From bca7e391ad3ed68b7ef190fa4449d4d3e1f55639 Mon Sep 17 00:00:00 2001
From: Jean-Luc Makiola
Date: Tue, 17 Mar 2026 11:42:17 +0100
Subject: [PATCH] ci: add CI pipeline with analysis, tests, security audit, and debug build

Add ci.yaml triggered on branch pushes and PRs with flutter analyze, flutter test, dart pub audit, Trivy scan, and debug APK build. Gate the release workflow behind a CI job so release builds only proceed after all checks pass.
Co-Authored-By: Claude Opus 4.6
---
 .gitea/workflows/ci.yaml | 102 ++++++++++++++++++++++++++++++++++
 .gitea/workflows/release.yaml | 93 +++++++++++++++++++++++++++++++
 CHANGELOG.md | 6 ++
 3 files changed, 201 insertions(+)
 create mode 100644 .gitea/workflows/ci.yaml

diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
new file mode 100644
index 0000000..e463811
--- /dev/null
+++ b/.gitea/workflows/ci.yaml
@@ -0,0 +1,102 @@
+name: CI
+
+on:
+ push:
+ branches:
+ - '**'
+ tags-ignore:
+ - '**'
+ pull_request:
+
+jobs:
+ ci:
+ runs-on: docker
+ env:
+ ANDROID_HOME: /opt/android-sdk
+ ANDROID_SDK_ROOT: /opt/android-sdk
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'zulu'
+ java-version: '17'
+
+ - name: Setup Android SDK
+ uses: android-actions/setup-android@v3
+
+ - name: Install Android SDK packages
+ run: |
+ sdkmanager --licenses >/dev/null <<'EOF'
+ y
+ y
+ y
+ y
+ y
+ y
+ y
+ y
+ y
+ y
+ EOF
+ sdkmanager "platform-tools" "platforms;android-36" "build-tools;36.0.0"
+
+ - name: Setup Flutter
+ uses: subosito/flutter-action@v2
+ with:
+ channel: 'stable'
+
+ - name: Trust Flutter SDK git directory
+ run: |
+ set -e
+ FLUTTER_BIN_DIR="$(dirname "$(command -v flutter)")"
+ FLUTTER_SDK_DIR="$(cd "$FLUTTER_BIN_DIR/.." && pwd -P)"
+ git config --global --add safe.directory "$FLUTTER_SDK_DIR"
+ if [ -n "${FLUTTER_ROOT:-}" ]; then
+ git config --global --add safe.directory "$FLUTTER_ROOT"
+ fi
+ git config --global --add safe.directory /opt/hostedtoolcache/flutter/stable-3.41.4-x64 || true
+
+ - name: Verify Android + Flutter toolchain
+ run: flutter doctor -v
+
+ - name: Install dependencies
+ run: flutter pub get
+
+ - name: Static analysis
+ run: flutter analyze --no-pub
+
+ - name: Run tests
+ run: flutter test
+
+ - name: Check outdated dependencies
+ run: dart pub outdated
+ continue-on-error: true
+
+ - name: Security audit
+ run: dart pub audit
+
+ - name: Trivy filesystem scan
+ run: |
+ set -e
+ SUDO=""
+ if command -v sudo >/dev/null 2>&1; then
+ SUDO="sudo"
+ fi
+ if command -v apt-get >/dev/null 2>&1; then
+ $SUDO apt-get update
+ $SUDO apt-get install -y wget apt-transport-https gnupg lsb-release
+ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | $SUDO tee /usr/share/keyrings/trivy.gpg > /dev/null
+ echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | $SUDO tee /etc/apt/sources.list.d/trivy.list
+ $SUDO apt-get update
+ $SUDO apt-get install -y trivy
+ elif command -v apk >/dev/null 2>&1; then
+ $SUDO apk add --no-cache trivy || (wget -qO trivy.tar.gz https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.62.1_Linux-64bit.tar.gz && tar xzf trivy.tar.gz trivy && $SUDO mv trivy /usr/local/bin/)
+ fi
+ trivy filesystem --severity HIGH,CRITICAL --exit-code 0 .
+ continue-on-error: true
+
+ - name: Build debug APK
+ run: flutter build apk --debug
diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
index 4345fbf..146e196 100644
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
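Review bot: The Trivy step near the end of the job can never fail the pipeline — `trivy filesystem --severity HIGH,CRITICAL --exit-code 0 .` always returns 0 and the step also carries `continue-on-error: true` — so HIGH/CRITICAL findings only appear in the log, and the same job copied into .gitea/workflows/release.yaml therefore does not gate the release on scan results as the commit message says. If the scan is meant to gate, change the two lines to `trivy filesystem --severity HIGH,CRITICAL --exit-code 1 .` and drop `continue-on-error: true` (or keep it only while triaging, with a comment saying so). The apk fallback fetches `trivy_0.62.1_Linux-64bit.tar.gz` through `releases/latest/download/`, which stops resolving as soon as the latest release carries a different version in the asset name, and the tarball is moved into `/usr/local/bin/` without any checksum check; pin the release URL and verify a published checksum before the `mv`. The three marketplace actions are pinned to mutable tags (`actions/checkout@v4`, `actions/setup-java@v4`, `android-actions/setup-android@v3`, `subosito/flutter-action@v2`); pinning to commit SHAs would make the supply chain reproducible. I cannot confirm from here that `dart pub audit` exists on the stable SDK this job installs — if it does not, the Security audit step fails every push, so it is worth checking with `dart pub --help` on the runner.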
@@ -7,7 +7,100 @@ on:
 workflow_dispatch:
 jobs:
+ ci:
+ runs-on: docker
+ env:
+ ANDROID_HOME: /opt/android-sdk
+ ANDROID_SDK_ROOT: /opt/android-sdk
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'zulu'
+ java-version: '17'
+
+ - name: Setup Android SDK
+ uses: android-actions/setup-android@v3
+
+ - name: Install Android SDK packages
+ run: |
+ sdkmanager --licenses >/dev/null <<'EOF'
+ y
+ y
+ y
+ y
+ y
+ y
+ y
+ y
+ y
+ y
+ EOF
+ sdkmanager "platform-tools" "platforms;android-36" "build-tools;36.0.0"
+
+ - name: Setup Flutter
+ uses: subosito/flutter-action@v2
+ with:
+ channel: 'stable'
+
+ - name: Trust Flutter SDK git directory
+ run: |
+ set -e
+ FLUTTER_BIN_DIR="$(dirname "$(command -v flutter)")"
+ FLUTTER_SDK_DIR="$(cd "$FLUTTER_BIN_DIR/.." && pwd -P)"
+ git config --global --add safe.directory "$FLUTTER_SDK_DIR"
+ if [ -n "${FLUTTER_ROOT:-}" ]; then
+ git config --global --add safe.directory "$FLUTTER_ROOT"
+ fi
+ git config --global --add safe.directory /opt/hostedtoolcache/flutter/stable-3.41.4-x64 || true
+
+ - name: Verify Android + Flutter toolchain
+ run: flutter doctor -v
+
+ - name: Install dependencies
+ run: flutter pub get
+
+ - name: Static analysis
+ run: flutter analyze --no-pub
+
+ - name: Run tests
+ run: flutter test
+
+ - name: Check outdated dependencies
+ run: dart pub outdated
+ continue-on-error: true
+
+ - name: Security audit
+ run: dart pub audit
+
+ - name: Trivy filesystem scan
+ run: |
+ set -e
+ SUDO=""
+ if command -v sudo >/dev/null 2>&1; then
+ SUDO="sudo"
+ fi
+ if command -v apt-get >/dev/null 2>&1; then
+ $SUDO apt-get update
+ $SUDO apt-get install -y wget apt-transport-https gnupg lsb-release
+ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | $SUDO tee /usr/share/keyrings/trivy.gpg > /dev/null
+ echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | $SUDO tee /etc/apt/sources.list.d/trivy.list
+ $SUDO apt-get update
+ $SUDO apt-get install -y trivy
+ elif command -v apk >/dev/null 2>&1; then
+ $SUDO apk add --no-cache trivy || (wget -qO trivy.tar.gz https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.62.1_Linux-64bit.tar.gz && tar xzf trivy.tar.gz trivy && $SUDO mv trivy /usr/local/bin/)
+ fi
+ trivy filesystem --severity HIGH,CRITICAL --exit-code 0 .
+ continue-on-error: true
+
+ - name: Build debug APK
+ run: flutter build apk --debug
+
+ build-and-deploy:
+ needs: ci
 runs-on: docker
 env:
 ANDROID_HOME: /opt/android-sdk
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eed66a4..7530c53 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@ All notable changes to HouseHoldKeeper are documented in this file.
+## [1.1.4] - Unreleased
+
+### Added
+- CI workflow for branch pushes and pull requests with static analysis, tests, security audit, and debug build
+- Security gate in release workflow — CI checks must pass before release build proceeds
+
 ## [1.1.3] - 2026-03-17
 ### Added
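Review bot: The `ci` job added under `jobs:` is a verbatim copy of the job in .gitea/workflows/ci.yaml (about ninety lines, through `run: flutter build apk --debug`), so every later fix to one file — the Trivy exit code, the SDK package versions, the hard-coded `/opt/hostedtoolcache/flutter/stable-3.41.4-x64` safe.directory path — has to be repeated in the other and will silently drift. If the runner supports `workflow_call`, expose the ci.yaml job as a reusable workflow and call it from here; if it does not, at least put a comment above `ci:` in both files such as `# Keep in sync with .gitea/workflows/ci.yaml`. The `needs: ci` gate on `build-and-deploy` only blocks on job failure, so any step marked `continue-on-error: true` cannot stop a release regardless of what it reports, which is narrower than the "all checks pass" wording in the commit message. The `build-and-deploy` job continues past the end of this hunk.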