diff options
| -rw-r--r-- | .github/workflows/android-reproducible-builds.yml | 28 | ||||
| -rw-r--r-- | android/snapshot/manifest-permissions-oss.txt | 8 |
2 files changed, 36 insertions, 0 deletions
diff --git a/.github/workflows/android-reproducible-builds.yml b/.github/workflows/android-reproducible-builds.yml index f49612a15c..62855cc42f 100644 --- a/.github/workflows/android-reproducible-builds.yml +++ b/.github/workflows/android-reproducible-builds.yml @@ -142,3 +142,31 @@ jobs: - name: Compare files run: diff container/app-oss-prod-fdroid-unsigned.apk fdroidserver/app-oss-prod-fdroid-unsigned.apk + + # Included in this workflow since it's the only place + # release artifacts are built. Should eventually be moved. + check-permissions: + name: Check APK permissions + runs-on: ubuntu-latest + needs: [set-up-env, build-fdroid-app] + steps: + - name: Install apktool + run: sudo apt-get install -y apktool + + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ needs.set-up-env.outputs.COMMIT_HASH }} + + - name: Download container apk + uses: actions/download-artifact@v4 + with: + name: container-app + + - name: Extract resources + run: | + apktool d app-oss-prod-fdroid-unsigned.apk -s -o output + + - name: Compare manifest permissions with checked in snapshot + run: | + diff android/snapshot/manifest-permissions-oss.txt <(cat output/AndroidManifest.xml | grep uses-permission) diff --git a/android/snapshot/manifest-permissions-oss.txt b/android/snapshot/manifest-permissions-oss.txt new file mode 100644 index 0000000000..df7afec32b --- /dev/null +++ b/android/snapshot/manifest-permissions-oss.txt @@ -0,0 +1,8 @@ + <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/> + <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/> + <uses-permission android:name="android.permission.INTERNET"/> + <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/> + <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/> + <uses-permission android:name="android.permission.FOREGROUND_SERVICE_SYSTEM_EXEMPTED"/> + <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/> + <uses-permission android:name="net.mullvad.mullvadvpn.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION"/> |