mirror of
https://github.com/we-promise/sure.git
synced 2026-06-01 16:59:03 +00:00
956c27df6b
* chore(ci): pin GitHub Actions to commit SHAs (#1811) Follow-up to #1810. The Node-24 upgrade left every workflow on mutable tag refs (`actions/checkout@v5`, `actions/download-artifact@v7`, etc.) which superagent-security[bot] flagged on the ci.yml + publish.yml reviews. Pin all 18 external actions to the commit SHA they currently resolve to and add a trailing `# vMAJOR.MINOR.PATCH` comment so reviewers can see the version. Local reusable-workflow refs (`uses: ./.github/...`) are left alone — pinning those would defeat the point. Closes #1811 * chore(ci): address review — persist-credentials + setup-node consistency (#1811) Two pieces of follow-up feedback on the SHA-pinning PR: - @coderabbitai (P1 nitpicks) + @JSONbored: add 'persist-credentials: false' to checkout steps in jobs that don't perform authenticated git operations. Adds the line to 17 read-only checkouts across 9 workflows (chart-ci, ci, flutter-build, helm-publish, ios-testflight, llm-evals, preview-cleanup, preview-deploy, publish:build). Checkouts inside jobs that 'git push' (chart-release, mobile-build, mobile-release, helm-publish:second-checkout, publish:bump-pre_release) are intentionally left alone so they keep their token. - @jjmata: preview-deploy.yml was the only workflow on actions/setup-node v6.4.0; everywhere else pinned v5.0.0. Standardise on v5.0.0 to match. Dependabot config already has a github-actions ecosystem entry with a weekly schedule, so no addition needed for that point. * chore(ci): document intentional setup-node v6→5 normalization (#1811) @superagent-security flagged the v6.4.0 -> v5.0.0 change in preview-deploy.yml as a possible unintended downgrade. The downgrade was deliberate, per @jjmata's review request to normalize setup-node across all workflows. Add an inline YAML comment next to the line so future scans don't re-flag it. --------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Co-authored-by: jeffrey701 <jeffrey701@users.noreply.github.com> Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
181 lines
6.0 KiB
YAML
181 lines
6.0 KiB
YAML
name: Flutter Mobile Build
|
|
|
|
on:
|
|
workflow_call:
|
|
outputs:
|
|
has_app_release_aab:
|
|
description: "Whether a signed release AAB artifact was produced"
|
|
value: ${{ jobs.build-android.outputs.has_app_release_aab }}
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
build-android:
|
|
name: Build Android APK
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
outputs:
|
|
has_app_release_aab: ${{ steps.check_secrets.outputs.has_keystore }}
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Java
|
|
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
|
|
with:
|
|
distribution: 'temurin'
|
|
java-version: '17'
|
|
|
|
- name: Set up Flutter
|
|
uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
|
|
with:
|
|
flutter-version: '3.32.4'
|
|
channel: 'stable'
|
|
cache: true
|
|
|
|
- name: Get dependencies
|
|
working-directory: mobile
|
|
run: flutter pub get
|
|
|
|
- name: Copy Sure icons from public/
|
|
run: cp public/android-chrome-512x512.png mobile/assets/icon/app_icon.png
|
|
|
|
- name: Generate app icons
|
|
working-directory: mobile
|
|
run: flutter pub run flutter_launcher_icons
|
|
|
|
- name: Analyze code
|
|
working-directory: mobile
|
|
run: flutter analyze --no-fatal-infos
|
|
|
|
- name: Run tests
|
|
working-directory: mobile
|
|
run: flutter test
|
|
|
|
- name: Check if keystore secrets exist
|
|
id: check_secrets
|
|
run: |
|
|
if [ -n "${{ secrets.KEYSTORE_BASE64 }}" ]; then
|
|
echo "has_keystore=true" >> $GITHUB_OUTPUT
|
|
echo "✓ Keystore secrets found, will build signed APK"
|
|
else
|
|
echo "has_keystore=false" >> $GITHUB_OUTPUT
|
|
echo "⚠ No keystore secrets, will build unsigned debug APK"
|
|
fi
|
|
|
|
- name: Decode and setup keystore
|
|
if: steps.check_secrets.outputs.has_keystore == 'true'
|
|
env:
|
|
KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
|
|
KEY_STORE_PASSWORD: ${{ secrets.KEY_STORE_PASSWORD }}
|
|
KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
|
|
KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
|
|
run: |
|
|
echo "$KEYSTORE_BASE64" | base64 -d > mobile/android/app/upload-keystore.jks
|
|
echo "storePassword=$KEY_STORE_PASSWORD" > mobile/android/key.properties
|
|
echo "keyPassword=$KEY_PASSWORD" >> mobile/android/key.properties
|
|
echo "keyAlias=$KEY_ALIAS" >> mobile/android/key.properties
|
|
echo "storeFile=upload-keystore.jks" >> mobile/android/key.properties
|
|
echo "✓ Keystore configured successfully"
|
|
|
|
- name: Build APK (Release)
|
|
working-directory: mobile
|
|
run: |
|
|
if [ "${{ steps.check_secrets.outputs.has_keystore }}" == "true" ]; then
|
|
echo "Building signed release APK..."
|
|
flutter build apk --release
|
|
else
|
|
echo "Building debug-signed APK..."
|
|
flutter build apk --debug
|
|
fi
|
|
|
|
- name: Upload APK artifact
|
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
|
|
with:
|
|
name: app-release-apk
|
|
path: |
|
|
mobile/build/app/outputs/flutter-apk/app-release.apk
|
|
mobile/build/app/outputs/flutter-apk/app-debug.apk
|
|
retention-days: 30
|
|
if-no-files-found: ignore
|
|
|
|
- name: Build App Bundle (Release)
|
|
if: steps.check_secrets.outputs.has_keystore == 'true'
|
|
working-directory: mobile
|
|
run: flutter build appbundle --release
|
|
|
|
- name: Upload AAB artifact
|
|
if: steps.check_secrets.outputs.has_keystore == 'true'
|
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
|
|
with:
|
|
name: app-release-aab
|
|
path: mobile/build/app/outputs/bundle/release/app-release.aab
|
|
retention-days: 30
|
|
|
|
build-ios:
|
|
name: Build iOS IPA
|
|
runs-on: macos-latest
|
|
timeout-minutes: 45
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Flutter
|
|
uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
|
|
with:
|
|
flutter-version: '3.32.4'
|
|
channel: 'stable'
|
|
cache: true
|
|
|
|
- name: Get dependencies
|
|
working-directory: mobile
|
|
run: flutter pub get
|
|
|
|
- name: Copy Sure icons from public/
|
|
run: cp public/android-chrome-512x512.png mobile/assets/icon/app_icon.png
|
|
|
|
- name: Generate app icons
|
|
working-directory: mobile
|
|
run: flutter pub run flutter_launcher_icons
|
|
|
|
- name: Install CocoaPods dependencies
|
|
working-directory: mobile/ios
|
|
run: pod install
|
|
|
|
- name: Analyze code
|
|
working-directory: mobile
|
|
run: flutter analyze --no-fatal-infos
|
|
|
|
- name: Run tests
|
|
working-directory: mobile
|
|
run: flutter test
|
|
|
|
- name: Build iOS (No Code Signing)
|
|
working-directory: mobile
|
|
run: flutter build ios --release --no-codesign
|
|
|
|
- name: Create IPA archive info
|
|
working-directory: mobile
|
|
run: |
|
|
echo "iOS build completed successfully" > build/ios-build-info.txt
|
|
echo "Build date: $(date)" >> build/ios-build-info.txt
|
|
echo "Note: This build is not code-signed and cannot be installed on physical devices" >> build/ios-build-info.txt
|
|
echo "For distribution, you need to configure code signing with Apple certificates" >> build/ios-build-info.txt
|
|
|
|
- name: Upload iOS build artifact
|
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
|
|
with:
|
|
name: ios-build-unsigned
|
|
path: |
|
|
mobile/build/ios/iphoneos/Runner.app
|
|
mobile/build/ios-build-info.txt
|
|
retention-days: 30
|