77 lines
2.3 KiB
YAML
77 lines
2.3 KiB
YAML
# Android CI — JVM unit tests + static repo scans + secret scan.
|
|
#
|
|
# Secrets are intentionally ABSENT here: the debug build compiles with an empty
|
|
# APP_CHECK_DEBUG_TOKEN and a placeholder RC_API_KEY (see app/build.gradle.kts
|
|
# `secret()` resolution). CI-built APKs therefore cannot pass App Check once
|
|
# enforcement is on — expected; CI only runs JVM tests.
|
|
#
|
|
# app/google-services.json is gitignored (live Firebase config), but the
|
|
# google-services Gradle plugin hard-fails without one, so CI copies the dummy
|
|
# stub from .github/ci/google-services.json before any Gradle task.
|
|
name: Android CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main, dev]
|
|
pull_request:
|
|
|
|
jobs:
|
|
unit-tests:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-java@v4
|
|
with:
|
|
distribution: temurin
|
|
java-version: "17"
|
|
|
|
- uses: gradle/actions/setup-gradle@v4
|
|
|
|
- name: Provide stub google-services.json (real one is gitignored)
|
|
run: |
|
|
if [ ! -f app/google-services.json ]; then
|
|
cp .github/ci/google-services.json app/google-services.json
|
|
fi
|
|
|
|
- name: Unit tests
|
|
run: ./gradlew testDebugUnitTest
|
|
|
|
- name: Upload test reports on failure
|
|
if: failure()
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: unit-test-reports
|
|
path: app/build/reports/tests/
|
|
|
|
repo-scans:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
# Static scanners that gate known regression classes (theme tokens,
|
|
# navigation wiring, IME flags, painter/XML drawable misuse).
|
|
- name: Scan scripts
|
|
run: |
|
|
bash scripts/theme-scan.sh
|
|
bash scripts/wiring-scan.sh
|
|
bash scripts/ime-scan.sh
|
|
bash scripts/painter-xml-scan.sh
|
|
|
|
gitleaks:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0 # full history so the scan covers every commit
|
|
|
|
- name: Run gitleaks
|
|
env:
|
|
GITLEAKS_VERSION: "8.21.2"
|
|
run: |
|
|
curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz gitleaks
|
|
./gitleaks detect --source . --no-banner --redact
|