auth0 · cgcladeraokta · Feb 18, 2025 · Feb 18, 2025 · Feb 18, 2025 · Feb 18, 2025
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,27 +1,32 @@
 version: 2.1
+
 orbs:
-  ship: auth0/[email protected]
   codecov: codecov/codecov@3
-parameters:
-  docker_image:
-    type: string
-    default: circleci/android:api-30
 
 jobs:
   build:
+    environment:
+      GRADLE_OPTS: -Dkotlin.compiler.execution.strategy=in-process
     docker:
-      - image: << pipeline.parameters.docker_image >>
+      - image: cimg/android:2022.03.1
+
     steps:
-    - checkout
-    - restore_cache:
-        keys:
-        - dep-{{ checksum "./guardian/build.gradle" }}-{{ checksum "./app/build.gradle" }}
-        - dep-
-    - run: ./gradlew clean test jacocoTestReport --continue --console=plain --max-workers 4
-    - save_cache:
-        key: dep-{{ checksum "./guardian/build.gradle" }}-{{ checksum "./app/build.gradle" }}
-        paths:
-        - ~/.gradle
-        - ~/.android
-        - /usr/local/android-sdk-linux/extras
-    - codecov/upload
+      - checkout
+
+      - run:
+          name: Run checks
+          command: ./gradlew clean test jacocoTestReport lint --continue --console=plain --max-workers=1 --no-daemon
+
+      - store_artifacts:
+          path: auth0/build/reports
+          destination: reports
+
+      - store_test_results:
+          path: auth0/build/test-results
+
+      - codecov/upload
+
+workflows:
+  build-and-test:
+    jobs:
+      - build
diff --git a/.github/actions/get-prerelease/action.yml b/.github/actions/get-prerelease/action.yml
@@ -0,0 +1,30 @@
+name: Return a boolean indicating if the version contains prerelease identifiers
+
+#
+# Returns a simple true/false boolean indicating whether the version indicates it's a prerelease or not.
+#
+# TODO: Remove once the common repo is public.
+#
+
+inputs:
+  version:
+    required: true
+
+outputs:
+  prerelease:
+    value: ${{ steps.get_prerelease.outputs.PRERELEASE }}
+
+runs:
+  using: composite
+
+  steps:
+    - id: get_prerelease
+      shell: bash
+      run: |
+        if [[ "${VERSION}" == *"beta"* || "${VERSION}" == *"alpha"* ]]; then
+          echo "PRERELEASE=true" >> $GITHUB_OUTPUT
+        else
+          echo "PRERELEASE=false" >> $GITHUB_OUTPUT
+        fi
+      env:
+        VERSION: ${{ inputs.version }}
diff --git a/.github/actions/get-release-notes/action.yml b/.github/actions/get-release-notes/action.yml
@@ -0,0 +1,42 @@
+name: Return the release notes extracted from the body of the PR associated with the release.
+
+#
+# Returns the release notes from the content of a pull request linked to a release branch. It expects the branch name to be in the format release/vX.Y.Z, release/X.Y.Z, release/vX.Y.Z-beta.N. etc.
+#
+# TODO: Remove once the common repo is public.
+#
+inputs:
+  version:
+    required: true
+  repo_name:
+    required: false
+  repo_owner:
+    required: true
+  token:
+    required: true
+
+outputs:
+  release-notes:
+    value: ${{ steps.get_release_notes.outputs.RELEASE_NOTES }}
+
+runs:
+  using: composite
+
+  steps:
+    - uses: actions/github-script@v7
+      id: get_release_notes
+      with:
+        result-encoding: string
+        script: |
+          const { data: pulls } = await github.rest.pulls.list({
+            owner: process.env.REPO_OWNER,
+            repo: process.env.REPO_NAME,
+            state: 'all',
+            head: `${process.env.REPO_OWNER}:release/${process.env.VERSION}`,
+          });
+          core.setOutput('RELEASE_NOTES', pulls[0].body);
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+        REPO_OWNER: ${{ inputs.repo_owner }}
+        REPO_NAME: ${{ inputs.repo_name }}
+        VERSION: ${{ inputs.version }}
diff --git a/.github/actions/get-version/action.yml b/.github/actions/get-version/action.yml
@@ -0,0 +1,21 @@
+name: Return the version extracted from the branch name
+
+#
+# Returns the version from the .version file.
+#
+# TODO: Remove once the common repo is public.
+#
+
+outputs:
+  version:
+    value: ${{ steps.get_version.outputs.VERSION }}
+
+runs:
+  using: composite
+
+  steps:
+    - id: get_version
+      shell: bash
+      run: |
+        VERSION=$(head -1 .version)
+        echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
diff --git a/.github/actions/maven-publish/action.yml b/.github/actions/maven-publish/action.yml
@@ -0,0 +1,44 @@
+name: Publish release to Java
+
+inputs:
+  java-version:
+    required: true
+  ossr-username:
+    required: true
+  ossr-token:
+    required: true
+  signing-key:
+    required: true
+  signing-password:
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Setup Java
+      shell: bash
+      run: |
+        curl -s "https://get.sdkman.io" | bash
+        source "/home/runner/.sdkman/bin/sdkman-init.sh"
+        sdk list java
+        sdk install java ${{ inputs.java-version }} && sdk default java ${{ inputs.java-version }}
+        export JAVA_HOME=${SDKMAN_DIR}/candidates/java/current
+        echo "JAVA_HOME is set to $JAVA_HOME"
+
+    - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # [email protected]
+      env:
+        JAVA_HOME: ${{ env.JAVA_HOME }}
+
+    - name: Publish Android/Java Packages to Maven
+      shell: bash
+      run: ./gradlew publish -PisSnapshot=false --stacktrace
+      env:
+        JAVA_HOME: ${{ env.JAVA_HOME }}
+        MAVEN_USERNAME: ${{ inputs.ossr-username }}
+        MAVEN_PASSWORD: ${{ inputs.ossr-token }}
+        SIGNING_KEY: ${{ inputs.signing-key}}
+        SIGNING_PASSWORD: ${{ inputs.signing-password}}
diff --git a/.github/actions/release-create/action.yml b/.github/actions/release-create/action.yml
@@ -0,0 +1,47 @@
+name: Create a GitHub release
+
+#
+# Creates a GitHub release with the given version.
+#
+# TODO: Remove once the common repo is public.
+#
+
+inputs:
+  token:
+    required: true
+  files:
+    required: false
+  name:
+    required: true
+  body:
+    required: true
+  tag:
+    required: true
+  commit:
+    required: true
+  draft:
+    default: false
+    required: false
+  prerelease:
+    default: false
+    required: false
+  fail_on_unmatched_files:
+    default: true
+    required: false
+
+runs:
+  using: composite
+
+  steps:
+    - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
+      with:
+        body: ${{ inputs.body }}
+        name: ${{ inputs.name }}
+        tag_name: ${{ inputs.tag }}
+        target_commitish: ${{ inputs.commit }}
+        draft: ${{ inputs.draft }}
+        prerelease: ${{ inputs.prerelease }}
+        fail_on_unmatched_files: ${{ inputs.fail_on_unmatched_files }}
+        files: ${{ inputs.files }}
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml
@@ -0,0 +1,66 @@
+name: 'Reversing Labs Scanner'
+description: 'Runs the Reversing Labs scanner on a specified artifact.'
+inputs:
+  artifact-path:
+    description: 'Path to the artifact to be scanned.'
+    required: true
+  version:
+    description: 'Version of the artifact.'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.10'
+
+    - name: Install Python dependencies
+      shell: bash
+      run: |
+        pip install boto3 requests
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
+        aws-region: us-east-1
+        mask-aws-account-id: true
+
+    - name: Install RL Wrapper
+      shell: bash
+      run: |
+        pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+    - name: Run RL Scanner
+      shell: bash
+      env:
+        RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
+        RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
+        SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
+        PYTHONUNBUFFERED: 1
+      run: |
+        if [ ! -f "${{ inputs.artifact-path }}" ]; then
+          echo "Artifact not found: ${{ inputs.artifact-path }}"
+          exit 1
+        fi
+        rl-wrapper \
+          --artifact "${{ inputs.artifact-path }}" \
+          --name "${{ github.event.repository.name }}" \
+          --version "${{ inputs.version }}" \
+          --repository "${{ github.repository }}" \
+          --commit "${{ github.sha }}" \
+          --build-env "github_actions" \
+          --suppress_output
+        # Check the outcome of the scanner
+        if [ $? -ne 0 ]; then
+          echo "RL Scanner failed."
+          echo "scan-status=failed" >> $GITHUB_ENV
+          exit 1
+        else
+          echo "RL Scanner passed."
+          echo "scan-status=success" >> $GITHUB_ENV
+        fi
+outputs:
+  scan-status:
+    description: 'The outcome of the scan process.'
+    value: ${{ env.scan-status }}
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -0,0 +1,33 @@
+name: Configure CI
+description: Performs the initial configuration of the CI environment
+
+inputs:
+  java:
+    description: The Java version to use
+    required: false
+    default: 8.0.382-tem
+  gradle:
+    description: The Gradle version to use
+    required: false
+    default: 6.7.1
+
+runs:
+  using: composite
+
+  steps:
+    - name: Set up Java
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: '11'
+
+    - run: |
+        curl -s "https://get.sdkman.io" | bash
+        source "/home/runner/.sdkman/bin/sdkman-init.sh"
+        sdk install gradle ${{ inputs.gradle }} && sdk default gradle ${{ inputs.gradle }}
+      shell: bash
+
+    - run: ./gradlew androidDependencies
+      shell: bash
+
+    - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # [email protected]
diff --git a/.github/actions/tag-exists/action.yml b/.github/actions/tag-exists/action.yml
@@ -0,0 +1,36 @@
+name: Return a boolean indicating if a tag already exists for the repository
+
+#
+# Returns a simple true/false boolean indicating whether the tag exists or not.
+#
+# TODO: Remove once the common repo is public.
+#
+
+inputs:
+  token:
+    required: true
+  tag:
+    required: true
+
+outputs:
+  exists:
+    description: 'Whether the tag exists or not'
+    value: ${{ steps.tag-exists.outputs.EXISTS }}
+
+runs:
+  using: composite
+
+  steps:
+    - id: tag-exists
+      shell: bash
+      run: |
+        GET_API_URL="https://api.github.com/repos/${GITHUB_REPOSITORY}/git/ref/tags/${TAG_NAME}"
+        http_status_code=$(curl -LI $GET_API_URL -o /dev/null -w '%{http_code}\n' -s -H "Authorization: token ${GITHUB_TOKEN}")
+        if [ "$http_status_code" -ne "404" ] ; then
+          echo "EXISTS=true" >> $GITHUB_OUTPUT
+        else
+          echo "EXISTS=false" >> $GITHUB_OUTPUT
+        fi
+      env:
+        TAG_NAME: ${{ inputs.tag }}
+        GITHUB_TOKEN: ${{ inputs.token }}