Merge branch 'main' into pld-add-codeql

.github/pull_request_template.md

@@ -1,6 +1,6 @@
 **IMPORTANT: Where possible all PRs must be linked to a Github issue**
 
-Fixes #[issue number] or Closes #[issue number]
+Fixes [link to issue]
 
 **Engineer Checklist**
 - [ ] I have written **Unit tests** for any new feature(s) and edge cases for bug fixes
@@ -17,4 +17,4 @@ Fixes #[issue number] or Closes #[issue number]
 - [ ] I have verifed the [CHANGELOG.md](./CHANGELOG.md) file has any notable changes to the codebase
 - [ ] I have verified the solution has been implemented in a configurable and generic way for reuseable components
 - [ ] I have built and run the FHIRCore app to verify the change fixes the issue and/or does not break the app
-
+

.github/release

@@ -0,0 +1,20 @@
+# .github/release.yml
+---
+changelog:
+  exclude:
+    labels:
+      - ignore-for-release
+    authors:
+      - dependabot
+  categories:
+    - title: Added 🎉
+      labels:
+        - new-feature
+        - Enhancement
+        - breaking-change
+    - title: Fixed 🛠
+      labels:
+        - bug-fix
+    - title: Changed
+      labels:
+        - "*"

.github/workflows/apk-release.yml

@@ -15,6 +15,7 @@ env:
 
 jobs:
   release:
+    if: false
     runs-on: ubuntu-latest
     steps:
       - name: Cancel previous workflow runs
@@ -40,10 +41,10 @@ jobs:
         with:
           fetch-depth: 2
 
-      - name: Set up JDK 11
+      - name: Set up JDK 17
         uses: actions/setup-java@v1
         with:
-          java-version: 11
+          java-version: 17
 
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew

.github/workflows/ci.yml

@@ -11,10 +11,11 @@ env:
  FHIRCORE_USERNAME: ${{ secrets.FHIRCORE_USERNAME }}
  FHIRCORE_ACCESS_TOKEN: ${{ secrets.FHIRCORE_ACCESS_TOKEN }}
  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+ MAPBOX_SDK_TOKEN: ${{ secrets.MAPBOX_SDK_TOKEN }}
 
 jobs:
   engine-tests:
-    runs-on: macos-latest
+    runs-on: macos-13
     strategy:
       matrix:
         api-level: [30]
@@ -29,10 +30,18 @@ jobs:
         with:
           fetch-depth: 2
 
-      - name: Set up JDK 11
+      - name: Set up JDK 17
         uses: actions/setup-java@v1
         with:
-          java-version: 11
+          java-version: 17
+
+      - name: Add empty local.properties
+        run: touch local.properties
+        working-directory: android
+
+      - name: Add empty keystore.properties
+        run: touch keystore.properties
+        working-directory: android
 
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew
@@ -86,7 +95,7 @@ jobs:
         run:  bash <(curl -s https://codecov.io/bash) -F engine -f "engine/build/reports/jacoco/fhircoreJacocoReport/fhircoreJacocoReport.xml"
 
   geowidget-tests:
-    runs-on: macos-latest
+    runs-on: macos-13
     strategy:
       matrix:
         api-level: [30]
@@ -101,10 +110,18 @@ jobs:
         with:
           fetch-depth: 2
 
-      - name: Set up JDK 11
+      - name: Set up JDK 17
         uses: actions/setup-java@v1
         with:
-          java-version: 11
+          java-version: 17
+
+      - name: Add empty local.properties
+        run: touch local.properties
+        working-directory: android
+
+      - name: Add empty keystore.properties
+        run: touch keystore.properties
+        working-directory: android
 
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew
@@ -158,7 +175,7 @@ jobs:
         run:  bash <(curl -s https://codecov.io/bash) -F geowidget -f "geowidget/build/reports/jacoco/fhircoreJacocoReport/fhircoreJacocoReport.xml"
 
   quest-tests:
-    runs-on: macos-latest
+    runs-on: macos-13
     strategy:
       matrix:
         api-level: [30]
@@ -172,10 +189,18 @@ jobs:
         with:
           fetch-depth: 2
 
-      - name: Set up JDK 11
+      - name: Set up JDK 17
         uses: actions/setup-java@v1
         with:
-          java-version: 11
+          java-version: 17
+
+      - name: Add empty local.properties
+        run: touch local.properties
+        working-directory: android
+
+      - name: Add empty keystore.properties
+        run: touch keystore.properties
+        working-directory: android
 
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew
@@ -221,7 +246,8 @@ jobs:
           force-avd-creation: true
           emulator-options: -no-snapshot-save -no-window -gpu swiftshader_indirect -noaudio -no-boot-anim -camera-back none
           disable-animations: true
-          script: ./gradlew -PlocalPropertiesFile=local.properties :quest:clean :quest:fhircoreJacocoReport --stacktrace
+          script: ./gradlew clean  -PlocalPropertiesFile=local.properties :quest:fhircoreJacocoReport --stacktrace -Pandroid.testInstrumentationRunnerArguments.notPackage=org.smartregister.fhircore.quest.performance
+          # ./gradlew -PlocalPropertiesFile=local.properties :quest:clean && ./gradlew -PlocalPropertiesFile=local.properties :quest:assembleOpensrpDebugAndroidTest --stacktrace && /Users/runner/Library/Android/sdk/platform-tools/adb install quest/build/outputs/apk/androidTest/opensrp/debug/quest-opensrp-debug-androidTest.apk && ./gradlew -PlocalPropertiesFile=local.properties :quest:assembleOpensrpDebug --stacktrace && /Users/runner/Library/Android/sdk/platform-tools/adb install quest/build/outputs/apk/opensrp/debug/quest-opensrp-debug.apk && /Users/runner/Library/Android/sdk/platform-tools/adb shell am instrument -w -e package org.smartregister.fhircore.quest.ui.profile -e coverage "true" org.smartregister.opensrp.test/org.smartregister.fhircore.quest.QuestTestRunner && /Users/runner/Library/Android/sdk/platform-tools/adb shell run-as org.smartregister.opensrp cat "/data/user/0/org.smartregister.opensrp/files/coverage.ec" > quest/coverage.ec && ./gradlew -PlocalPropertiesFile=local.properties :quest:fhircoreJacocoReport --stacktrace
 
       - name: Upload Quest module test coverage report to Codecov
         if: matrix.api-level == 30 # Only upload coverage on API level 30

.github/workflows/dependency-check.yml

@@ -0,0 +1,74 @@
+name: Dependency Check Scan
+
+on:
+  push:
+    branches:
+      # - main
+      - security-automation-additions-latest-main
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches:
+      # - main
+      - security-automation-additions-latest-main
+  workflow_dispatch:
+    # inputs:    
+env:
+  FHIR_BASE_URL: ${{secrets.FHIR_BASE_URL}}
+  OAUTH_BASE_URL: ${{secrets.OAUTH_BASE_URL}}
+  OAUTH_CIENT_ID: ${{secrets.OAUTH_CLIENT_ID}}
+  OAUTH_CLIENT_SECRET: ${{secrets.OAUTH_CLIENT_SECRET}}
+  OAUTH_SCOPE: ${{secrets.OAUTH_SCOPE}}
+  MAPBOX_SDK_TOKEN: ${{secrets.MAPBOX_SDK_TOKEN}}
+
+jobs:
+  dependency-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 11
+          distribution: temurin
+
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+        working-directory: android
+
+      - name: Run Dependency Check
+        run: |
+          cd android
+          ./gradlew dependencyCheckAggregate 
+
+      - name: Upload Dependency Check report in XML format
+        uses: actions/upload-artifact@v2
+        with:
+          name: dependency-check-report
+          path: android/build/reports/dependency-check-report.xml
+
+#       - name: import dependency check report into defectdojo
+#         run: |
+#            curl -X POST -H "Content-Type: application/json" \
+#            -H "Authorization: Token ${DEFECTDOJO_API_KEY}" \
+#            -d @android/build/reports/dependency-check-report.xml \
+#            "${DEFECTDOJO_API_URL}/api/v2/engagements/45/tests/247/import-scan/"
+#          env:
+#            DEFECTDOJO_API_URL: ${{ secrets.DEFECTDOJO_API_URL }}
+#            DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}
+
+
+
+      # - name: Run Dependency Check
+      #   uses: dependency-check/Dependency-Check_Action@main
+      #   env:
+      #     JAVA_HOME: /opt/jdk
+      #   with:
+      #     project: "fhircore"
+      #     path: "."
+      #     format: 'XML'
+      #     out: 'reports'

.github/workflows/docs.yml

@@ -3,6 +3,8 @@ name: Docs
 on:
   push:
     branches: [ main ]
+env:
+  MAPBOX_SDK_TOKEN: ${{ secrets.MAPBOX_SDK_TOKEN }}
 
 jobs:
   build-and-deploy-docusaurus:
@@ -40,10 +42,18 @@ jobs:
       - name: Checkout 🛎️
         uses: actions/[email protected]
 
-      - name: Set up JDK 11
+      - name: Set up JDK 17
         uses: actions/setup-java@v1
         with:
-          java-version: 11
+          java-version: 17
+
+      - name: Add empty local.properties
+        run: touch local.properties
+        working-directory: android
+
+      - name: Add empty keystore.properties
+        run: touch keystore.properties
+        working-directory: android
 
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew

.github/workflows/manual-release.yml

@@ -0,0 +1,112 @@
+name: Manual Release
+run-name: Generating a FHIR Core Release 🚀
+on: 
+   workflow_dispatch:
+    inputs:
+      buildType:
+        description: 'Select Build Type'     
+        required: true
+        default: 'Release'
+        type: choice
+        options:
+          - Debug
+          - DebugNonProxy
+          - Release
+      flavor:
+        description: 'Release flavor e.g. sidBunda'
+        type: string   
+        required: true
+      isAab:
+        description: 'Generate as AAB (Playstore release only)'     
+        required: true
+        type: boolean
+        default: false
+env:
+  MAPBOX_SDK_TOKEN: ${{ secrets.MAPBOX_SDK_TOKEN }}
+jobs:
+   build:
+      runs-on: ubuntu-latest
+      permissions:
+         id-token: write
+         contents: read
+      steps:
+         - uses: actions/checkout@v3
+         - name: Import Secrets from Vault
+           id: import-secrets
+           uses: hashicorp/[email protected]
+           with:
+              url: https://vault.onalabs.org
+              token: ${{ secrets.VAULT_TOKEN }}
+              tlsSkipVerify: true
+              ignoreNotFound: true
+              secrets: |
+                kv-v2-fhircore/data/opensrp-shared KEYSTORE_FILE | KEYSTORE_FILE;
+                kv-v2-fhircore/data/opensrp-shared KEYSTORE_PROPERTIES_FILE | KEYSTORE_PROPERTIES_FILE;
+                kv-v2-fhircore/data/${{ github.event.inputs.flavor }} LOCAL_PROPERTIES_FILE | LOCAL_PROPERTIES_FILE;
+   
+         - name: Checkout 🛎️
+           uses: actions/checkout@v2
+           with:
+             fetch-depth: 2
+
+         - name: Set up JDK 17
+           uses: actions/setup-java@v1
+           with:
+             java-version: 17
+
+         - name: Grant execute permission for gradlew
+           run: chmod +x gradlew
+           working-directory: android
+
+         - name: Decode & Generate local.properties file
+           run: echo $LOCAL_PROPERTIES | base64 -di > local.properties
+           working-directory: android
+           env:
+             LOCAL_PROPERTIES: ${{ steps.import-secrets.outputs.LOCAL_PROPERTIES_FILE }} 
+
+         - name: Decode & Generate Keystore file
+           run: echo $ENCODED_KEYSTORE | base64 -di > "${HOME}"/fhircore.keystore.jks
+           env:
+             ENCODED_KEYSTORE: ${{ steps.import-secrets.outputs.KEYSTORE_FILE }}  
+
+         - name: Decode & Generate keystore.properties file
+           run: echo $KEYSTORE_PROPERTIES | base64 -di > keystore.properties
+           working-directory: android
+           env:
+             KEYSTORE_PROPERTIES: ${{ steps.import-secrets.outputs.KEYSTORE_PROPERTIES_FILE }} 
+
+         - id: product-flavor
+           name: Generate Product Flavor identifier
+           run: |
+             flavorCapitalized=$(echo ${{ github.event.inputs.flavor }} | sed 's/.*/\u&/')
+             buildTypeCapitalized=$(echo ${{ github.event.inputs.buildType }} | sed 's/.*/\u&/')
+             buildTypeLowerlized=$(echo ${{ github.event.inputs.buildType }} | sed 's/.*/\l&/')
+             branchTag=$(echo ${{ github.ref }} |  cut -d/ -f3)
+             echo "idCapitalized=$flavorCapitalized$buildTypeCapitalized" >> $GITHUB_OUTPUT 
+             echo "buildTypeLowerlized=$buildTypeLowerlized" >> $GITHUB_OUTPUT 
+             echo "branchTag=$branchTag" >> $GITHUB_OUTPUT 
+             
+         - name: Generate AAB (Android App Bundle) file
+           if: github.event.inputs.isAab == 'true' 
+           run: ./gradlew :quest:bundle${{steps.product-flavor.outputs.idCapitalized}} --stacktrace
+           working-directory: android
+
+         - name: Upload AAB Artifact
+           if: github.event.inputs.isAab == 'true'
+           uses: actions/upload-artifact@v4
+           with:
+            name: ${{ steps.product-flavor.outputs.branchTag }}-${{ github.event.inputs.flavor }}-${{ steps.product-flavor.outputs.buildTypeLowerlized }}.aab 
+            path: android/quest/build/outputs/bundle/${{ github.event.inputs.flavor }}${{ github.event.inputs.buildType }}/quest-${{ github.event.inputs.flavor }}-${{ steps.product-flavor.outputs.buildTypeLowerlized }}.aab     
+
+         - name: Generate APK (Android App PacKage) file
+           if: github.event.inputs.isAab == 'false' 
+           run: ./gradlew :quest:assemble${{steps.product-flavor.outputs.idCapitalized}} --stacktrace
+           working-directory: android
+
+         - name: Upload APK Artifact
+           if: github.event.inputs.isAab == 'false' 
+           uses: actions/upload-artifact@v4
+           with:
+            name: ${{ steps.product-flavor.outputs.branchTag }}-${{ github.event.inputs.flavor }}-${{ steps.product-flavor.outputs.buildTypeLowerlized }}.apk 
+            path: android/quest/build/outputs/apk/${{ github.event.inputs.flavor }}/${{ steps.product-flavor.outputs.buildTypeLowerlized }}/quest-${{ github.event.inputs.flavor }}-${{ steps.product-flavor.outputs.buildTypeLowerlized }}.apk     
+