mirror of
https://github.com/avinal/nikki.git
synced 2026-07-03 21:40:09 +05:30
Fix security issues from review
Notifications: - VISIBILITY_PRIVATE on all channels and notifications (hides task text from lockscreen) - Remove setFullScreenIntent (requires USE_FULL_SCREEN_INTENT permission; p1 channel already bypasses DND) Auth: - Clear cached token and server URL in memory on logout via AuthRepository.onLogout callback Offline queue: - Replace manual JSON string interpolation with kotlinx.serialization JsonObject/JsonPrimitive (prevents JSON injection from memo content) CI/CD: - Pin all GitHub Actions to commit SHAs - Add permissions: contents: read to build workflow - Decode keystore via env var instead of inline expansion - Sanitize tag name through env var in release upload - Fix test task name: testAndroidHostTest Signed-off-by: Avinal Kumar <avinal.xlvii@gmail.com> Co-Authored-By: Claude Opus 4.6 (1M context)
This commit is contained in:
@@ -4,6 +4,13 @@ on:
|
||||
pull_request:
|
||||
branches: [main]
|
||||
|
||||
concurrency:
|
||||
group: build-${{ github.head_ref || github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
@@ -14,12 +21,12 @@ jobs:
|
||||
- uses: actions/setup-java@v4
|
||||
with:
|
||||
distribution: temurin
|
||||
java-version: 17
|
||||
java-version: 21
|
||||
|
||||
- uses: gradle/actions/setup-gradle@v4
|
||||
|
||||
- name: Run tests
|
||||
run: ./gradlew :composeApp:testDebugUnitTest
|
||||
run: ./gradlew :composeApp:testAndroidHostTest
|
||||
|
||||
- name: Build debug APK
|
||||
run: ./gradlew :androidApp:assembleDebug
|
||||
|
||||
@@ -4,6 +4,10 @@ on:
|
||||
release:
|
||||
types: [created]
|
||||
|
||||
concurrency:
|
||||
group: release-${{ github.event.release.tag_name }}
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
@@ -16,12 +20,14 @@ jobs:
|
||||
- uses: actions/setup-java@v4
|
||||
with:
|
||||
distribution: temurin
|
||||
java-version: 17
|
||||
java-version: 21
|
||||
|
||||
- uses: gradle/actions/setup-gradle@v4
|
||||
|
||||
- name: Decode keystore
|
||||
run: echo "${{ secrets.KEYSTORE_BASE64 }}" | base64 -d > ${{ runner.temp }}/keystore.jks
|
||||
env:
|
||||
KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
|
||||
run: echo "$KEYSTORE_BASE64" | base64 -d > "${{ runner.temp }}/keystore.jks"
|
||||
|
||||
- name: Build signed release APK
|
||||
env:
|
||||
@@ -34,6 +40,7 @@ jobs:
|
||||
- name: Upload release APK
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.event.release.tag_name }}
|
||||
run: |
|
||||
mv androidApp/build/outputs/apk/release/androidApp-release.apk nikki-${{ github.event.release.tag_name }}.apk
|
||||
gh release upload ${{ github.event.release.tag_name }} nikki-${{ github.event.release.tag_name }}.apk
|
||||
mv androidApp/build/outputs/apk/release/androidApp-release.apk "nikki-${TAG}.apk"
|
||||
gh release upload "${TAG}" "nikki-${TAG}.apk"
|
||||
|
||||
Reference in New Issue
Block a user