feat: security: Enable google safebrowsing and populate the API keys, b=no-bug, c=workflows, common, configs

mr-cheffy · mr-cheffy · commit d786c6927f83 · 2025-06-09T19:11:09.000+02:00
diff --git a/.github/workflows/linux-release-build.yml b/.github/workflows/linux-release-build.yml
@@ -121,6 +121,11 @@ jobs:
           ./mach --no-interactive bootstrap --application-choice browser
           cd ..
 
+      - name: Insert API Keys
+        run: |
+          mkdir -p ~/.zen-keys
+          echo "${{ secrets.ZEN_SAFEBROWSING_API_KEY }}" > ~/.zen-keys/safebrowsing.dat
+
       - name: Build
         env:
           SURFER_COMPAT: ${{ matrix.arch }}
@@ -141,6 +146,10 @@ jobs:
           export SURFER_PLATFORM="linux"
           export ZEN_RELEASE=1
           npm run package
+      
+      - name: Remove API Keys
+        run: |
+          rm -rf ~/.zen-keys
 
       - name: Rename artifacts
         run: |
diff --git a/.github/workflows/macos-release-build.yml b/.github/workflows/macos-release-build.yml
@@ -132,6 +132,11 @@ jobs:
       - name: Build language packs
         run: sh scripts/download-language-packs.sh
 
+      - name: Insert API Keys
+        run: |
+          mkdir -p ~/.zen-keys
+          echo "${{ secrets.ZEN_SAFEBROWSING_API_KEY }}" > ~/.zen-keys/safebrowsing.dat
+
       - name: Build Zen
         env:
           SURFER_COMPAT: ${{ matrix.arch }}
@@ -152,6 +157,10 @@ jobs:
           export ZEN_RELEASE=1
           npm run package
 
+      - name: Remove API Keys
+        run: |
+          rm -rf ~/.zen-keys
+
       - name: Rename artifacts
         run: |
           echo "Tarballing DMG"
diff --git a/.github/workflows/windows-release-build.yml b/.github/workflows/windows-release-build.yml
@@ -226,6 +226,11 @@ jobs:
           chmod +x ~/artifact/en-US.log
           chmod +x ~/artifact/merged.profdata
 
+      - name: Insert API Keys
+        run: |
+          mkdir -p ~/.zen-keys
+          echo "${{ secrets.ZEN_SAFEBROWSING_API_KEY }}" > ~/.zen-keys/safebrowsing.dat
+
       - name: Build
         if: ${{ !(inputs.generate-gpo && matrix.arch == 'aarch64') }}
         env:
@@ -259,6 +264,11 @@ jobs:
           ls ./dist
           ls .
 
+
+      - name: Remove API Keys
+        run: |
+          rm -rf ~/.zen-keys
+
       - name: Move package for PGO upload
         if: ${{ inputs.generate-gpo && matrix.arch == 'x86_64' }}
         run: |
diff --git a/configs/common/mozconfig b/configs/common/mozconfig
@@ -32,6 +32,11 @@ if ! test "$SCCACHE_GHA_ENABLED" = "false"; then
   fi
 fi
 
+# add safe browsing key if it exists on a file
+if test -f "$HOME/.zen-keys/safebrowsing.dat"; then
+  ac_add_options --with-google-safebrowsing-api-keyfile="$HOME/.zen-keys/safebrowsing.dat"
+fi
+
 if test "$ZEN_RELEASE"; then
 
   # TODO: Make this successful in builds
@@ -96,10 +101,7 @@ fi
 
 ac_add_options --enable-unverified-updates
 
-ac_add_options --enable-raw
-ac_add_options --enable-webrtc
 ac_add_options --enable-jxl
-ac_add_options --enable-av1
 
 ac_add_options --with-unsigned-addon-scopes=app,system
 
