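---
# CI workflow for a React Native Android app. Order of operations:
#   checkout → npm ci → Trivy filesystem scan (report kept on the runner and
#   pushed to MongoDB) → SonarQube scan → Android SDK setup → Gradle release
#   build → APK copied to a fixed directory on the runner VM.
#
# Runner preconditions this file does NOT establish itself (the corresponding
# setup steps are commented out below):
#   - Trivy already installed at "${HOME}/bin/trivy"
#   - Node (for `npm ci`) and a JDK (for Gradle / SonarScanner) already on PATH
#   - /home/azureuser/builds and /home/azureuser/uploadJSONMongoDB present on the VM
#
# NOTE(review): every third-party action is referenced by a mutable tag
# (@v3/@v4/@v6). Pinning to a full commit SHA would make the action supply
# chain reproducible — confirm the hosting forge resolves SHA refs first.
# NOTE(review): no `permissions:` block is declared, so the default token scope
# applies on GitHub; whether the Gitea runner honours it is not visible here.
name: RN APK Build

on:
  push:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history: SonarQube uses it for blame / new-code detection.
          fetch-depth: 0

      # ---------------- JAVA (Gradle + SonarScanner need JDK on Ubuntu) ----------------
      # - name: Setup Java
      #   uses: actions/setup-java@v4
      #   with:
      #     distribution: temurin
      #     java-version: 17
      #     cache: gradle

      # ---------------- NODE ----------------
      # - name: Setup Node
      #   uses: actions/setup-node@v4
      #   with:
      #     node-version: 20
      #     cache: npm

      # `npm ci` runs package lifecycle scripts (e.g. postinstall) for the
      # lockfile's dependency set. The Trivy scan only runs afterwards, so it
      # reports on dependencies that have already executed on this runner.
      - name: Install dependencies
        run: npm ci

      # ---------------- TRIVY (filesystem scan; avoid trivy-action — it pulls actions/cache node24) ----------------
      # - name: Install Trivy
      #   run: |
      #     mkdir -p "${HOME}/bin"
      #     curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b "${HOME}/bin" v0.70.0
      #     echo "${HOME}/bin" >> "${GITHUB_PATH}"
      #     "${HOME}/bin/trivy" --version
      # Use "${HOME}/bin/trivy" — act/Gitea may not prepend GITHUB_PATH before the next step.
      # Gitea only orchestrates the job; checkout + report.json live on the runner machine (this server), not on the Gitea host.
      # `--exit-code 0` makes the scan report-only: findings never fail this job.
      # Any severity gating has to happen downstream, on the uploaded report.
      - name: Trivy filesystem scan
        run: |
          set -euo pipefail
          trivy_bin="${HOME}/bin/trivy"
          # The install step above is commented out, so the binary must already be
          # on the runner. Fail fast with a readable message instead of a bare
          # "command not found" later in the script.
          if [ ! -x "${trivy_bin}" ]; then
            echo "trivy not found at ${trivy_bin}; install it on the runner or re-enable the 'Install Trivy' step" >&2
            exit 1
          fi
          # Log the scanner version next to the report so a finding can be reproduced.
          "${trivy_bin}" --version
          "${trivy_bin}" fs -f json -o report.json \
            --skip-dirs node_modules,android/.gradle,android/build,ios/Pods,ios/build,.git \
            --exit-code 0 \
            .
          report_path="${GITHUB_WORKSPACE:-$(pwd)}/report.json"
          echo "Runner host: $(hostname)"
          echo "report.json (on this runner, under job workspace): ${report_path}"
          ls -la report.json
          mkdir -p /home/azureuser/builds
          # Fixed destination name: each run overwrites the previous report.
          cp -f report.json /home/azureuser/builds/trivy-report.json
          echo "Persistent copy (survives after job workspace is removed): /home/azureuser/builds/trivy-report.json"

      # The upload script and its MongoDB connection settings live on the runner
      # VM, outside this repository. NOTE(review): the connection credentials
      # should come from the runner environment / secrets, not the script file
      # itself — confirm on the VM.
      - name: Upload Trivy report to MongoDB
        run: node /home/azureuser/uploadJSONMongoDB/scripts/upload-report-to-mongodb.js

      # - name: Upload Trivy report
      #   uses: actions/upload-artifact@v3
      #   with:
      #     name: trivy-fs-report
      #     path: report.json

      # ---------------- SONARQUBE ----------------
      # In Gitea: Settings → Secrets → SONAR_TOKEN (and optionally SONAR_URL).
      # If SONAR_URL is unset, SONAR_HOST_URL is passed as an empty string; what
      # the action does with that is not visible here — TODO confirm.
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v6
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_URL }}

      # ---------------- ANDROID SDK (required on Ubuntu: ANDROID_HOME / sdk.dir) ----------------
      - name: Setup Android SDK
        uses: android-actions/setup-android@v3
        with:
          # Folded scalar: passed to the action as one space-separated list.
          packages: >-
            tools
            platform-tools
            platforms;android-36
            build-tools;36.0.0
            ndk;27.1.12297006

      - name: Point Gradle to the SDK
        run: |
          # Refuse to write an empty sdk.dir — that would only surface later as a
          # confusing Gradle error.
          : "${ANDROID_SDK_ROOT:?ANDROID_SDK_ROOT is not set; did the Setup Android SDK step run?}"
          printf 'sdk.dir=%s\n' "${ANDROID_SDK_ROOT}" > android/local.properties
          cat android/local.properties

      - name: Grant Gradle execute permission
        run: chmod +x android/gradlew

      # ---------------- BUILD APK ----------------
      # The wrapper jar under android/gradle/wrapper comes from the repository
      # and is executed as-is; no wrapper checksum validation runs in this job.
      # `--info` makes the Gradle log verbose.
      - name: Build Release APK
        run: |
          cd android
          ./gradlew assembleRelease --stacktrace --info

      # ---------------- VERIFY APK ----------------
      - name: Check APK Output
        run: |
          ls -R android/app/build/outputs/apk

      # ---------------- SAVE TO VM ----------------
      # Copies into a shared, fixed directory on the runner VM; an APK with the
      # same filename from an earlier run is overwritten.
      - name: Save APK to VM folder
        run: |
          mkdir -p /home/azureuser/builds
          cp android/app/build/outputs/apk/release/*.apk /home/azureuser/builds/

      # ---------------- VERIFY FINAL ----------------
      - name: Verify APK in VM
        run: |
          ls -l /home/azureuser/builds

      # ---------------- (OPTIONAL) ARTIFACT ----------------
      - name: Upload APK (optional)
        uses: actions/upload-artifact@v3
        with:
          name: app-release
          path: android/app/build/outputs/apk/release/*.apk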