Update check.yml, codeql.yml, and 2 more files...

2024-09-14 18:32:47 +02:00 · 2024-09-14 18:32:47 +02:00 · fad079b718
commit fad079b718
parent 759b719f8a
4 changed files with 98 additions and 118 deletions
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -1,36 +0,0 @@
 name: Quality check
 on:
  push:
    branches:
      - develop
  pull_request:
    types: [ opened, synchronize, reopened ]
 permissions:
  contents: read
 jobs:
  build:
    name: Check code quality.
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit
      - name: Clone the repository.
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Get packages for the Flutter project.
        run: scripts/pub_get_all.sh
      - name: Update the flutter version file.
        run: scripts/update_flutter_version.sh
      - name: Static analysis.
        run: ./flutterw analyze
      - name: Unit tests.
        run: ./flutterw test
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -1,71 +0,0 @@
 name: "CodeQL Advanced"
 on:
  push:
    branches: [ "develop", "main" ]
  pull_request:
    branches: [ "develop", "main" ]
  schedule:
    - cron: '17 8 * * 3'
 # Declare default permissions as read only.
 permissions: read-all
 jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      # required for all workflows
      security-events: write
      # required to fetch internal or private CodeQL packs
      packages: read
    strategy:
      fail-fast: false
      matrix:
        include:
        - language: java-kotlin
          build-mode: manual
        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
    steps:
    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Get packages for the Flutter project.
      run: scripts/pub_get_all.sh
    - name: Update the flutter version file.
      run: scripts/update_flutter_version.sh
    - name: Static analysis.
      run: ./flutterw analyze
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        build-mode: ${{ matrix.build-mode }}
    # # ℹ️ Command-line programs to run using the OS shell.
    # # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
    # - if: matrix.build-mode == 'manual'
    #   shell: bash
    #   run: |
    #     echo 'If you are using a "manual" build mode for one or more of the' \
    #       'languages you are analyzing, replace this with the commands to build' \
    #       'your code, for example:'
    #     echo '  make bootstrap'
    #     echo '  make release'
    #     exit 1
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{matrix.language}}"
--- a/.github/workflows/quality-check.yml
+++ b/.github/workflows/quality-check.yml
@ -0,0 +1,89 @@
 name: Quality check
 on:
  push:
    branches: [ "develop", "main" ]
  pull_request:
    branches: [ "develop", "main" ]
    types: [ opened, synchronize, reopened ]
  schedule:
    - cron: '17 8 * * 3'
 # Declare default permissions as read only.
 permissions: read-all
 jobs:
  analyze_flutter:
    name: Flutter static analysis and tests.
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit
      - name: Checkout repository.
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Get packages for the Flutter project.
        run: scripts/pub_get_all.sh
      - name: Static analysis.
        run: ./flutterw analyze
      - name: Unit tests.
        run: ./flutterw test
  analyze_codeql:
    name: Analyze (${{ matrix.language }}) with CodeQL.
    runs-on: ubuntu-latest
    permissions:
      # required for all workflows
      security-events: write
      # required to fetch internal or private CodeQL packs
      packages: read
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: java-kotlin
            build-mode: manual
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit
      # Building relies on the Android Gradle plugin,
      # which requires a modern Java version (not the default one).
      - name: Set up JDK for Android Gradle plugin.
        uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Get packages for the Flutter project.
        run: scripts/pub_get_all.sh
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      - if: matrix.build-mode == 'manual'
        shell: bash
        run: |
          scripts/apply_flavor_play.sh
          ./flutterw build apk -t lib/main_play.dart --flavor play
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -20,12 +20,15 @@ jobs:
        with:
          egress-policy: audit
-      - uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0
+      # Building relies on the Android Gradle plugin,
      # which requires a modern Java version (not the default one).
      - name: Set up JDK for Android Gradle plugin.
        uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0
        with:
-          distribution: 'zulu'
+          distribution: 'temurin'
-          java-version: '17'
+          java-version: '21'
-      - name: Clone the repository.
+      - name: Checkout repository.
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Get packages for the Flutter project.
@ -34,12 +37,6 @@ jobs:
      - name: Update the flutter version file.
        run: scripts/update_flutter_version.sh
      - name: Static analysis.
        run: ./flutterw analyze
      - name: Unit tests.
        run: ./flutterw test
      - name: Build signed artifacts.
        # `KEY_JKS` should contain the result of:
        # gpg -c --armor keystore.jks
@ -98,7 +95,8 @@ jobs:
        with:
          egress-policy: audit
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository.
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Get appbundle from artifacts.
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8