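---
# Builds and signs the iOS app on a macOS runner, hands the .ipa to a
# NowSecure dynamic scan on Linux, and publishes the resulting SARIF to
# GitHub code scanning. Three jobs, chained with `needs`.
name: "Build and scan - dynamic scan"

on:  # yamllint disable-line rule:truthy
  # manual trigger but change to any supported event
  # see addl: https://www.andrewhoog.com/post/how-to-build-react-native-android-app-with-github-actions/#3-run-build-workflow
  workflow_dispatch:
  # new pull requests
  # NOTE: the signing step reads repository secrets. GitHub does not expose
  # secrets to pull_request runs from forks, so those runs stop at the
  # certificate import with an explicit "secret ... is not set" error.
  pull_request:
    branches:
      - main
  # new releases or pre-releases
  release:
    types: [published]

# Least privilege for the default GITHUB_TOKEN: nothing in build or scan
# writes back to the repository. A job-level `permissions` block replaces
# this one entirely, which the `process` job relies on for its SARIF upload.
permissions:
  contents: read

jobs:
  build_with_signing:
    runs-on: macos-latest
    steps:
      # this was more debug as was curious what came pre-installed
      # GitHub shares this online, e.g. https://github.com/actions/runner-images/blob/macOS-12/20230224.1/images/macos/macos-12-Readme.md
      - name: checkout repository
        # Actions are referenced by mutable tag throughout this file. Pinning
        # each `uses:` to a full commit SHA removes the risk of a retagged or
        # compromised upstream release running with these secrets in scope.
        uses: actions/checkout@v3
      - name: Install the Apple certificate and provisioning profile
        env:
          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
          PROVISION_PROFILES_BASE64: ${{ secrets.PROVISION_PROFILES_BASE64 }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
          GOOGLE_SERVICE_INFO: ${{ secrets.GOOGLE_SERVICE_INFO }}
        run: |
          # default shell is `bash -e` only; pipefail catches a failing
          # producer in the `echo | base64` pipes below.
          set -euo pipefail
          shopt -s nullglob
          # fail early with a clear message rather than importing an empty file
          : "${BUILD_CERTIFICATE_BASE64:?secret BUILD_CERTIFICATE_BASE64 is not set}"
          : "${PROVISION_PROFILES_BASE64:?secret PROVISION_PROFILES_BASE64 is not set}"
          : "${KEYCHAIN_PASSWORD:?secret KEYCHAIN_PASSWORD is not set}"
          # create variables
          CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
          PP_ARCHIVE="$RUNNER_TEMP/mobile_pp.tgz"
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          PP_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
          # import certificate and provisioning profile from secrets
          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o "$CERTIFICATE_PATH"
          echo -n "$PROVISION_PROFILES_BASE64" | base64 --decode -o "$PP_ARCHIVE"
          # create temporary keychain; -lut locks it after 21600 s (6 h) of inactivity
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # import certificate to keychain. -A lets any application use the
          # private key without a prompt, which xcodebuild needs on a headless
          # runner; the cleanup step below deletes the keychain afterwards.
          security import "$CERTIFICATE_PATH" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security list-keychains -d user -s "$KEYCHAIN_PATH"
          # extract and copy provisioning profile(s), one file per profile UUID
          mkdir -p "$PP_DIR"
          tar xzvf "$PP_ARCHIVE" -C "$RUNNER_TEMP"
          for PROVISION in "$RUNNER_TEMP"/*.mobileprovision
          do
            UUID=$(/usr/libexec/PlistBuddy -c 'Print :UUID' /dev/stdin <<< "$(security cms -D -i "$PROVISION")")
            cp "$PROVISION" "$PP_DIR/$UUID.mobileprovision"
          done
          # echo some output
          security find-identity -v -p codesigning
          ls -l "$PP_DIR"
          # install google service info (written into the checked-out workspace)
          echo -n "$GOOGLE_SERVICE_INFO" | base64 --decode -o GoogleService-Info.plist
      - name: build archive
        run: |
          set -euo pipefail
          xcodebuild -scheme "simple-hn-reader" \
            -archivePath "$RUNNER_TEMP/simple-hn-reader.xcarchive" \
            -sdk iphoneos \
            -configuration Debug \
            -destination generic/platform=iOS \
            -disableAutomaticPackageResolution \
            clean archive
      - name: export ipa
        env:
          EXPORT_OPTIONS_PLIST: ${{ secrets.EXPORT_OPTIONS_PLIST }}
        run: |
          set -euo pipefail
          : "${EXPORT_OPTIONS_PLIST:?secret EXPORT_OPTIONS_PLIST is not set}"
          EXPORT_OPTS_PATH="$RUNNER_TEMP/ExportOptions.plist"
          echo -n "$EXPORT_OPTIONS_PLIST" | base64 --decode -o "$EXPORT_OPTS_PATH"
          xcodebuild -exportArchive \
            -archivePath "$RUNNER_TEMP/simple-hn-reader.xcarchive" \
            -exportOptionsPlist "$EXPORT_OPTS_PATH" \
            -exportPath "$RUNNER_TEMP/build"
      - name: Upload application
        uses: actions/upload-artifact@v3
        with:
          name: app
          path: ${{ runner.temp }}/build/simple-hn-reader.ipa
          # you can also archive the entire directory
          # path: ${{ runner.temp }}/build
          retention-days: 3
      # The decoded certificate, profiles and the keychain are signing
      # material. Hosted runners are discarded, but a self-hosted runner is
      # not, so remove them regardless of how the earlier steps ended.
      - name: Clean up signing material
        if: ${{ always() }}
        run: |
          security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" || true
          rm -f "$RUNNER_TEMP/build_certificate.p12" "$RUNNER_TEMP/mobile_pp.tgz" \
            "$RUNNER_TEMP/ExportOptions.plist" "$RUNNER_TEMP"/*.mobileprovision
  scan:
    runs-on: ubuntu-latest
    outputs:
      # consumed by the `process` job to fetch the finished report
      report_id: ${{ steps.upload.outputs.report_id }}
    # The stage that builds the application.
    needs: build_with_signing
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      # NOTE: ripgrep is required for line-of-code identification.
      - name: Install ripgrep
        # refresh the package index first; a stale image index makes install fail
        run: sudo apt-get update && sudo apt-get install -y ripgrep
      # Replace with whatever pulls the application file before we upload.
      - name: Download application
        uses: actions/download-artifact@v3
        with:
          # Generated in the "build" stage.
          name: app
      - id: upload
        name: NowSecure upload app
        uses: nowsecure/nowsecure-action/upload-app@v3
        with:
          platform_token: ${{ secrets.NS_TOKEN }}
          # TODO: Replace application path.
          app_file: "simple-hn-reader.ipa"
          # TODO: Replace the Group ID.
          group_id: "770531be-697c-4743-9b88-cda00baa20aa"
  process:
    # skip when the upload step produced no report id
    if: ${{ needs.scan.outputs.report_id }}
    runs-on: ubuntu-latest
    # permission needed for upload-sarif@v2
    permissions:
      # required for all workflows
      security-events: write
      # only required for workflows in private repositories
      actions: read
      contents: read
    # The above stage we introduced.
    needs: scan
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: NowSecure download report
        uses: nowsecure/nowsecure-action/convert-sarif@v3
        # polls until the dynamic scan finishes; bound it so a stuck scan
        # cannot hold the runner indefinitely
        timeout-minutes: 60
        with:
          report_id: ${{ needs.scan.outputs.report_id }}
          platform_token: ${{ secrets.NS_TOKEN }}
          # TODO: Replace the Group ID.
          # NOTE(review): this value differs from the group_id used by the
          # upload step in the `scan` job — confirm both are intended.
          group_id: "e864bd04-d411-47a0-b028-7a1627e32c2b"
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: NowSecure.sarif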