Pixelfed/PixelDroid-App-Android
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'security_suggestions' into 'master'

Browse Source 
Security suggestion, CI changes

See merge request pixeldroid/PixelDroid!446
This commit is contained in:
Matthieu 2022-07-16 08:53:16 +00:00
commit c0449f9adf
2 changed files with 57 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
.gitlab-ci.yml
View File

@ -1,11 +1,4 @@
image: reactivecircus/android-emulator-23:latest image: registry.gitlab.com/fdroid/ci-images-client
variables:
API_LEVEL: "23"
ARCH: "x86"
TARGET: "default"
before_script: before_script:
- export GRADLE_USER_HOME=`pwd`/.gradle - export GRADLE_USER_HOME=`pwd`/.gradle
@ -21,6 +14,9 @@ lintDebug:
interruptible: true interruptible: true
stage: build stage: build
script: script:
- apt-get update || apt-get update
- apt-get install -y openjdk-11-jdk-headless
- update-alternatives --auto java
- ./gradlew checkLicenses - ./gradlew checkLicenses
- ./gradlew -Pci --console=plain :app:lintDebug -PbuildDir=lint - ./gradlew -Pci --console=plain :app:lintDebug -PbuildDir=lint
@ -28,50 +24,56 @@ lintDebug:
assembleDebug: assembleDebug:
interruptible: true interruptible: true
stage: build stage: build
tags:
- server_artectrex
script: script:
- apt-get update || apt-get update
- apt-get install -y openjdk-11-jdk-headless
- update-alternatives --auto java
- ./gradlew assembleDebug - ./gradlew assembleDebug
artifacts: artifacts:
paths: paths:
- app/build/outputs/ - app/build/outputs/
# Run all tests, if any fails, interrupt the pipeline(fail it) # Run all tests, if any fails, interrupt the pipeline (fail it)
debugTests: debugTests:
interruptible: true interruptible: true
stage: test stage: test
script: script:
- apt-get update || apt-get update
- apt-get install -y openjdk-11-jdk-headless
- update-alternatives --auto java
- ./gradlew -Pci --console=plain :app:testDebug -x lint - ./gradlew -Pci --console=plain :app:testDebug -x lint
.connected-template: &connected-template
emulatorTest: stage: test
interruptible: true image: registry.gitlab.com/fdroid/ci-images-client
stage: test script:
script: - start-emulator
- echo no | avdmanager create avd --force --name "api-${API_LEVEL}" --abi "${TARGET}/${ARCH}" --package "system-images;android-${API_LEVEL};${TARGET};${ARCH}" - wait-for-emulator
- $ANDROID_SDK_ROOT/emulator/emulator -avd "api-${API_LEVEL}" -no-window -gpu swiftshader_indirect -no-snapshot -noaudio -no-boot-anim -camera-back none & - adb devices
- chmod +x android-wait-for-emulator.sh - adb shell input keyevent 82 &
- ./gradlew build -x lint # Switch to right java version for building the app
- ./android-wait-for-emulator.sh - apt-get update || apt-get update
- adb shell settings put global window_animation_scale 0.0 - apt-get install -y openjdk-11-jdk-headless
- adb shell settings put global transition_animation_scale 0.0 - update-alternatives --auto java
- adb shell settings put global animator_duration_scale 0.0 - ./gradlew connectedStagingAndroidTest || (adb -e logcat -d > logcat.txt; exit 1)
- ./gradlew build connectedCheck connectedStagingAndroidTest jacocoTestReport -x lint
- cat app/build/reports/jacoco/jacocoTestReport/html/index.html | grep -o 'Total[^%]*%'
artifacts:
when: always
paths:
- ./app/build/reports/jacoco/jacocoTestReport/
expire_in: 1 week
fdroid build:
image: registry.gitlab.com/fdroid/ci-images-client:latest
allow_failure: true
artifacts: artifacts:
paths: paths:
- unsigned/ - logcat.txt
connected 24 default x86_64:
<<: *connected-template
fdroid build:
stage: build
image: registry.gitlab.com/fdroid/ci-images-client:latest
allow_failure: true
tags:
- server_artectrex
artifacts:
paths:
- signed/
when: always when: always
only: only:
- tags - tags
@ -79,6 +81,7 @@ fdroid build:
key: "$CI_JOB_NAME" key: "$CI_JOB_NAME"
paths: paths:
- .gradle - .gradle
- .android
script: script:
# Put the correct versionName and versionCode in the .fdroid.yml # Put the correct versionName and versionCode in the .fdroid.yml
- sed -e "s/\${versionName}/$(grep "versionName " app/build.gradle | awk '{print $2}')/" -e "s/\${versionCode}/$(grep "versionCode" app/build.gradle | awk '{print $2}')/" .fdroid.yml.template > .fdroid.yml - sed -e "s/\${versionName}/$(grep "versionName " app/build.gradle | awk '{print $2}')/" -e "s/\${versionCode}/$(grep "versionCode" app/build.gradle | awk '{print $2}')/" .fdroid.yml.template > .fdroid.yml
@ -96,10 +99,11 @@ fdroid build:
- adduser --disabled-password --gecos "" vagrant - adduser --disabled-password --gecos "" vagrant
- ln -s $CI_PROJECT_DIR/fdroidserver /home/vagrant/fdroidserver - ln -s $CI_PROJECT_DIR/fdroidserver /home/vagrant/fdroidserver
- mkdir -p /vagrant/cache - mkdir -p /vagrant/cache
- wget -q https://services.gradle.org/distributions/gradle-5.6.2-bin.zip - wget -q https://services.gradle.org/distributions/gradle-5.6.2-bin.zip --output-document=/vagrant/cache/gradle-5.6.2-bin.zip
--output-document=/vagrant/cache/gradle-5.6.2-bin.zip # Check sha256 of the gralde build
- echo '32fce6628848f799b0ad3205ae8db67d0d828c10ffe62b748a7c0d9f4a5d9ee0 /vagrant/cache/gradle-5.6.2-bin.zip' | sha256sum -c
- bash fdroidserver/buildserver/provision-gradle - bash fdroidserver/buildserver/provision-gradle
- bash fdroidserver/buildserver/provision-apt-get-install http://deb.debian.org/debian - bash fdroidserver/buildserver/provision-apt-get-install https://deb.debian.org/debian
- source /etc/profile.d/bsenv.sh - source /etc/profile.d/bsenv.sh
- apt-get dist-upgrade - apt-get dist-upgrade
@ -111,11 +115,16 @@ fdroid build:
python3-ruamel.yaml python3-ruamel.yaml
yamllint yamllint
- apt-get purge fdroidserver - apt-get purge fdroidserver
- export GRADLE_USER_HOME=$PWD/.gradle - export GRADLE_USER_HOME=$PWD/.gradle
# each `fdroid build --on-server` run expects sudo, then uninstalls it # each fdroid build --on-server run expects sudo, then uninstalls it
- set -x - set -x
- apt-get install sudo - apt-get install sudo
- fdroid fetchsrclibs --verbose - fdroid fetchsrclibs --verbose
# this builds the latest version of the app from its source dir, using the build recipe in .fdroid.yml # this builds the latest version of the app from its source dir, using the build recipe in .fdroid.yml
- fdroid build --verbose --on-server --no-tarball - fdroid build --verbose --on-server --no-tarball
# create a keystore if we dont have one
- ls .android || mkdir .android
- ls .android/debug.keystore || keytool -genkey -v -keystore .android/debug.keystore -storepass android -alias androiddebugkey -keypass android -keyalg RSA -keysize 2048 -validity 10000 -dname 'C=US, O=Android, CN=Android Debug'
# sign the apk
- cp -R unsigned signed
- jarsigner -verbose -keystore .android/debug.keystore -storepass android -keypass android signed/*.apk androiddebugkey

5
app/build.gradle
View File

@ -94,7 +94,12 @@ android {
apply plugin: 'kotlin-kapt' apply plugin: 'kotlin-kapt'
lint { lint {
//We can't expect translators to always keep up immediately:
// don't fail if a a string is untranslated
disable 'MissingTranslation' disable 'MissingTranslation'
// This lint indicates a wrong translation:
// Remove this exception once https://github.com/WeblateOrg/weblate/issues/7520 is solved
disable 'MissingQuantity'
} }
} }