Fix Github PAT appearing in Android and iOS app builds (#151)

Also adds a regression test.

.github/workflows/release.yml

@@ -37,11 +37,6 @@ jobs:
       - name: Check out code
         uses: actions/checkout@v3
 
-      - name: Configure git for private modules
-        env:
-          TOKEN: ${{ secrets.MACHINE_USER_PAT }}
-        run: git config --global url."https://defined-machine:${TOKEN}@github.com".insteadOf "https://github.com"
-
       - name: Install the appstore connect key material
         env:
           AC_API_KEY_SECRET_BASE64: ${{ secrets.AC_API_KEY_SECRET_BASE64 }}
@@ -58,20 +53,28 @@ jobs:
           GOOGLE_PLAY_API_JWT_PATH="$RUNNER_TEMP/gp_api.json"
           echo "GOOGLE_PLAY_API_JWT_PATH=$GOOGLE_PLAY_API_JWT_PATH" >> $GITHUB_ENV
           echo -n "$GOOGLE_PLAY_API_JWT_BASE64" | base64 --decode --output "$GOOGLE_PLAY_API_JWT_PATH"
-          
+
           GOOGLE_PLAY_KEYSTORE_PATH="$RUNNER_TEMP/gp_signing.jks"
           echo "GOOGLE_PLAY_KEYSTORE_PATH=$GOOGLE_PLAY_KEYSTORE_PATH" >> $GITHUB_ENV
           echo -n "$GOOGLE_PLAY_KEYSTORE_BASE64" | base64 --decode --output "$GOOGLE_PLAY_KEYSTORE_PATH"
 
+      - name: Place Github token for fastlane match
+        env:
+          TOKEN: ${{ secrets.MACHINE_USER_PAT }}
+        run:
+          echo "MATCH_GIT_BASIC_AUTHORIZATION=$(echo -n "defined-machine:${TOKEN}" | base64)" >> $GITHUB_ENV
+
       - name: Get build name and number, install dependencies
+        env:
+          TOKEN: ${{ secrets.MACHINE_USER_PAT }}
         run: |
           go install golang.org/x/mobile/cmd/gomobile@latest
           gomobile init
-          
+
           flutter pub get
-          
+
           touch env.sh
-          
+
           cd android
           fastlane release_build_number
           echo "BUILD_NUMBER=$(cat ../release_build_number)" >> $GITHUB_ENV
@@ -81,11 +84,23 @@ jobs:
 
       - name: Build iOS
         env:
+          TOKEN: ${{ secrets.MACHINE_USER_PAT }}
           MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
         run: |
           cd ios
           pod install
           fastlane build
+          cd -
+
+          # verify that the github token didn't make it into the output
+          mkdir -p build/app/test-ios
+          cp ios/MobileNebula.ipa build/app/test-ios
+          cd build/app/test-ios
+          unzip MobileNebula.ipa
+          if find . | xargs strings 2>/dev/null | grep -qF "${TOKEN}" ; then
+            echo "Token found in iOS build"
+            exit 1
+          fi
 
       - name: Collect iOS artifacts
         uses: actions/upload-artifact@v3
@@ -96,11 +111,22 @@ jobs:
 
       - name: Build Android
         env:
+          TOKEN: ${{ secrets.MACHINE_USER_PAT }}
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
           GOOGLE_PLAY_KEYSTORE_PASSWORD: ${{ secrets.GOOGLE_PLAY_KEYSTORE_PASSWORD }}
         run: |
           flutter build appbundle --build-number="$BUILD_NUMBER" --build-name="$BUILD_NAME"
 
+          # verify that the github token didn't make it into the output
+          mkdir -p build/app/test-android
+          cp build/app/outputs/bundle/release/app-release.aab build/app/test-android
+          cd build/app/test-android
+          unzip app-release.aab
+          if find . | xargs strings 2>/dev/null | grep -qF "${TOKEN}" ; then
+            echo "Token found in Android build"
+            exit 1
+          fi
+
       - name: Collect Android artifacts
         uses: actions/upload-artifact@v3
         with: