Adds GHA definition and component tests (#10)

* Adds GHA definition and component tests * Changing paths * Renaming jobs * Adding missing secrets and cleaning-up
dotanuki-labs · Sep 22, 2024 · 0d2e746 · 0d2e746
1 parent dc5adc3
commit 0d2e746
Show file tree

Hide file tree

Showing 8 changed files with 95 additions and 19 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -28,7 +28,7 @@ jobs:
           file-patterns: "*.sh,*.yml"
           license: "mit"
 
-  e2e:
+  acceptance-tests:
     needs: quality-checks
     runs-on: ubuntu-22.04
 
@@ -37,32 +37,47 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Test scanning standalone Android apk
-        run: ./e2e/pocketcasts-android.sh
+        run: ./tests/pocketcasts-android.sh
         env:
           APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_POCKETCASTS_ANDROID_KEY }}
 
       - name: Test scanning standalone iOS xcarchive
-        run: ./e2e/pocketcasts-ios.sh
+        run: ./tests/pocketcasts-ios.sh
         env:
           APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_POCKETCASTS_IOS_KEY }}
 
       - name: Test scanning iOS ipa plus dSyms
-        run: ./e2e/bitwarden-ios.sh
+        run: ./tests/bitwarden-ios.sh
         env:
           APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_BITWARDEN_IOS_KEY }}
 
       - name: Test scanning Android apk plus mappings
-        run: ./e2e/cromite-android.sh
+        run: ./tests/cromite-android.sh
         env:
           APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_CROMITE_ANDROID_KEY }}
 
   component-tests:
-    needs: e2e
+    needs: acceptance-tests
     runs-on: ubuntu-22.04
 
     steps:
       - name: Project Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - name: Run tests
-        run: echo "To do"
+      - name: Prepares fixtures
+        run: ./tests/fixtures.sh
+
+      - name: Component test for iOS GHA
+        uses: ./
+        with:
+          archive-file: .tmp/pocket-casts-ios.xcarchive
+        env:
+          APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_POCKETCASTS_IOS_KEY }}
+
+      - name: Component test for Android GHA
+        uses: ./
+        with:
+          archive-file: .tmp/pocket-casts-android.apk
+          wait-for-summary: true
+        env:
+          APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_POCKETCASTS_ANDROID_KEY }}
diff --git a/action.yml b/action.yml
@@ -0,0 +1,27 @@
+# Copyright 2024 Dotanuki Labs
+# SPDX-License-Identifier: MIT
+
+name: "appsweep-scan-action"
+description: "Scan Android or iOS artifacts for security issues with Guardsquare Appsweep"
+
+inputs:
+  archive-file:
+    description: >
+      Path to the Android archive to scan. Accepted formats: '.aab' and '.apk'
+    required: true
+  symbols:
+    description: >
+      Path to the R8/proguard mappings file (Android) or folder with dSyms (iOS)
+    required: false
+    default: "none"
+  wait-for-summary:
+    description: >
+      Whether or not this Action should wait for scan outcomes and show the summary of issues
+    default: "none"
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - shell: bash
+      run: ${{ github.action_path }}/main.sh --archive ${{ inputs.archive-file }} --extras ${{ inputs.symbols }} --summary ${{ inputs.wait-for-summary }}
diff --git a/src/main.sh → main.sh b/src/main.sh → main.sh
@@ -20,6 +20,16 @@ require_archive() {
     fi
 }
 
+sanitize_inputs() {
+    if [[ "$extras" == "none" ]]; then
+        unset extras
+    fi
+
+    if [[ "$summary" == "none" ]]; then
+        unset summary
+    fi
+}
+
 require_r8_or_proguard_mappings() {
     if [[ ! -f "$extras" ]]; then
         echo "✗ ERROR : '$extras' R8/proguard mapping file not found"
@@ -110,17 +120,18 @@ while [ "$#" -gt 0 ]; do
         shift 2
         ;;
     --summary)
-        summary=1
-        shift 1
+        summary="$2"
+        shift 2
         ;;
     *)
-        error "Unknown argument: $1"
+        echo "Unknown argument: $1"
         exit 1
         ;;
     esac
 done
 
 require_archive
+sanitize_inputs
 
 case "$archive" in
 *.apk | *.aab)

diff --git a/e2e/bitwarden-ios.sh → tests/bitwarden-ios.sh b/e2e/bitwarden-ios.sh → tests/bitwarden-ios.sh
@@ -2,7 +2,7 @@
 # Copyright 2024 Dotanuki Labs
 # SPDX-License-Identifier: MIT
 
-set -euo pipefail
+set -e
 
 readonly repo="bitwarden/ios"
 readonly version="v2024.9.1"
@@ -24,4 +24,4 @@ curl -fsSL -o "$actual_dir/.tmp/$ipa" -C - "$ipa_download_url"
 curl -fsSL -o "$actual_dir/.tmp/$dsyms_zip" -C - "$dsyms_download_url"
 unzip -d "$actual_dir/.tmp/dsyms" "$actual_dir/.tmp/$dsyms_zip" >/dev/null 2>&1
 
-src/main.sh --archive "$actual_dir/.tmp/$ipa" --extras "$actual_dir/.tmp/dsyms"
+"$actual_dir"/main.sh --archive "$actual_dir/.tmp/$ipa" --extras "$actual_dir/.tmp/dsyms"
diff --git a/e2e/cromite-android.sh → tests/cromite-android.sh b/e2e/cromite-android.sh → tests/cromite-android.sh
@@ -2,7 +2,7 @@
 # Copyright 2024 Dotanuki Labs
 # SPDX-License-Identifier: MIT
 
-set -euo pipefail
+set -e
 
 readonly repo="uazo/cromite"
 readonly version="v129.0.6668.59-bbcb812cffa4e2815760cd7fc3e34b00b4e39ea1"
@@ -23,4 +23,4 @@ rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp"
 curl -fsSL -o "$actual_dir/.tmp/$apk" -C - "$apk_download_url"
 curl -fsSL -o "$actual_dir/.tmp/$mappings" -C - "$mappings_download_url"
 
-src/main.sh --archive "$actual_dir/.tmp/$apk" --extras "$actual_dir/.tmp/$mappings"
+"$actual_dir"/main.sh --archive "$actual_dir/.tmp/$apk" --extras "$actual_dir/.tmp/$mappings"
diff --git a/tests/fixtures.sh b/tests/fixtures.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# Copyright 2024 Dotanuki Labs
+# SPDX-License-Identifier: MIT
+
+set -euo pipefail
+
+readonly android_fixture="https://github.com/Automattic/pocket-casts-android/releases/download/7.72/app-7.72.apk"
+readonly android_package="pocket-casts-android.apk"
+readonly ios_fixture="https://github.com/Automattic/pocket-casts-ios/releases/download/7.72/PocketCasts.xcarchive.zip"
+readonly ios_package="pocket-casts-ios.xcarchive"
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "${script_dir%/*}"
+actual_dir=$(pwd)
+rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp"
+
+echo
+echo "Downloading fixtures to $HOME/.tmp"
+echo
+curl -fsSL -o "$actual_dir/.tmp/$android_package" -C - "$android_fixture"
+curl -fsSL -o "$actual_dir/.tmp/$ios_package" -C - "$ios_fixture"
diff --git a/e2e/pocketcasts-android.sh → tests/pocketcasts-android.sh b/e2e/pocketcasts-android.sh → tests/pocketcasts-android.sh
@@ -2,7 +2,7 @@
 # Copyright 2024 Dotanuki Labs
 # SPDX-License-Identifier: MIT
 
-set -euo pipefail
+set -e
 
 readonly repo="Automattic/pocket-casts-android"
 readonly version="7.72"
@@ -16,4 +16,5 @@ actual_dir=$(pwd)
 
 rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp"
 curl -fsSL -o "$actual_dir/.tmp/$package" -C - "$download_url"
-src/main.sh --archive "$actual_dir/.tmp/$package" --summary
+
+"$actual_dir"/main.sh --archive "$actual_dir/.tmp/$package" --summary "true"
diff --git a/e2e/pocketcasts-ios.sh → tests/pocketcasts-ios.sh b/e2e/pocketcasts-ios.sh → tests/pocketcasts-ios.sh
@@ -2,7 +2,7 @@
 # Copyright 2024 Dotanuki Labs
 # SPDX-License-Identifier: MIT
 
-set -euo pipefail
+set -e
 
 readonly repo="Automattic/pocket-casts-ios"
 readonly version="7.72"
@@ -16,4 +16,5 @@ actual_dir=$(pwd)
 
 rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp"
 curl -fsSL -o "$actual_dir/.tmp/$package" -C - "$download_url"
-src/main.sh --archive "$actual_dir/.tmp/$package" --summary
+
+"$actual_dir"/main.sh --archive "$actual_dir/.tmp/$package" --summary "true"