nicolasbrailo / PianOli

Android baby game
GNU General Public License v3.0
59 stars 18 forks

CI jobs updated + some linting #72

Closed juleskers closed 12 months ago

juleskers commented 12 months ago

Since my review comments crossed @pserwylo 's merge, here is an updated actions-yaml with my suggestions.

Since I made the mistake of opening the lint-report from the output, some linter-cleanups are thrown in as well :sweat_smile:

This has run through successfully: https://github.com/nicolasbrailo/PianOli/actions/runs/6267155391/job/17019621693

juleskers commented 12 months ago

HA! and because I've now opened a PR, it's running again, even though nothing changed...

I guess it's redundant to build for "PR against master" if we already build "branches=*" anyway?

juleskers commented 12 months ago

@pserwylo: I think you should definitely have a look at at least the gradle-validation step, with an eye for porting it to all of your other projects. https://github.com/gradle/wrapper-validation-action#readme

Supply chain attacks against one's personal laptop are no joke!
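As an added illustration of the step being recommended (this is example workflow YAML written for this page, not the PR's own actions-yaml), here is a minimal GitHub Actions layout in which the wrapper jar is checked before any job is allowed to execute `./gradlew`. The workflow name, job names, the Java distribution/version and the Gradle tasks are assumptions; `gradle/wrapper-validation-action` and the `master` branch are from the thread.

```yaml
# Added example (not the project's workflow): validate the Gradle wrapper
# before anything can run it. The action hashes every
# gradle/wrapper/gradle-wrapper.jar in the checkout with SHA-256 and compares
# it against the checksums Gradle publishes; an unknown jar fails the job.
name: ci   # assumption

on:
  # push on every branch of this repo already covers "PR against master"
  # for in-repo branches; pull_request is kept only because it also
  # covers PRs opened from forks, whose branches never trigger push here.
  push:
    branches: ['*']
  pull_request:
    branches: [master]

jobs:
  validate-wrapper:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: gradle/wrapper-validation-action@v1

  build:
    # Never execute ./gradlew (lint, assemble, IDE-style sync) until the
    # wrapper jar has been verified; a tampered jar would otherwise run
    # with this job's permissions and whatever secrets it can reach.
    needs: validate-wrapper
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin   # assumption
          java-version: '17'      # assumption
      - run: ./gradlew --no-daemon lint assembleDebug   # assumed tasks
```

The same check is worth running locally: a wrapper jar that does not match one of Gradle's published checksums should be treated as a compromised build tool, not as a stale file, because the jar runs every time the wrapper is invoked.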

pserwylo commented 12 months ago

> @pserwylo: I think you should definitely have a look at at least the gradle-validation step, with an eye for porting it to all of your other projects. https://github.com/gradle/wrapper-validation-action#readme

> Supply chain attacks against one's personal laptop are no joke!

Sounds sensible. Random note though, most of the time we trust F-Droid, which has its own Gradle setup, and I trust the team much more than my own laptop. For apps built before August 2021, I publish the F-Droid build directly to Google Play (Lexica, Super retro mega wars, baby dots, some other apps of mine). That signature is what gets delivered to end users of Google Play.

For more recent apps of mine, I still upload the F-Droid build to Google Play, but they then strip that signature and add their own. Alas, for PianOli, I need to build on my laptop because someone took our package id!

juleskers commented 12 months ago

> Random note though, most of the time we trust F-Droid, which has its own Gradle setup, and I trust the team much more than my own laptop.

The point of that validation is, the wrapper gets executed, with the user's permissions, not just for builds, but even each time your IDE refreshes its settings (git checkout of a new branch? Wrapper runs. Open project? Wrapper runs. Change a typo in build.gradle? Wrapper runs. Etc.)

It's a very attractive target to add malware hooks to. Not just "send all ssh keys and signing keys to criminals"-type, but even stupid stuff like "start a crypto-miner in the background", or "join a botnet as anonymising relay node".

> For more recent apps of mine, I still upload the F-Droid build to Google Play, but they then strip that signature and add their own.

Sigh, Google really likes to meddle in everything, don't they..

> Alas, for PianOli, I need to build on my laptop because someone took our package id!

Yeah, really annoying that we can't get that reset.. I mean, I get that it's good security practice to permanently "burn" any ID that has ever been installed, to prevent hijacking old installs via updates, but still.. It sucks if other people squat..

Also, I guess we could add a CI job here that publishes to gplay 😇 (but yeah, key management becomes tricky.. Then again, GitHub secrets are fairly secure, as long as all repo admins have 2FA enabled)