Jean-Luc Makiola
bca7e391ad
Add ci.yaml triggered on branch pushes and PRs with flutter analyze, flutter test, dart pub audit, Trivy scan, and debug APK build. Gate the release workflow behind a CI job so release builds only proceed after all checks pass. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
103 lines
3.0 KiB
YAML
103 lines
3.0 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- '**'
|
|
tags-ignore:
|
|
- '**'
|
|
pull_request:
|
|
|
|
jobs:
|
|
ci:
|
|
runs-on: docker
|
|
env:
|
|
ANDROID_HOME: /opt/android-sdk
|
|
ANDROID_SDK_ROOT: /opt/android-sdk
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup Java
|
|
uses: actions/setup-java@v4
|
|
with:
|
|
distribution: 'zulu'
|
|
java-version: '17'
|
|
|
|
- name: Setup Android SDK
|
|
uses: android-actions/setup-android@v3
|
|
|
|
- name: Install Android SDK packages
|
|
run: |
|
|
sdkmanager --licenses >/dev/null <<'EOF'
|
|
y
|
|
y
|
|
y
|
|
y
|
|
y
|
|
y
|
|
y
|
|
y
|
|
y
|
|
y
|
|
EOF
|
|
sdkmanager "platform-tools" "platforms;android-36" "build-tools;36.0.0"
|
|
|
|
- name: Setup Flutter
|
|
uses: subosito/flutter-action@v2
|
|
with:
|
|
channel: 'stable'
|
|
|
|
- name: Trust Flutter SDK git directory
|
|
run: |
|
|
set -e
|
|
FLUTTER_BIN_DIR="$(dirname "$(command -v flutter)")"
|
|
FLUTTER_SDK_DIR="$(cd "$FLUTTER_BIN_DIR/.." && pwd -P)"
|
|
git config --global --add safe.directory "$FLUTTER_SDK_DIR"
|
|
if [ -n "${FLUTTER_ROOT:-}" ]; then
|
|
git config --global --add safe.directory "$FLUTTER_ROOT"
|
|
fi
|
|
git config --global --add safe.directory /opt/hostedtoolcache/flutter/stable-3.41.4-x64 || true
|
|
|
|
- name: Verify Android + Flutter toolchain
|
|
run: flutter doctor -v
|
|
|
|
- name: Install dependencies
|
|
run: flutter pub get
|
|
|
|
- name: Static analysis
|
|
run: flutter analyze --no-pub
|
|
|
|
- name: Run tests
|
|
run: flutter test
|
|
|
|
- name: Check outdated dependencies
|
|
run: dart pub outdated
|
|
continue-on-error: true
|
|
|
|
- name: Security audit
|
|
run: dart pub audit
|
|
|
|
- name: Trivy filesystem scan
|
|
run: |
|
|
set -e
|
|
SUDO=""
|
|
if command -v sudo >/dev/null 2>&1; then
|
|
SUDO="sudo"
|
|
fi
|
|
if command -v apt-get >/dev/null 2>&1; then
|
|
$SUDO apt-get update
|
|
$SUDO apt-get install -y wget apt-transport-https gnupg lsb-release
|
|
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | $SUDO tee /usr/share/keyrings/trivy.gpg > /dev/null
|
|
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | $SUDO tee /etc/apt/sources.list.d/trivy.list
|
|
$SUDO apt-get update
|
|
$SUDO apt-get install -y trivy
|
|
elif command -v apk >/dev/null 2>&1; then
|
|
$SUDO apk add --no-cache trivy || (wget -qO trivy.tar.gz https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.62.1_Linux-64bit.tar.gz && tar xzf trivy.tar.gz trivy && $SUDO mv trivy /usr/local/bin/)
|
|
fi
|
|
trivy filesystem --severity HIGH,CRITICAL --exit-code 0 .
|
|
continue-on-error: true
|
|
|
|
- name: Build debug APK
|
|
run: flutter build apk --debug
|