gitlab-ci: error if apps use insecure plain HTTP gradle repositories

It is very easy to mess up and include plain HTTP URLs for gradle
repositories, which can lead to gradle downloading code from HTTP and
immediately executing it.  The fix is almost always changing "http:" to
"https:".

https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer

.gitlab-ci.yml

@@ -18,6 +18,7 @@ lint:
            export CHANGED="$CHANGED $appid";
            grep -q "^Repo *Type\W *git" $f && git -C build clone `sed -n "s,^Repo *:,,p" $f` $appid;
         done;
+        ./tools/audit-gradle.py $CHANGED;
       fi
     - export EXITVALUE=0
     - fdroid lint -f $CHANGED || {

tools/audit-gradle.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+
+
+import os
+import re
+import sys
+
+# find all repositories that use plain HTTP urls (e.g. not HTTPS)
+url_pattern = re.compile('repositories\s*{[^}]*http://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+[^}]*}', re.DOTALL)
+
+exit_value = 0
+for appid in sys.argv:
+    gitdir = os.path.join('build', appid)
+    if not os.path.isdir(gitdir):
+        continue
+    for root, dirs, files in os.walk(gitdir):
+        for f in files:
+            if f.endswith('.gradle'):
+                path = os.path.join(root, f)
+                with open(path) as fp:
+                    data = fp.read()
+                for url in url_pattern.findall(data):
+                    print('Found plain HTTP URL for gradle repository:\n%s\n%s'
+                          % (path, url))
+                    exit_value += 1
+
+if exit_value:
+    print('gradle build uses plain HTTP URLs for repositories!  This is insecure!')
+    print('https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/')
+sys.exit(exit_value)