From f11072411757aca91f9266df0d466a99c77e29cb Mon Sep 17 00:00:00 2001 From: Nick Cooke Date: Tue, 2 Jul 2024 10:45:38 -0400 Subject: [PATCH 1/5] [Infra] Migrate release.yml to use Firebase/SpecsReleasing repo --- .github/workflows/release.yml | 11 +++++------ .../Sources/SpecRepoBuilder/main.swift | 2 +- scripts/remove_data.sh | 4 ---- scripts/setup_quickstart.sh | 2 +- 4 files changed, 7 insertions(+), 12 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c187970d752..ae1973278a7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -53,8 +53,7 @@ jobs: scripts/release_testing_setup.sh release_testing - name: Clean spec repo run: | - botaccess=`cat bot-access.txt` - git clone --quiet https://"$botaccess"@github.com/FirebasePrivate/SpecsTesting.git "${local_repo}" + git clone --quiet https://github.com/Firebase/SpecsReleasing.git "${local_repo}" cd "${local_repo}" # Remove all unhidden dirs, i.e. all podspec dir from the spec repo. rm -Rf -- */ @@ -97,11 +96,11 @@ jobs: botaccess=`cat bot-access.txt` cd scripts/create_spec_repo/ swift build - pod repo add --silent "${local_repo}" https://"$botaccess"@github.com/FirebasePrivate/SpecsTesting.git + pod repo add --silent "${local_repo}" https://"$botaccess"@github.com/Firebase/SpecsReleasing.git BOT_TOKEN="${botaccess}" ${GITHUB_WORKSPACE}/scripts/third_party/travis/retry.sh .build/debug/spec-repo-builder \ --sdk-repo "${local_sdk_repo_dir}" \ --local-spec-repo-name "${local_repo}" \ - --pod-sources 'https://${BOT_TOKEN}@github.com/FirebasePrivate/SpecsTesting' "https://github.com/firebase/SpecsStaging.git" "https://github.com/CocoaPods/Specs.git" \ + --pod-sources 'https://${BOT_TOKEN}@github.com/Firebase/SpecsReleasing' "https://github.com/firebase/SpecsStaging.git" "https://github.com/CocoaPods/Specs.git" \ --include-pods "${targeted_pod}" --keep-repo - name: Clean Artifacts if: ${{ always() }} @@ -138,13 +137,13 @@ jobs: botaccess=`cat bot-access.txt` cd scripts/create_spec_repo/ swift build - pod repo add --silent "${local_repo}" https://"$botaccess"@github.com/FirebasePrivate/SpecsTesting.git + pod repo add --silent "${local_repo}" https://"$botaccess"@github.com/Firebase/SpecsReleasing.git # ${ALLOWWARNINGS:+--allow-warnings} will add --allow-warnings to the # command if ${ALLOWWARNINGS} is not null. BOT_TOKEN="${botaccess}" ${GITHUB_WORKSPACE}/scripts/third_party/travis/retry.sh .build/debug/spec-repo-builder \ --sdk-repo "${local_sdk_repo_dir}" \ --local-spec-repo-name "${local_repo}" \ - --pod-sources 'https://${BOT_TOKEN}@github.com/FirebasePrivate/SpecsTesting' "https://github.com/firebase/SpecsStaging.git" "https://github.com/CocoaPods/Specs.git" \ + --pod-sources 'https://${BOT_TOKEN}@github.com/Firebase/SpecsReleasing' "https://github.com/firebase/SpecsStaging.git" "https://github.com/CocoaPods/Specs.git" \ --include-pods "${targeted_pod}" \ --keep-repo ${ALLOWWARNINGS:+--allow-warnings} - name: Clean Artifacts diff --git a/scripts/create_spec_repo/Sources/SpecRepoBuilder/main.swift b/scripts/create_spec_repo/Sources/SpecRepoBuilder/main.swift index a6ec9ede9fb..44ed9f2da96 100644 --- a/scripts/create_spec_repo/Sources/SpecRepoBuilder/main.swift +++ b/scripts/create_spec_repo/Sources/SpecRepoBuilder/main.swift @@ -140,7 +140,7 @@ struct SpecRepoBuilder: ParsableCommand { var excludePods: [String] = [] @Option(help: "GitHub Account Name.") - var githubAccount: String = "FirebasePrivate" + var githubAccount: String = "Firebase" @Option(help: "GitHub Repo Name.") var sdkRepoName: String = "SpecsTesting" diff --git a/scripts/remove_data.sh b/scripts/remove_data.sh index a99d0940b7c..04dcf25ae8f 100755 --- a/scripts/remove_data.sh +++ b/scripts/remove_data.sh @@ -22,8 +22,4 @@ if [[ ! -z "$LEGACY" ]]; then DIR="${SDK}/Legacy${SDK}Quickstart" fi -# By default, remove potential secrets used in specs repo URLs. -sed -i "" "s/https:\/\/.*@github.com\/FirebasePrivate\/SpecsTesting.git/https:\/\/github.com\/FirebasePrivate\/SpecsTesting.git/g" quickstart-ios/"${DIR}"/Podfile quickstart-ios/"${DIR}"/Podfile.lock -sed -i "" "s/https:\/\/.*@github.com\/FirebasePrivate\/SpecsReleasing.git/https:\/\/github.com\/FirebasePrivate\/SpecsReleasing.git/g" quickstart-ios/"${DIR}"/Podfile quickstart-ios/"${DIR}"/Podfile.lock - rm -f quickstart-ios/"${DIR}"/GoogleService-Info.plist diff --git a/scripts/setup_quickstart.sh b/scripts/setup_quickstart.sh index 5d0ea72ad4c..840b1eaebdc 100755 --- a/scripts/setup_quickstart.sh +++ b/scripts/setup_quickstart.sh @@ -53,7 +53,7 @@ if check_secrets || [[ ${SAMPLE} == "installations" ]]; then $scripts_dir/localize_podfile.swift "$WORKSPACE_DIR"/Podfile "$RELEASE_TESTING" if [ "$RELEASE_TESTING" == "nightly_release_testing" ]; then set +x - sed -i "" '1i\'$'\n'"source 'https://${BOT_TOKEN}@github.com/FirebasePrivate/SpecsTesting.git'"$'\n' "$PODFILE" + sed -i "" '1i\'$'\n'"source 'https://github.com/Firebase/SpecsReleasing.git'"$'\n' "$PODFILE" set -x echo "Source of Podfile for nightly release testing is updated." fi From 1530068c5b14e1ac7b60f6ec0e122d7febc43781 Mon Sep 17 00:00:00 2001 From: Nick Cooke Date: Tue, 2 Jul 2024 10:55:36 -0400 Subject: [PATCH 2/5] release.yml renames --- .github/workflows/release.yml | 42 +++++++++++++++++------------------ 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ae1973278a7..a19ef5cbdaf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -26,7 +26,7 @@ jobs: # 'podspec_repo_branch' of this repo will be validated and pushed to the # testing repo. local_sdk_repo_dir: /tmp/test/firebase-ios-sdk - local_repo: specstesting + local_repo: specsreleasing podspec_repo_branch: main outputs: matrix: ${{ steps.generate_matrix.outputs.matrix }} @@ -43,7 +43,7 @@ jobs: run: | scripts/decrypt_gha_secret.sh scripts/gha-encrypted/release-testing-token.txt.gpg \ bot-access.txt "$bot_token_secret" - - name: Update SpecsTesting repo setup + - name: Update SpecsReleasing repo setup run: | botaccess=`cat bot-access.txt` BOT_TOKEN="${botaccess}" test_version="${nightly_version}" \ @@ -71,14 +71,14 @@ jobs: path: | ${{ env.local_sdk_repo_dir }}/*.podspec ${{ env.local_sdk_repo_dir }}/*.podspec.json - buildup_SpecsTesting_repo_FirebaseCore: + buildup_SpecsReleasing_repo_FirebaseCore: needs: specs_checking # Don't run on private repo unless it is a PR. if: github.repository == 'Firebase/firebase-ios-sdk' runs-on: macos-14 env: bot_token_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} - local_repo: specstesting + local_repo: specsreleasing local_sdk_repo_dir: /tmp/test/firebase-ios-sdk targeted_pod: FirebaseCore steps: @@ -91,7 +91,7 @@ jobs: run: | scripts/decrypt_gha_secret.sh scripts/gha-encrypted/release-testing-token.txt.gpg \ bot-access.txt "$bot_token_secret" - - name: Update SpecsTesting repo + - name: Update SpecsReleasing repo run: | botaccess=`cat bot-access.txt` cd scripts/create_spec_repo/ @@ -108,8 +108,8 @@ jobs: pod repo remove "${local_repo}" rm -rf bot-access.txt - buildup_SpecsTesting_repo: - needs: [buildup_SpecsTesting_repo_FirebaseCore, specs_checking] + buildup_SpecsReleasing_repo: + needs: [buildup_SpecsReleasing_repo_FirebaseCore, specs_checking] # Don't run on private repo unless it is a PR. if: github.repository == 'Firebase/firebase-ios-sdk' runs-on: macos-14 @@ -118,7 +118,7 @@ jobs: matrix: ${{fromJson(needs.specs_checking.outputs.matrix)}} env: bot_token_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} - local_repo: specstesting + local_repo: specsreleasing local_sdk_repo_dir: /tmp/test/firebase-ios-sdk targeted_pod: ${{ matrix.podspec }} steps: @@ -131,7 +131,7 @@ jobs: run: | scripts/decrypt_gha_secret.sh scripts/gha-encrypted/release-testing-token.txt.gpg \ bot-access.txt "$bot_token_secret" - - name: Update SpecsTesting repo + - name: Update SpecsReleasing repo run: | [[ ${{ matrix.allowwarnings }} == true ]] && ALLOWWARNINGS=true botaccess=`cat bot-access.txt` @@ -155,7 +155,7 @@ jobs: abtesting_quickstart: # Don't run on private repo unless it is a PR. if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' - needs: buildup_SpecsTesting_repo + needs: buildup_SpecsReleasing_repo env: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} signin_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} @@ -194,7 +194,7 @@ jobs: auth_quickstart: # Don't run on private repo unless it is a PR. if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' - needs: buildup_SpecsTesting_repo + needs: buildup_SpecsReleasing_repo env: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} signin_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} @@ -227,7 +227,7 @@ jobs: crashlytics_quickstart: # Don't run on private repo unless it is a PR. if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' - needs: buildup_SpecsTesting_repo + needs: buildup_SpecsReleasing_repo env: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} signin_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} @@ -277,7 +277,7 @@ jobs: database_quickstart: # Don't run on private repo unless it is a PR. if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' - needs: buildup_SpecsTesting_repo + needs: buildup_SpecsReleasing_repo env: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} signin_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} @@ -314,7 +314,7 @@ jobs: dynamiclinks_quickstart: # Don't run on private repo unless it is a PR. if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' - needs: buildup_SpecsTesting_repo + needs: buildup_SpecsReleasing_repo env: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} signin_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} @@ -357,7 +357,7 @@ jobs: firestore_quickstart: # Don't run on private repo unless it is a PR. if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' - needs: buildup_SpecsTesting_repo + needs: buildup_SpecsReleasing_repo env: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} signin_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} @@ -394,7 +394,7 @@ jobs: # functions_quickstart: # # Don't run on private repo unless it is a PR. # if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' - # needs: buildup_SpecsTesting_repo + # needs: buildup_SpecsReleasing_repo # env: # plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} # signin_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} @@ -436,7 +436,7 @@ jobs: inappmessaging_quickstart: # Don't run on private repo unless it is a PR. if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' - needs: buildup_SpecsTesting_repo + needs: buildup_SpecsReleasing_repo env: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} signin_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} @@ -475,7 +475,7 @@ jobs: messaging_quickstart: # Don't run on private repo unless it is a PR. if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' - needs: buildup_SpecsTesting_repo + needs: buildup_SpecsReleasing_repo env: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} signin_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} @@ -514,7 +514,7 @@ jobs: remoteconfig_quickstart: # Don't run on private repo unless it is a PR. if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' - needs: buildup_SpecsTesting_repo + needs: buildup_SpecsReleasing_repo env: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} signin_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} @@ -547,7 +547,7 @@ jobs: storage_quickstart: # Don't run on private repo unless it is a PR. if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' - needs: buildup_SpecsTesting_repo + needs: buildup_SpecsReleasing_repo env: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} signin_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} @@ -585,7 +585,7 @@ jobs: performance_quickstart: # Don't run on private repo unless it is a PR. if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' - needs: buildup_SpecsTesting_repo + needs: buildup_SpecsReleasing_repo env: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} signin_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} From 19553be8517b51c6f7d401dafaecab13f42ef23c Mon Sep 17 00:00:00 2001 From: Nick Cooke Date: Tue, 2 Jul 2024 11:01:52 -0400 Subject: [PATCH 3/5] Remove tokens from podfile sources --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a19ef5cbdaf..42ebf9c7374 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -100,7 +100,7 @@ jobs: BOT_TOKEN="${botaccess}" ${GITHUB_WORKSPACE}/scripts/third_party/travis/retry.sh .build/debug/spec-repo-builder \ --sdk-repo "${local_sdk_repo_dir}" \ --local-spec-repo-name "${local_repo}" \ - --pod-sources 'https://${BOT_TOKEN}@github.com/Firebase/SpecsReleasing' "https://github.com/firebase/SpecsStaging.git" "https://github.com/CocoaPods/Specs.git" \ + --pod-sources 'https://github.com/Firebase/SpecsReleasing' "https://github.com/firebase/SpecsStaging.git" "https://github.com/CocoaPods/Specs.git" \ --include-pods "${targeted_pod}" --keep-repo - name: Clean Artifacts if: ${{ always() }} @@ -143,7 +143,7 @@ jobs: BOT_TOKEN="${botaccess}" ${GITHUB_WORKSPACE}/scripts/third_party/travis/retry.sh .build/debug/spec-repo-builder \ --sdk-repo "${local_sdk_repo_dir}" \ --local-spec-repo-name "${local_repo}" \ - --pod-sources 'https://${BOT_TOKEN}@github.com/Firebase/SpecsReleasing' "https://github.com/firebase/SpecsStaging.git" "https://github.com/CocoaPods/Specs.git" \ + --pod-sources 'https://github.com/Firebase/SpecsReleasing' "https://github.com/firebase/SpecsStaging.git" "https://github.com/CocoaPods/Specs.git" \ --include-pods "${targeted_pod}" \ --keep-repo ${ALLOWWARNINGS:+--allow-warnings} - name: Clean Artifacts From b2685b7a54adc8b5e0f4a1c791176c591dd785a1 Mon Sep 17 00:00:00 2001 From: Nick Cooke Date: Tue, 2 Jul 2024 11:08:39 -0400 Subject: [PATCH 4/5] Fix CI --- .github/workflows/release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 42ebf9c7374..9e581e04ee7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -53,7 +53,8 @@ jobs: scripts/release_testing_setup.sh release_testing - name: Clean spec repo run: | - git clone --quiet https://github.com/Firebase/SpecsReleasing.git "${local_repo}" + botaccess=`cat bot-access.txt` + git clone --quiet https://"$botaccess"@github.com/Firebase/SpecsReleasing.git "${local_repo}" cd "${local_repo}" # Remove all unhidden dirs, i.e. all podspec dir from the spec repo. rm -Rf -- */ From 9438b68be7792ef079b11ed01779851f9ce39e43 Mon Sep 17 00:00:00 2001 From: Nick Cooke Date: Tue, 2 Jul 2024 12:02:52 -0400 Subject: [PATCH 5/5] Rotate secret --- .../gha-encrypted/release-testing-token.txt.gpg | Bin 187 -> 189 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/scripts/gha-encrypted/release-testing-token.txt.gpg b/scripts/gha-encrypted/release-testing-token.txt.gpg index 7a93dc33980e56efb54ed95ad67cc861c2d11bc9..5828c0c2eb23be907e519ff1066e9479b5f66404 100644 GIT binary patch literal 189 zcmV;u07Cza4Fm}T2!2iqE)DKUd zMg0Gy3kMyeu__nm0*bcS3om3-fkXqS?<=^uGGyz}-2M6r!rbEglZJ*Jar=Qj#?srv z_X6!#w;QR@6aZ-+TVg7tEPpBKjbB~P1VWII{vR~tEe|~VoV2h$i?GUi} r%?`a_RO1-aS@^(D1nQ&Hrsf2;LvW&l@%`Ql4gsF!o*)PCjB%1rpoL!f literal 187 zcmV;s07UaIG2Qa1nq