# Android CI — JVM unit tests + static repo scans + secret scan. # # Secrets are intentionally ABSENT here: the debug build compiles with an empty # APP_CHECK_DEBUG_TOKEN and a placeholder RC_API_KEY (see app/build.gradle.kts # `secret()` resolution). CI-built APKs therefore cannot pass App Check once # enforcement is on — expected; CI only runs JVM tests. # # app/google-services.json is gitignored (live Firebase config), but the # google-services Gradle plugin hard-fails without one, so CI copies the dummy # stub from .github/ci/google-services.json before any Gradle task. name: Android CI on: push: branches: [main, dev] pull_request: jobs: unit-tests: runs-on: ubuntu-latest timeout-minutes: 30 steps: - uses: actions/checkout@v4 - uses: actions/setup-java@v4 with: distribution: temurin java-version: "17" - uses: gradle/actions/setup-gradle@v4 - name: Provide stub google-services.json (real one is gitignored) run: | if [ ! -f app/google-services.json ]; then cp .github/ci/google-services.json app/google-services.json fi - name: Unit tests run: ./gradlew testDebugUnitTest - name: Upload test reports on failure if: failure() uses: actions/upload-artifact@v4 with: name: unit-test-reports path: app/build/reports/tests/ repo-scans: runs-on: ubuntu-latest timeout-minutes: 10 steps: - uses: actions/checkout@v4 # Static scanners that gate known regression classes (theme tokens, # navigation wiring, IME flags, painter/XML drawable misuse). - name: Scan scripts run: | bash scripts/theme-scan.sh bash scripts/wiring-scan.sh bash scripts/ime-scan.sh bash scripts/painter-xml-scan.sh gitleaks: runs-on: ubuntu-latest timeout-minutes: 10 steps: - uses: actions/checkout@v4 with: fetch-depth: 0 # full history so the scan covers every commit - name: Run gitleaks env: GITLEAKS_VERSION: "8.21.2" run: | curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz gitleaks ./gitleaks detect --source . --no-banner --redact