MaybeEdgeScanner Verification & Build Guide

This guide defines the minimum verification bar for local development and CI.

See also:

1. Prerequisites

  • JDK 17
  • Android SDK and build-tools
  • Go 1.21+
  • Python 3 (for shared contract validation when the shared-contracts workspace is present)

2. Go Sidecar Verification

Run from go-sidecar/:

go test ./...
go vet ./...

Race checks require Linux/macOS with cgo enabled:

go test -race ./...

3. Android Verification

Run from repository root:

gradle --no-daemon :app:lintUniversalDebug
gradle --no-daemon :app:testUniversalDebugUnitTest
gradle --no-daemon :app:assembleUniversalDebug

assembleUniversalDebug produces the universal debug APK under app/build/outputs/apk/universal/debug/. ABI-flavored debug artifacts are available through the Gradle variant tasks when a device-specific package is needed.

4. Shared Contract Verification

From workspace root (when present):

py shared-contracts\validate_contracts.py

Expected summary includes OK schemas 22 and fixture pass lines.

5. CI Gates

The build.yml workflow enforces:

  1. Secret scanning (gitleaks)
  2. Go dependency lock resolution + test/vet/race
  3. Android lint, unit-test, and build checks
  4. Dependency image publication with SBOM/provenance enabled

6. Release Checks

Before every release:

  1. Manually bump APP_VERSION_NAME and APP_BASE_VERSION_CODE in gradle.properties.
  2. Commit that version bump before building or tagging the release.
  3. Run gradle --no-daemon :app:printResolvedVersion and confirm the output is not the previous release number.
  4. Provide release signing material through either:
    • signing.properties (STORE_FILE, STORE_PASSWORD, KEY_ALIAS, KEY_PASSWORD), or
    • environment variables: RELEASE_STORE_FILE, RELEASE_STORE_PASSWORD, RELEASE_KEY_ALIAS, RELEASE_KEY_PASSWORD.
  5. Build release artifact:
     gradle --no-daemon :app:assembleUniversalRelease
  6. Generate pre-release SBOM artifacts:
     powershell -ExecutionPolicy Bypass -File .\scripts\generate-sbom-artifacts.ps1
  7. Generate sidecar binary provenance manifest:
     powershell -ExecutionPolicy Bypass -File .\scripts\generate-sidecar-provenance.ps1

Release builds fail if the committed version properties are missing or the version name is not an explicit semantic version. APK filenames include version name and version code so new artifacts do not silently overwrite previous release outputs. Release jobs also verify signed APK outputs with apksigner, package sidecar artifacts, and publish benchmark/compliance assets.
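The version and signing checks in steps 1 to 4 can be run as a preflight before the Gradle release build. The sketch below is an added example, not a script from this repository. It assumes "explicit semantic version" means plain MAJOR.MINOR.PATCH; the function names and sample values are constructed for illustration.

```python
import re

# Assumption: "explicit semantic version" means plain MAJOR.MINOR.PATCH.
SEMVER = re.compile(r"(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)", re.ASCII)
FILE_KEYS = ("STORE_FILE", "STORE_PASSWORD", "KEY_ALIAS", "KEY_PASSWORD")
ENV_KEYS = tuple("RELEASE_" + k for k in FILE_KEYS)

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def preflight(gradle_props, signing_props, env, previous_version):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    name = gradle_props.get("APP_VERSION_NAME", "")
    code = gradle_props.get("APP_BASE_VERSION_CODE", "")
    if not SEMVER.fullmatch(name):
        problems.append("APP_VERSION_NAME is missing or not MAJOR.MINOR.PATCH")
    elif name == previous_version:
        problems.append("APP_VERSION_NAME still equals the previous release")
    if not re.fullmatch(r"[1-9][0-9]*", code):
        problems.append("APP_BASE_VERSION_CODE is missing or not a positive integer")
    # A source is usable only when all four of its values are non-empty.
    sources = ((signing_props, FILE_KEYS, "signing.properties"), (env, ENV_KEYS, "environment"))
    complete = False
    for values, keys, label in sources:
        missing = [k for k in keys if not values.get(k)]
        if not missing:
            complete = True
        elif len(missing) < len(keys):
            problems.append(label + " is partial, missing: " + ", ".join(missing))
    if not complete:
        problems.append("no complete signing material source")
    return problems

# Constructed sample input, not taken from the repository.
SAMPLE_GRADLE = "# version\nAPP_VERSION_NAME=1.4.0\nAPP_BASE_VERSION_CODE=140\n"
SAMPLE_ENV = {"RELEASE_STORE_FILE": "release.jks", "RELEASE_STORE_PASSWORD": "x",
              "RELEASE_KEY_ALIAS": "upload"}  # RELEASE_KEY_PASSWORD left unset

if __name__ == "__main__":
    for p in preflight(parse_properties(SAMPLE_GRADLE), {}, SAMPLE_ENV, "1.3.2"):
        print("FAIL:", p)
```

Reporting a partially populated source separately catches the case where one variable is dropped from a CI secret set, which otherwise surfaces only as a late signing failure.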