diff --git a/.github/workflows/pir_end_to_end_tests_files_changed_trigger.yml b/.github/workflows/pir_end_to_end_tests_files_changed_trigger.yml
index 138a7fc409..3101c05e8e 100644
--- a/.github/workflows/pir_end_to_end_tests_files_changed_trigger.yml
+++ b/.github/workflows/pir_end_to_end_tests_files_changed_trigger.yml
@@ -2,10 +2,7 @@ name: PIR E2E Tests files changed trigger
 on:
 pull_request:
- branches-ignore: # skip running on these branches since they are trigged by a different workflow
- - hotfix/*
- - release/*
- paths: ['DBPE2ETests/**', 'LocalPackages/DataBrokerProtection/**', 'DuckDuckGoDBPBackgroundAgent/**', 'DuckDuckGo.xcodeproj/project.pbxproj']
+ paths: ['LocalPackages/DataBrokerProtection/**']
 jobs:
 call-sub-workflow:
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
deleted file mode 100644
index 9acedea50c..0000000000
--- a/.github/workflows/pr.yml
+++ /dev/null
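Review bot: Narrowing `paths` to `['LocalPackages/DataBrokerProtection/**']` in the trigger workflow means pull requests that touch only `DBPE2ETests/**`, `DuckDuckGoDBPBackgroundAgent/**` or `DuckDuckGo.xcodeproj/project.pbxproj` no longer start the PIR end-to-end run. The same diff deletes `.github/workflows/pr.yml`, so nothing visible here picks that coverage up. Dropping `branches-ignore` also lets this workflow fire on pull requests targeting `hotfix/*` and `release/*`, which the removed comment says are already handled by a different workflow, so those may run twice. If the narrowing is intentional, a comment above `paths:` would record why, e.g. `# E2E runs only for DataBrokerProtection package changes; agent and test-target changes are covered by <workflow name>`. Otherwise the removed path entries and the `branches-ignore` block should be restored before merge.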
@@ -1,455 +0,0 @@ -name: PR Checks - -on: - push: - branches: [ main, "release/**", "loremattei/**" ] - pull_request: - workflow_call: - inputs: - branch: - description: "Branch name" - required: false - type: string - secrets: - APPLE_API_KEY_BASE64: - required: true - APPLE_API_KEY_ID: - required: true - APPLE_API_KEY_ISSUER: - required: true - ASANA_ACCESS_TOKEN: - required: true - MATCH_PASSWORD: - required: true - SSH_PRIVATE_KEY_FASTLANE_MATCH: - required: true - -jobs: - swiftlint: - - name: SwiftLint - - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - - name: SwiftLint - uses: docker://norionomura/swiftlint:0.54.0 - with: - args: swiftlint --reporter github-actions-logging --strict - - shellcheck: - - name: ShellCheck - - runs-on: ubuntu-latest - - steps: - - name: Check out the code - if: github.event_name == 'pull_request' || github.event_name == 'push' - uses: actions/checkout@v4 - - - name: Check out the code - if: github.event_name != 'pull_request' && github.event_name != 'push' - uses: actions/checkout@v4 - with: - ref: ${{ inputs.branch || github.ref_name }} - - - name: Run ShellCheck - uses: ludeeus/action-shellcheck@master - with: - format: gcc - ignore_paths: scripts/helpers - scandir: scripts - env: - SHELLCHECK_OPTS: -x -P scripts -P scripts/helpers - - bats: - - name: Test Shell Scripts - - runs-on: macos-14 - - steps: - - name: Check out the code - if: github.event_name == 'pull_request' || github.event_name == 'push' - uses: actions/checkout@v4 - - - name: Check out the code - if: github.event_name != 'pull_request' && github.event_name != 'push' - uses: actions/checkout@v4 - with: - ref: ${{ inputs.branch || github.ref_name }} - - - name: Install Bats - run: brew install bats-core - - - name: Run Bats tests - run: bats --formatter junit scripts/tests/* > bats-tests.xml - - - name: Publish unit tests report - uses: mikepenz/action-junit-report@v4 - if: always() # always run even if the previous step fails - with: - 
check_name: "Test Report: Shell Scripts" - report_paths: 'bats-tests.xml' - - tests: - name: Test - - strategy: - fail-fast: false - matrix: - flavor: [ "Sandbox", "Non-Sandbox" ] - include: - - scheme: DuckDuckGo Privacy Browser - flavor: Non-Sandbox - - scheme: DuckDuckGo Privacy Browser App Store - flavor: Sandbox - - active-arch: YES - flavor: Non-Sandbox - - active-arch: NO - flavor: Sandbox - - integration-tests-target: Integration Tests - flavor: Non-Sandbox - - integration-tests-target: Integration Tests App Store - flavor: Sandbox - - cache-key: - flavor: Non-Sandbox - - cache-key: sandbox- - flavor: Sandbox - - runs-on: macos-14-xlarge - timeout-minutes: 50 - - outputs: - private-api-check-report: ${{ steps.private-api.outputs.report }} - commit_author: ${{ steps.fetch_commit_author.outputs.commit_author }} - - steps: - - name: Register SSH keys for certificates repository and PIR fake broker repository access - uses: webfactory/ssh-agent@v0.7.0 - with: - ssh-private-key: | - ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }} - ${{ secrets.SSH_PRIVATE_KEY_PIR_FAKE_BROKER }} - - - name: Check out the code - uses: actions/checkout@v4 - with: - repository: DuckDuckGo/pir-fake-broker - ssh-key: ${{ secrets.SSH_PRIVATE_KEY_PIR_FAKE_BROKER }} - ref: loremattei/ci-integration - path: pir-fake-broker - - - name: Start PIR Fake Broker - run: | - cd pir-fake-broker - cd scripts - ./install-prerequisites.sh - ./setup-ci.sh - cd .. 
- pnpm start:all & - - - name: Check out the code - if: github.event_name == 'pull_request' || github.event_name == 'push' - uses: actions/checkout@v4 - with: - submodules: recursive - path: main - - - name: Check out the code - if: github.event_name != 'pull_request' && github.event_name != 'push' - uses: actions/checkout@v4 - with: - submodules: recursive - ref: ${{ inputs.branch || github.ref_name }} - path: main - - - name: Set up fastlane - run: | - cd main - bundle install - - - name: Sync code signing assets - env: - APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }} - APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} - APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }} - MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }} - SSH_PRIVATE_KEY_FASTLANE_MATCH: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }} - run: | - cd main - bundle exec fastlane sync_signing_ci - - - name: Set cache key hash - run: | - cd main - has_only_tags=$(jq '[ .pins[].state | has("version") ] | all' DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved) - if [[ "$has_only_tags" == "true" ]]; then - echo "cache_key_hash=${{ hashFiles('DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}" >> $GITHUB_ENV - else - echo "Package.resolved contains dependencies specified by branch or commit, skipping cache." 
- fi - - - name: Cache SPM - if: env.cache_key_hash - uses: actions/cache@v4 - with: - path: main/DerivedData/SourcePackages - key: ${{ runner.os }}-spm-${{ matrix.cache-key }}${{ env.cache_key_hash }} - restore-keys: | - ${{ runner.os }}-spm-${{ matrix.cache-key }} - - - name: Select Xcode - run: cd main && sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer - - # - name: Build and run unit tests - # run: | - # cd main - # echo "Runner ${RUNNER_NAME} (${RUNNER_TRACKING_ID})" - # export OS_ACTIVITY_MODE=debug - - # set -o pipefail && xcodebuild test \ - # -scheme "${{ matrix.scheme }}" \ - # -derivedDataPath "DerivedData" \ - # -configuration "CI" \ - # -skipPackagePluginValidation -skipMacroValidation \ - # ENABLE_TESTABILITY=true \ - # ONLY_ACTIVE_ARCH=${{ matrix.active-arch }} \ - # "-skip-testing:${{ matrix.integration-tests-target }}" \ - # | tee ${{ matrix.flavor }}-unittests-xcodebuild.log \ - # | xcbeautify --report junit --report-path . --junit-report-filename ${{ matrix.flavor }}-unittests.xml \ - # || { mv "$(grep -m 1 '.*\.xcresult' ${{ matrix.flavor }}-unittests-xcodebuild.log | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')" ./${{ matrix.flavor }}-unittests.xcresult && exit 1; } - - - name: Run integration tests - run: | - cd main - set -o pipefail && xcodebuild test \ - -scheme "${{ matrix.scheme }}" \ - -derivedDataPath "DerivedData" \ - -configuration "CI" \ - -skipPackagePluginValidation -skipMacroValidation \ - ENABLE_TESTABILITY=true \ - ONLY_ACTIVE_ARCH=${{ matrix.active-arch }} \ - "-only-testing:${{ matrix.integration-tests-target }}" \ - -retry-tests-on-failure \ - | tee ${{ matrix.flavor }}-integrationtests-xcodebuild.log \ - | xcbeautify --report junit --report-path . 
--junit-report-filename ${{ matrix.flavor }}-integrationtests.xml \ - || { mv "$(grep -m 1 '.*\.xcresult' ${{ matrix.flavor }}-integrationtests-xcodebuild.log | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')" ./${{ matrix.flavor }}-integrationtests.xcresult && exit 1; } - - - name: Check private API usage - id: private-api - run: | - cd main - if [[ ${{ matrix.flavor }} != "Sandbox" ]]; then - echo "Skipping private API usage check for ${{ matrix.flavor }} build" - else - binary_path="DerivedData/Build/Products/CI/DuckDuckGo App Store.app/Contents/MacOS/DuckDuckGo App Store" - ./scripts/find_private_symbols.sh "${binary_path}" | tee private_api_report.txt - - cat private_api_report.txt >> $GITHUB_STEP_SUMMARY - - output=$(cat private_api_report.txt) - output="${output//$'\n'/%0A}" # step outputs can't contain newline characters - - # - # After a non-zero exit code is returned in GHA we can't do too much, - # e.g. set step outputs, so the script always returns 0 and we can tell - # that it's a failure if there's more than 1 line in the output. 
- # - report_num_lines=$(wc -l < private_api_report.txt | tr -d '[:space:]') - if [[ $report_num_lines > 1 ]]; then - echo "report=${output}" >> $GITHUB_OUTPUT - exit 1 - fi - fi - - - name: Publish unit tests report - uses: mikepenz/action-junit-report@v4 - if: always() # always run even if the previous step fails - with: - check_name: "Test Report: ${{ matrix.flavor }}" - report_paths: '${{ matrix.flavor }}*.xml' - check_retries: true - - - name: Update Asana with failed unit tests - if: always() # always run even if the previous step fails - env: - ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }} - WORKFLOW_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }} - run: | - # Extract failed tests from the junit report - # Only keep failures unique by classname and name (column 1 and 2 of the yq output) - for file in "${{ matrix.flavor }}-unittests.xml" "${{ matrix.flavor }}-integrationtests.xml"; do - yq < "$file" -p xml -o json -r \ - $'[.testsuites.testsuite[].testcase] | flatten | map(select(.failure) | .+@classname + " " + .+@name + " \'" + .failure.+@message + "\' ${{ env.WORKFLOW_URL }}") | .[]' \ - | sort -u -k 1,2 \ - | xargs -L 1 ./scripts/report-failed-unit-test.sh - done - - - name: Upload failed unit tests log - uses: actions/upload-artifact@v4 - if: failure() - with: - name: ${{ matrix.flavor }}-unittests-xcodebuild.log - path: ${{ matrix.flavor }}-unittests-xcodebuild.log - retention-days: 7 - - - name: Upload failed unit tests xcresult - uses: actions/upload-artifact@v4 - if: failure() - with: - name: ${{ matrix.flavor }}-unittests.xcresult - path: ${{ matrix.flavor }}-unittests.xcresult - retention-days: 7 - - - name: Upload failed integration tests log - uses: actions/upload-artifact@v4 - if: failure() || cancelled() - with: - name: ${{ matrix.flavor }}-integrationtests-xcodebuild.log - path: ${{ matrix.flavor }}-integrationtests-xcodebuild.log - retention-days: 7 - - - name: 
Upload failed integration tests xcresult - uses: actions/upload-artifact@v4 - if: failure() || cancelled() - with: - name: ${{ matrix.flavor }}-integrationtests.xcresult - path: ${{ matrix.flavor }}-integrationtests.xcresult - retention-days: 7 - - - name: Fetch latest commit author - if: always() && github.ref_name == 'main' - id: fetch_commit_author - env: - GH_TOKEN: ${{ github.token }} - run: | - head_commit=$(git rev-parse HEAD) - author=$(gh api https://api.github.com/repos/${{ github.repository }}/commits/${head_commit} --jq .author.login) - echo "commit_author=${author}" >> $GITHUB_OUTPUT - - private-api: - name: Private API Report - needs: tests - if: ${{ success() || needs.tests.outputs.private-api-check-report }} - uses: ./.github/workflows/private_api_report.yml - with: - report: ${{ needs.tests.outputs.private-api-check-report }} - - release-build: - - name: Make Release Build - - # Dependabot doesn't have access to all secrets, so we skip this job - # workflow_call is used by bump_internal_release and is followed by a proper release job - if: github.actor != 'dependabot[bot]' && (github.event_name == 'push' || github.event_name == 'pull_request') - - runs-on: macos-14-xlarge - timeout-minutes: 30 - - steps: - - name: Register SSH key for certificates repository access - uses: webfactory/ssh-agent@v0.7.0 - with: - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }} - - - name: Check out the code - uses: actions/checkout@v4 - with: - submodules: recursive - - - name: Set up fastlane - run: bundle install - - - name: Sync code signing assets - env: - APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }} - APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} - APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }} - MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }} - SSH_PRIVATE_KEY_FASTLANE_MATCH: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }} - run: bundle exec fastlane sync_signing_dmg_release - - - name: Set cache key hash - run: | - 
has_only_tags=$(jq '[ .pins[].state | has("version") ] | all' DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved) - if [[ "$has_only_tags" == "true" ]]; then - echo "cache_key_hash=${{ hashFiles('DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}" >> $GITHUB_ENV - else - echo "Package.resolved contains dependencies specified by branch or commit, skipping cache." - fi - - - name: Cache SPM - if: env.cache_key_hash - uses: actions/cache@v4 - with: - path: DerivedData/SourcePackages - key: ${{ runner.os }}-spm-test-release-${{ env.cache_key_hash }} - restore-keys: | - ${{ runner.os }}-spm-test-release-${{ matrix.cache-key }} - - - name: Select Xcode - run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer - - - name: Build the app - run: | - export OS_ACTIVITY_MODE=debug - set -o pipefail && xcodebuild \ - -scheme "DuckDuckGo Privacy Browser" \ - -derivedDataPath "DerivedData" \ - -configuration "Release" \ - -skipPackagePluginValidation -skipMacroValidation \ - | tee release-xcodebuild.log \ - | xcbeautify - - - name: Upload failed test log - uses: actions/upload-artifact@v4 - if: failure() - with: - name: release-xcodebuild.log - path: release-xcodebuild.log - retention-days: 7 - - verify-autoconsent-bundle: - name: 'Verify autoconsent bundle' - runs-on: ubuntu-latest - - steps: - - name: Skip - run: | - echo "Skipping autoconsent bundle verification during an experiment" - - create-asana-task: - name: Create Asana Task - needs: [swiftlint, bats, tests, release-build, verify-autoconsent-bundle, private-api] - - if: failure() && github.ref_name == 'main' && github.run_attempt == 1 - - runs-on: ubuntu-latest - - steps: - - name: Create Asana Task - uses: duckduckgo/BrowserServicesKit/.github/actions/asana-failed-pr-checks@main - with: - action: create-task - asana-access-token: ${{ secrets.ASANA_ACCESS_TOKEN }} - asana-section-id: ${{ 
vars.APPLE_CI_FAILING_TESTS_MACOS_POST_MERGE_SECTION_ID }} - commit-author: ${{ needs.tests.outputs.commit_author }} - - close-asana-task: - name: Close Asana Task - needs: [swiftlint, bats, tests, release-build, verify-autoconsent-bundle, private-api] - - if: success() && github.ref_name == 'main' && github.run_attempt > 1 - - runs-on: ubuntu-latest - - steps: - - name: Close Asana Task - uses: duckduckgo/BrowserServicesKit/.github/actions/asana-failed-pr-checks@main - with: - action: close-task - asana-access-token: ${{ secrets.ASANA_ACCESS_TOKEN }} - asana-section-id: ${{ vars.APPLE_CI_FAILING_TESTS_MACOS_POST_MERGE_SECTION_ID }} diff --git a/soup b/soup new file mode 100644 index 0000000000..958d6799e1 --- /dev/null +++ b/soup @@ -0,0 +1 @@ +Soup \ No newline at end of file