Kill switch #3713
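# CI checks for pull requests and for pushes to develop / release branches:
# SwiftLint and ShellCheck, the test matrix (Sandbox / Non-Sandbox), a
# private-API usage report, a Release-configuration build and a check that
# the committed autoconsent bundle is up to date.
#
# NOTE(review): there is no top-level `permissions:` block, so every job gets
# the repository's default GITHUB_TOKEN scopes. Least privilege would be
# `permissions: { contents: read }` here plus per-job grants for the steps that
# need more (the JUnit report step publishes checks) — confirm each action's
# needs before restricting.
name: PR Checks

on:
  push:
    branches: [ develop, "release/**" ]
  pull_request:

jobs:

  swiftlint:
    name: SwiftLint
    # Lint only the files a PR changes; pushes skip this job.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Check out the code
        uses: actions/checkout@v3
      - name: Run SwiftLint on files changed in the PR
        # NOTE(review): the version ref was obscured in the rendered page (shown
        # as "[email protected]"); restore the pinned tag from the repository,
        # preferably as a commit SHA.
        uses: norio-nomura/[email protected]
        with:
          args: --strict --force-exclude

  shellcheck:
    name: ShellCheck
    runs-on: ubuntu-latest
    steps:
      - name: Check out the code
        uses: actions/checkout@v3
      - name: Run ShellCheck
        # NOTE(review): `@master` is a mutable ref — whatever that branch points
        # at on the day runs here. Pin to a release tag or commit SHA.
        uses: ludeeus/action-shellcheck@master
        with:
          format: gcc
          ignore_paths: scripts/helpers
          scandir: scripts
        env:
          # -x follows sourced files; -P gives the search paths for them.
          SHELLCHECK_OPTS: -x -P scripts -P scripts/helpers

  tests:
    name: Test
    strategy:
      matrix:
        flavor: [ "Sandbox", "Non-Sandbox" ]
        # Per-flavor scheme, ONLY_ACTIVE_ARCH value and cache-key prefix.
        # "YES"/"NO" and the empty prefix are quoted so a YAML 1.1 parser
        # cannot turn them into booleans or null.
        include:
          - scheme: DuckDuckGo Privacy Browser
            flavor: Non-Sandbox
          - scheme: DuckDuckGo Privacy Browser App Store
            flavor: Sandbox
          - active-arch: "YES"
            flavor: Non-Sandbox
          - active-arch: "NO"
            flavor: Sandbox
          - cache-key: ""
            flavor: Non-Sandbox
          - cache-key: sandbox-
            flavor: Sandbox
    runs-on: macos-13
    timeout-minutes: 30
    outputs:
      # Set by the "Check private API usage" step for the Sandbox flavor only.
      private-api-check-report: ${{ steps.private-api.outputs.report }}
    steps:
      - name: Register SSH keys for submodules access
        # NOTE(review): version ref obscured in the rendered page; restore the
        # pinned tag from the repository.
        uses: webfactory/[email protected]
        with:
          ssh-private-key: |
            ${{ secrets.SSH_PRIVATE_KEY_FIND_IN_PAGE }}
            ${{ secrets.SSH_PRIVATE_KEY_PRIVACY_DASHBOARD }}
      - name: Check out the code
        uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: Set cache key hash
        # Cache SPM only when every pin in Package.resolved is a tagged version;
        # branch/commit pins would make the hash-keyed cache go stale.
        run: |
          has_only_tags=$(jq '[ .pins[].state | has("version") ] | all' DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved)
          if [[ "$has_only_tags" == "true" ]]; then
            echo "cache_key_hash=${{ hashFiles('DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}" >> "$GITHUB_ENV"
          else
            echo "Package.resolved contains dependencies specified by branch or commit, skipping cache."
          fi
      - name: Cache SPM
        if: env.cache_key_hash
        uses: actions/cache@v3
        with:
          path: DerivedData/SourcePackages
          key: ${{ runner.os }}-spm-${{ matrix.cache-key }}${{ env.cache_key_hash }}
          restore-keys: |
            ${{ runner.os }}-spm-${{ matrix.cache-key }}
      - name: Select Xcode
        # The Xcode version is read from the .xcode-version file in the repo.
        run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer
      - name: Install xcbeautify
        # Best effort: a failed brew install does not fail the job here, but
        # the build step below still pipes through xcbeautify.
        continue-on-error: true
        run: brew install xcbeautify
      - name: Build and test
        run: |
          echo "Runner ${RUNNER_NAME} (${RUNNER_TRACKING_ID})"
          export OS_ACTIVITY_MODE=debug
          set -o pipefail && xcodebuild test \
            -scheme "${{ matrix.scheme }}" \
            -derivedDataPath "DerivedData" \
            -configuration "CI" \
            ENABLE_TESTABILITY=true \
            ONLY_ACTIVE_ARCH=${{ matrix.active-arch }} \
            | tee "${{ matrix.flavor }}-xcodebuild.log" \
            | xcbeautify --report junit --report-path . --junit-report-filename "${{ matrix.flavor }}.xml"
      - name: Check private API usage
        id: private-api
        # Only the Sandbox (App Store) binary is scanned. Matrix values are
        # workflow-defined, so interpolating them into the script is safe; they
        # are quoted anyway so the test never sees an empty word.
        run: |
          if [[ "${{ matrix.flavor }}" != "Sandbox" ]]; then
            echo "Skipping private API usage check for ${{ matrix.flavor }} build"
          else
            binary_path="DerivedData/Build/Products/CI/DuckDuckGo App Store.app/Contents/MacOS/DuckDuckGo App Store"
            ./scripts/find_private_symbols.sh "${binary_path}" | tee private_api_report.txt
            cat private_api_report.txt >> "$GITHUB_STEP_SUMMARY"
            output=$(cat private_api_report.txt)
            # NOTE(review): %0A escaping comes from the old ::set-output
            # convention; the GITHUB_OUTPUT file may not decode it, so
            # private_api_report.yml must undo this encoding itself — confirm.
            output="${output//$'\n'/%0A}" # step outputs can't contain newline characters
            #
            # After a non-zero exit code is returned in GHA we can't do too much,
            # e.g. set step outputs, so the script always returns 0 and we can tell
            # that it's a failure if there's more than 1 line in the output.
            #
            report_num_lines=$(wc -l < private_api_report.txt | tr -d '[:space:]')
            # -gt: inside [[ ]] the `>` operator compares strings, not numbers.
            if [[ "$report_num_lines" -gt 1 ]]; then
              echo "report=${output}" >> "$GITHUB_OUTPUT"
              exit 1
            fi
          fi
      - name: Publish unit tests report
        uses: mikepenz/action-junit-report@v3
        if: always() # always run even if the previous step fails
        with:
          check_name: "Test Report: ${{ matrix.flavor }}"
          report_paths: ${{ matrix.flavor }}.xml
      - name: Upload failed test log
        uses: actions/upload-artifact@v3
        if: failure()
        with:
          name: ${{ matrix.flavor }}-xcodebuild.log
          path: ${{ matrix.flavor }}-xcodebuild.log

  private-api:
    name: Private API Report
    needs: tests
    # Also runs when the tests job failed because the private-API check
    # produced a report (that check exits 1 after setting the output).
    if: ${{ success() || needs.tests.outputs.private-api-check-report }}
    uses: ./.github/workflows/private_api_report.yml
    with:
      report: ${{ needs.tests.outputs.private-api-check-report }}

  release-build:
    name: Make Release Build
    runs-on: macos-13
    timeout-minutes: 30
    steps:
      - name: Register SSH keys for submodules access
        # NOTE(review): version ref obscured in the rendered page; restore the
        # pinned tag from the repository.
        uses: webfactory/[email protected]
        with:
          ssh-private-key: |
            ${{ secrets.SSH_PRIVATE_KEY_FIND_IN_PAGE }}
            ${{ secrets.SSH_PRIVATE_KEY_PRIVACY_DASHBOARD }}
      - name: Install Apple Developer ID Application certificate
        # Secrets reach the script through `env`, not through `${{ }}`
        # interpolation, so they are never part of the command text.
        env:
          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
          RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }}
          NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64 }}
          NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
          NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }}
          NETP_START_VPN_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_START_VPN_PROVISION_PROFILE_BASE64 }}
          NETP_STOP_VPN_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_STOP_VPN_PROVISION_PROFILE_BASE64 }}
          NETP_ENABLE_ON_DEMAND_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_ENABLE_ON_DEMAND_PROVISION_PROFILE_BASE64 }}
        run: |
          # create variables
          CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          RELEASE_PP_PATH="$RUNNER_TEMP/release_pp.provisionprofile"
          NETP_SYSEX_RELEASE_PP_PATH="$RUNNER_TEMP/netp_sysex_release_pp.provisionprofile"
          NETP_AGENT_RELEASE_PP_PATH="$RUNNER_TEMP/netp_agent_release_pp.provisionprofile"
          NETP_NOTIFICATIONS_RELEASE_PP_PATH="$RUNNER_TEMP/netp_notifications_release_pp.provisionprofile"
          NETP_START_VPN_PP_PATH="$RUNNER_TEMP/netp_start_vpn_pp.provisionprofile"
          NETP_STOP_VPN_PP_PATH="$RUNNER_TEMP/netp_stop_vpn_pp.provisionprofile"
          NETP_ENABLE_ON_DEMAND_PP_PATH="$RUNNER_TEMP/netp_enable_on_demand_pp.provisionprofile"
          # import certificate from secrets
          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o "$CERTIFICATE_PATH"
          echo -n "$RELEASE_PROVISION_PROFILE_BASE64" | base64 --decode -o "$RELEASE_PP_PATH"
          echo -n "$NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64" | base64 --decode -o "$NETP_SYSEX_RELEASE_PP_PATH"
          echo -n "$NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64" | base64 --decode -o "$NETP_AGENT_RELEASE_PP_PATH"
          echo -n "$NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64" | base64 --decode -o "$NETP_NOTIFICATIONS_RELEASE_PP_PATH"
          echo -n "$NETP_START_VPN_PROVISION_PROFILE_BASE64" | base64 --decode -o "$NETP_START_VPN_PP_PATH"
          echo -n "$NETP_STOP_VPN_PROVISION_PROFILE_BASE64" | base64 --decode -o "$NETP_STOP_VPN_PP_PATH"
          echo -n "$NETP_ENABLE_ON_DEMAND_PROVISION_PROFILE_BASE64" | base64 --decode -o "$NETP_ENABLE_ON_DEMAND_PP_PATH"
          # create temporary keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # lock on sleep and after 21600 s (6 h) idle
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # import certificate to keychain
          # -A lets any application use the imported key without a prompt;
          # acceptable only because the runner is ephemeral and the keychain is
          # deleted in the cleanup step below.
          security import "$CERTIFICATE_PATH" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security list-keychain -d user -s "$KEYCHAIN_PATH"
          # apply provisioning profile
          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
          cp "$RELEASE_PP_PATH" \
             "$NETP_SYSEX_RELEASE_PP_PATH" \
             "$NETP_AGENT_RELEASE_PP_PATH" \
             "$NETP_NOTIFICATIONS_RELEASE_PP_PATH" \
             "$NETP_START_VPN_PP_PATH" \
             "$NETP_STOP_VPN_PP_PATH" \
             "$NETP_ENABLE_ON_DEMAND_PP_PATH" \
             ~/Library/MobileDevice/Provisioning\ Profiles
      - name: Check out the code
        uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: Set cache key hash
        # Same tagged-pins check as in the tests job.
        run: |
          has_only_tags=$(jq '[ .pins[].state | has("version") ] | all' DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved)
          if [[ "$has_only_tags" == "true" ]]; then
            echo "cache_key_hash=${{ hashFiles('DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}" >> "$GITHUB_ENV"
          else
            echo "Package.resolved contains dependencies specified by branch or commit, skipping cache."
          fi
      - name: Cache SPM
        if: env.cache_key_hash
        uses: actions/cache@v3
        with:
          path: DerivedData/SourcePackages
          key: ${{ runner.os }}-spm-test-release-${{ env.cache_key_hash }}
          # This job has no matrix, so the `matrix.cache-key` suffix the tests
          # job uses is always empty here; the prefix alone is the restore key.
          restore-keys: |
            ${{ runner.os }}-spm-test-release-
      - name: Select Xcode
        run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer
      - name: Install xcbeautify
        continue-on-error: true
        run: brew install xcbeautify
      - name: Build the app
        run: |
          export OS_ACTIVITY_MODE=debug
          set -o pipefail && xcodebuild \
            -scheme "DuckDuckGo Privacy Browser" \
            -derivedDataPath "DerivedData" \
            -configuration "Release" \
            | tee release-xcodebuild.log \
            | xcbeautify
      - name: Upload failed test log
        uses: actions/upload-artifact@v3
        if: failure()
        with:
          name: release-xcodebuild.log
          path: release-xcodebuild.log
      - name: Clean up keychain and provisioning profiles
        # A no-op in practice on a fresh hosted runner, but it keeps the signing
        # material from outliving the job if this ever moves to a shared or
        # self-hosted runner. Guarded so an early failure does not trip it.
        if: always()
        run: |
          keychain="$RUNNER_TEMP/app-signing.keychain-db"
          if [[ -f "$keychain" ]]; then
            security delete-keychain "$keychain"
          fi
          for pp in release_pp netp_sysex_release_pp netp_agent_release_pp \
                    netp_notifications_release_pp netp_start_vpn_pp \
                    netp_stop_vpn_pp netp_enable_on_demand_pp; do
            rm -f ~/Library/MobileDevice/Provisioning\ Profiles/"$pp".provisionprofile
          done

  verify-autoconsent-bundle:
    name: 'Verify autoconsent bundle'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: "16"
          cache: 'npm'
      - name: Build bundle
        run: |
          npm ci
          npm run rebuild-autoconsent
      - name: Verify clean tree
        # Fails when rebuilding the bundle changed a tracked file, i.e. the
        # committed bundle is out of date.
        run: |
          git update-index --refresh
          git diff-index --quiet HEAD --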