Skip to content

Build and scan - dynamic scan #16

Build and scan - dynamic scan

Build and scan - dynamic scan #16

name: "Build and scan - dynamic scan"
on:
# manual trigger but change to any supported event
# see addl: https://www.andrewhoog.com/post/how-to-build-react-native-android-app-with-github-actions/#3-run-build-workflow
workflow_dispatch:
# new pull requests
pull_request:
branches:
- main
# new releases or pre-releases
release:
types: [published]
jobs:
build_with_signing:
runs-on: macos-latest
steps:
# this was more debug as was curious what came pre-installed
# GitHub shares this online, e.g. https://github.com/actions/runner-images/blob/macOS-12/20230224.1/images/macos/macos-12-Readme.md
- name: checkout repository
uses: actions/checkout@v3
- name: Install the Apple certificate and provisioning profile
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
PROVISION_PROFILES_BASE64: ${{ secrets.PROVISION_PROFILES_BASE64 }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
GOOGLE_SERVICE_INFO: ${{ secrets.GOOGLE_SERVICE_INFO }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
PP_ARCHIVE=$RUNNER_TEMP/mobile_pp.tgz
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$PROVISION_PROFILES_BASE64" | base64 --decode -o $PP_ARCHIVE
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# extract and copy provisioning profile(s)
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
tar xzvf $PP_ARCHIVE -C $RUNNER_TEMP
for PROVISION in `ls $RUNNER_TEMP/*.mobileprovision`
do
UUID=`/usr/libexec/PlistBuddy -c 'Print :UUID' /dev/stdin <<< $(security cms -D -i $PROVISION)`
cp $PROVISION ~/Library/MobileDevice/Provisioning\ Profiles/$UUID.mobileprovision
done
# echo some output
security find-identity -v -p codesigning
ls -l ~/Library/MobileDevice/Provisioning\ Profiles
# install google service info
echo -n "$GOOGLE_SERVICE_INFO" | base64 --decode -o GoogleService-Info.plist
- name: build archive
run: |
xcodebuild -scheme "simple-hn-reader" \
-archivePath $RUNNER_TEMP/simple-hn-reader.xcarchive \
-sdk iphoneos \
-configuration Debug \
-destination generic/platform=iOS \
-disableAutomaticPackageResolution \
clean archive
- name: export ipa
env:
EXPORT_OPTIONS_PLIST: ${{ secrets.EXPORT_OPTIONS_PLIST }}
run: |
EXPORT_OPTS_PATH=$RUNNER_TEMP/ExportOptions.plist
echo -n "$EXPORT_OPTIONS_PLIST" | base64 --decode -o $EXPORT_OPTS_PATH
xcodebuild -exportArchive -archivePath $RUNNER_TEMP/simple-hn-reader.xcarchive -exportOptionsPlist $EXPORT_OPTS_PATH -exportPath $RUNNER_TEMP/build
- name: Upload application
uses: actions/upload-artifact@v3
with:
name: app
path: ${{ runner.temp }}/build/simple-hn-reader.ipa
# you can also archive the entire directory
# path: ${{ runner.temp }}/build
retention-days: 3
scan:
runs-on: ubuntu-latest
outputs:
report_id: ${{ steps.upload.outputs.report_id }}
# The stage that builds the application.
needs: build_with_signing
steps:
- name: Checkout repository
uses: actions/checkout@v3
# NOTE: ripgrep is required for line-of-code identification.
- name: Install ripgrep
run: sudo apt-get install -y ripgrep
# Replace with whatever pulls the application file before we upload.
- name: Download application
uses: actions/download-artifact@v3
with:
# Generated in the "build" stage.
name: app
- id: upload
name: NowSecure upload app
uses: nowsecure/nowsecure-action/upload-app@v3
with:
platform_token: ${{ secrets.NS_TOKEN }}
# TODO: Replace application path.
app_file: "simple-hn-reader.ipa"
# TODO: Replace the Group ID.
group_id: "770531be-697c-4743-9b88-cda00baa20aa"
process:
if: ${{ needs.scan.outputs.report_id }}
runs-on: ubuntu-latest
# permission needed for upload-sarif@v2
permissions:
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
# The above stage we introduced.
needs: scan
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: NowSecure download report
uses: nowsecure/nowsecure-action/convert-sarif@v3
timeout-minutes: 60
with:
report_id: ${{ needs.scan.outputs.report_id }}
platform_token: ${{ secrets.NS_TOKEN }}
# TODO: Replace the Group ID.
group_id: "e864bd04-d411-47a0-b028-7a1627e32c2b"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: NowSecure.sarif