'
+          scan-ref: "."
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 

.gitignore

@@ -0,0 +1,2 @@
+.envrc
+.direnv/