Skip to content

Commit

Permalink
Adds GHA definition and component tests (#10)
Browse files Browse the repository at this point in the history
* Adds GHA definition and component tests

* Changing paths

* Renaming jobs

* Adding missing secrets and cleaning-up
  • Loading branch information
ubiratansoares authored Sep 22, 2024
1 parent dc5adc3 commit 0d2e746
Show file tree
Hide file tree
Showing 8 changed files with 95 additions and 19 deletions.
31 changes: 23 additions & 8 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ jobs:
file-patterns: "*.sh,*.yml"
license: "mit"

e2e:
acceptance-tests:
needs: quality-checks
runs-on: ubuntu-22.04

Expand All @@ -37,32 +37,47 @@ jobs:
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Test scanning standalone Android apk
run: ./e2e/pocketcasts-android.sh
run: ./tests/pocketcasts-android.sh
env:
APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_POCKETCASTS_ANDROID_KEY }}

- name: Test scanning standalone iOS xcarchive
run: ./e2e/pocketcasts-ios.sh
run: ./tests/pocketcasts-ios.sh
env:
APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_POCKETCASTS_IOS_KEY }}

- name: Test scanning iOS ipa plus dSyms
run: ./e2e/bitwarden-ios.sh
run: ./tests/bitwarden-ios.sh
env:
APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_BITWARDEN_IOS_KEY }}

- name: Test scanning Android apk plus mappings
run: ./e2e/cromite-android.sh
run: ./tests/cromite-android.sh
env:
APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_CROMITE_ANDROID_KEY }}

component-tests:
needs: e2e
needs: acceptance-tests
runs-on: ubuntu-22.04

steps:
- name: Project Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Run tests
run: echo "To do"
- name: Prepares fixtures
run: ./tests/fixtures.sh

- name: Component test for iOS GHA
uses: ./
with:
archive-file: .tmp/pocket-casts-ios.xcarchive
env:
APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_POCKETCASTS_IOS_KEY }}

- name: Component test for Android GHA
uses: ./
with:
archive-file: .tmp/pocket-casts-android.apk
wait-for-summary: true
env:
APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_POCKETCASTS_ANDROID_KEY }}
27 changes: 27 additions & 0 deletions action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Copyright 2024 Dotanuki Labs
# SPDX-License-Identifier: MIT

name: "appsweep-scan-action"
description: "Scan Android or iOS artifacts for security issues with Guardsquare Appsweep"

inputs:
archive-file:
description: >
Path to the Android archive to scan. Accepted formats: '.aab' and '.apk'
required: true
symbols:
description: >
Path to the R8/proguard mappings file (Android) or folder with dSyms (iOS)
required: false
default: "none"
wait-for-summary:
description: >
Whether or not this Action should wait for scan outcomes and show the summary of issues
default: "none"
required: false

runs:
using: "composite"
steps:
- shell: bash
run: ${{ github.action_path }}/main.sh --archive ${{ inputs.archive-file }} --extras ${{ inputs.symbols }} --summary ${{ inputs.wait-for-summary }}
17 changes: 14 additions & 3 deletions src/main.sh → main.sh
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,16 @@ require_archive() {
fi
}

sanitize_inputs() {
if [[ "$extras" == "none" ]]; then
unset extras
fi

if [[ "$summary" == "none" ]]; then
unset summary
fi
}

require_r8_or_proguard_mappings() {
if [[ ! -f "$extras" ]]; then
echo "✗ ERROR : '$extras' R8/proguard mapping file not found"
Expand Down Expand Up @@ -110,17 +120,18 @@ while [ "$#" -gt 0 ]; do
shift 2
;;
--summary)
summary=1
shift 1
summary="$2"
shift 2
;;
*)
error "Unknown argument: $1"
echo "Unknown argument: $1"
exit 1
;;
esac
done

require_archive
sanitize_inputs

case "$archive" in
*.apk | *.aab)
Expand Down
4 changes: 2 additions & 2 deletions e2e/bitwarden-ios.sh → tests/bitwarden-ios.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
# Copyright 2024 Dotanuki Labs
# SPDX-License-Identifier: MIT

set -euo pipefail
set -e

readonly repo="bitwarden/ios"
readonly version="v2024.9.1"
Expand All @@ -24,4 +24,4 @@ curl -fsSL -o "$actual_dir/.tmp/$ipa" -C - "$ipa_download_url"
curl -fsSL -o "$actual_dir/.tmp/$dsyms_zip" -C - "$dsyms_download_url"
unzip -d "$actual_dir/.tmp/dsyms" "$actual_dir/.tmp/$dsyms_zip" >/dev/null 2>&1

src/main.sh --archive "$actual_dir/.tmp/$ipa" --extras "$actual_dir/.tmp/dsyms"
"$actual_dir"/main.sh --archive "$actual_dir/.tmp/$ipa" --extras "$actual_dir/.tmp/dsyms"
4 changes: 2 additions & 2 deletions e2e/cromite-android.sh → tests/cromite-android.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
# Copyright 2024 Dotanuki Labs
# SPDX-License-Identifier: MIT

set -euo pipefail
set -e

readonly repo="uazo/cromite"
readonly version="v129.0.6668.59-bbcb812cffa4e2815760cd7fc3e34b00b4e39ea1"
Expand All @@ -23,4 +23,4 @@ rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp"
curl -fsSL -o "$actual_dir/.tmp/$apk" -C - "$apk_download_url"
curl -fsSL -o "$actual_dir/.tmp/$mappings" -C - "$mappings_download_url"

src/main.sh --archive "$actual_dir/.tmp/$apk" --extras "$actual_dir/.tmp/$mappings"
"$actual_dir"/main.sh --archive "$actual_dir/.tmp/$apk" --extras "$actual_dir/.tmp/$mappings"
21 changes: 21 additions & 0 deletions tests/fixtures.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
#!/usr/bin/env bash
# Copyright 2024 Dotanuki Labs
# SPDX-License-Identifier: MIT

set -euo pipefail

readonly android_fixture="https://github.com/Automattic/pocket-casts-android/releases/download/7.72/app-7.72.apk"
readonly android_package="pocket-casts-android.apk"
readonly ios_fixture="https://github.com/Automattic/pocket-casts-ios/releases/download/7.72/PocketCasts.xcarchive.zip"
readonly ios_package="pocket-casts-ios.xcarchive"

script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "${script_dir%/*}"
actual_dir=$(pwd)
rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp"

echo
echo "Downloading fixtures to $HOME/.tmp"
echo
curl -fsSL -o "$actual_dir/.tmp/$android_package" -C - "$android_fixture"
curl -fsSL -o "$actual_dir/.tmp/$ios_package" -C - "$ios_fixture"
5 changes: 3 additions & 2 deletions e2e/pocketcasts-android.sh → tests/pocketcasts-android.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
# Copyright 2024 Dotanuki Labs
# SPDX-License-Identifier: MIT

set -euo pipefail
set -e

readonly repo="Automattic/pocket-casts-android"
readonly version="7.72"
Expand All @@ -16,4 +16,5 @@ actual_dir=$(pwd)

rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp"
curl -fsSL -o "$actual_dir/.tmp/$package" -C - "$download_url"
src/main.sh --archive "$actual_dir/.tmp/$package" --summary

"$actual_dir"/main.sh --archive "$actual_dir/.tmp/$package" --summary "true"
5 changes: 3 additions & 2 deletions e2e/pocketcasts-ios.sh → tests/pocketcasts-ios.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
# Copyright 2024 Dotanuki Labs
# SPDX-License-Identifier: MIT

set -euo pipefail
set -e

readonly repo="Automattic/pocket-casts-ios"
readonly version="7.72"
Expand All @@ -16,4 +16,5 @@ actual_dir=$(pwd)

rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp"
curl -fsSL -o "$actual_dir/.tmp/$package" -C - "$download_url"
src/main.sh --archive "$actual_dir/.tmp/$package" --summary

"$actual_dir"/main.sh --archive "$actual_dir/.tmp/$package" --summary "true"

0 comments on commit 0d2e746

Please sign in to comment.