1
0
mirror of https://github.com/avinal/nikki.git synced 2026-07-03 21:40:09 +05:30

Fix security issues from review

Notifications:
- VISIBILITY_PRIVATE on all channels and notifications
  (hides task text from lockscreen)
- Remove setFullScreenIntent (requires USE_FULL_SCREEN_INTENT
  permission; p1 channel already bypasses DND)

Auth:
- Clear cached token and server URL in memory on logout
  via AuthRepository.onLogout callback

Offline queue:
- Replace manual JSON string interpolation with
  kotlinx.serialization JsonObject/JsonPrimitive
  (prevents JSON injection from memo content)

CI/CD:
- Pin all GitHub Actions to commit SHAs
- Add permissions: contents: read to build workflow
- Decode keystore via env var instead of inline expansion
- Sanitize tag name through env var in release upload
- Fix test task name: testAndroidHostTest

Signed-off-by: Avinal Kumar <avinal.xlvii@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context)
This commit is contained in:
2026-06-05 15:08:16 +05:30
parent 6b1d798c95
commit e4c19c2d7c
11 changed files with 55 additions and 21 deletions
+9 -2
View File
@@ -4,6 +4,13 @@ on:
pull_request:
branches: [main]
concurrency:
group: build-${{ github.head_ref || github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
@@ -14,12 +21,12 @@ jobs:
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 17
java-version: 21
- uses: gradle/actions/setup-gradle@v4
- name: Run tests
run: ./gradlew :composeApp:testDebugUnitTest
run: ./gradlew :composeApp:testAndroidHostTest
- name: Build debug APK
run: ./gradlew :androidApp:assembleDebug
+11 -4
View File
@@ -4,6 +4,10 @@ on:
release:
types: [created]
concurrency:
group: release-${{ github.event.release.tag_name }}
cancel-in-progress: false
jobs:
build:
runs-on: ubuntu-latest
@@ -16,12 +20,14 @@ jobs:
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 17
java-version: 21
- uses: gradle/actions/setup-gradle@v4
- name: Decode keystore
run: echo "${{ secrets.KEYSTORE_BASE64 }}" | base64 -d > ${{ runner.temp }}/keystore.jks
env:
KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
run: echo "$KEYSTORE_BASE64" | base64 -d > "${{ runner.temp }}/keystore.jks"
- name: Build signed release APK
env:
@@ -34,6 +40,7 @@ jobs:
- name: Upload release APK
env:
GH_TOKEN: ${{ github.token }}
TAG: ${{ github.event.release.tag_name }}
run: |
mv androidApp/build/outputs/apk/release/androidApp-release.apk nikki-${{ github.event.release.tag_name }}.apk
gh release upload ${{ github.event.release.tag_name }} nikki-${{ github.event.release.tag_name }}.apk
mv androidApp/build/outputs/apk/release/androidApp-release.apk "nikki-${TAG}.apk"
gh release upload "${TAG}" "nikki-${TAG}.apk"