| author | Albin <albin@mullvad.net> | 2025-05-06 09:10:07 +0200 |
|---|---|---|
| committer | Albin <albin@mullvad.net> | 2025-05-06 09:10:07 +0200 |
| commit | 7909b095fc3db2068b53a9c744d66129b2b2df4a (patch) | |
| tree | 31740d099ef70991de1440be8b17ba96ba381102 | |
| parent | acdc0fb3be1c10d95203320498870fa7d36f9848 (diff) | |
| parent | f02507745a7ab1c4a76952aa9759e42ab3944f1a (diff) | |
| download | mullvadvpn-7909b095fc3db2068b53a9c744d66129b2b2df4a.tar.xz mullvadvpn-7909b095fc3db2068b53a9c744d66129b2b2df4a.zip | |
Merge branch 'add-ci-checks-that-permissions-are-not-added-through-third-droid-1977'
| -rw-r--r-- | .github/workflows/android-reproducible-builds.yml | 28 | ||||
| -rw-r--r-- | android/snapshot/manifest-permissions-oss.txt | 8 |
2 files changed, 36 insertions, 0 deletions
diff --git a/.github/workflows/android-reproducible-builds.yml b/.github/workflows/android-reproducible-builds.yml
index f49612a15c..62855cc42f 100644
--- a/.github/workflows/android-reproducible-builds.yml
+++ b/.github/workflows/android-reproducible-builds.yml
@@ -142,3 +142,31 @@ jobs:
 - name: Compare files
 run: diff container/app-oss-prod-fdroid-unsigned.apk fdroidserver/app-oss-prod-fdroid-unsigned.apk
+
+ # Included in this workflow since it's the only place
+ # release artifacts are built. Should eventually be moved.
+ check-permissions:
+ name: Check APK permissions
+ runs-on: ubuntu-latest
+ needs: [set-up-env, build-fdroid-app]
+ steps:
+ - name: Install apktool
+ run: sudo apt-get install -y apktool
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ needs.set-up-env.outputs.COMMIT_HASH }}
+
+ - name: Download container apk
+ uses: actions/download-artifact@v4
+ with:
+ name: container-app
+
+ - name: Extract resources
+ run: |
+ apktool d app-oss-prod-fdroid-unsigned.apk -s -o output
+
+ - name: Compare manifest permissions with checked in snapshot
+ run: |
+ diff android/snapshot/manifest-permissions-oss.txt <(cat output/AndroidManifest.xml | grep uses-permission)
diff --git a/android/snapshot/manifest-permissions-oss.txt b/android/snapshot/manifest-permissions-oss.txt
new file mode 100644
index 0000000000..df7afec32b
--- /dev/null
+++ b/android/snapshot/manifest-permissions-oss.txt
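Review bot: The last step of `check-permissions` gates only on lines containing `uses-permission`, so a dependency whose merged manifest adds a `<permission>` declaration, a `<queries>` entry or an exported component would still pass. If that scope is intended, a comment above the step such as `# Only <uses-permission> entries are compared; other merged manifest elements are not covered` would keep readers from over-trusting the check. The comparison is also byte-exact on apktool's element order and indentation, while `sudo apt-get install -y apktool` takes whatever version the runner image provides, so a formatting change in the tool would fail the job for reasons unrelated to permissions. Normalising both sides, for example `grep uses-permission output/AndroidManifest.xml | sed 's/^[[:space:]]*//' | sort` with the snapshot stored the same way, keeps the gate fail-closed while making it depend only on the permission entries. The job reads only the `container-app` artifact, so the snapshot appears to cover just the container-built oss fdroid APK.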
@@ -0,0 +1,8 @@
+ <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
+ <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
+ <uses-permission android:name="android.permission.INTERNET"/>
+ <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
+ <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
+ <uses-permission android:name="android.permission.FOREGROUND_SERVICE_SYSTEM_EXEMPTED"/>
+ <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
+ <uses-permission android:name="net.mullvad.mullvadvpn.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION"/> |
