ci: 守护 Android manifest 禁全局明文(#25 控制面已 https)

新增 ci/scan-cleartext.sh 扫描 client/android AndroidManifest.xml,
防止将来把 usesCleartextTraffic="true" 重新加回(退回明文态)。
CI 新增 cleartext-scan job,并把该脚本纳入 lint job 的 shellcheck 覆盖
(单独挂载 ci/ 目录,不动 scripts/ci 既有挂载)。

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013nMthbVEmQquxBRKb9Fj8u
This commit is contained in:
wangjia
2026-07-06 16:41:59 +08:00
parent a5aea9438a
commit 1b091f3be0
2 changed files with 31 additions and 0 deletions
+19
View File
@@ -57,6 +57,14 @@ jobs:
/mnt/scripts/ci/test.sh \
/mnt/scripts/ci/backup-db.sh
- name: shellcheck CI 脚本(ci/)
run: |
docker run --rm \
-v "$PWD/ci:/mnt/ci:ro" \
koalaman/shellcheck:stable \
-S warning \
/mnt/ci/scan-cleartext.sh
# ── Job 2: OpenAPI Sync Check ────────────────────────────────────────────
openapi-check:
name: OpenAPI Sync Check
@@ -85,6 +93,17 @@ jobs:
- name: scan UI text resources for prohibited words
run: bash ci/scan-redline.sh
# ── Job 3b: Cleartext Scan (Android 禁全局明文,#25 控制面已 https) ──────
cleartext-scan:
name: Cleartext Scan — Android 禁明文
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: scan Android manifest for global cleartext
run: bash ci/scan-cleartext.sh
# ── Job 4: Flutter 客户端(分析 + 单测/组件测试)────────────────────────
flutter-client:
name: Flutter — analyze + test
+12
View File
@@ -0,0 +1,12 @@
#!/usr/bin/env bash
# scan-cleartext.sh — 禁止 Android manifest 重新开启全局明文(控制面已 https/CF Tunnel)。
# usesCleartextTraffic="true" 会让全 app 允许明文 HTTP,退回 #25 之前的不安全态。
set -euo pipefail
MANIFEST="client/android/app/src/main/AndroidManifest.xml"
if grep -q 'usesCleartextTraffic="true"' "$MANIFEST"; then
echo "$MANIFEST 含 usesCleartextTraffic=\"true\":控制面已 https,禁止全局明文。" >&2
echo " 如个别调试域名确需明文,请用 res/xml/network_security_config.xml 按域白名单,勿开全局。" >&2
exit 1
fi
echo "✅ Android manifest 未开启全局明文"