feat: security: Enable google safebrowsing and populate the API keys, b=no-bug, c=workflows, common, configs

2025-07-08 00:10:00 +02:00 · 2025-06-09 19:11:09 +02:00 · 2025-06-09 19:11:09 +02:00 · d786c6927f
commit d786c6927f
parent 35245078c9
4 changed files with 33 additions and 3 deletions
--- a/.github/workflows/linux-release-build.yml
+++ b/.github/workflows/linux-release-build.yml
@ -121,6 +121,11 @@ jobs:
          ./mach --no-interactive bootstrap --application-choice browser
          cd ..

+      - name: Insert API Keys
+        run: |
+          mkdir -p ~/.zen-keys
+          echo "${{ secrets.ZEN_SAFEBROWSING_API_KEY }}" > ~/.zen-keys/safebrowsing.dat
+
      - name: Build
        env:
          SURFER_COMPAT: ${{ matrix.arch }}
@ -142,6 +147,10 @@ jobs:
          export ZEN_RELEASE=1
          npm run package
      
+      - name: Remove API Keys
+        run: |
+          rm -rf ~/.zen-keys
+
      - name: Rename artifacts
        run: |
          mv dist/zen-*.tar.xz "zen.linux-${{ matrix.arch }}.tar.xz"
--- a/.github/workflows/macos-release-build.yml
+++ b/.github/workflows/macos-release-build.yml
@ -132,6 +132,11 @@ jobs:
      - name: Build language packs
        run: sh scripts/download-language-packs.sh

+      - name: Insert API Keys
+        run: |
+          mkdir -p ~/.zen-keys
+          echo "${{ secrets.ZEN_SAFEBROWSING_API_KEY }}" > ~/.zen-keys/safebrowsing.dat
+
      - name: Build Zen
        env:
          SURFER_COMPAT: ${{ matrix.arch }}
@ -152,6 +157,10 @@ jobs:
          export ZEN_RELEASE=1
          npm run package

+      - name: Remove API Keys
+        run: |
+          rm -rf ~/.zen-keys
+
      - name: Rename artifacts
        run: |
          echo "Tarballing DMG"
--- a/.github/workflows/windows-release-build.yml
+++ b/.github/workflows/windows-release-build.yml
@ -226,6 +226,11 @@ jobs:
          chmod +x ~/artifact/en-US.log
          chmod +x ~/artifact/merged.profdata

+      - name: Insert API Keys
+        run: |
+          mkdir -p ~/.zen-keys
+          echo "${{ secrets.ZEN_SAFEBROWSING_API_KEY }}" > ~/.zen-keys/safebrowsing.dat
+
      - name: Build
        if: ${{ !(inputs.generate-gpo && matrix.arch == 'aarch64') }}
        env:
@ -259,6 +264,11 @@ jobs:
          ls ./dist
          ls .

+
+      - name: Remove API Keys
+        run: |
+          rm -rf ~/.zen-keys
+
      - name: Move package for PGO upload
        if: ${{ inputs.generate-gpo && matrix.arch == 'x86_64' }}
        run: |
--- a/configs/common/mozconfig
+++ b/configs/common/mozconfig
@ -32,6 +32,11 @@ if ! test "$SCCACHE_GHA_ENABLED" = "false"; then
  fi
 fi

+# add safe browsing key if it exists on a file
+if test -f "$HOME/.zen-keys/safebrowsing.dat"; then
+  ac_add_options --with-google-safebrowsing-api-keyfile="$HOME/.zen-keys/safebrowsing.dat"
+fi
+
 if test "$ZEN_RELEASE"; then

  # TODO: Make this successful in builds
@ -96,10 +101,7 @@ fi

 ac_add_options --enable-unverified-updates

-ac_add_options --enable-raw
-ac_add_options --enable-webrtc
 ac_add_options --enable-jxl
-ac_add_options --enable-av1

 ac_add_options --with-unsigned-addon-scopes=app,system