fix(security): replace cleartext HTTP with raw sockets, harden deferr… #128
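# CI pipeline: Rust and Kotlin linting, dependency policy check (cargo-deny),
# unit tests, release APK build, emulator-based UI tests, a version
# consistency check, and API docs publication to GitHub Pages.
#
# Supply-chain note: every `uses:` below references an action by a mutable tag
# or branch (`@v4`, `@v3`, `@v2`, `@stable`). Whoever controls the action's
# repository can move such a ref. Pinning each reference to a full commit SHA
# (keeping the tag in a trailing comment) makes the executed code immutable.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  # Lets other workflows reuse this pipeline and optionally skip emulator jobs.
  workflow_call:
    inputs:
      skip-emu-tests:
        description: "Skip emulator-based tests (screen tests and Maestro E2E)"
        type: boolean
        default: false

# Least privilege for GITHUB_TOKEN: by default jobs only read the repository.
# A job that declares its own `permissions:` (see `docs`) replaces this set.
permissions:
  contents: read

# One run per ref; a newer push cancels the run still in progress.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1

jobs:
  # rustfmt and clippy over the zeroclaw-ffi crate; warnings are errors.
  lint-rust:
    name: Lint Rust
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: zeroclaw-android
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      # Applies the repository's own patches on top of the checked-out
      # submodule; a no-op when patches/ holds no *.patch file.
      - name: Apply submodule patches
        run: if ls ../patches/*.patch 1>/dev/null 2>&1; then git apply ../patches/*.patch; fi
        working-directory: zeroclaw
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt, clippy
          targets: aarch64-linux-android, x86_64-linux-android
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: zeroclaw-android -> target
      - name: Check formatting
        run: cargo fmt --check
      - name: Run clippy
        run: cargo clippy -p zeroclaw-ffi --all-targets -- -D warnings

  # Kotlin formatting (spotless) and static analysis (detekt).
  lint-kotlin:
    name: Lint Kotlin
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Apply submodule patches
        run: if ls patches/*.patch 1>/dev/null 2>&1; then cd zeroclaw && git apply ../patches/*.patch; fi
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: android-actions/setup-android@v3
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
      - name: Run spotlessCheck
        run: ./gradlew spotlessCheck
      - name: Run detekt
        run: ./gradlew detekt

  # Dependency policy check (cargo-deny) against the Android workspace manifest.
  cargo-deny:
    name: Cargo Deny
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Apply submodule patches
        run: if ls patches/*.patch 1>/dev/null 2>&1; then cd zeroclaw && git apply ../patches/*.patch; fi
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          manifest-path: zeroclaw-android/Cargo.toml

  # Compose screen tests on a Gradle-managed device. Runs only for pull
  # requests, and only when the caller did not set skip-emu-tests.
  screen-test:
    name: Screen Tests
    if: ${{ !inputs.skip-emu-tests && github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    needs: [test]
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Apply submodule patches
        run: if ls patches/*.patch 1>/dev/null 2>&1; then cd zeroclaw && git apply ../patches/*.patch; fi
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: android-actions/setup-android@v3
      - name: Install NDK
        run: sdkmanager "ndk;27.2.12479018"
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: aarch64-linux-android, x86_64-linux-android
      # --locked builds the tool with the Cargo.lock published with the crate
      # rather than re-resolving its dependencies on every run.
      # NOTE(review): the cargo-ndk version itself is still unpinned; consider
      # adding `--version` so the build tool cannot change between runs.
      - name: Install cargo-ndk
        run: cargo install cargo-ndk --locked
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: zeroclaw-android -> target
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
      # Makes /dev/kvm accessible to every user on the machine (MODE 0666) so
      # the emulator can use hardware acceleration. Acceptable on an ephemeral
      # hosted runner; not a rule to copy onto a long-lived or shared host.
      - name: Enable KVM
        run: |
          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
          sudo udevadm control --reload-rules
          sudo udevadm trigger --name-match=kvm
      - name: Run Compose screen tests on managed device
        run: ./gradlew pixel7Api35DebugAndroidTest -Pandroid.testInstrumentationRunnerArguments.package=com.zeroclaw.android.screen

  # Maestro end-to-end flows against a debug APK on an emulator. Same trigger
  # conditions as screen-test.
  maestro-test:
    name: Maestro E2E
    if: ${{ !inputs.skip-emu-tests && github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    needs: [test]
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Apply submodule patches
        run: if ls patches/*.patch 1>/dev/null 2>&1; then cd zeroclaw && git apply ../patches/*.patch; fi
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: android-actions/setup-android@v3
      - name: Install NDK
        run: sdkmanager "ndk;27.2.12479018"
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: aarch64-linux-android, x86_64-linux-android
      - name: Install cargo-ndk
        run: cargo install cargo-ndk --locked
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: zeroclaw-android -> target
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
      # World-accessible /dev/kvm; see the note on the same step in screen-test.
      - name: Enable KVM
        run: |
          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
          sudo udevadm control --reload-rules
          sudo udevadm trigger --name-match=kvm
      # The installer is fetched at run time and executed with no integrity
      # check, so this job trusts whatever that URL serves. Downloading to a
      # file with -f first ensures an HTTP error or an interrupted transfer
      # fails the step instead of feeding an error page or a partial script to
      # bash. NOTE(review): consider pinning a specific Maestro release and
      # verifying its checksum before running it.
      - name: Install Maestro
        run: |
          set -euo pipefail
          curl -fsSL "https://get.maestro.mobile.dev" -o "$RUNNER_TEMP/maestro-install.sh"
          bash "$RUNNER_TEMP/maestro-install.sh"
      - name: Build debug APK
        run: ./gradlew :app:assembleDebug
      - name: Start emulator and run Maestro flows
        uses: reactivecircus/android-emulator-runner@v2
        with:
          api-level: 35
          target: google_apis
          arch: x86_64
          profile: pixel_7
          heap-size: 512M
          ram-size: 4096M
          emulator-options: -no-snapshot-save -no-window -gpu swiftshader_indirect -noaudio -no-boot-anim
          disable-animations: true
          script: |
            adb shell settings put global window_animation_scale 0
            adb shell settings put global transition_animation_scale 0
            adb shell settings put global animator_duration_scale 0
            adb install app/build/outputs/apk/debug/app-debug.apk
            $HOME/.maestro/bin/maestro test maestro/flows/ --exclude-tags real-daemon --debug-output maestro-output/
      # Debug output is kept only for failed runs and expires after 7 days.
      - name: Upload Maestro debug output
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: maestro-debug-output
          path: maestro-output/
          retention-days: 7

  # Release APK build. Runs unless the run was cancelled or a needed job failed
  # (a skipped dependency does not block it).
  build:
    name: Build
    runs-on: ubuntu-latest
    needs: [lint-rust, lint-kotlin, cargo-deny, test]
    if: ${{ !cancelled() && !contains(needs.*.result, 'failure') }}
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Apply submodule patches
        run: if ls patches/*.patch 1>/dev/null 2>&1; then cd zeroclaw && git apply ../patches/*.patch; fi
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: android-actions/setup-android@v3
      - name: Install NDK
        run: sdkmanager "ndk;27.2.12479018"
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: aarch64-linux-android, x86_64-linux-android
      - name: Install cargo-ndk
        run: cargo install cargo-ndk --locked
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: zeroclaw-android -> target
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
      - name: Build release APK
        run: ./gradlew :app:assembleRelease
      - name: Upload APK
        uses: actions/upload-artifact@v4
        with:
          name: zeroclaw_android
          path: app/build/outputs/apk/release/app-release*.apk

  # Rust (zeroclaw-ffi) and Kotlin unit tests; gated on all lint jobs.
  test:
    name: Test
    runs-on: ubuntu-latest
    needs: [lint-rust, lint-kotlin, cargo-deny]
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Apply submodule patches
        run: if ls patches/*.patch 1>/dev/null 2>&1; then cd zeroclaw && git apply ../patches/*.patch; fi
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: android-actions/setup-android@v3
      - name: Install NDK
        run: sdkmanager "ndk;27.2.12479018"
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: aarch64-linux-android, x86_64-linux-android
      - name: Install cargo-ndk
        run: cargo install cargo-ndk --locked
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: zeroclaw-android -> target
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
      - name: Run Rust tests
        working-directory: zeroclaw-android
        run: cargo test -p zeroclaw-ffi
      - name: Run Kotlin unit tests
        run: ./gradlew :app:testDebugUnitTest :lib:testDebugUnitTest

  # Fails the run when the zeroclaw-ffi crate version and the library's
  # publication version in lib/build.gradle.kts differ.
  version-sync:
    name: Version Sync Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Apply submodule patches
        run: if ls patches/*.patch 1>/dev/null 2>&1; then cd zeroclaw && git apply ../patches/*.patch; fi
      - name: Check version consistency
        run: |
          CARGO_VERSION=$(grep '^version' zeroclaw-android/zeroclaw-ffi/Cargo.toml | head -1 | sed 's/.*"\(.*\)".*/\1/')
          LIB_VERSION=$(grep 'version = ' lib/build.gradle.kts | grep -v 'java\|jvm\|kotlin\|sdk\|Version' | head -1 | sed 's/.*"\(.*\)".*/\1/')
          echo "Cargo (zeroclaw-ffi) version: $CARGO_VERSION"
          echo "Lib publication version: $LIB_VERSION"
          if [ "$CARGO_VERSION" != "$LIB_VERSION" ]; then
            echo "::error::Version mismatch: zeroclaw-ffi Cargo.toml=$CARGO_VERSION, lib/build.gradle.kts publication=$LIB_VERSION"
            exit 1
          fi
          echo "Versions match: $CARGO_VERSION"

  # Generates Dokka HTML and deploys it to GitHub Pages. Restricted to pushes
  # to main, so pull-request runs never receive the write-capable token below.
  docs:
    name: API Docs
    runs-on: ubuntu-latest
    needs: [lint-kotlin]
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    # Job-level permissions replace the workflow default: only what the Pages
    # deployment needs is granted here.
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deploy.outputs.page_url }}
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Apply submodule patches
        run: if ls patches/*.patch 1>/dev/null 2>&1; then cd zeroclaw && git apply ../patches/*.patch; fi
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: android-actions/setup-android@v3
      - name: Install NDK
        run: sdkmanager "ndk;27.2.12479018"
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: aarch64-linux-android, x86_64-linux-android
      - name: Install cargo-ndk
        run: cargo install cargo-ndk --locked
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: zeroclaw-android -> target
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
      - name: Generate API docs
        run: ./gradlew :app:dokkaGeneratePublicationHtml
      - name: Upload Pages artifact
        uses: actions/upload-pages-artifact@v3
        with:
          path: app/build/dokka/html/
      - name: Deploy to GitHub Pages
        id: deploy
        uses: actions/deploy-pages@v4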