Is there a good way to run native mobile app GUI tests with GitHub Actions?
A VM/container emulator like anbox, waydroid, (or all of ChromeOS Flex in KVM) in a GitHub Action is probably enough to run GUI tests?
A SLSA builder for Android apps would be good: "Build your own SLSA 3+ provenance builder on GitHub Actions" https://slsa.dev/blog/2023/08/bring-your-own-builder-github
FWIU e.g. Fdroid does not do SafetyNet-like SAST scans of APKs.
That's what F-Droid and the Google store (and the Apple store) do: they stand their assets as "if we lied, you know where to find us" regarding the provenance of what they pass. They do, of course, also routinely (ok, not Apple mostly) pass apps which do heinous bad things, because it turns out there's only so much automated tests can find.
As you observe, sometimes the promise is hollow. (F-Droid)
Fdroid does not claim to scan all uploaded APKs AFAIU. Fdroid > Security Model: https://f-droid.org/en/docs/Security_Model/ :
> There is a big emphasis on operating in the public and making everything publicly available. We include source tarballs and build logs when we publish binaries
What's a ballpark figure for what the monthly cost to Fdroid would be to scan all uploaded APKs for security vulnerabilities?
Practically, it should be easy to add an upload_scan_and_post_back_to_the_pull_request task to each project's e.g. GitHub Actions YAML build definition; but then how does or how can SLSA help prove that the scan results were actually requested and merging and releasing were prevented if positive?
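One way to wire the pieces discussed in this thread together (emulator-backed GUI tests, an "upload, scan, post back to the pull request" task, and SLSA 3 provenance that is only produced once the scan has passed) in a single GitHub Actions workflow. This is an added example, not code from the thread, F-Droid, or the SLSA project. It assumes a Gradle-based Android project, a hypothetical `./scripts/scan-apk.sh` that scans an APK, writes a Markdown summary to `scan.md`, and exits non-zero on findings at or above the given severity, and an unsigned release build; the actions and reusable workflow it references are real and should be pinned to commit SHAs rather than tags in production.

```yaml
# Added example, not from the original thread or any project it mentions.
# Assumptions: Gradle Android project; hypothetical ./scripts/scan-apk.sh that
# writes scan.md and exits non-zero on findings >= the --fail-on severity.
name: android-ci

on:
  pull_request:
  push:
    tags: ['v*']

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew --no-daemon assembleRelease
      - id: hash
        # The SLSA generic generator takes its subjects as base64 of "sha256sum" output.
        run: |
          cd app/build/outputs/apk/release
          echo "hashes=$(sha256sum *.apk | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: apk
          path: app/build/outputs/apk/release/*.apk

  gui-tests:
    # Instrumented UI tests on a hosted emulator; the runner needs KVM, which the
    # udev rule below exposes to the unprivileged runner user.
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Enable KVM for the emulator
        run: |
          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
          sudo udevadm control --reload-rules
          sudo udevadm trigger --name-match=kvm
      - uses: reactivecircus/android-emulator-runner@v2
        with:
          api-level: 29
          script: ./gradlew --no-daemon connectedDebugAndroidTest

  scan:
    # The "upload, scan, post back to the PR" task. A positive scan fails this
    # job; the job's status is what branch protection and the release job gate on.
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: apk
          path: apk
      - name: Scan APK (hypothetical scanner script)
        run: ./scripts/scan-apk.sh apk/*.apk --fail-on high --report scan.md
      - name: Post results back to the pull request
        # Runs even when the scan step failed, so the findings reach the PR.
        if: always() && github.event_name == 'pull_request'
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr comment "${{ github.event.pull_request.number }}" --body-file scan.md

  provenance:
    # SLSA 3 provenance is generated only on a release tag and only after the
    # build, the GUI tests and the scan have all succeeded.
    needs: [build, gui-tests, scan]
    if: startsWith(github.ref, 'refs/tags/v')
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      upload-assets: true
```

On the question of what SLSA actually proves here: the provenance the generator signs records the source repository, the commit, and the identity of the calling workflow file, not the scan's findings. The chain of evidence that "the scan ran and a positive result blocked the release" is therefore indirect: the provenance pins the commit, the workflow file at that commit shows `provenance` depending on `scan` through `needs:`, and a branch-protection rule requiring the `scan` check stops a failing PR from being merged in the first place. Anyone verifying the provenance can check those two facts from the attested commit, but the scan report itself would have to be attached as a separate attestation if it needs to travel with the artifact.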