Merge branch 'main' of https://github.com/thunderbird/thunderbird-and…

…roid into add_expand_accessibility
thunderbird · Dec 18, 2024 · 8a1ce1d · 8a1ce1d
2 parents 711d090 + d579dc0
commit 8a1ce1d
Show file tree

Hide file tree

Showing 11 changed files with 330 additions and 15 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1 +1,3 @@
 * @cketti @wmontwe
+/.github/ @coreycb @jfx2006 @dandarnell
+
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -3,6 +3,7 @@ name: CodeQL - Code scanning
 on:
   schedule:
     - cron: '0 10 * * 1'
+  workflow_dispatch:
 
 jobs:
   codeql-scan:
@@ -28,13 +29,13 @@ jobs:
         with:
           cache-read-only: true
 
-      - uses: github/codeql-action/init@36b4953ccc146c80e767661afed94af92787aa99 # v3.27.7
+      - uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
         with:
           languages: java
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@6b4953ccc146c80e767661afed94af92787aa99 # v3.27.7
+        uses: github/codeql-action/autobuild@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@6b4953ccc146c80e767661afed94af92787aa99 # v3.27.7
+        uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
 
diff --git a/.github/workflows/daily_builds.yml b/.github/workflows/daily_builds.yml
@@ -7,6 +7,7 @@ on:
 
 jobs:
   trigger_daily_build:
+    if: ${{ github.repository_owner == 'thunderbird' }}
     uses: ./.github/workflows/shippable_builds.yml
     secrets: inherit
     permissions:

diff --git a/.github/workflows/fluidscan.yml b/.github/workflows/fluidscan.yml
@@ -0,0 +1,37 @@
+name: Fluidattacks - Code scanning
+on:
+  schedule:
+    - cron: '0 10 * * 1'
+  workflow_dispatch:
+
+jobs:
+  fluidattacks-scan:
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
+        with:
+          persist-credentials: false
+
+      - name: "Run Fluidattacks scanner"
+        run: |
+          bash scripts/run-fluidattacks-scanner.sh
+
+      - name: "Upload scan results"
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: SARIF scan results
+          path: fluidscan-results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
+        with:
+          sarif_file: fluidscan-results.sarif
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,64 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '19 22 * * 3'
+  push:
+    branches: [ "main" ]
+  workflow_dispatch:
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/shippable_builds.yml b/.github/workflows/shippable_builds.yml
@@ -152,7 +152,7 @@ jobs:
   notify_build_start:
     name: Notify Build Start
     runs-on: ubuntu-latest
-    needs: [dump_config]
+    needs: [ dump_config ]
     if: ${{ needs.dump_config.outputs.releaseType == 'beta' || needs.dump_config.outputs.releaseType == 'release' }}
     environment: notify_matrix
     outputs:
@@ -188,7 +188,7 @@ jobs:
   release_commit:
     name: Release Bumps
     runs-on: ubuntu-latest
-    needs: [dump_config, get_environment]
+    needs: [ dump_config, get_environment ]
     environment: ${{ needs.get_environment.outputs.releaseEnv }}
     strategy:
       max-parallel: 1
@@ -428,7 +428,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 90
     if: ${{ !failure() && !cancelled() }} # Run if release_commit is skipped
-    needs: [dump_config, get_environment, release_commit]
+    needs: [ dump_config, get_environment, release_commit ]
     strategy:
       matrix:
         include: "${{ fromJSON(needs.dump_config.outputs.matrixInclude) }}"
@@ -558,7 +558,7 @@ jobs:
     name: Sign Packages
     runs-on: ubuntu-latest
     if: ${{ !failure() && !cancelled() }} # Run if previous step is skipped
-    needs: [build_unsigned, dump_config]
+    needs: [ build_unsigned, dump_config ]
     strategy:
       matrix:
         include: "${{ fromJSON(needs.dump_config.outputs.matrixInclude) }}"
@@ -605,7 +605,7 @@ jobs:
 
   notify_pre_publish:
     name: Notify Publish Approval
-    needs: [dump_config, sign_mobile, notify_build_start]
+    needs: [ dump_config, sign_mobile, notify_build_start ]
     if: "${{ contains(fromJSON('[\"beta\", \"release\"]'), needs.dump_config.outputs.releaseType) }}"
     runs-on: ubuntu-latest
     environment: notify_matrix
@@ -624,7 +624,7 @@ jobs:
     # The environment has a deployment protection rule requiring approval from a set of named reviewers
     # before proceeding.
     name: Wait for Approval
-    needs: [dump_config, sign_mobile]
+    needs: [ dump_config, sign_mobile ]
     if: "${{ contains(fromJSON('[\"beta\", \"release\"]'), needs.dump_config.outputs.releaseType) }}"
     environment: publish_hold
     runs-on: ubuntu-latest
@@ -636,7 +636,7 @@ jobs:
 
   publish_release:
     name: Publish Release
-    needs: [pre_publish, dump_config, release_commit]
+    needs: [ pre_publish, dump_config, release_commit ]
     if: ${{ !failure() && !cancelled() }} # Run if previous step is skipped
     runs-on: ubuntu-latest
     strategy:
@@ -794,8 +794,7 @@ jobs:
               ${APP_NAME^} ${VERSION_NAME} (${VERSION_CODE}) Daily Build
 
               The Daily version is an unstable testing and development platform, make sure you back up important data regularly!
-              If you find any issues, get in touch at https://github.com/thunderbird/thunderbird-android/issues/ and find us on Matrix at https://matrix.to/#/#tb-android-dev:mozilla.org
-              Be prepared to debug the code in Android Studio :-)
+              If you find any issues, get in touch at https://github.com/thunderbird/thunderbird-android/issues/
 
               - Built from GitHub commit: ${COMMIT_URL}
               - Built with GitHub workflow: ${WORKFLOW_URL}
@@ -940,6 +939,7 @@ jobs:
           playTargetTrack: ${{ matrix.playTargetTrack }}
           applicationId: ${{ steps.pkginfo.outputs.APPLICATION_ID }}
           releaseTarget: ${{ matrix.releaseTarget }}
+          releaseType: ${{ env.RELEASE_TYPE }}
           appSha: ${{ steps.shanotes.outputs.app_sha }}
           appName: ${{ matrix.appName }}
           skipGooglePlay: ${{ inputs.skipGooglePlay }}
@@ -979,11 +979,12 @@ jobs:
 
             if (process.env.skipFtp != "true" && process.env.releaseTarget.includes("ftp") && process.env.packageFormat == 'apk') {
               await core.summary
-                .addRaw(`Published to FTP at `)
+                .addRaw(`Published to FTP at`)
+                .addEOL()
                 .addLink(process.env.ftpUrlPath, process.env.ftpUrlPath)
                 .addEOL();
 
-              if (needs.dump_config.outputs.releaseType === 'daily') {
+              if (process.env.releaseType == 'daily') {
                 await core.summary
                   .addLink(process.env.ftpUrlPathNightlyLatest, process.env.ftpUrlPathNightlyLatest)
                   .addEOL();
@@ -994,7 +995,7 @@ jobs:
   notify_build_result:
     name: Notify Build Result
     if: ${{ always() }}
-    needs: [dump_config, release_commit, build_unsigned, sign_mobile, publish_release, notify_build_start]
+    needs: [ dump_config, release_commit, build_unsigned, sign_mobile, publish_release, notify_build_start ]
     runs-on: ubuntu-latest
     environment: notify_matrix
     steps:

diff --git a/.github/workflows/validate-gradle.yml b/.github/workflows/validate-gradle.yml
@@ -0,0 +1,13 @@
+name: "Validate Gradle Wrapper"
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  validate-gradle:
+    name: "validate-gradle"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: gradle/actions/wrapper-validation@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1
diff --git a/.github/workflows/validate-workflows.yml b/.github/workflows/validate-workflows.yml
@@ -0,0 +1,28 @@
+name: "Validate Workflows"
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      dryRun:
+        type: boolean
+        description: Dry run
+        default: true
+      debug:
+        type: boolean
+        description: Debug mode
+        default: false
+
+jobs:
+  validate-workflows:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Ensure GitHub actions are SHA pinned
+        env:
+          DRY_RUN: ${{ !inputs.dryRun && '--no-dry-run' || '' }}
+          DEBUG: ${{ inputs.debug && '--debug' || '' }}
+        run: |
+          bash scripts/validate-github-actions-pinned.sh $DRY_RUN $DEBUG
diff --git a/config/fluidattacks/config.yaml b/config/fluidattacks/config.yaml
@@ -0,0 +1,28 @@
+# Taken from: https://appdefensealliance.dev/casa/tier-2/ast-guide/static-scan
+# as that is out of date, updated to the latest version of the scanner, see below
+# https://help.fluidattacks.com/portal/en/kb/articles/validate-casa-tier-2-requirements
+namespace: thunderbird-android
+working_dir: /repo
+language: EN
+output:
+  file_path: /repo/fluidscan-results.sarif
+  format: SARIF
+#apk:
+#  include:
+#    - ./app-k9mail/build/outputs/apk/foss/release/app-k9mail-foss-release.apk
+#    - ./app-k9mail/build/outputs/apk/full/release/app-k9mail-full-release.apk
+#    - ./app-thunderbird/build/outputs/apk/foss/release/app-thunderbird-full-release.apk
+#    - ./app-thunderbird/build/outputs/apk/foss/release/app-thunderbird-full-release.apk
+sast:
+  include:
+    - .
+  exclude:
+    - glob(**/build/**)
+    - glob(**/test/**)
+sca:
+  include:
+    - .
+  exclude:
+    - glob(**/test/**)
+file_size_limit: false
+tracing_opt_out: true
diff --git a/scripts/run-fluidattacks-scanner.sh b/scripts/run-fluidattacks-scanner.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+function fail() {
+  echo "Error: $*"
+  exit 1
+}
+
+# Check if tools are installed
+command -v docker &> /dev/null || fail "Docker is not installed"
+
+# Default values
+debug=false
+
+# Parse command-line arguments
+for arg in "$@"; do
+  case $arg in
+    --debug)
+      debug=true
+      shift
+      ;;
+    *)
+      fail "Unknown argument: $arg"
+      ;;
+  esac
+done
+
+if [ "$debug" = true ]; then
+  docker run --rm -v "$(pwd)":/repo -it fluidattacks/cli:latest /bin/bash
+  exit
+fi
+docker run --rm -v "$(pwd)":/repo fluidattacks/cli:latest skims scan /repo/config/fluidattacks/config.yaml
Original file line number	Diff line number	Diff line change
		@@ -1 +1,3 @@
		* @cketti @wmontwe
		/.github/ @coreycb @jfx2006 @dandarnell