diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml new file mode 100644 index 0000000..e463811 --- /dev/null +++ b/.gitea/workflows/ci.yaml 
@@ -0,0 +1,102 @@ +name: CI + +on: + push: + branches: + - '**' + tags-ignore: + - '**' + pull_request: + +jobs: + ci: + runs-on: docker + env: + ANDROID_HOME: /opt/android-sdk + ANDROID_SDK_ROOT: /opt/android-sdk + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Java + uses: actions/setup-java@v4 + with: + distribution: 'zulu' + java-version: '17' + + - name: Setup Android SDK + uses: android-actions/setup-android@v3 + + - name: Install Android SDK packages + run: | + sdkmanager --licenses >/dev/null <<'EOF' + y + y + y + y + y + y + y + y + y + y + EOF + sdkmanager "platform-tools" "platforms;android-36" "build-tools;36.0.0" + + - name: Setup Flutter + uses: subosito/flutter-action@v2 + with: + channel: 'stable' + + - name: Trust Flutter SDK git directory + run: | + set -e + FLUTTER_BIN_DIR="$(dirname "$(command -v flutter)")" + FLUTTER_SDK_DIR="$(cd "$FLUTTER_BIN_DIR/.." && pwd -P)" + git config --global --add safe.directory "$FLUTTER_SDK_DIR" + if [ -n "${FLUTTER_ROOT:-}" ]; then + git config --global --add safe.directory "$FLUTTER_ROOT" + fi + git config --global --add safe.directory /opt/hostedtoolcache/flutter/stable-3.41.4-x64 || true + + - name: Verify Android + Flutter toolchain + run: flutter doctor -v + + - name: Install dependencies + run: flutter pub get + + - name: Static analysis + run: flutter analyze --no-pub + + - name: Run tests + run: flutter test + + - name: Check outdated dependencies + run: dart pub outdated + continue-on-error: true + + - name: Security audit + run: dart pub audit + + - name: Trivy filesystem scan + run: | + set -e + SUDO="" + if command -v sudo >/dev/null 2>&1; then + SUDO="sudo" + fi + if command -v apt-get >/dev/null 2>&1; then + $SUDO apt-get update + $SUDO apt-get install -y wget apt-transport-https gnupg lsb-release + wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | $SUDO tee /usr/share/keyrings/trivy.gpg > /dev/null + echo "deb 
[signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | $SUDO tee /etc/apt/sources.list.d/trivy.list + $SUDO apt-get update + $SUDO apt-get install -y trivy + elif command -v apk >/dev/null 2>&1; then + $SUDO apk add --no-cache trivy || (wget -qO trivy.tar.gz https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.62.1_Linux-64bit.tar.gz && tar xzf trivy.tar.gz trivy && $SUDO mv trivy /usr/local/bin/) + fi + trivy filesystem --severity HIGH,CRITICAL --exit-code 0 . + continue-on-error: true + + - name: Build debug APK + run: flutter build apk --debug diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml index 4345fbf..146e196 100644 --- a/.gitea/workflows/release.yaml +++ b/.gitea/workflows/release.yaml 
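Review bot: The Trivy step cannot block anything: `trivy filesystem --severity HIGH,CRITICAL --exit-code 0 .` always exits successfully and the step additionally carries `continue-on-error: true`, so a HIGH/CRITICAL finding fails neither this job nor the `needs: ci` gate that release.yaml builds on it; if the scan is meant as a gate, use `trivy filesystem --severity HIGH,CRITICAL --exit-code 1 .` and drop `continue-on-error: true`, otherwise name the step as advisory. The apk fallback fetches `releases/latest/download/trivy_0.62.1_Linux-64bit.tar.gz`, which combines a floating "latest" path with a version-fixed asset name and therefore stops resolving as soon as a newer release is published, and the extracted binary is moved into `/usr/local/bin` with no checksum or signature verification. The action references (`actions/checkout@v4`, `actions/setup-java@v4`, `android-actions/setup-android@v3`, `subosito/flutter-action@v2`) are mutable tags; pinning each to a full commit SHA with the tag kept in a trailing comment makes the toolchain reproducible. The same job text is added verbatim to release.yaml in the next hunk, so each of these points applies there as well. The rewritten fallback below pins the version and verifies the archive before installing it.
```yaml
          elif command -v apk >/dev/null 2>&1; then
            TRIVY_VERSION="0.62.1"
            # constructed placeholder — take the digest from the release's published checksums
            TRIVY_SHA256="<EXPECTED_SHA256_OF_TARBALL>"
            if ! $SUDO apk add --no-cache trivy; then
              wget -qO trivy.tar.gz "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
              echo "${TRIVY_SHA256}  trivy.tar.gz" | sha256sum -c -
              tar xzf trivy.tar.gz trivy && $SUDO mv trivy /usr/local/bin/
              rm -f trivy.tar.gz
            fi
          fi
          trivy filesystem --severity HIGH,CRITICAL --exit-code 1 .
```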
@@ -7,7 +7,100 @@ on: workflow_dispatch: jobs: + ci: + runs-on: docker + env: + ANDROID_HOME: /opt/android-sdk + ANDROID_SDK_ROOT: /opt/android-sdk + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Java + uses: actions/setup-java@v4 + with: + distribution: 'zulu' + java-version: '17' + + - name: Setup Android SDK + uses: android-actions/setup-android@v3 + + - name: Install Android SDK packages + run: | + sdkmanager --licenses >/dev/null <<'EOF' + y + y + y + y + y + y + y + y + y + y + EOF + sdkmanager "platform-tools" "platforms;android-36" "build-tools;36.0.0" + + - name: Setup Flutter + uses: subosito/flutter-action@v2 + with: + channel: 'stable' + + - name: Trust Flutter SDK git directory + run: | + set -e + FLUTTER_BIN_DIR="$(dirname "$(command -v flutter)")" + FLUTTER_SDK_DIR="$(cd "$FLUTTER_BIN_DIR/.." && pwd -P)" + git config --global --add safe.directory "$FLUTTER_SDK_DIR" + if [ -n "${FLUTTER_ROOT:-}" ]; then + git config --global --add safe.directory "$FLUTTER_ROOT" + fi + git config --global --add safe.directory /opt/hostedtoolcache/flutter/stable-3.41.4-x64 || true + + - name: Verify Android + Flutter toolchain + run: flutter doctor -v + + - name: Install dependencies + run: flutter pub get + + - name: Static analysis + run: flutter analyze --no-pub + + - name: Run tests + run: flutter test + + - name: Check outdated dependencies + run: dart pub outdated + continue-on-error: true + + - name: Security audit + run: dart pub audit + + - name: Trivy filesystem scan + run: | + set -e + SUDO="" + if command -v sudo >/dev/null 2>&1; then + SUDO="sudo" + fi + if command -v apt-get >/dev/null 2>&1; then + $SUDO apt-get update + $SUDO apt-get install -y wget apt-transport-https gnupg lsb-release + wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | $SUDO tee /usr/share/keyrings/trivy.gpg > /dev/null + echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic 
main" | $SUDO tee /etc/apt/sources.list.d/trivy.list + $SUDO apt-get update + $SUDO apt-get install -y trivy + elif command -v apk >/dev/null 2>&1; then + $SUDO apk add --no-cache trivy || (wget -qO trivy.tar.gz https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.62.1_Linux-64bit.tar.gz && tar xzf trivy.tar.gz trivy && $SUDO mv trivy /usr/local/bin/) + fi + trivy filesystem --severity HIGH,CRITICAL --exit-code 0 . + continue-on-error: true + + - name: Build debug APK + run: flutter build apk --debug + build-and-deploy: + needs: ci runs-on: docker env: ANDROID_HOME: /opt/android-sdk diff --git a/CHANGELOG.md b/CHANGELOG.md index eed66a4..7530c53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,12 @@ All notable changes to HouseHoldKeeper are documented in this file. +## [1.1.4] - Unreleased + +### Added +- CI workflow for branch pushes and pull requests with static analysis, tests, security audit, and debug build +- Security gate in release workflow — CI checks must pass before release build proceeds + ## [1.1.3] - 2026-03-17 ### Added
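Review bot: The added `ci` job is a line-for-line copy of the job introduced in ci.yaml, so every correction made to one copy has to be repeated in the other and the two will drift silently; either hoist it into a reusable workflow (if the Gitea runner in use supports `workflow_call`, which cannot be confirmed from this diff) or, at minimum, mark the copy with a comment such as `# Mirror of the ci job in .gitea/workflows/ci.yaml — keep both in sync`. With `needs: ci` the release build now waits for static analysis, tests and `dart pub audit`, which is the gate the CHANGELOG entry describes; the steps marked `continue-on-error: true` do not contribute to that gate, which is worth stating in their step names so the gate's scope is not overestimated. The `build-and-deploy` job continues past the end of this hunk, so its remaining steps were not reviewed here.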