dotanuki-labs / android-archives-watchdog
A tool to shift-left sensitive changes on your Android deployable archives
License: MIT License
Release this project with proper OSS goodies
It would be nice having a --debug flag that allows this automation to output all meaningful information related to the processing, especially everything related to analyzing Android archives, e.g.
$> aaw compare -a my.apk -b my.product.android.toml --verbose
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
This repository currently has no open or pending branches.
Detected dependencies:
.github/workflows/ci.yaml
  actions/checkout v4.1.6
  actions/setup-java v4.2.1
  gradle/actions v3.3.2
  actions/upload-artifact v4.3.3
  actions/download-artifact v4.1.7
  ubuntu 22.04
.github/workflows/publish.yaml
  actions/checkout v4.1.6
  actions/setup-java v4.2.1
  softprops/action-gh-release v2.0.5
  ubuntu 22.04
gradle.properties
settings.gradle.kts
  org.gradle.toolchains.foojay-resolver-convention 0.8.0
  com.gradle.develocity 3.17.4
build.gradle.kts
gradle/libs.versions.toml
  com.github.ajalt.clikt:clikt 4.4.0
  com.github.ajalt.mordant:mordant 2.6.0
  io.arrow-kt:arrow-core 1.2.4
  com.android.tools:sdklib 31.4.0
  com.android.tools.apkparser:apkanalyzer 31.4.0
  com.android.tools.apkparser:binary-resources 31.4.0
  com.android.tools:repository 31.4.0
  com.android.tools:sdk-common 31.4.0
  com.android.tools:common 31.4.0
  com.android.tools.build:bundletool 1.16.0
  org.jetbrains.kotlinx:kotlinx-serialization-core 1.6.3
  org.jetbrains.kotlinx:kotlinx-serialization-core-jvm 1.6.3
  org.jetbrains.kotlinx:kotlinx-serialization-json 1.6.3
  net.peanuuutz.tomlkt:tomlkt 0.3.7
  junit:junit 4.13.2
  com.google.guava:guava 33.2.0-jre
  com.google.truth:truth 1.4.2
  org.jetbrains.kotlin.jvm 1.9.24
  org.jetbrains.kotlin.plugin.serialization 1.9.24
  io.gitlab.arturbosch.detekt 1.23.6
  org.jlleitschuh.gradle.ktlint 12.1.1
  com.github.johnrengelman.shadow 8.1.1
  com.adarshr.test-logger 4.0.0
Right now, this tool only supports artifacts packaged in the apk format. In order to support the aab format we can take advantage of bundletool, either as a standalone binary or as a dependency.
Provide CLI to extract from an .apk or an .aab, so we can list
$> arw overview --target=path/to/myapp.aab
We'd like to also generate a configuration file arw.toml as long as we can have information about what's inside a releasable:
$> arw generate --target=path/to/myapp.aab
We'd like to have E2E tests as part of our test suite, using projects like
Rather than listing and dumping everything we find inside an artifact, we'd like to trust a few package patterns in order to simplify the baseline with sensitive components to keep on track.
An example of such an extension:
applicationId = "com.my.product.android"
trustedPackages = [
"com.android.*",
"com.my.company.*"
]
# More configuration ....
Right now, the approach of converting .aab to a universal .apk with bundletool has a few issues related to apk signing, which generates non-trivial CLI output as part of the execution.
For instance, the default debug.keystore may not be available in the CI environment at runtime, which generates:
WARNING: The APKs won't be signed and thus not installable unless you also pass a keystore via the flag --ks.
See the command help for more information.
In addition, when available, bundletool will also pollute the output with a log:
INFO: The APKs will be signed with the debug keystore found at '<path/to/home>/.android/debug.keystore'.
Eventually both issues can be tackled by supplying a custom signing key to bundletool.
We want a CLI interface like
$> arw --apk path/to/some/app.apk --baseline path/to/arw.toml
which will
.toml file
Open questions
Right now, compare will output differences between archives and baselines only to stdout and in plain text.
However, it'd be useful to have different (structured) formats, e.g. json, so the output can be post-processed afterward. That would enable an enriched PR decoration, for example. On Github Actions:
aaw compare -a app/build/output/release/my.apk -b my.org.product.toml --json > comparison.json
# Convert with tools like https://github.com/haltcase/tablemark-cli or in bash with jq
markdown=$(convert_to_markdown comparison.json)
gh pr comment ${{ github.event.pull_request.number }} --body "$markdown" --edit-last
In addition, we could output markdown directly.