Skip to content

Kill switch

Kill switch #3712

Workflow file for this run

name: PR Checks
on:
push:
branches: [ develop, "release/**" ]
pull_request:
jobs:
swiftlint:
name: SwiftLint
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- name: Check out the code
uses: actions/checkout@v3
- name: Run SwiftLint on files changed in the PR
uses: norio-nomura/[email protected]
with:
args: --strict --force-exclude
shellcheck:
name: ShellCheck
runs-on: ubuntu-latest
steps:
- name: Check out the code
uses: actions/checkout@v3
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@master
with:
format: gcc
ignore_paths: scripts/helpers
scandir: scripts
env:
SHELLCHECK_OPTS: -x -P scripts -P scripts/helpers
tests:
name: Test
strategy:
matrix:
flavor: [ "Sandbox", "Non-Sandbox" ]
include:
- scheme: DuckDuckGo Privacy Browser
flavor: Non-Sandbox
- scheme: DuckDuckGo Privacy Browser App Store
flavor: Sandbox
- active-arch: YES
flavor: Non-Sandbox
- active-arch: NO
flavor: Sandbox
- cache-key:
flavor: Non-Sandbox
- cache-key: sandbox-
flavor: Sandbox
runs-on: macos-13
timeout-minutes: 30
outputs:
private-api-check-report: ${{ steps.private-api.outputs.report }}
steps:
- name: Register SSH keys for submodules access
uses: webfactory/[email protected]
with:
ssh-private-key: |
${{ secrets.SSH_PRIVATE_KEY_FIND_IN_PAGE }}
${{ secrets.SSH_PRIVATE_KEY_PRIVACY_DASHBOARD }}
- name: Check out the code
uses: actions/checkout@v3
with:
submodules: recursive
- name: Set cache key hash
run: |
has_only_tags=$(jq '[ .pins[].state | has("version") ] | all' DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved)
if [[ "$has_only_tags" == "true" ]]; then
echo "cache_key_hash=${{ hashFiles('DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}" >> $GITHUB_ENV
else
echo "Package.resolved contains dependencies specified by branch or commit, skipping cache."
fi
- name: Cache SPM
if: env.cache_key_hash
uses: actions/cache@v3
with:
path: DerivedData/SourcePackages
key: ${{ runner.os }}-spm-${{ matrix.cache-key }}${{ env.cache_key_hash }}
restore-keys: |
${{ runner.os }}-spm-${{ matrix.cache-key }}
- name: Select Xcode
run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer
- name: Install xcbeautify
continue-on-error: true
run: brew install xcbeautify
- name: Build and test
run: |
echo "Runner ${RUNNER_NAME} (${RUNNER_TRACKING_ID})"
export OS_ACTIVITY_MODE=debug
set -o pipefail && xcodebuild test \
-scheme "${{ matrix.scheme }}" \
-derivedDataPath "DerivedData" \
-configuration "CI" \
ENABLE_TESTABILITY=true \
ONLY_ACTIVE_ARCH=${{ matrix.active-arch }} \
| tee ${{ matrix.flavor }}-xcodebuild.log \
| xcbeautify --report junit --report-path . --junit-report-filename ${{ matrix.flavor }}.xml
- name: Check private API usage
id: private-api
run: |
if [[ ${{ matrix.flavor }} != "Sandbox" ]]; then
echo "Skipping private API usage check for ${{ matrix.flavor }} build"
else
binary_path="DerivedData/Build/Products/CI/DuckDuckGo App Store.app/Contents/MacOS/DuckDuckGo App Store"
./scripts/find_private_symbols.sh "${binary_path}" | tee private_api_report.txt
cat private_api_report.txt >> $GITHUB_STEP_SUMMARY
output=$(cat private_api_report.txt)
output="${output//$'\n'/%0A}" # step outputs can't contain newline characters
#
# After a non-zero exit code is returned in GHA we can't do too much,
# e.g. set step outputs, so the script always returns 0 and we can tell
# that it's a failure if there's more than 1 line in the output.
#
report_num_lines=$(wc -l < private_api_report.txt | tr -d '[:space:]')
if [[ $report_num_lines > 1 ]]; then
echo "report=${output}" >> $GITHUB_OUTPUT
exit 1
fi
fi
- name: Publish unit tests report
uses: mikepenz/action-junit-report@v3
if: always() # always run even if the previous step fails
with:
check_name: "Test Report: ${{ matrix.flavor }}"
report_paths: ${{ matrix.flavor }}.xml
- name: Upload failed test log
uses: actions/upload-artifact@v3
if: failure()
with:
name: ${{ matrix.flavor }}-xcodebuild.log
path: ${{ matrix.flavor }}-xcodebuild.log
private-api:
name: Private API Report
needs: tests
if: ${{ success() || needs.tests.outputs.private-api-check-report }}
uses: ./.github/workflows/private_api_report.yml
with:
report: ${{ needs.tests.outputs.private-api-check-report }}
release-build:
name: Make Release Build
runs-on: macos-13
timeout-minutes: 30
steps:
- name: Register SSH keys for submodules access
uses: webfactory/[email protected]
with:
ssh-private-key: |
${{ secrets.SSH_PRIVATE_KEY_FIND_IN_PAGE }}
${{ secrets.SSH_PRIVATE_KEY_PRIVACY_DASHBOARD }}
- name: Install Apple Developer ID Application certificate
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_START_VPN_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_START_VPN_PROVISION_PROFILE_BASE64 }}
NETP_STOP_VPN_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_STOP_VPN_PROVISION_PROFILE_BASE64 }}
NETP_ENABLE_ON_DEMAND_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_ENABLE_ON_DEMAND_PROVISION_PROFILE_BASE64 }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
RELEASE_PP_PATH=$RUNNER_TEMP/release_pp.provisionprofile
NETP_SYSEX_RELEASE_PP_PATH=$RUNNER_TEMP/netp_sysex_release_pp.provisionprofile
NETP_AGENT_RELEASE_PP_PATH=$RUNNER_TEMP/netp_agent_release_pp.provisionprofile
NETP_NOTIFICATIONS_RELEASE_PP_PATH=$RUNNER_TEMP/netp_notifications_release_pp.provisionprofile
NETP_START_VPN_PP_PATH=$RUNNER_TEMP/netp_start_vpn_pp.provisionprofile
NETP_STOP_VPN_PP_PATH=$RUNNER_TEMP/netp_stop_vpn_pp.provisionprofile
NETP_ENABLE_ON_DEMAND_PP_PATH=$RUNNER_TEMP/netp_enable_on_demand_pp.provisionprofile
# import certificate from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$RELEASE_PROVISION_PROFILE_BASE64" | base64 --decode -o $RELEASE_PP_PATH
echo -n "$NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64" | base64 --decode -o $NETP_SYSEX_RELEASE_PP_PATH
echo -n "$NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64" | base64 --decode -o $NETP_AGENT_RELEASE_PP_PATH
echo -n "$NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64" | base64 --decode -o $NETP_NOTIFICATIONS_RELEASE_PP_PATH
echo -n "$NETP_START_VPN_PROVISION_PROFILE_BASE64" | base64 --decode -o $NETP_START_VPN_PP_PATH
echo -n "$NETP_STOP_VPN_PROVISION_PROFILE_BASE64" | base64 --decode -o $NETP_STOP_VPN_PP_PATH
echo -n "$NETP_ENABLE_ON_DEMAND_PROVISION_PROFILE_BASE64" | base64 --decode -o $NETP_ENABLE_ON_DEMAND_PP_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# apply provisioning profile
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp $RELEASE_PP_PATH \
$NETP_SYSEX_RELEASE_PP_PATH \
$NETP_AGENT_RELEASE_PP_PATH \
$NETP_NOTIFICATIONS_RELEASE_PP_PATH \
$NETP_START_VPN_PP_PATH \
$NETP_STOP_VPN_PP_PATH \
$NETP_ENABLE_ON_DEMAND_PP_PATH \
~/Library/MobileDevice/Provisioning\ Profiles
- name: Check out the code
uses: actions/checkout@v3
with:
submodules: recursive
- name: Set cache key hash
run: |
has_only_tags=$(jq '[ .pins[].state | has("version") ] | all' DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved)
if [[ "$has_only_tags" == "true" ]]; then
echo "cache_key_hash=${{ hashFiles('DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}" >> $GITHUB_ENV
else
echo "Package.resolved contains dependencies specified by branch or commit, skipping cache."
fi
- name: Cache SPM
if: env.cache_key_hash
uses: actions/cache@v3
with:
path: DerivedData/SourcePackages
key: ${{ runner.os }}-spm-test-release-${{ env.cache_key_hash }}
restore-keys: |
${{ runner.os }}-spm-test-release-${{ matrix.cache-key }}
- name: Select Xcode
run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer
- name: Install xcbeautify
continue-on-error: true
run: brew install xcbeautify
- name: Build the app
run: |
export OS_ACTIVITY_MODE=debug
set -o pipefail && xcodebuild \
-scheme "DuckDuckGo Privacy Browser" \
-derivedDataPath "DerivedData" \
-configuration "Release" \
| tee release-xcodebuild.log \
| xcbeautify
- name: Upload failed test log
uses: actions/upload-artifact@v3
if: failure()
with:
name: release-xcodebuild.log
path: release-xcodebuild.log
verify-autoconsent-bundle:
name: 'Verify autoconsent bundle'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
cache: 'npm'
- name: Build bundle
run: |
npm ci
npm run rebuild-autoconsent
- name: Verify clean tree
run: |
git update-index --refresh
git diff-index --quiet HEAD --