From 3d7bad5649d3ac4d5307bfd53538db5715c6ae77 Mon Sep 17 00:00:00 2001
From: John Maguire
Date: Wed, 31 Jan 2024 15:42:45 -0500
Subject: [PATCH] Fix Github PAT appearing in Android and iOS app builds (#151)

Also adds a regression test.
---
 .github/workflows/release.yml | 44 ++++++++++++++++++++++++++++-------
 1 file changed, 35 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e4b4d17..da7ad50 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -37,11 +37,6 @@ jobs:
       - name: Check out code
         uses: actions/checkout@v3
 
-      - name: Configure git for private modules
-        env:
-          TOKEN: ${{ secrets.MACHINE_USER_PAT }}
-        run: git config --global url."https://defined-machine:${TOKEN}@github.com".insteadOf "https://github.com"
-
       - name: Install the appstore connect key material
         env:
           AC_API_KEY_SECRET_BASE64: ${{ secrets.AC_API_KEY_SECRET_BASE64 }}
@@ -58,20 +53,28 @@ jobs:
           GOOGLE_PLAY_API_JWT_PATH="$RUNNER_TEMP/gp_api.json"
           echo "GOOGLE_PLAY_API_JWT_PATH=$GOOGLE_PLAY_API_JWT_PATH" >> $GITHUB_ENV
           echo -n "$GOOGLE_PLAY_API_JWT_BASE64" | base64 --decode --output "$GOOGLE_PLAY_API_JWT_PATH"
-          
+
           GOOGLE_PLAY_KEYSTORE_PATH="$RUNNER_TEMP/gp_signing.jks"
           echo "GOOGLE_PLAY_KEYSTORE_PATH=$GOOGLE_PLAY_KEYSTORE_PATH" >> $GITHUB_ENV
           echo -n "$GOOGLE_PLAY_KEYSTORE_BASE64" | base64 --decode --output "$GOOGLE_PLAY_KEYSTORE_PATH"
 
+      - name: Place Github token for fastlane match
+        env:
+          TOKEN: ${{ secrets.MACHINE_USER_PAT }}
+        run:
+          echo "MATCH_GIT_BASIC_AUTHORIZATION=$(echo -n "defined-machine:${TOKEN}" | base64)" >> $GITHUB_ENV
+
       - name: Get build name and number, install dependencies
+        env:
+          TOKEN: ${{ secrets.MACHINE_USER_PAT }}
         run: |
           go install golang.org/x/mobile/cmd/gomobile@latest
           gomobile init
-          
+
           flutter pub get
-          
+
           touch env.sh
-          
+
           cd android
           fastlane release_build_number
           echo "BUILD_NUMBER=$(cat ../release_build_number)" >> $GITHUB_ENV
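Review bot: The value written to `MATCH_GIT_BASIC_AUTHORIZATION` in the new "Place Github token for fastlane match" step is a base64 form of the PAT, and because it goes through `$GITHUB_ENV` it is present in every later step of the job — the same job-wide exposure the removed git-config step had, just for a different consumer. GitHub masks only the raw secret in logs, not derived values, so compute it into a variable, mask it, then export it: `AUTH=$(echo -n "defined-machine:${TOKEN}" | base64)`, `echo "::add-mask::$AUTH"`, `echo "MATCH_GIT_BASIC_AUTHORIZATION=$AUTH" >> $GITHUB_ENV`. That step's `run:` is also a bare plain scalar on the following line rather than `run: |` like the rest of the file; `run: |` keeps the style consistent and avoids silent folding if a second command is ever added. The `TOKEN` env added to the "Get build name and number, install dependencies" step is not referenced by any visible line of its script, which continues past the hunk; if the remaining lines do not need it either, it should be dropped so the PAT is only in the environment of steps that use it.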
@@ -81,11 +84,23 @@ jobs:
 
       - name: Build iOS
         env:
+          TOKEN: ${{ secrets.MACHINE_USER_PAT }}
           MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
         run: |
           cd ios
           pod install
           fastlane build
+          cd -
+
+          # verify that the github token didn't make it into the output
+          mkdir -p build/app/test-ios
+          cp ios/MobileNebula.ipa build/app/test-ios
+          cd build/app/test-ios
+          unzip MobileNebula.ipa
+          if find . | xargs strings 2>/dev/null | grep -qF "${TOKEN}" ; then
+            echo "Token found in iOS build"
+            exit 1
+          fi
 
       - name: Collect iOS artifacts
         uses: actions/upload-artifact@v3
@@ -96,11 +111,22 @@ jobs:
 
       - name: Build Android
         env:
+          TOKEN: ${{ secrets.MACHINE_USER_PAT }}
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
           GOOGLE_PLAY_KEYSTORE_PASSWORD: ${{ secrets.GOOGLE_PLAY_KEYSTORE_PASSWORD }}
         run: |
           flutter build appbundle --build-number="$BUILD_NUMBER" --build-name="$BUILD_NAME"
 
+          # verify that the github token didn't make it into the output
+          mkdir -p build/app/test-android
+          cp build/app/outputs/bundle/release/app-release.aab build/app/test-android
+          cd build/app/test-android
+          unzip app-release.aab
+          if find . | xargs strings 2>/dev/null | grep -qF "${TOKEN}" ; then
+            echo "Token found in Android build"
+            exit 1
+          fi
+
       - name: Collect Android artifacts
         uses: actions/upload-artifact@v3
         with:
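Review bot: The regression check `grep -qF "${TOKEN}"` in the iOS build step looks only for the raw PAT, but after the "Place Github token for fastlane match" step the job environment also carries `MATCH_GIT_BASIC_AUTHORIZATION`, the base64 form of `defined-machine:${TOKEN}`, and a build that embedded that variable would pass this test unnoticed. Checking both forms, and feeding `strings` only regular files, closes the gap: `if find . -type f -print0 | xargs -0 strings 2>/dev/null | grep -qF -e "${TOKEN}" -e "${MATCH_GIT_BASIC_AUTHORIZATION}"; then` — the plain `find . | xargs strings` currently hands directory names and whitespace-split paths to `strings`, with the errors hidden by `2>/dev/null`. If `TOKEN` is empty (secret unavailable, as on a fork), `grep -F ""` matches every line and the step fails with the misleading "Token found" message, so a `test -n "${TOKEN}"` guard before the scan would make that case explicit. The scan is a heuristic — it sees only contiguous printable runs in the extracted files, not nested archives or compressed resources — and a comment stating that above the `if` would keep later readers from treating a pass as proof. The same points apply to the Android check in the following hunk.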