
feat(android): enable Firefox Android support with min version 142 #5

feat(android): enable Firefox Android support with min version 142


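# SPDX-License-Identifier: PMPL-1.0-or-later
#
# Builds the fireflag extension inside a container, extracts the packaged
# .xpi files plus their SHA256SUMS, checks build reproducibility on pull
# requests, and runs a basic scan over the produced archive. Every
# third-party action is pinned to a full commit SHA (tag noted in the
# trailing comment) so a moved tag cannot silently change what runs here.
name: Container Build

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  workflow_dispatch:

# Default token scope for every job; a job widens only what it needs.
permissions: read-all

jobs:
  container-build:
    runs-on: ubuntu-latest
    # Nothing in this job logs in to or pushes to a registry, so the token
    # stays read-only (the previous `packages: write` was never exercised).
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4

      - name: Set up Podman
        run: |
          sudo apt-get update
          sudo apt-get install -y podman

      - name: Build container
        run: |
          podman build -f .containerization/Containerfile -t fireflag:${{ github.sha }} .

      - name: Extract artifacts
        run: |
          CONTAINER_ID=$(podman create fireflag:${{ github.sha }})
          mkdir -p build-output
          # Best effort: a missing artifact directory is caught by the
          # checksum step and the upload step below, which both fail loudly.
          podman cp "$CONTAINER_ID:/build/extension/web-ext-artifacts/" build-output/ || true
          podman rm "$CONTAINER_ID"

      - name: Verify checksums
        run: |
          # A missing SHA256SUMS means there is nothing verifiable to publish;
          # fail here instead of silently skipping verification and uploading
          # an unchecked (or empty) artifact.
          if [ ! -f build-output/web-ext-artifacts/SHA256SUMS ]; then
            echo "::error::build-output/web-ext-artifacts/SHA256SUMS not found"
            exit 1
          fi
          cd build-output/web-ext-artifacts
          sha256sum -c SHA256SUMS

      - name: Upload extension artifact
        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4
        with:
          name: fireflag-extension-${{ github.sha }}
          path: build-output/web-ext-artifacts/*.xpi
          # Fail here rather than producing no artifact, which would only
          # surface later as an unrelated download error in security-scan.
          if-no-files-found: error
          retention-days: 30

      - name: Upload checksums
        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4
        with:
          name: fireflag-checksums-${{ github.sha }}
          path: build-output/web-ext-artifacts/SHA256SUMS*
          if-no-files-found: error
          retention-days: 30

  reproducibility-check:
    runs-on: ubuntu-latest
    needs: container-build
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4

      - name: Set up Podman
        run: |
          sudo apt-get update
          sudo apt-get install -y podman

      - name: Build container (attempt 1)
        run: |
          podman build -f .containerization/Containerfile -t fireflag:build1 .
          CONTAINER_ID=$(podman create fireflag:build1)
          mkdir -p build1
          podman cp "$CONTAINER_ID:/build/extension/web-ext-artifacts/" build1/ || true
          podman rm "$CONTAINER_ID"

      - name: Build container (attempt 2)
        run: |
          # Clean and rebuild to test reproducibility
          podman rmi fireflag:build1
          podman build -f .containerization/Containerfile -t fireflag:build2 .
          CONTAINER_ID=$(podman create fireflag:build2)
          mkdir -p build2
          podman cp "$CONTAINER_ID:/build/extension/web-ext-artifacts/" build2/ || true
          podman rm "$CONTAINER_ID"

      - name: Compare builds
        run: |
          echo "Comparing build artifacts for reproducibility..."
          # Note: Currently not fully reproducible due to timestamps in .xpi
          # This is a known limitation that will be addressed
          # The job deliberately does not fail on a difference yet.
          if diff -r build1/web-ext-artifacts build2/web-ext-artifacts; then
            echo "✓ Builds are reproducible!"
          else
            echo "⚠ Builds differ (this is expected currently)"
            echo "See .containerization/README.adoc for details"
          fi

  security-scan:
    runs-on: ubuntu-latest
    needs: container-build
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4

      - name: Download artifact
        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4
        with:
          name: fireflag-extension-${{ github.sha }}
          path: artifacts/

      - name: Scan extension archive
        run: |
          # Unzip and scan contents
          mkdir -p /tmp/extension
          unzip artifacts/*.xpi -d /tmp/extension
          # Basic security checks
          echo "Checking for executable scripts..."
          # The -name alternatives must be grouped: without the parentheses,
          # -o split the expression so -executable applied only to *.js and
          # every *.html matched unconditionally. find also exits 0 whether
          # or not anything matched, so the step has to test the output and
          # fail explicitly.
          executable_files=$(find /tmp/extension -type f -executable \( -name "*.js" -o -name "*.html" \))
          if [ -n "$executable_files" ]; then
            echo "::error::executable script files found in extension archive:"
            echo "$executable_files"
            exit 1
          fi
          echo "Verifying manifest..."
          jq empty /tmp/extension/manifest.json
          # -e turns the boolean result into the exit status; without it the
          # check only printed true/false and could never fail the step.
          jq -e '.manifest_version == 3' /tmp/extension/manifest.json

      - name: Run TruffleHog
        uses: trufflesecurity/trufflehog@8a8ef8526528d8a4ff3e2c90be08e25ef8efbd9b # v3
        with:
          path: artifacts/
          # Empty base/head scan the whole path rather than a commit range.
          base: ''
          head: ''
          extra_args: --only-verified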