-
Notifications
You must be signed in to change notification settings - Fork 9
305 lines (255 loc) · 11 KB
/
pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
name: PR Checks
on:
push:
branches: [ develop, "release/**" ]
pull_request:
jobs:
swiftlint:
name: SwiftLint
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- name: Check out the code
uses: actions/checkout@v3
- name: Run SwiftLint on files changed in the PR
uses: norio-nomura/[email protected]
with:
args: --strict --force-exclude
shellcheck:
name: ShellCheck
runs-on: ubuntu-latest
steps:
- name: Check out the code
uses: actions/checkout@v3
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@master
with:
format: gcc
ignore_paths: scripts/helpers
scandir: scripts
env:
SHELLCHECK_OPTS: -x -P scripts -P scripts/helpers
tests:
name: Test
strategy:
matrix:
flavor: [ "Sandbox", "Non-Sandbox" ]
include:
- scheme: DuckDuckGo Privacy Browser
flavor: Non-Sandbox
- scheme: DuckDuckGo Privacy Browser App Store
flavor: Sandbox
- active-arch: YES
flavor: Non-Sandbox
- active-arch: NO
flavor: Sandbox
- cache-key:
flavor: Non-Sandbox
- cache-key: sandbox-
flavor: Sandbox
runs-on: macos-13
timeout-minutes: 30
outputs:
private-api-check-report: ${{ steps.private-api.outputs.report }}
steps:
- name: Register SSH keys for submodules access
uses: webfactory/[email protected]
with:
ssh-private-key: |
${{ secrets.SSH_PRIVATE_KEY_FIND_IN_PAGE }}
${{ secrets.SSH_PRIVATE_KEY_PRIVACY_DASHBOARD }}
- name: Check out the code
uses: actions/checkout@v3
with:
submodules: recursive
- name: Set cache key hash
run: |
has_only_tags=$(jq '[ .pins[].state | has("version") ] | all' DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved)
if [[ "$has_only_tags" == "true" ]]; then
echo "cache_key_hash=${{ hashFiles('DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}" >> $GITHUB_ENV
else
echo "Package.resolved contains dependencies specified by branch or commit, skipping cache."
fi
- name: Cache SPM
if: env.cache_key_hash
uses: actions/cache@v3
with:
path: DerivedData/SourcePackages
key: ${{ runner.os }}-spm-${{ matrix.cache-key }}${{ env.cache_key_hash }}
restore-keys: |
${{ runner.os }}-spm-${{ matrix.cache-key }}
- name: Select Xcode
run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer
- name: Install xcbeautify
continue-on-error: true
run: brew install xcbeautify
- name: Build and test
run: |
echo "Runner ${RUNNER_NAME} (${RUNNER_TRACKING_ID})"
export OS_ACTIVITY_MODE=debug
set -o pipefail && xcodebuild test \
-scheme "${{ matrix.scheme }}" \
-derivedDataPath "DerivedData" \
-configuration "CI" \
ENABLE_TESTABILITY=true \
ONLY_ACTIVE_ARCH=${{ matrix.active-arch }} \
| tee ${{ matrix.flavor }}-xcodebuild.log \
| xcbeautify --report junit --report-path . --junit-report-filename ${{ matrix.flavor }}.xml
- name: Check private API usage
id: private-api
run: |
if [[ ${{ matrix.flavor }} != "Sandbox" ]]; then
echo "Skipping private API usage check for ${{ matrix.flavor }} build"
else
binary_path="DerivedData/Build/Products/CI/DuckDuckGo App Store.app/Contents/MacOS/DuckDuckGo App Store"
./scripts/find_private_symbols.sh "${binary_path}" | tee private_api_report.txt
cat private_api_report.txt >> $GITHUB_STEP_SUMMARY
output=$(cat private_api_report.txt)
output="${output//$'\n'/%0A}" # step outputs can't contain newline characters
#
# After a non-zero exit code is returned in GHA we can't do too much,
# e.g. set step outputs, so the script always returns 0 and we can tell
# that it's a failure if there's more than 1 line in the output.
#
report_num_lines=$(wc -l < private_api_report.txt | tr -d '[:space:]')
if [[ $report_num_lines > 1 ]]; then
echo "report=${output}" >> $GITHUB_OUTPUT
exit 1
fi
fi
- name: Publish unit tests report
uses: mikepenz/action-junit-report@v3
if: always() # always run even if the previous step fails
with:
check_name: "Test Report: ${{ matrix.flavor }}"
report_paths: ${{ matrix.flavor }}.xml
- name: Upload failed test log
uses: actions/upload-artifact@v3
if: failure()
with:
name: ${{ matrix.flavor }}-xcodebuild.log
path: ${{ matrix.flavor }}-xcodebuild.log
private-api:
name: Private API Report
needs: tests
if: ${{ success() || needs.tests.outputs.private-api-check-report }}
uses: ./.github/workflows/private_api_report.yml
with:
report: ${{ needs.tests.outputs.private-api-check-report }}
release-build:
name: Make Release Build
runs-on: macos-13
timeout-minutes: 30
steps:
- name: Register SSH keys for submodules access
uses: webfactory/[email protected]
with:
ssh-private-key: |
${{ secrets.SSH_PRIVATE_KEY_FIND_IN_PAGE }}
${{ secrets.SSH_PRIVATE_KEY_PRIVACY_DASHBOARD }}
- name: Install Apple Developer ID Application certificate
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_START_VPN_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_START_VPN_PROVISION_PROFILE_BASE64 }}
NETP_STOP_VPN_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_STOP_VPN_PROVISION_PROFILE_BASE64 }}
NETP_ENABLE_ON_DEMAND_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_ENABLE_ON_DEMAND_PROVISION_PROFILE_BASE64 }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
RELEASE_PP_PATH=$RUNNER_TEMP/release_pp.provisionprofile
NETP_SYSEX_RELEASE_PP_PATH=$RUNNER_TEMP/netp_sysex_release_pp.provisionprofile
NETP_AGENT_RELEASE_PP_PATH=$RUNNER_TEMP/netp_agent_release_pp.provisionprofile
NETP_NOTIFICATIONS_RELEASE_PP_PATH=$RUNNER_TEMP/netp_notifications_release_pp.provisionprofile
NETP_START_VPN_PP_PATH=$RUNNER_TEMP/netp_start_vpn_pp.provisionprofile
NETP_STOP_VPN_PP_PATH=$RUNNER_TEMP/netp_stop_vpn_pp.provisionprofile
NETP_ENABLE_ON_DEMAND_PP_PATH=$RUNNER_TEMP/netp_enable_on_demand_pp.provisionprofile
# import certificate from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$RELEASE_PROVISION_PROFILE_BASE64" | base64 --decode -o $RELEASE_PP_PATH
echo -n "$NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64" | base64 --decode -o $NETP_SYSEX_RELEASE_PP_PATH
echo -n "$NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64" | base64 --decode -o $NETP_AGENT_RELEASE_PP_PATH
echo -n "$NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64" | base64 --decode -o $NETP_NOTIFICATIONS_RELEASE_PP_PATH
echo -n "$NETP_START_VPN_PROVISION_PROFILE_BASE64" | base64 --decode -o $NETP_START_VPN_PP_PATH
echo -n "$NETP_STOP_VPN_PROVISION_PROFILE_BASE64" | base64 --decode -o $NETP_STOP_VPN_PP_PATH
echo -n "$NETP_ENABLE_ON_DEMAND_PROVISION_PROFILE_BASE64" | base64 --decode -o $NETP_ENABLE_ON_DEMAND_PP_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# apply provisioning profile
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp $RELEASE_PP_PATH \
$NETP_SYSEX_RELEASE_PP_PATH \
$NETP_AGENT_RELEASE_PP_PATH \
$NETP_NOTIFICATIONS_RELEASE_PP_PATH \
$NETP_START_VPN_PP_PATH \
$NETP_STOP_VPN_PP_PATH \
$NETP_ENABLE_ON_DEMAND_PP_PATH \
~/Library/MobileDevice/Provisioning\ Profiles
- name: Check out the code
uses: actions/checkout@v3
with:
submodules: recursive
- name: Set cache key hash
run: |
has_only_tags=$(jq '[ .pins[].state | has("version") ] | all' DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved)
if [[ "$has_only_tags" == "true" ]]; then
echo "cache_key_hash=${{ hashFiles('DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}" >> $GITHUB_ENV
else
echo "Package.resolved contains dependencies specified by branch or commit, skipping cache."
fi
- name: Cache SPM
if: env.cache_key_hash
uses: actions/cache@v3
with:
path: DerivedData/SourcePackages
key: ${{ runner.os }}-spm-test-release-${{ env.cache_key_hash }}
restore-keys: |
${{ runner.os }}-spm-test-release-${{ matrix.cache-key }}
- name: Select Xcode
run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer
- name: Install xcbeautify
continue-on-error: true
run: brew install xcbeautify
- name: Build the app
run: |
export OS_ACTIVITY_MODE=debug
set -o pipefail && xcodebuild \
-scheme "DuckDuckGo Privacy Browser" \
-derivedDataPath "DerivedData" \
-configuration "Release" \
| tee release-xcodebuild.log \
| xcbeautify
- name: Upload failed test log
uses: actions/upload-artifact@v3
if: failure()
with:
name: release-xcodebuild.log
path: release-xcodebuild.log
verify-autoconsent-bundle:
name: 'Verify autoconsent bundle'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
cache: 'npm'
- name: Build bundle
run: |
npm ci
npm run rebuild-autoconsent
- name: Verify clean tree
run: |
git update-index --refresh
git diff-index --quiet HEAD --