version: 2.1

# === Scheduled Pipeline Parameters ===
# Set to true by the scheduled (nightly) trigger; the workflows below use it
# to choose between the `main` and `scheduled-security-scan` workflows.
parameters:
  nightly-security-scan:
    type: boolean
    default: false

# Shared executor settings, merged into jobs with `<<: *environment`.
# Note: a job that declares its own `environment:` key replaces this one
# entirely (YAML merge is shallow), so JVM_OPTS must be restated there.
aliases:
  - &environment
    working_directory: ~/code
    docker:
      - image: cimg/android:2023.06.1
    environment:
      JVM_OPTS: -Xmx3200m
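jobs:
  # Compiles the project, runs Detekt and unit tests, and persists the debug /
  # androidTest APKs for the UI-test job.
  "Run_Unit_Test_And_Build":
    <<: *environment
    steps:
      - checkout
      - restore_cache:
          key: jars-{{ checksum "build.gradle" }}-{{ checksum "app/build.gradle" }}
      - run:
          name: Download Dependencies
          command: |
            sudo chmod +x gradlew
            ./gradlew androidDependencies
      - save_cache:
          paths:
            - ~/.gradle
          key: jars-{{ checksum "build.gradle" }}-{{ checksum "app/build.gradle" }}
      - run:
          name: Run Detekt
          command: ./gradlew app:detekt vgscollect:detekt vgscollect-cardio:detekt --continue --parallel
      - run:
          name: Run Unit tests
          command: ./gradlew testDebugUnitTest
      - run:
          name: Generate apk
          command: ./gradlew assembleDebug assembleAndroidTest
      - persist_to_workspace:
          root: ~/code
          paths:
            - app

  # Runs the instrumentation tests on Firebase Test Lab. Only release/* and
  # master* branches proceed; every other branch halts the job early.
  "Run_UI_Test":
    <<: *environment
    steps:
      - attach_workspace:
          at: ~/code
      - run:
          name: Check if release branch
          # Both tests use quoted `[[ ]]`: the previous second test used a
          # single-bracket `[ ]`, where `master*` is a literal string rather
          # than a pattern, so master itself was halted, and an unset
          # CIRCLE_BRANCH (tag builds) made the test a syntax error.
          command: |
            if [[ "$CIRCLE_BRANCH" != *"release/"* && "$CIRCLE_BRANCH" != master* ]]; then
              echo "Skipped, reason: UI tests should be running only on release branches or master!"
              circleci-agent step halt
            fi
      - run:
          name: Store Google Service Account
          # umask keeps the decoded credential readable by the build user only.
          command: |
            umask 077
            echo "$GCLOUD_SERVICE_KEY" | base64 -di > "${HOME}/gcloud-service-key.json"
      - run:
          name: Authorize gcloud and set config defaults
          command: |
            sudo gcloud auth activate-service-account --key-file="${HOME}/gcloud-service-key.json"
            sudo gcloud --quiet config set project "${GOOGLE_PROJECT_ID}"
      - run:
          name: Test with Firebase Test Lab
          # Literal block scalar (`|`) so the backslash continuations are real
          # line breaks; a folded `>` scalar joins lines with spaces unless the
          # continuation lines are more indented, which turns each `\ ` into
          # a stray single-space argument.
          command: |
            sudo gcloud firebase test android run \
              --app app/build/outputs/apk/debug/app-debug.apk \
              --test app/build/outputs/apk/androidTest/debug/app-debug-androidTest.apk \
              --device model=hammerhead,version=23,locale=en,orientation=portrait \
              --device model=redfin,version=30,locale=en,orientation=portrait \
              --device model=bluejay,version=32,locale=en,orientation=portrait

  # Semgrep diff scan against the default branch for pull-request pipelines.
  # Does not merge `*environment` because it needs its own `environment:` map
  # (a shallow merge would drop JVM_OPTS otherwise), so the Android image and
  # JVM_OPTS are restated here.
  scan-sast-pr:
    parameters:
      default_branch:
        type: string
        default: master
    environment:
      JVM_OPTS: -Xmx3200m
      SEMGREP_REPO_URL: << pipeline.project.git_url >>
      SEMGREP_BRANCH: << pipeline.git.branch >>
      SEMGREP_BASELINE_REF: << parameters.default_branch >>
    docker:
      - image: cimg/android:2023.06.1
    steps:
      - checkout
      - restore_cache:
          key: jars-{{ checksum "build.gradle" }}-{{ checksum "app/build.gradle" }}
      - run:
          name: Download Dependencies
          command: |
            sudo chmod +x gradlew
            ./gradlew androidDependencies
      - save_cache:
          paths:
            - ~/.gradle
          key: jars-{{ checksum "build.gradle" }}-{{ checksum "app/build.gradle" }}
      - run:
          name: Run Detekt
          command: ./gradlew app:detekt vgscollect:detekt vgscollect-cardio:detekt --continue --parallel
      - run:
          name: Install Semprep
          # `-f` makes curl fail on an HTTP error instead of saving the error
          # page, which python3 would otherwise try to run as get-pip.py.
          # TODO: pin the scanner (`semgrep==<version>`) and verify the
          # get-pip.py download so scan results are reproducible.
          command: |
            curl -fsSL https://bootstrap.pypa.io/get-pip.py -o get-pip.py
            python3 get-pip.py
            python3 -m pip install semgrep
      - run:
          name: "Semgrep diff scan"
          command: semgrep ci

  # Full Semgrep scan, used for production tags and the nightly schedule.
  # The explicit `environment:` and `docker:` keys below override the ones
  # merged from `*environment`; only working_directory survives the merge.
  scan-sast-full:
    <<: *environment
    parameters:
      # Declared for parity with scan-sast-pr; it does not appear to be read
      # by this job (no SEMGREP_BASELINE_REF is set).
      default_branch:
        type: string
        default: master
    environment:
      SEMGREP_REPO_URL: << pipeline.project.git_url >>
      SEMGREP_BRANCH: << pipeline.git.branch >>
    docker:
      # TODO: pin to a tag or digest (`returntocorp/semgrep:<tag>`); an
      # untagged image floats, so the scanner version changes silently.
      - image: returntocorp/semgrep
    steps:
      - checkout
      - run:
          name: "Semgrep full scan"
          command: semgrep ci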
workflows:
  # Regular pipeline: every push, unless the nightly parameter is set.
  main:
    when:
      not: << pipeline.parameters.nightly-security-scan >>
    jobs:
      - "Run_Unit_Test_And_Build"
      - scan-sast-pr:
          context:
            - security-tools
      - scan-sast-full:
          filters:
            # ignore any commit on any branch by default
            branches:
              ignore: /.*/
            tags:
              only:
                - /production-.*/
          context:
            - security-tools
      - "Run_UI_Test":
          requires:
            - "Run_Unit_Test_And_Build"

  # Nightly full scan, selected when the scheduled trigger passes
  # nightly-security-scan=true.
  scheduled-security-scan:
    when: << pipeline.parameters.nightly-security-scan >>
    jobs:
      - scan-sast-full:
          context:
            - security-tools