diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7403e37..2748781 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -28,7 +28,7 @@ jobs: file-patterns: "*.sh,*.yml" license: "mit" - e2e: + acceptance-tests: needs: quality-checks runs-on: ubuntu-22.04 @@ -37,32 +37,47 @@ jobs: uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Test scanning standalone Android apk - run: ./e2e/pocketcasts-android.sh + run: ./tests/pocketcasts-android.sh env: APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_POCKETCASTS_ANDROID_KEY }} - name: Test scanning standalone iOS xcarchive - run: ./e2e/pocketcasts-ios.sh + run: ./tests/pocketcasts-ios.sh env: APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_POCKETCASTS_IOS_KEY }} - name: Test scanning iOS ipa plus dSyms - run: ./e2e/bitwarden-ios.sh + run: ./tests/bitwarden-ios.sh env: APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_BITWARDEN_IOS_KEY }} - name: Test scanning Android apk plus mappings - run: ./e2e/cromite-android.sh + run: ./tests/cromite-android.sh env: APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_CROMITE_ANDROID_KEY }} component-tests: - needs: e2e + needs: acceptance-tests runs-on: ubuntu-22.04 steps: - name: Project Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Run tests - run: echo "To do" + - name: Prepares fixtures + run: ./tests/fixtures.sh + + - name: Component test for iOS GHA + uses: ./ + with: + archive-file: .tmp/pocket-casts-ios.xcarchive + env: + APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_POCKETCASTS_IOS_KEY }} + + - name: Component test for Android GHA + uses: ./ + with: + archive-file: .tmp/pocket-casts-android.apk + wait-for-summary: true + env: + APPSWEEP_API_KEY: ${{ secrets.APPSWEEP_DOTANUKI_POCKETCASTS_ANDROID_KEY }} diff --git a/action.yml b/action.yml new file mode 100644 index 0000000..5f7e829 --- /dev/null +++ b/action.yml 
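Review bot: The new `component-tests` job declares no `permissions:` block, so unless one is set at the workflow level above this hunk it runs with the default `GITHUB_TOKEN` scope while handling the `APPSWEEP_*` secrets; `permissions: contents: read` on the job, next to `runs-on`, would state the least privilege it needs. The `archive-file: .tmp/pocket-casts-ios.xcarchive` and `.tmp/pocket-casts-android.apk` values are an implicit contract with tests/fixtures.sh, which nothing in the workflow documents; a comment on the `Prepares fixtures` step, `# writes .tmp/pocket-casts-ios.xcarchive and .tmp/pocket-casts-android.apk, consumed by the steps below`, would make that visible. As a point of style the step name reads better in the imperative (`Prepare fixtures`), matching the surrounding `Test scanning …` steps.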
@@ -0,0 +1,27 @@ +# Copyright 2024 Dotanuki Labs +# SPDX-License-Identifier: MIT + +name: "appsweep-scan-action" +description: "Scan Android or iOS artifacts for security issues with Guardsquare Appsweep" + +inputs: + archive-file: + description: > + Path to the Android archive to scan. Accepted formats: '.aab' and '.apk' + required: true + symbols: + description: > + Path to the R8/proguard mappings file (Android) or folder with dSyms (iOS) + required: false + default: "none" + wait-for-summary: + description: > + Whether or not this Action should wait for scan outcomes and show the summary of issues + default: "none" + required: false + +runs: + using: "composite" + steps: + - shell: bash + run: ${{ github.action_path }}/main.sh --archive ${{ inputs.archive-file }} --extras ${{ inputs.symbols }} --summary ${{ inputs.wait-for-summary }} diff --git a/src/main.sh b/main.sh similarity index 92% rename from src/main.sh rename to main.sh index 681ff70..1561395 100755 --- a/src/main.sh +++ b/main.sh @@ -20,6 +20,16 @@ require_archive() { fi } +sanitize_inputs() { + if [[ "$extras" == "none" ]]; then + unset extras + fi + + if [[ "$summary" == "none" ]]; then + unset summary + fi +} + require_r8_or_proguard_mappings() { if [[ ! -f "$extras" ]]; then echo "✗ ERROR : '$extras' R8/proguard mapping file not found" @@ -110,17 +120,18 @@ while [ "$#" -gt 0 ]; do shift 2 ;; --summary) - summary=1 - shift 1 + summary="$2" + shift 2 ;; *) - error "Unknown argument: $1" + echo "Unknown argument: $1" exit 1 ;; esac done require_archive +sanitize_inputs case "$archive" in *.apk | *.aab) diff --git a/e2e/bitwarden-ios.sh b/tests/bitwarden-ios.sh similarity index 89% rename from e2e/bitwarden-ios.sh rename to tests/bitwarden-ios.sh index 0b23228..cfaf4d1 100755 --- a/e2e/bitwarden-ios.sh +++ b/tests/bitwarden-ios.sh @@ -2,7 +2,7 @@ # Copyright 2024 Dotanuki Labs # SPDX-License-Identifier: MIT -set -euo pipefail +set -e readonly repo="bitwarden/ios" readonly version="v2024.9.1" 
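Review bot: The `run:` line at the end of the new action.yml interpolates `${{ inputs.archive-file }}`, `${{ inputs.symbols }}` and `${{ inputs.wait-for-summary }}` straight into the shell command, so a caller-supplied input containing shell metacharacters is evaluated by bash instead of being passed as an argument, and a path with spaces splits into several arguments because nothing is quoted. The standard mitigation is to bind each input to a variable in the step's `env:` block and reference the quoted variables from `run:`, as shown below. Separately, the `archive-file` description says "Path to the Android archive" although the CI hunk feeds it an `.xcarchive`, and `wait-for-summary` is described as a yes/no flag while defaulting to `"none"`; consider `Path to the Android (.apk/.aab) or iOS archive to scan` and stating in the description that `"none"` means "do not wait".
```yaml
# … unchanged: name, description, inputs …
runs:
  using: "composite"
  steps:
    - shell: bash
      env:
        ARCHIVE_FILE: ${{ inputs.archive-file }}
        SYMBOLS: ${{ inputs.symbols }}
        WAIT_FOR_SUMMARY: ${{ inputs.wait-for-summary }}
      run: >-
        "${{ github.action_path }}/main.sh"
        --archive "$ARCHIVE_FILE"
        --extras "$SYMBOLS"
        --summary "$WAIT_FOR_SUMMARY"
```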
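Review bot: `sanitize_inputs` only unsets `summary` when it equals the sentinel `none`, but action.yml documents `wait-for-summary` as a yes/no flag, so a caller passing `false` leaves `summary` holding the string `false`; if the rest of main.sh still tests it for presence, as the old `summary=1` in the argument loop suggests, the summary is then shown anyway. Consider `if [[ "$summary" == "none" || "$summary" == "false" || -z "$summary" ]]; then`, and the matching empty-string case for `extras`. The function silently depends on `extras` and `summary` being globals assigned by the argument loop further down the file; a comment above it, `# Drop the "none" sentinels the composite action passes for omitted optional inputs so later checks can use -v/-z`, would make that coupling explicit.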
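Review bot: Replacing `error "Unknown argument: $1"` with a plain `echo` sends the diagnostic to stdout, where it is mixed with normal output and absent from the step's error stream; if `error` was dropped elsewhere in this change, `echo "Unknown argument: $1" >&2` keeps it on stderr ahead of `exit 1`. The `--summary` case now consumes a value with `shift 2`, so a bare `--summary` as the last argument assigns an empty string and leaves the loop with a failed `shift`; this mirrors the existing `--archive`/`--extras` cases, so one shared guard at the top of the loop body, `[[ $# -ge 2 || "$1" != --* ]] || { echo "Missing value for $1" >&2; exit 1; }`, would cover all three. The `while` loop begins before this hunk.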
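Review bot: The header weakens `set -euo pipefail` to `set -e`, and the same change appears in tests/cromite-android.sh, tests/pocketcasts-android.sh and tests/pocketcasts-ios.sh, with nothing in the diff showing why `-u` and `pipefail` had to go; the `unset` calls added to main.sh run in a separate process started by `"$actual_dir"/main.sh` and are not affected by these options. Without `-u`, an unset or misspelled `actual_dir` in the later `rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp"` line silently becomes `rm -rf /.tmp`, and without `pipefail` a failing producer in any pipeline is hidden behind the consumer's exit status. If one variable is legitimately unset in some path, prefer `${var:-}` at that use site and keep `set -euo pipefail`.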
@@ -24,4 +24,4 @@ curl -fsSL -o "$actual_dir/.tmp/$ipa" -C - "$ipa_download_url" curl -fsSL -o "$actual_dir/.tmp/$dsyms_zip" -C - "$dsyms_download_url" unzip -d "$actual_dir/.tmp/dsyms" "$actual_dir/.tmp/$dsyms_zip" >/dev/null 2>&1 -src/main.sh --archive "$actual_dir/.tmp/$ipa" --extras "$actual_dir/.tmp/dsyms" +"$actual_dir"/main.sh --archive "$actual_dir/.tmp/$ipa" --extras "$actual_dir/.tmp/dsyms" diff --git a/e2e/cromite-android.sh b/tests/cromite-android.sh similarity index 89% rename from e2e/cromite-android.sh rename to tests/cromite-android.sh index e7a78a8..cbca4b6 100755 --- a/e2e/cromite-android.sh +++ b/tests/cromite-android.sh @@ -2,7 +2,7 @@ # Copyright 2024 Dotanuki Labs # SPDX-License-Identifier: MIT -set -euo pipefail +set -e readonly repo="uazo/cromite" readonly version="v129.0.6668.59-bbcb812cffa4e2815760cd7fc3e34b00b4e39ea1" @@ -23,4 +23,4 @@ rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp" curl -fsSL -o "$actual_dir/.tmp/$apk" -C - "$apk_download_url" curl -fsSL -o "$actual_dir/.tmp/$mappings" -C - "$mappings_download_url" -src/main.sh --archive "$actual_dir/.tmp/$apk" --extras "$actual_dir/.tmp/$mappings" +"$actual_dir"/main.sh --archive "$actual_dir/.tmp/$apk" --extras "$actual_dir/.tmp/$mappings" diff --git a/tests/fixtures.sh b/tests/fixtures.sh new file mode 100755 index 0000000..714b69a --- /dev/null +++ b/tests/fixtures.sh 
@@ -0,0 +1,21 @@ +#!/usr/bin/env bash +# Copyright 2024 Dotanuki Labs +# SPDX-License-Identifier: MIT + +set -euo pipefail + +readonly android_fixture="https://github.com/Automattic/pocket-casts-android/releases/download/7.72/app-7.72.apk" +readonly android_package="pocket-casts-android.apk" +readonly ios_fixture="https://github.com/Automattic/pocket-casts-ios/releases/download/7.72/PocketCasts.xcarchive.zip" +readonly ios_package="pocket-casts-ios.xcarchive" + +script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +cd "${script_dir%/*}" +actual_dir=$(pwd) +rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp" + +echo +echo "Downloading fixtures to $HOME/.tmp" +echo +curl -fsSL -o "$actual_dir/.tmp/$android_package" -C - "$android_fixture" +curl -fsSL -o "$actual_dir/.tmp/$ios_package" -C - "$ios_fixture" diff --git a/e2e/pocketcasts-android.sh b/tests/pocketcasts-android.sh similarity index 86% rename from e2e/pocketcasts-android.sh rename to tests/pocketcasts-android.sh index 523cfaa..6e88394 100755 --- a/e2e/pocketcasts-android.sh +++ b/tests/pocketcasts-android.sh @@ -2,7 +2,7 @@ # Copyright 2024 Dotanuki Labs # SPDX-License-Identifier: MIT -set -euo pipefail +set -e readonly repo="Automattic/pocket-casts-android" readonly version="7.72" @@ -16,4 +16,5 @@ actual_dir=$(pwd) rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp" curl -fsSL -o "$actual_dir/.tmp/$package" -C - "$download_url" -src/main.sh --archive "$actual_dir/.tmp/$package" --summary + +"$actual_dir"/main.sh --archive "$actual_dir/.tmp/$package" --summary "true" diff --git a/e2e/pocketcasts-ios.sh b/tests/pocketcasts-ios.sh similarity index 86% rename from e2e/pocketcasts-ios.sh rename to tests/pocketcasts-ios.sh index 2166ad3..95d953b 100755 --- a/e2e/pocketcasts-ios.sh +++ b/tests/pocketcasts-ios.sh @@ -2,7 +2,7 @@ # Copyright 2024 Dotanuki Labs # SPDX-License-Identifier: MIT -set -euo pipefail +set -e readonly repo="Automattic/pocket-casts-ios" readonly version="7.72" 
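Review bot: The iOS fixture URL ends in `.xcarchive.zip` but the download is saved as `pocket-casts-ios.xcarchive` and never unpacked, so ci.yml's component test hands the action a zip file under an `.xcarchive` name; unless main.sh accepts a zipped xcarchive under that extension, save it under its real name and add an `unzip -d "$actual_dir/.tmp" …` step, as tests/bitwarden-ios.sh does for its dSyms. The `echo "Downloading fixtures to $HOME/.tmp"` line reports the wrong location; the files go to `$actual_dir/.tmp`. Both fixtures are fetched from release URLs with no integrity check, so a replaced or tampered release asset changes what the tests exercise without any signal; pinning a digest and verifying it after each download, e.g. `echo "<EXPECTED_SHA256>  $actual_dir/.tmp/$android_package" | sha256sum -c -`, closes that gap.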
@@ -16,4 +16,5 @@ actual_dir=$(pwd) rm -rf "$actual_dir/.tmp" && mkdir "$actual_dir/.tmp" curl -fsSL -o "$actual_dir/.tmp/$package" -C - "$download_url" -src/main.sh --archive "$actual_dir/.tmp/$package" --summary + +"$actual_dir"/main.sh --archive "$actual_dir/.tmp/$package" --summary "true"