Run exodus on all PR branches.

Build the release APK for each PR commit, run exodus against that APK.

.github/workflows/build.yml

@@ -46,8 +46,9 @@ jobs:
   release:
     name: Build unsigned GPlay APKs
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
-    # Only runs on main, no concurrency.
+    concurrency:
+      group: ${{ github.ref == 'refs/head/main' && format('build-release-apk-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('build-release-apk-develop-{0}', github.sha) || format('build-debug-{0}', github.ref)  }}
+      cancel-in-progress: ${{ github.ref != 'refs/head/main' }}
     steps:
       - uses: actions/checkout@v3
       - uses: actions/cache@v3
@@ -67,4 +68,26 @@ jobs:
           path: |
             vector/build/outputs/apk/*/release/*.apk
 
-# TODO add exodus checks
+  exodus:
+    runs-on: ubuntu-latest
+    needs: release
+    steps:
+      - name: Obtain apk from artifact
+        id: download
+        uses: actions/download-artifact@v3
+        with:
+          name: vector-gplay-release-unsigned
+      - name: Show apks in artifact
+        run: ls -R ${{steps.download.outputs.download-path}}
+      - name: Execute exodus-standalone
+        uses: docker://exodusprivacy/exodus-standalone:latest
+        with:
+          args: /github/workspace/gplay/release/vector-gplay-universal-release-unsigned.apk -j -o /github/workspace/exodus.json
+      - name: Upload exodus json report
+        uses: actions/upload-artifact@v3
+        with:
+          name: exodus.json
+          path: |
+           exodus.json
+      - name: Check for trackers
+        run: "jq -e '.trackers == []' exodus.json > /dev/null || { echo '::error static analysis identified user tracking library' ; exit 1; }"