From f584e4411093dcf733f35bc233f0138ffcf513b3 Mon Sep 17 00:00:00 2001
From: Sujal
Date: Thu, 20 Feb 2025 21:58:53 +0530
Subject: [PATCH] Update android.yml
---
 .github/workflows/android.yml | 35 ++++++++++++++---------------------
 1 file changed, 14 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index 675f5a38f..28af29e99 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -19,14 +19,15 @@ concurrency:
 cancel-in-progress: true
 jobs:
- build-and-upload:
+ build:
 name: Run tests and generate APK
 runs-on: ubuntu-latest
- # Run this job for push, pull_request, and workflow_dispatch (not pull_request_target)
- if: github.event_name == 'push' || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch'
 steps:
 - name: Checkout code
 uses: actions/checkout@v3
+ with:
+ # Use base_ref for pull_request_target to avoid untrusted fork code
+ ref: ${{ github.event_name == 'pull_request_target' && github.base_ref || github.ref }}
 - name: Set up JDK
 uses: actions/setup-java@v3
@@ -45,12 +46,14 @@ jobs:
 restore-keys: gradle-packages-${{ runner.os }}
 - name: Access test login credentials
+ # Skip secrets for pull_request_target to avoid exposing them to fork code
+ if: github.event_name != 'pull_request_target'
 run: |
 echo "TEST_USER_NAME=${{ secrets.TEST_USER_NAME }}" >> local.properties
 echo "TEST_USER_PASSWORD=${{ secrets.TEST_USER_PASSWORD }}" >> local.properties
 - name: AVD cache
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request' && github.event_name != 'pull_request_target'
 uses: actions/cache@v3
 id: avd-cache
 with:
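Review bot: In the first hunk (`@@ -19,14 +19,15 @@`), the comment above the new `ref:` does not record the invariant that actually protects this job: with the job-level `if` removed, the whole job now runs under pull_request_target, where repository secrets and (as the commit's own later comment states) a write-capable GITHUB_TOKEN are available, so the PR head must never be checked out here. I would extend the comment to say so, e.g. `# Never check out the PR head in this job: on pull_request_target it runs with repository secrets and a write-scoped GITHUB_TOKEN`. A consequence worth stating in the same place is that on pull_request_target everything this job builds and tests is the base branch, so the APK links posted by the comment step at the end of the job would apparently not contain the PR's changes. If PR builds need to be linked, the usual split is to build under `pull_request` without secrets and post the comment from a separate workflow triggered by `workflow_run`. The job's remaining steps lie partly outside the hunks.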
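Review bot: In the `@@ -45,12 +46,14 @@` hunk, the comment added above the new `if:` on the credentials step overstates what a step-level guard does: skipping the step only stops the values being written to `local.properties`, while `secrets.*` remains readable by every other step of the job in a pull_request_target run. I would reword it to `# Defense in depth only: secrets stay available to the whole job on pull_request_target, so this job must only ever run base-branch code`. The two `echo` lines also paste the secret values into the script text through `${{ }}`, so a value containing `"` or `$` is re-parsed by the shell; handing them over through `env:` avoids that, as sketched below.

```yaml
- name: Access test login credentials
  # … unchanged: comment and `if:` guard …
  env:
    TEST_USER_NAME: ${{ secrets.TEST_USER_NAME }}
    TEST_USER_PASSWORD: ${{ secrets.TEST_USER_PASSWORD }}
  run: |
    echo "TEST_USER_NAME=$TEST_USER_NAME" >> local.properties
    echo "TEST_USER_PASSWORD=$TEST_USER_PASSWORD" >> local.properties
```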
@@ -60,7 +63,7 @@ jobs:
 key: avd-tablet-api-24
 - name: Create AVD and generate snapshot for caching
- if: steps.avd-cache.outputs.cache-hit != 'true' && github.event_name != 'pull_request'
+ if: steps.avd-cache.outputs.cache-hit != 'true' && github.event_name != 'pull_request' && github.event_name != 'pull_request_target'
 uses: reactivecircus/android-emulator-runner@v2
 with:
 api-level: 24
@@ -70,7 +73,7 @@ jobs:
 script: echo "Generated AVD snapshot for caching."
 - name: Run Instrumentation tests
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request' && github.event_name != 'pull_request_target'
 uses: reactivecircus/android-emulator-runner@v2
 with:
 api-level: 24
@@ -85,15 +88,15 @@ jobs:
 ./gradlew connectedBetaDebugAndroidTest --stacktrace
 - name: Run Unit tests with unified coverage
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request' && github.event_name != 'pull_request_target'
 run: ./gradlew -Pcoverage testBetaDebugUnitTestUnifiedCoverage --stacktrace
 - name: Run Unit tests without unified coverage
- if: github.event_name == 'pull_request'
+ if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
 run: ./gradlew -Pcoverage testBetaDebugUnitTestCoverage --stacktrace
 - name: Upload Test Report to Codecov
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request' && github.event_name != 'pull_request_target'
 run: |
 curl -Os https://uploader.codecov.io/latest/linux/codecov
 chmod +x codecov
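Review bot: The guard `github.event_name != 'pull_request' && github.event_name != 'pull_request_target'` added in the `@@ -60,7 +63,7 @@` hunk is now repeated by hand on five steps (also the AVD cache step in the previous hunk and the steps in `@@ -70,7 +73,7 @@` and `@@ -85,15 +88,15 @@`), and in a job that runs under pull_request_target a single step that misses it, or a later step added without it, runs in the privileged context. Computing it once at job level keeps the steps in agreement, for example a job-level `env:` entry `FULL_RUN: ${{ github.event_name != 'pull_request' && github.event_name != 'pull_request_target' }}` and then `if: env.FULL_RUN == 'true'` on each step. Only parts of the job are shown, so steps outside the hunks should be checked for the same guard.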
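Review bot: In the `@@ -85,15 +88,15 @@` hunk the Codecov step, whose guard this commit edits, downloads `https://uploader.codecov.io/latest/linux/codecov` and marks it executable with no integrity check in the visible lines, so whatever that URL serves at run time executes inside this job. The step continues outside the hunk, so a verification may follow; if it does not, check the binary against Codecov's published checksum and signature before running it, or pin a reviewed release instead of `latest`. This predates the commit, but the step is being touched here and is worth fixing in the same pass.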
@@ -117,20 +120,10 @@ jobs:
 name: prodDebugAPK
 path: app/build/outputs/apk/prod/debug/app-*.apk
- comment-on-pr:
- name: Comment on PR with APK links
- runs-on: ubuntu-latest
- if: github.event_name == 'pull_request_target'
- needs: build-and-upload
- steps:
- - name: Checkout base branch
- uses: actions/checkout@v3
- with:
- ref: ${{ github.base_ref }}
-
 - name: Comment on PR with APK download links
+ if: github.event_name == 'pull_request_target' # Only run for pull_request_target to ensure write permissions
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN has write permissions in pull_request_target
 uses: actions/github-script@v6
 with:
 script: |
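Review bot: Moving the comment step into `build` (last hunk, `@@ -117,20 +120,10 @@`) means the write-capable `GITHUB_TOKEN` that the new inline comment relies on is now used in the same job that runs the Gradle build and unit tests on pull_request_target, and no `permissions:` block is visible in any hunk to narrow it. Unless one exists outside the hunks, declare least privilege explicitly, e.g. a job-level `permissions:` with `contents: read` and `pull-requests: write`, or keep the comment in a job of its own that holds only `pull-requests: write`. The trailing comments on `if:` and `GH_TOKEN:` would then describe a declared permission rather than a trigger default. The step's `script:` body continues outside the hunk.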