Add signature verification to gradle dependencies #2420
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Android - Audit dependencies | |
on: | |
pull_request: | |
paths: | |
- .github/workflows/android-audit.yml | |
- android/gradle/verification-metadata.xml | |
- android/config/dependency-check-suppression.xml | |
- android/test/test-suppression.xml | |
- android/scripts/update-lockfile.sh | |
schedule: | |
# At 06:20 UTC every day. | |
# Notifications for scheduled workflows are sent to the user who last modified the cron | |
# syntax in the workflow file. If you update this you must have notifications for | |
# Github Actions enabled, so these don't go unnoticed. | |
# https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs | |
- cron: '20 6 * * *' | |
workflow_dispatch: | |
inputs: | |
override_container_image: | |
description: Override container image | |
type: string | |
required: false | |
permissions: {} | |
jobs: | |
prepare: | |
name: Prepare | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
- name: Use custom container image if specified | |
if: ${{ github.event.inputs.override_container_image != '' }} | |
run: echo "inner_container_image=${{ github.event.inputs.override_container_image }}" | |
>> $GITHUB_ENV | |
- name: Use default container image and resolve digest | |
if: ${{ github.event.inputs.override_container_image == '' }} | |
run: | | |
echo "inner_container_image=$(cat ./building/android-container-image.txt)" >> $GITHUB_ENV | |
outputs: | |
container_image: ${{ env.inner_container_image }} | |
owasp-dependency-check: | |
needs: prepare | |
runs-on: ubuntu-latest | |
container: | |
image: ${{ needs.prepare.outputs.container_image }} | |
steps: | |
# Fix for HOME path overridden by GH runners when building in containers, see: | |
# https://github.com/actions/runner/issues/863 | |
- name: Fix HOME path | |
run: echo "HOME=/root" >> $GITHUB_ENV | |
- name: Set locale | |
run: echo "LC_ALL=C.UTF-8" >> $GITHUB_ENV | |
- uses: actions/checkout@v3 | |
- name: Run gradle audit task | |
run: android/gradlew -p android dependencyCheckAnalyze | |
ensure-clean-lockfile: | |
needs: prepare | |
name: Ensure clean lockfile | |
runs-on: ubuntu-latest | |
container: | |
image: ${{ needs.prepare.outputs.container_image }} | |
steps: | |
# Fix for HOME path overridden by GH runners when building in containers, see: | |
# https://github.com/actions/runner/issues/863 | |
- name: Fix HOME path | |
run: echo "HOME=/root" >> $GITHUB_ENV | |
- name: Set locale | |
run: echo "LC_ALL=C.UTF-8" >> $GITHUB_ENV | |
- uses: actions/checkout@v3 | |
- name: Fix git dir | |
run: git config --global --add safe.directory $(pwd) | |
- name: Copy maybenot machines to asset directory | |
run: | | |
mkdir -p android/app/build/extraAssets | |
cp dist-assets/maybenot_machines android/app/build/extraAssets/maybenot_machines | |
- name: Re-generate lockfile | |
run: android/scripts/update-lockfile.sh | |
- name: Ensure no changes | |
run: git diff --exit-code |