From 42aa6a2e912a545841ae9edfcaba489a30963908 Mon Sep 17 00:00:00 2001
From: melad
Date: Tue, 16 Jul 2024 15:46:51 +0300
Subject: [PATCH] [MS-531] App sweep integration
---
.github/workflows/app-sweep.yml | 54 ++++++++++++++++++++++++++
.github/workflows/promote-artifact.yml | 4 ++
2 files changed, 58 insertions(+)
create mode 100644 .github/workflows/app-sweep.yml
diff --git a/.github/workflows/app-sweep.yml b/.github/workflows/app-sweep.yml
new file mode 100644
index 0000000000..fadc0e427e
--- /dev/null
+++ b/.github/workflows/app-sweep.yml
@@ -0,0 +1,54 @@
+# Upload release apk to App Sweep
+name: App Sweep Security Scan
+on:
+ workflow_dispatch:
+ workflow_call:
+jobs:
+ app-sweep:
+ name: App Sweep Security Scan
+ runs-on: ubuntu-latest
+ timeout-minutes: ${{ fromJSON(vars.JOB_TIMEOUT_MINUTES) }}
+ environment: internal
+ env:
+ BUILD_IS_DEBUGGABLE: ${{ vars.BUILD_IS_DEBUGGABLE }}
+ DB_IS_ENCRYPTED: ${{ vars.DB_IS_ENCRYPTED }}
+ RELEASE_GOOGLE_SERVICES_FILE: ${{ secrets.RELEASE_GOOGLE_SERVICES_FILE}}
+ GOOGLE_API_KEY_JSON: ${{secrets.GOOGLE_API_KEY_JSON}}
+
+ SIGNING_JKS_FILE: ${{secrets.SIGNING_JKS_FILE}}
+ SIGNING_KEYSTORE_PASSWORD: ${{secrets.SIGNING_KEYSTORE_PASSWORD}}
+ SIGNING_KEY_ALIAS: ${{secrets.SIGNING_KEY_ALIAS}}
+ SIGNING_KEY_PASSWORD: ${{secrets.SIGNING_KEY_PASSWORD}}
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: 17
+ distribution: 'temurin'
+ - name: Set up local.properties
+ run: |
+ source ci/pipeline/setup
+ echo "GITHUB_USERNAME=${{ secrets.GH_PACKAGE_NAME }}" >> local.properties
+ echo "GITHUB_TOKEN=${{ secrets.GH_PACKAGE_TOKEN }}" >> local.properties
+
+ - name: Update build properties
+ run: |
+ source ci/deployment/build_properties_setup Internal $BUILD_IS_DEBUGGABLE $DB_IS_ENCRYPTED
+
+ - name: write Google API key file # This file needed by triplet the google play publishing lib
+ run: echo "$GOOGLE_API_KEY_JSON" >google_api_key.json
+ - name: Write Google Services file
+ run: echo $RELEASE_GOOGLE_SERVICES_FILE > id/src/google-services.json
+ - name: Set up signing properties
+ run: source ci/deployment/signing_properties_setup
+ - name: Build release apk
+ run: ./gradlew id:assembleRelease
+ - name: Upload release apk
+ uses: guardsquare/appsweep-action@main
+ with:
+ appsweep_api_key: ${{ secrets.APPSWEEP_API_KEY }}
+ input_file: id/build/outputs/apk/release/id-release.apk
+ mapping_file: id/build/outputs/mapping/release/mapping.txt
+ commit_hash: ${{ github.sha }}
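Review bot: `uses: guardsquare/appsweep-action@main` in the Upload step pulls a third-party action from a mutable branch into a job whose job-level `env:` hands the signing keystore, keystore and key passwords, Google service credentials and the App Sweep key to every step, so anyone who can push to that branch can take the release signing material. Pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: guardsquare/appsweep-action@<full-commit-sha>  # vX.Y.Z`, and move the `SIGNING_*`, `RELEASE_GOOGLE_SERVICES_FILE` and `GOOGLE_API_KEY_JSON` entries from the job `env:` into step-level `env:` on the steps that consume them (the signing-properties and build steps, by the look of the `source ci/...` calls). Separately, the Google Services step writes the secret unquoted — it should be `run: echo "$RELEASE_GOOGLE_SERVICES_FILE" > id/src/google-services.json` — because an unquoted expansion is word-split and glob-expanded, which can corrupt the JSON; the adjacent API-key step already quotes. `mapping_file` also presumably exists only when minification is enabled for the release build, which is worth confirming since the action step would otherwise fail on a missing file.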
diff --git a/.github/workflows/promote-artifact.yml b/.github/workflows/promote-artifact.yml
index 4152374b57..5cc6d93788 100644
--- a/.github/workflows/promote-artifact.yml
+++ b/.github/workflows/promote-artifact.yml
@@ -55,6 +55,10 @@ jobs: if: ${{inputs.deployment-track == 'Alpha'}} run: ./gradlew promoteArtifact --from-track internal --promote-track alpha
+ - name: App sweep security scan
+ if: ${{inputs.deployment-track == 'Alpha'}}
+ uses: ./.github/workflows/app-sweep.yml
+ - name: Promote to production 25% if: ${{inputs.deployment-track == 'Prod-25-Percent-Rollout'}} run: ./gradlew promoteArtifact --from-track alpha --promote-track production --release-status inProgress --user-fraction .25
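Review bot: `uses: ./.github/workflows/app-sweep.yml` is placed as a step, but a workflow that triggers on `workflow_call` can only be invoked from a job-level `uses:`; as a step the runner treats the path as a local action directory and fails for lack of an `action.yml`, so the scan never runs. The called workflow also reads `secrets.*` directly, which it only receives when the caller passes them (`secrets: inherit`). Replace the step with a separate job gated by the same condition, as below; the enclosing job starts before the hunk, so its id, which the new job's `needs:` must name, is not visible here. If the scan is meant to gate the alpha promotion rather than follow it, the dependency should run the other way, with the promotion job needing the scan.

```yaml
  app-sweep:
    name: App sweep security scan
    # needs: <id of the job that runs promoteArtifact> — runs after the alpha promotion
    if: ${{ inputs.deployment-track == 'Alpha' }}
    uses: ./.github/workflows/app-sweep.yml
    secrets: inherit
```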