feat(controller): OTA updater security + correctness redesign (F15, PR A) #136
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Android Sanity Check (CI) | |
| on: | |
| # One run per PR (pull_request) and one post-merge on the integration branches. | |
| # Previously push:["**"] also ran on every feature-branch push, so an open PR | |
| # got two redundant concurrent runs. Feature branches are covered by their PR. | |
| push: | |
| branches: [ "main", "development" ] | |
| paths-ignore: | |
| - '**.md' | |
| - 'docs/**' | |
| - 'controller/docs/**' | |
| - 'tools/**' | |
| - '.github/**' | |
| - 'LICENSE' | |
| - '.gitignore' | |
| pull_request: | |
| branches: [ "main", "development" ] | |
| paths-ignore: | |
| - '**.md' | |
| - 'docs/**' | |
| - 'controller/docs/**' | |
| - 'tools/**' | |
| - '.github/**' | |
| - 'LICENSE' | |
| - '.gitignore' | |
| # Supersede in-flight runs: when a newer commit lands on the same branch/PR, cancel | |
| # the older run so a fixup doesn't leave a zombie ~50-min lint job running. | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| check-syntax: | |
| name: Lint & Compile Check | |
| runs-on: ubuntu-latest | |
| # M15: expose a token to the gradle steps so the native-artifact sync can fall | |
| # back to an authenticated GitHub API call when the unauthenticated one is | |
| # rate-limited (HTTP 403). secrets.GITHUB_TOKEN is provided automatically. | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| defaults: | |
| run: | |
| working-directory: ./controller | |
| steps: | |
| - name: Checkout Project Code | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Set up Java 17 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'zulu' | |
| java-version: '17' | |
| cache: 'gradle' | |
| - name: Grant Execute Permission to Gradlew | |
| run: chmod +x gradlew | |
| # Phase 0 safety net: unit tests are a BLOCKING gate. | |
| - name: Run Unit Tests | |
| run: ./gradlew testDebugUnitTest --stacktrace | |
| # Lint is a BLOCKING gate for :app. The existing backlog is grandfathered via the | |
| # committed app/lint-baseline.xml; any NEW lint error fails CI. Scoped to :app so | |
| # the vendored termux-core/upstream backlog does not block. | |
| - name: Run Android Lint (:app, blocking) | |
| run: ./gradlew :app:lintDebug | |
| - name: Compile Test (Assemble Debug) | |
| run: ./gradlew assembleDebug --stacktrace |