Merge pull request #490 from RADAR-base/release-1.4.2

Update GitHub Actions

Author: this-Aditya

.github/workflows/main.yml

@@ -1,43 +1,33 @@
-# Continuous integration, including test and integration test
 name: CI
 
-# Run in master and dev branches and in all pull requests to those branches
 on:
   push:
     branches: [ master, dev ]
   pull_request:
     branches: [ master, dev ]
 
-env:
-  DOCKER_IMAGE: radarbase/radar-output-restructure
-
 jobs:
-  # Build and test the code
   build:
-    # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
 
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v5
         with:
-          java-version: 17
           distribution: temurin
+          java-version: 17
 
-      - uses: gradle/gradle-build-action@v2
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v3
 
       - name: Decrypt libraries
         run: ./.github/scripts/decrypt_libraries.sh
         env:
           E4LINK_PASSPHRASE: ${{ secrets.E4LINK_PASSPHRASE }}
 
-      # Compile the code
       - name: Compile code
         run: ./gradlew assembleDebug
 
-      # Gradle check
       - name: Check
         run: ./gradlew testDebugUnitTest lintDebug

.github/workflows/publish_snapshots.yml .github/workflows/publish-snapshots.yml.github/workflows/publish_snapshots.yml renamed to .github/workflows/publish-snapshots.yml

@@ -1,41 +1,37 @@
-# Create release files
 name: Release
 
 on:
   release:
     types: [published]
 
-env:
-  DOCKER_IMAGE: radarbase/radar-output-restructure
-
 jobs:
   upload:
-    # The type of runner that the job will run on
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
 
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
+      - uses: actions/checkout@v5
+
+      - uses: actions/setup-java@v5
         with:
           distribution: temurin
           java-version: 17
 
-      - uses: gradle/gradle-build-action@v2
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v3
 
       - name: Decrypt libraries
         run: ./.github/scripts/decrypt_libraries.sh
         env:
           E4LINK_PASSPHRASE: ${{ secrets.E4LINK_PASSPHRASE }}
 
-      # Compile code
       - name: Compile code
         run: ./gradlew assembleRelease
 
-      # Upload it to GitHub
       - name: Upload to GitHub
-        uses: AButler/upload-release-assets@v2.0
+        uses: AButler/upload-release-assets@v3.0
         with:
           files: '*/build/outputs/aar/*;plugins/*/build/outputs/aar/*'
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -47,6 +43,6 @@ jobs:
 
       - name: Publish
         env:
-          OSSRH_USER: ${{ secrets.OSSRH_USER }}
-          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+          OSSRH_USER: ${{ secrets.OSSRH_USER_TOKEN_ID }}
+          OSSRH_PASSWORD: ${{ secrets.OSSRH_USER_TOKEN_SECRET }}
         run: ./gradlew -Psigning.gnupg.keyName=${{ secrets.OSSRH_GPG_SECRET_KEY_NAME }} -Psigning.gnupg.executable=gpg -Psigning.gnupg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} publish closeAndReleaseSonatypeStagingRepository

.github/workflows/release.yml

@@ -0,0 +1,116 @@
+name: Snyk scheduled test
+
+on:
+  schedule:
+    - cron: '0 2 * * 1'
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+env:
+  MODULES: >-
+    [{
+    'name': 'radar-commons-android',
+    'build_file': 'radar-commons-android/build.gradle',
+    },{
+    'name': 'avro-android',
+    'build_file': 'avro-android/build.gradle',
+    },{
+    'name': 'radar-android-empatica',
+    'build_file': 'plugins/radar-android-empatica/build.gradle',
+    },{
+    'name': 'radar-android-faros',
+    'build_file': 'plugins/radar-android-faros/build.gradle',
+    },{
+    'name': 'radar-android-application-status',
+    'build_file': 'plugins/radar-android-application-status/build.gradle',
+    },{
+    'name': 'radar-android-audio',
+    'build_file': 'plugins/radar-android-audio/build.gradle',
+    },{
+    'name': 'radar-android-google-activity',
+    'build_file': 'plugins/radar-android-google-activity/build.gradle',
+    },{
+    'name': 'radar-android-google-places',
+    'build_file': 'plugins/radar-android-google-places/build.gradle',
+    },{
+    'name': 'radar-android-google-sleep',
+    'build_file': 'plugins/radar-android-google-sleep/build.gradle',
+    },{
+    'name': 'radar-android-login-oauth2',
+    'build_file': 'plugins/radar-android-login-oauth2/build.gradle',
+    },{
+    'name': 'radar-android-login-qr',
+    'build_file': 'plugins/radar-android-login-qr/build.gradle',
+    },{
+    'name': 'radar-android-phone',
+    'build_file': 'plugins/radar-android-phone/build.gradle',
+    },{
+    'name': 'radar-android-phone-audio-input',
+    'build_file': 'plugins/radar-android-phone-audio-input/build.gradle',
+    },{
+    'name': 'radar-android-phone-telephony',
+    'build_file': 'plugins/radar-android-phone-telephony/build.gradle',
+    },{
+    'name': 'radar-android-phone-usage',
+    'build_file': 'plugins/radar-android-phone-usage/build.gradle',
+    },{
+    'name': 'radar-android-polar',
+    'build_file': 'plugins/radar-android-polar/build.gradle',
+    },{
+    'name': 'radar-android-weather',
+    'build_file': 'plugins/radar-android-weather/build.gradle',
+    }]
+
+jobs:
+  prepare-matrix:
+    name: Prepare Matrix Output
+    runs-on: ubuntu-latest
+    permissions: {}
+    outputs:
+      modules: ${{ steps.step1.outputs.matrix }}
+    steps:
+      - name: Create Matrix Variable
+        id: step1
+        run: echo "matrix=${{env.MODULES}}" >> $GITHUB_OUTPUT
+
+  security:
+    needs: prepare-matrix
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    strategy:
+      matrix:
+        module: ${{ fromJson(needs.prepare-matrix.outputs.modules ) }}
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Decrypt libraries
+        run: ./.github/scripts/decrypt_libraries.sh
+        env:
+          E4LINK_PASSPHRASE: ${{ secrets.E4LINK_PASSPHRASE }}
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-8-jdk17@master
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: >-
+            --file=${{ matrix.module.build_file }}
+            --configuration-matching='^runtimeClasspath$'
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snyk
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
+
+      # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk.sarif
+          category: ${{ matrix.module.module }}

.github/workflows/scheduled-snyk.yaml

@@ -1,4 +1,5 @@
 name: Snyk test
+
 on:
   pull_request:
     branches:
@@ -8,33 +9,24 @@ on:
 jobs:
   security:
     runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: snyk/actions/setup@master
-        with:
-          snyk-version: v1.1032.0
 
-      - uses: actions/setup-java@v3
-        with:
-          distribution: temurin
-          java-version: 17
+    steps:
+      - uses: actions/checkout@v5
 
       - name: Decrypt libraries
         run: ./.github/scripts/decrypt_libraries.sh
         env:
           E4LINK_PASSPHRASE: ${{ secrets.E4LINK_PASSPHRASE }}
 
-      - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2
-
       - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-8-jdk17@master
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: >
-          snyk test
-          --all-sub-projects
-          --configuration-matching="^runtimeClasspath$"
-          --fail-on=upgradable
-          --org=radar-base
-          --policy-path=.snyk
-          --severity-threshold=high
+        with:
+          args: >-
+            --all-projects
+            --configuration-matching="^runtimeClasspath$"
+            --severity-threshold=high
+            --fail-on=upgradable
+            --org=radar-base
+            --policy-path=.snyk

.github/workflows/scheduled_snyk.yaml

@@ -2,9 +2,4 @@
 version: v1.931.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
-    - '*':
-        reason: Not using createTempFile/Dir
-        expires: 2023-10-27T10:04:03.174Z
-        created: 2022-06-27T10:04:03.177Z
 patch: {}

.github/workflows/snyk.yaml

@@ -24,11 +24,11 @@ android.defaults.buildfeatures.buildconfig=true
 # http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects
 # org.gradle.parallel=true
 
-project_version=1.4.1-SNAPSHOT
+project_version=1.4.1
 
 java_version=17
 kotlin_version=1.9.23
-gradle_version=8.7
+gradle_version=8.13
 
 gradle_android_version=8.2.0
 unmock_plugin_version=0.7.9

.snyk

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.13-bin.zip
 networkTimeout=10000
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists