Skip to content

Add password policy to export keys (#1145) #2310

Add password policy to export keys (#1145)

Add password policy to export keys (#1145) #2310

Workflow file for this run

name: APK Build
on:
pull_request: { }
push:
branches: [ main, develop ]
tags: [ tchap_v* ]
# Enrich gradle.properties for CI/CD
env:
# TCHAP increase Xmx to 4g to achieve build in CI and adding default -XX:MaxMetaspaceSize jvmargs parameter https://github.com/gradle/gradle-build-action/issues/122
GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx4g -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:MaxMetaspaceSize=1g" -Dkotlin.daemon.jvm.options="-Xmx2560m" -Dkotlin.incremental=false
CI_GRADLE_ARG_PROPERTIES: --stacktrace -PpreDexEnable=false --max-workers 2 --no-daemon
jobs:
debug:
name: Build debug APKs (${{ matrix.target }})
# TCHAP use ubuntu-20.04 instead of latest version according to https://github.com/actions/runner-images/issues/6709
runs-on: ubuntu-20.04
if: github.ref != 'refs/heads/main'
strategy:
fail-fast: false
matrix:
target: [ GplayDevTchapWithdmvoipWithoutpinning, FdroidDevTchapWithdmvoipWithoutpinning, GplayBtchapWithvoipWithpinning ]
# Allow all jobs on develop. Just one per PR.
concurrency:
group: ${{ github.ref == 'refs/heads/develop' && format('integration-tests-develop-{0}-{1}', matrix.target, github.sha) || format('build-debug-{0}-{1}', matrix.target, github.ref) }}
cancel-in-progress: true
steps:
- uses: actions/checkout@v4
with:
# https://github.com/actions/checkout/issues/881
ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
- name: Use JDK 17
uses: actions/setup-java@v4
with:
distribution: 'temurin' # See 'Supported distributions' for available options
java-version: '17'
- name: Configure gradle
uses: gradle/actions/setup-gradle@v3
with:
cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
- name: Assemble ${{ matrix.target }} debug apk
run: ./gradlew assemble${{ matrix.target }}Debug $CI_GRADLE_ARG_PROPERTIES
- name: Upload ${{ matrix.target }} debug APKs
uses: actions/upload-artifact@v3
with:
name: ${{ matrix.target }}-debug
path: |
vector-app/build/outputs/apk/*/debug/*.apk
release:
name: Build unsigned ${{ matrix.target }} APKs
# TCHAP use ubuntu-20.04 instead of latest version according to https://github.com/actions/runner-images/issues/6709
runs-on: ubuntu-20.04
# TCHAP Generate apks on new tchap release
if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/tchap_v')
strategy:
fail-fast: false
matrix:
target: [ GplayBtchapWithdmvoipWithpinning, GplayTchapWithdmvoipWithpinning, FdroidBtchapWithdmvoipWithoutpinning, FdroidTchapWithdmvoipWithoutpinning, GplayBtchapWithvoipWithpinning ]
concurrency:
# TCHAP custom group
group: ${{ github.ref == 'refs/head/main' && format('build-release-apk-main-{0}-{1}', github.sha, matrix.target) || startsWith(github.ref, 'refs/tags/tchap_v') && format('build-release-apk-tag-{0}-{1}', github.sha, matrix.target) }}
cancel-in-progress: ${{ github.ref != 'refs/head/main' && !startsWith(github.ref, 'refs/tags/tchap_v') }}
steps:
- uses: actions/checkout@v4
# TCHAP stay on current branch
# with:
# https://github.com/actions/checkout/issues/881
# ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.ref }}
- name: Use JDK 17
uses: actions/setup-java@v4
with:
distribution: 'temurin' # See 'Supported distributions' for available options
java-version: '17'
- name: Configure gradle
uses: gradle/actions/setup-gradle@v3
with:
cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
- name: Assemble ${{ matrix.target }} unsigned apk
run: ./gradlew clean assemble${{ matrix.target }}Release $CI_GRADLE_ARG_PROPERTIES
- name: Upload ${{ matrix.target }} unsigned APKs
uses: actions/upload-artifact@v3
with:
name: ${{ matrix.target }}-release-unsigned
path: |
vector-app/build/outputs/apk/*/release/*.apk
exodus:
runs-on: ubuntu-latest
needs: release
env:
# TCHAP only generate exodus report for the following target
TARGET_NAME: "GplayTchapWithdmvoipWithpinning"
TARGET_FOLDER: "gplayTchapWithdmvoipWithpinning"
steps:
- name: Obtain apk from artifact
id: download
uses: actions/download-artifact@v3
with:
name: ${{ env.TARGET_NAME }}-release-unsigned
- name: Show apks in artifact
id: list-apks
# TCHAP Find apks in artifacts
run: |
ls -R ${{steps.download.outputs.download-path}} | grep ".apk"
echo ::set-output name=FIRST_APK_NAME::$(ls -R ${{steps.download.outputs.download-path}} | grep ".apk" | head -1)
- name: Execute exodus-standalone
uses: docker://exodusprivacy/exodus-standalone:latest
with:
# Don't fail when finding trackers so they can be reported later
args: /github/workspace/${{ env.TARGET_FOLDER }}/release/${{ steps.list-apks.outputs.FIRST_APK_NAME }} -j -o /github/workspace/exodus.json -e 0
- name: Upload exodus json report
uses: actions/upload-artifact@v3
with:
name: exodus.json
path: |
exodus.json
- name: Check for trackers
env:
SENTRY_ID: 447
# Should only contain a Sentry item
run: |
TRACKER_IDS=$(jq ".trackers[] | .id" exodus.json)
[ $TRACKER_IDS = ${{ env.SENTRY_ID }} ] || { echo '::error static analysis identified user tracking library' ; exit 1; }