chore: app updates and security policy

Author: borisolver

.github/workflows/release-mobile.yml

@@ -0,0 +1,86 @@
+name: Release Mobile
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+concurrency:
+  group: release-mobile-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  android:
+    name: Android Release
+    runs-on: ubuntu-latest
+    env:
+      ANDROID_PACKAGE_NAME: com.cleanapp
+      ANDROID_TRACK: production
+      GOOGLE_PLAY_SERVICE_ACCOUNT_JSON: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT_JSON }}
+      ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
+      ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
+      ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
+      ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+
+      - name: Install JS deps
+        run: npm ci
+
+      - name: Fastlane Android Release
+        run: bundle exec fastlane android release
+
+  ios:
+    name: iOS Release
+    runs-on: macos-latest
+    env:
+      IOS_BUNDLE_ID: io.cleanapp
+      IOS_TEAM_ID: ${{ secrets.IOS_TEAM_ID }}
+      APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
+      APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
+      APP_STORE_CONNECT_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_KEY_BASE64 }}
+      MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
+      MATCH_GIT_URL: ${{ secrets.MATCH_GIT_URL }}
+      MATCH_GIT_BASIC_AUTHORIZATION: ${{ secrets.MATCH_GIT_BASIC_AUTHORIZATION }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+
+      - name: Install JS deps
+        run: npm ci
+
+      - name: Install iOS Pods
+        run: bundle exec pod install --project-directory=ios
+
+      - name: Fastlane iOS Release
+        run: bundle exec fastlane ios release

.github/workflows/secret-scan.yml

@@ -0,0 +1,19 @@
+name: Secret Scan
+
+on:
+  push:
+    branches: ["**"]
+  pull_request:
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

.gitignore

@@ -22,6 +22,27 @@ DerivedData
 *.xcuserstate
 **/.xcode.env.local
 
+# Secrets
+*.p8
+*.p12
+*.pfx
+*.pem
+*.key
+*.der
+*.crt
+*.cer
+*.csr
+*.certSigningRequest
+*.p7b
+*.p7s
+*.mobileprovision
+*.jks
+*.keystore
+.env.*
+.secrets
+**/fastlane/*.log
+fastlane_release.log
+
 # Android/IntelliJ
 #
 build/
@@ -31,7 +52,6 @@ local.properties
 *.iml
 *.hprof
 .cxx/
-*.keystore
 !debug.keystore
 .kotlin/
 
@@ -55,6 +75,9 @@ yarn-error.log
 
 # Bundle artifact
 *.jsbundle
+*.dSYM
+*.dSYM.zip
+*.xcarchive
 
 # Ruby / CocoaPods
 **/Pods/
@@ -76,4 +99,4 @@ yarn-error.log
 
 # Env
 .env
-.env.local
+.env.local

AGENTS.md

@@ -0,0 +1,22 @@
+# Mandatory Agent Rules
+
+These rules apply to **all automated agents** working in this repo:
+
+## 1) No Secrets in Git
+Never commit or stage any secret material. Examples:
+- `.p12`, `.p8`, `.mobileprovision`, `.cer`, `.csr`, `.key`, `.pem`
+- `.env`, `.env.*` or any file containing tokens/keys
+- API tokens or service credentials in source or config
+
+If you find secrets in the working tree, leave them untracked and notify the user.
+
+## 2) Always Respect .gitignore
+Before staging changes, verify no secret files are included.
+
+## 3) Use Secret Scanning
+If you touch release, build, or deployment code:
+- Run or ensure CI runs the gitleaks check.
+- Do not bypass failures.
+
+## 4) If You Suspect a Leak
+Stop and notify the user immediately. Do not push or open PRs until resolved.

Gemfile

@@ -8,3 +8,4 @@ gem 'cocoapods', '>= 1.13', '!= 1.15.0', '!= 1.15.1'
 gem 'activesupport', '>= 6.1.7.5', '!= 7.1.0'
 gem 'xcodeproj', '< 1.26.0'
 gem 'concurrent-ruby', '< 1.3.4'
+gem 'fastlane'