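name: RN APK Build

# NOTE(review): every `uses:` below references a mutable tag (@v3/@v4/@v6).
# Pin each action to a full commit SHA (`owner/action@<sha>  # vN`) so a
# retargeted tag cannot change the code that runs with SONAR_TOKEN and with
# write access to the runner's host filesystem.

on:
  push:
    branches:
      - main

# Least privilege for the job token: nothing in this workflow writes back to
# the repository. Honoured by GitHub Actions; Gitea act_runner may ignore the
# key, in which case it is harmless.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history (SonarQube new-code / blame detection needs it).
          fetch-depth: 0

      # Host runner: no ~/.bashrc. Jobs may run as root while nvm lives under a normal user
      # (e.g. /home/azureuser/.nvm). Prefer system Node, then that user's nvm.
      # - name: Put Node on PATH (host runner)
      #   run: |
      #     set -euo pipefail
      #     if command -v node >/dev/null 2>&1; then
      #       echo "Using node already on PATH: $(command -v node)"
      #       echo "PATH=$PATH" >> "$GITHUB_ENV"
      #       node -v
      #       exit 0
      #     fi
      #     NVM_DIR_RESOLVED=""
      #     for dir in "${NVM_DIR:-}" "${HOME}/.nvm" "/home/azureuser/.nvm" "/home/ubuntu/.nvm"; do
      #       [ -z "$dir" ] && continue
      #       if [ -s "$dir/nvm.sh" ]; then
      #         NVM_DIR_RESOLVED="$dir"
      #         break
      #       fi
      #     done
      #     if [ -z "$NVM_DIR_RESOLVED" ]; then
      #       echo "Node not found. Either symlink node to /usr/local/bin or install nvm under HOME," >&2
      #       echo "or under /home/azureuser/.nvm for this runner." >&2
      #       exit 1
      #     fi
      #     export NVM_DIR="$NVM_DIR_RESOLVED"
      #     # shellcheck source=/dev/null
      #     . "$NVM_DIR/nvm.sh"
      #     nvm use 20 2>/dev/null || nvm use default
      #     echo "PATH=$PATH" >> "$GITHUB_ENV"
      #     command -v node
      #     node -v

      # ---------------- JAVA (Gradle + SonarScanner need JDK on Ubuntu) ----------------
      # - name: Setup Java
      #   uses: actions/setup-java@v4
      #   with:
      #     distribution: temurin
      #     java-version: 17
      #     cache: gradle

      # ---------------- NODE ----------------
      # - name: Setup Node
      #   uses: actions/setup-node@v4
      #   with:
      #     node-version: 20
      #     cache: npm

      - name: Install dependencies
        run: npm ci

      # ---------------- TRIVY (filesystem scan; avoid trivy-action — it pulls actions/cache node24) ----------------
      # Supply chain: fetch the installer from the same release tag as the binary,
      # not from `main`, so the script that runs as this job cannot change underneath
      # the pinned version. Verifying the release checksum/signature is stronger still.
      # - name: Install Trivy
      #   run: |
      #     mkdir -p "${HOME}/bin"
      #     curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/v0.70.0/contrib/install.sh | sh -s -- -b "${HOME}/bin" v0.70.0
      #     echo "${HOME}/bin" >> "${GITHUB_PATH}"
      #     "${HOME}/bin/trivy" --version

      # Use "${HOME}/bin/trivy" — act/Gitea may not prepend GITHUB_PATH before the next step.
      # Gitea only orchestrates the job; output path is on the runner. With ubuntu-latest:host this is the VM; with Docker jobs, mount /home/azureuser or use artifacts.
      - name: Trivy filesystem scan
        run: |
          TRIVY="${HOME}/bin/trivy"
          # The install step above is commented out, so the binary must already be
          # on the runner. Fail with a clear message instead of "No such file".
          if [ ! -x "${TRIVY}" ]; then
            echo "trivy not found at ${TRIVY}. Preinstall it on the runner or re-enable the 'Install Trivy' step." >&2
            exit 1
          fi
          TRIVY_REPORT="/home/azureuser/Trivy/report.json"
          mkdir -p /home/azureuser/Trivy
          # --exit-code 0 makes this report-only: findings never fail the build.
          # To make the scan gating use e.g. `--exit-code 1 --severity HIGH,CRITICAL`.
          # Skipping node_modules should not hide npm findings (Trivy reads the
          # lockfile at the repo root) — confirm against your Trivy version.
          "${TRIVY}" fs -f json -o "${TRIVY_REPORT}" \
            --skip-dirs node_modules,android/.gradle,android/build,ios/Pods,ios/build,.git \
            --exit-code 0 \
            .
          echo "Runner host: $(hostname)"
          echo "Trivy JSON report: ${TRIVY_REPORT}"
          ls -la "${TRIVY_REPORT}"

      # Download this artifact from the Gitea run UI — file leaves the ephemeral job container without docker cp.
      # - name: Upload Trivy report (artifact)
      #   uses: actions/upload-artifact@v3
      #   with:
      #     name: trivy-fs-report
      #     path: /home/azureuser/Trivy/report.json

      # Optional: persist on the VM host. In act_runner config.yaml set (then restart runner):
      #   container:
      #     options: "-v /home/azureuser/gitea-reports:/gitea-reports"
      # If your config uses valid_volumes, allow that host path (see act_runner config.example.yaml).
      # - name: Copy Trivy report to host bind mount (if configured)
      #   run: |
      #     TRIVY_REPORT="/home/azureuser/Trivy/report.json"
      #     if [ -d /gitea-reports ] && [ -w /gitea-reports ]; then
      #       out="/gitea-reports/trivy-report-${GITHUB_RUN_ID:-$(date +%s)}.json"
      #       cp -f "${TRIVY_REPORT}" "${out}"
      #       echo "Copied to bind mount (see host dir mapped to /gitea-reports): ${out}"
      #     else
      #       echo "Skip host copy: no /gitea-reports volume. Use artifact above, or add runner container.options volume — see workflow comment."
      #     fi

      # ---------------- SONARQUBE ----------------
      # In Gitea: Settings → Secrets → SONAR_TOKEN (and optionally SONAR_URL).
      # Both values come from secrets; never hard-code the token or URL here.
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v6
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_URL }}

      # ---------------- ANDROID SDK (required on Ubuntu: ANDROID_HOME / sdk.dir) ----------------
      - name: Setup Android SDK
        uses: android-actions/setup-android@v3
        with:
          packages: >-
            tools
            platform-tools
            platforms;android-36
            build-tools;36.0.0
            ndk;27.1.12297006

      - name: Point Gradle to the SDK
        run: |
          printf 'sdk.dir=%s\n' "${ANDROID_SDK_ROOT}" > android/local.properties
          cat android/local.properties

      - name: Grant Gradle execute permission
        run: chmod +x android/gradlew

      # ---------------- BUILD APK ----------------
      # NOTE(review): release signing is not visible in this workflow. If the
      # Gradle release config signs the APK, the keystore and its passwords must
      # come from secrets, not from files committed under android/.
      - name: Build Release APK
        run: |
          cd android
          ./gradlew assembleRelease --stacktrace --info

      # ---------------- VERIFY APK ----------------
      - name: Check APK Output
        run: |
          ls -R android/app/build/outputs/apk

      # ---------------- SAVE TO VM ----------------
      # Writes straight to the host (ubuntu-latest:host). Same-named APKs from
      # earlier runs are overwritten, and two concurrent pushes to main would
      # race on this directory — add a `concurrency` group or a per-run
      # subfolder if that matters.
      - name: Save APK to VM folder
        run: |
          mkdir -p /home/azureuser/builds
          cp android/app/build/outputs/apk/release/*.apk /home/azureuser/builds/

      # ---------------- VERIFY FINAL ----------------
      - name: Verify APK in VM
        run: |
          ls -l /home/azureuser/builds

      # ---------------- (OPTIONAL) ARTIFACT ----------------
      # - name: Upload APK (optional)
      #   uses: actions/upload-artifact@v3
      #   with:
      #     name: app-release
      #     path: android/app/build/outputs/apk/release/*.apk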