diff --git a/.github/renovate.json5 b/.github/renovate.json5 index ba848b42b..71995b374 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -5,6 +5,11 @@ "helpers:pinGitHubActionDigests", ], "branchConcurrentLimit": 15, + "github-actions": { + "fileMatch": [ + ".github/reusable-workflows/.+\\.ya?ml$", + ], + }, "packageRules": [ { matchDatasources: [ diff --git a/.github/reusable-workflows/setup-gradle/action.yml b/.github/reusable-workflows/setup-gradle/action.yml new file mode 100644 index 000000000..bdbd90cea --- /dev/null +++ b/.github/reusable-workflows/setup-gradle/action.yml 
@@ -0,0 +1,58 @@
+name: 'Setup Gradle'
+description: 'Checks out the repository and sets up Java and Gradle'
+inputs:
+ token:
+ description: 'token input for actions/checkout'
+ required: false
+ default: ${{ github.token }}
+ fetch-depth:
+ description: 'fetch-depth input for actions/checkout'
+ required: false
+ default: 1
+ ref:
+ description: 'ref input for actions/checkout'
+ required: false
+ java-version:
+ description: 'java-version input for actions/setup-java'
+ required: false
+ default: 20
+ gradle-version:
+ description: 'gradle-version input for actions/setup-java'
+ required: false
+ cache-read-only:
+ description: 'cache-read-only input for gradle/actions/setup-gradle'
+ required: false
+ default: ${{ github.event.repository != null && github.ref_name != github.event.repository.default_branch }}
+ dependency-graph:
+ description: 'dependency-graph input for gradle/actions/setup-gradle'
+ required: false
+ default: 'disabled'
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ fetch-depth: ${{ inputs.fetch-depth }}
+ ref: ${{ inputs.ref }}
+ token: ${{ inputs.token }}
+
+ - name: Set up JDK
+ uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+ with:
+ distribution: temurin
+ java-version: ${{ inputs.java-version }}
+
+ - name: Copy CI gradle.properties
+ shell: bash
+ run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties
+
+ - name: Setup Gradle
+ uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3
+ with:
+ add-job-summary: always
+ cache-read-only: ${{ inputs.cache-read-only }}
+ dependency-graph: ${{ inputs.dependency-graph }}
+ gradle-home-cache-cleanup: true
+ gradle-version: ${{ inputs.gradle-version }}
+ validate-wrappers: true
diff --git a/.github/workflows/codeql_analysis.yml b/.github/workflows/codeql_analysis.yml
index bc8497238..2ba0a94da 100644
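Review bot: The `Checkout repository` step passes `inputs.token` to actions/checkout without setting `persist-credentials`, so with that action's default the token stays in the checkout's git config for every later step, including the `./gradlew` runs the callers add after this action. Since the same action now fronts the release and publish workflows, consider exposing a pass-through input that defaults to off, e.g. `persist-credentials: ${{ inputs.persist-credentials }}` with `default: 'false'`, and opting in only from callers whose later steps push. Separately, the `gradle-version` description says 'gradle-version input for actions/setup-java', but the value is handed to `gradle/actions/setup-gradle`.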
--- a/.github/workflows/codeql_analysis.yml +++ b/.github/workflows/codeql_analysis.yml @@ -21,14 +21,8 @@ jobs: contents: read security-events: write steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin - java-version: 20 + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop - name: Initialize CodeQL uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 @@ -38,11 +32,8 @@ jobs: queries: +security-extended - name: Build project - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 - with: - gradle-home-cache-cleanup: true - cache-read-only: true - arguments: assembleNonFreeRelease + shell: bash + run: ./gradlew assembleNonFreeRelease - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 diff --git a/.github/workflows/deploy_github_releases.yml b/.github/workflows/deploy_github_releases.yml index bbcfb5def..a010e8eec 100644 --- a/.github/workflows/deploy_github_releases.yml +++ b/.github/workflows/deploy_github_releases.yml 
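Review bot: `uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop` resolves the composite action from the tip of `develop` at run time rather than from the commit being built, while every third-party action in these workflows is pinned to a digest. A pull request that edits action.yml is therefore not exercised by its own checks, and the release and publish jobs (deploy_github_releases.yml, deploy_library_releases.yml, deploy_snapshot.yml) take the steps that run before signing from whatever `develop` holds at that moment. Consider pinning the reference to a commit SHA, or moving the checkout back into each workflow and calling the action locally with `uses: ./.github/reusable-workflows/setup-gradle`. The same reference appears in every other workflow this commit touches.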
@@ -9,28 +9,18 @@ jobs: name: Build release binaries runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin - java-version: 20 + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop - name: Decrypt secrets + shell: bash run: scripts/signing-setup.sh "$ENCRYPT_KEY" env: ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }} - - name: Copy CI gradle.properties - run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties - - name: Build release binaries - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 - with: - arguments: :app:assembleFreeRelease :app:assembleNonFreeRelease :app:bundleNonFreeRelease - gradle-home-cache-cleanup: true + shell: bash + run: ./gradlew :app:assembleFreeRelease :app:assembleNonFreeRelease :app:bundleNonFreeRelease env: SENTRY_DSN: ${{ secrets.SENTRY_DSN }} @@ -103,7 +93,8 @@ jobs: - name: Get the version id: get_version - run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/} + shell: bash + run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT - name: Upload Non-Free Release Apk uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 diff --git a/.github/workflows/deploy_library_releases.yml b/.github/workflows/deploy_library_releases.yml index 04b2374b6..cdb1a2117 100644 --- a/.github/workflows/deploy_library_releases.yml +++ b/.github/workflows/deploy_library_releases.yml 
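Review bot: In the `Get the version` step the redirect target is left unquoted, `>> $GITHUB_OUTPUT`, although the value written is quoted. Writing it as `run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"` avoids word splitting on the path and is what shellcheck expects.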
@@ -8,20 +8,12 @@ jobs: publish-release: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin - java-version: 20 + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop - name: Upload binaries - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 - with: - arguments: --no-configuration-cache :autofill-parser:publishAllPublicationsToMavenCentralRepository - gradle-home-cache-cleanup: true + shell: bash + run: ./gradlew --no-configuration-cache :autofill-parser:publishAllPublicationsToMavenCentralRepository env: ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.NEXUS_PUBLISH_USERNAME }} ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.NEXUS_PUBLISH_PASSWORD }} diff --git a/.github/workflows/deploy_snapshot.yml b/.github/workflows/deploy_snapshot.yml index 3c185c01b..ccfea2d6a 100644 --- a/.github/workflows/deploy_snapshot.yml +++ b/.github/workflows/deploy_snapshot.yml 
@@ -18,40 +18,32 @@ jobs: runs-on: ubuntu-latest if: "!contains(github.event.head_commit.message, '[ci skip]')" steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop with: fetch-depth: 0 - - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin - java-version: 20 + dependency-graph: generate-and-submit - name: Decrypt secrets + shell: bash run: scripts/signing-setup.sh "$ENCRYPT_KEY" env: ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }} - - name: Copy CI gradle.properties - run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties - - name: Build release app - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 + shell: bash + run: ./gradlew collectFreeReleaseApks collectNonFreeReleaseApks bundleFreeRelease bundleNonFreeRelease -PsentryUploadMappings env: SNAPSHOT: "true" SENTRY_DSN: ${{ secrets.SENTRY_DSN }} SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} - with: - arguments: collectFreeReleaseApks collectNonFreeReleaseApks bundleFreeRelease bundleNonFreeRelease -PsentryUploadMappings - gradle-home-cache-cleanup: true - dependency-graph: generate-and-submit - name: Clean secrets + shell: bash run: scripts/signing-cleanup.sh - name: Deploy snapshot + shell: bash run: scripts/deploy-snapshot.sh env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/draft_new_release.yml b/.github/workflows/draft_new_release.yml index 95cb50a9b..fa0b7ab9b 100644 --- a/.github/workflows/draft_new_release.yml +++ b/.github/workflows/draft_new_release.yml 
@@ -32,26 +32,16 @@ jobs: echo "PR_BASE=release-${BRANCH_VERSION}" >> $GITHUB_ENV echo "PR_HEAD=release-prep" >> $GITHUB_ENV - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop with: ref: ${{ env.CHECKOUT_REF }} - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin - java-version: 20 - - name: Update changelog uses: thomaseizinger/keep-a-changelog-new-release@77ac767b2f7f6edf2ee72ab3364ed26667086f96 # 3.0.0 with: version: ${{ github.event.milestone.title }} - - name: Setup Gradle caching - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 - with: - gradle-home-cache-cleanup: true - - name: Initialize git config and commit changes shell: bash run: | diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 4129cd1d8..3141425e2 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
@@ -15,25 +15,12 @@ jobs: check-codestyle: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin - java-version: 20 - - - name: Copy CI gradle.properties - run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop - name: Check codestyle - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 - with: - arguments: ktfmtCheck - gradle-home-cache-cleanup: true + shell: bash + run: ./gradlew ktfmtCheck - name: Upload Kotlin build report if: "${{ always() }}" @@ -45,25 +32,12 @@ jobs: unit-tests: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin - java-version: 20 - - - name: Copy CI gradle.properties - run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop - name: Run unit tests - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 - with: - arguments: test -PslimTests - gradle-home-cache-cleanup: true + shell: bash + run: ./gradlew test -PslimTests - name: (Fail-only) Upload test report if: "${{ failure() }}" 
@@ -82,25 +56,12 @@ jobs: build-apks: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin - java-version: 20 - - - name: Copy CI gradle.properties - run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop - name: Build debug APKs - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 - with: - arguments: assembleFreeDebug assembleNonFreeDebug assembleNonFreeRelease - gradle-home-cache-cleanup: true + shell: bash + run: ./gradlew assembleFreeDebug assembleNonFreeDebug assembleNonFreeRelease - name: Upload Kotlin build report if: "${{ always() }}" @@ -112,25 +73,12 @@ jobs: check-api: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin - java-version: 20 - - - name: Copy CI gradle.properties - run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop - name: Check library API - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 - with: - arguments: metalavaCheckCompatibilityRelease - gradle-home-cache-cleanup: true + shell: bash + run: ./gradlew metalavaCheckCompatibilityRelease - name: Upload Kotlin build report if: "${{ always() }}" 
@@ -142,25 +90,12 @@ jobs: lint: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin - java-version: 20 - - - name: Copy CI gradle.properties - run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop - name: Run Lint - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 - with: - arguments: lint - gradle-home-cache-cleanup: true + shell: bash + run: ./gradlew lint - name: Upload Kotlin build report if: "${{ always() }}" diff --git a/.github/workflows/shadow_job.yml b/.github/workflows/shadow_job.yml index dac5e2be9..1b2959f07 100644 --- a/.github/workflows/shadow_job.yml +++ b/.github/workflows/shadow_job.yml @@ -16,6 +16,7 @@ jobs: - id: agp-version-finder uses: usefulness/agp-version-finder-action@59c81bc46c56a1a1255659027ca2db6047154952 # v1 - id: build-agp-matrix + shell: bash run: echo 'agp-versions=["${{ steps.agp-version-finder.outputs.latest-beta }}","${{ steps.agp-version-finder.outputs.latest-alpha }}"]' >> $GITHUB_OUTPUT shadow-job: 
@@ -33,30 +34,19 @@ jobs: runs-on: ubuntu-latest name: Run Gradle-${{ matrix.gradle-version }}, AGP-${{ matrix.agp-version }}, Java-${{ matrix.java-version }} steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop with: - fetch-depth: 0 - - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin + cache-read-only: true + gradle-version: ${{ matrix.gradle-version }} java-version: ${{ matrix.java-version }} - - name: Copy CI gradle.properties - run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties - - name: Run checks - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 + shell: bash + run: ./gradlew check env: DEP_OVERRIDE: true DEP_OVERRIDE_agp: ${{ matrix.agp-version }} - with: - arguments: check - gradle-version: ${{ matrix.gradle-version }} - gradle-home-cache-cleanup: true - cache-read-only: true results: if: ${{ always() }} @@ -67,12 +57,14 @@ jobs: - name: Report failure to healthchecks.io # see https://stackoverflow.com/a/67532120/4907315 if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }} + shell: bash run: curl --retry 3 "https://hc-ping.com/${HC_PING_SLUG}/fail" env: HC_PING_SLUG: ${{ secrets.HC_PING_SLUG }} - name: Report success to healthchecks.io if: ${{ contains(needs.*.result, 'success') }} + shell: bash + run: curl --retry 3 "https://hc-ping.com/${HC_PING_SLUG}" env: HC_PING_SLUG: ${{ secrets.HC_PING_SLUG }} - run: curl --retry 3 "https://hc-ping.com/${HC_PING_SLUG}" diff --git a/.github/workflows/sync_crowdin.yml b/.github/workflows/sync_crowdin.yml index aec71aa75..473bc6bee 100644 --- a/.github/workflows/sync_crowdin.yml +++ b/.github/workflows/sync_crowdin.yml 
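Review bot: `run: ./gradlew check` invokes the Gradle wrapper, which runs the version recorded in the wrapper properties, so the `gradle-version: ${{ matrix.gradle-version }}` now passed to the setup action is, as far as I can tell, installed on PATH but never used by this step. The old step gave `arguments: check` and `gradle-version` to setup-gradle together, which ran the check on the matrix version, and the job name still advertises `Gradle-${{ matrix.gradle-version }}`. If the matrix is meant to exercise other Gradle versions, call the provisioned binary instead: `run: gradle check`.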
@@ -8,20 +8,12 @@ jobs: sync-crowdin: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin - java-version: 20 + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop - name: Download new translations from Crowdin - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 - with: - arguments: --no-configuration-cache crowdin - gradle-home-cache-cleanup: true + shell: bash + run: ./gradlew --no-configuration-cache crowdin env: CROWDIN_LOGIN: ${{ secrets.CROWDIN_LOGIN }} CROWDIN_PROJECT_KEY: ${{ secrets.CROWDIN_PROJECT_KEY }} diff --git a/.github/workflows/update_publicsuffix_data.yml b/.github/workflows/update_publicsuffix_data.yml index ac340177d..22b907a54 100644 --- a/.github/workflows/update_publicsuffix_data.yml +++ b/.github/workflows/update_publicsuffix_data.yml 
@@ -8,30 +8,21 @@ jobs: update-publicsuffix-data: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - distribution: temurin - java-version: 20 + - name: Setup build environment + uses: android-password-store/android-password-store/.github/reusable-workflows/setup-gradle@develop - name: Download new publicsuffix data - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 - with: - arguments: updatePSL - gradle-home-cache-cleanup: true + shell: bash + run: ./gradlew updatePSL - name: Check if PR is required + shell: bash run: if [[ $(git status -s) != '' ]]; then echo "UPDATED=true" >> $GITHUB_ENV; fi - name: Verify update publicsuffixes file - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3 if: "${{ env.UPDATED == 'true' }}" - with: - arguments: :autofill-parser:test -PslimTests - gradle-home-cache-cleanup: true + shell: bash + run: ./gradlew :autofill-parser:test -PslimTests - name: Create Pull Request id: cpr diff --git a/.github/workflows/validate_gradle_wrapper.yml b/.github/workflows/validate_gradle_wrapper.yml deleted file mode 100644 index 90273365f..000000000 --- a/.github/workflows/validate_gradle_wrapper.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -name: Validate Gradle Wrapper -on: - push: - branches: - - develop - paths: - - ".github/workflows/validate_gradle_wrapper.yml" - - "gradle/**" - - "gradlew" - - "gradlew.bat" - pull_request: - paths: - - ".github/workflows/validate_gradle_wrapper.yml" - - "gradle/**" - - "gradlew" - - "gradlew.bat" - -jobs: - validation: - name: Wrapper validation - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Validate Gradle Wrapper - uses: gradle/wrapper-validation-action@460a3ca55fc5d559238a0efc7fa9f7465df8585d # v3.3.0