Malicious site protection App settings #9801
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR Checks | |
on: | |
push: | |
branches: [ main, "release/**" ] | |
pull_request: | |
jobs: | |
swiftlint: | |
name: SwiftLint | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: SwiftLint | |
uses: docker://norionomura/swiftlint:0.54.0_swift-5.9.0 | |
with: | |
args: swiftlint --reporter github-actions-logging --strict | |
shellcheck: | |
name: ShellCheck | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the code | |
uses: actions/checkout@v3 | |
- name: Run ShellCheck | |
uses: ludeeus/action-shellcheck@master | |
with: | |
format: gcc | |
scandir: scripts | |
unit-tests: | |
name: Unit Tests | |
runs-on: macos-15 | |
timeout-minutes: 20 | |
outputs: | |
commit_author: ${{ steps.fetch_commit_author.outputs.commit_author }} | |
steps: | |
- name: Check out the code | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Set cache key hash | |
run: | | |
has_only_tags=$(jq '[ .pins[].state | has("version") ] | all' DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved) | |
if [[ "$has_only_tags" == "true" ]]; then | |
echo "cache_key_hash=${{ hashFiles('DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}" >> $GITHUB_ENV | |
else | |
echo "Package.resolved contains dependencies specified by branch or commit, skipping cache." | |
fi | |
- name: Cache SPM | |
if: env.cache_key_hash | |
uses: actions/cache@v3 | |
with: | |
path: DerivedData/SourcePackages | |
key: ${{ runner.os }}-spm-${{ env.cache_key_hash }} | |
restore-keys: | | |
${{ runner.os }}-spm- | |
- name: Install xcbeautify | |
run: brew install xcbeautify | |
- name: Select Xcode | |
run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer | |
- name: Build and test | |
run: | | |
set -o pipefail && xcodebuild test \ | |
-scheme "DuckDuckGo" \ | |
-destination "platform=iOS Simulator,name=iPhone 16,OS=18.1" \ | |
-derivedDataPath "DerivedData" \ | |
-skipPackagePluginValidation \ | |
-skipMacroValidation \ | |
DDG_SLOW_COMPILE_CHECK_THRESHOLD=250 \ | |
| tee xcodebuild.log \ | |
| xcbeautify --report junit --report-path . --junit-report-filename unittests.xml | |
- name: Upload logs if workflow failed | |
uses: actions/upload-artifact@v4 | |
if: failure() || cancelled() | |
with: | |
name: BuildLogs | |
path: | | |
xcodebuild.log | |
DerivedData/Logs/Test/*.xcresult | |
retention-days: 7 | |
- name: Publish unit tests report | |
uses: mikepenz/action-junit-report@v3 | |
with: | |
report_paths: unittests.xml | |
- name: Update Asana with failed unit tests | |
if: always() # always run even if the previous step fails | |
env: | |
ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }} | |
WORKFLOW_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }} | |
run: | | |
# Extract failed tests from the junit report | |
# Only keep failures unique by classname and name (column 1 and 2 of the yq output) | |
yq < unittests.xml -p xml -o json -r \ | |
$'[.testsuites.testsuite[].testcase] | flatten | map(select(.failure) | .+@classname + " " + .+@name + " \'" + .failure.+@message + "\' ${{ env.WORKFLOW_URL }}") | .[]' \ | |
| sort -u -k 1,2 \ | |
| xargs -L 1 ./scripts/report-failed-unit-test.sh -s ${{ vars.APPLE_CI_FAILING_TESTS_FAILED_TESTS_SECTION_ID }} | |
- name: Fetch latest commit author | |
if: always() && github.ref_name == 'main' | |
id: fetch_commit_author | |
env: | |
GH_TOKEN: ${{ github.token }} | |
run: | | |
head_commit=$(git rev-parse HEAD) | |
author=$(gh api https://api.github.com/repos/${{ github.repository }}/commits/${head_commit} --jq .author.login) | |
echo "commit_author=${author}" >> $GITHUB_OUTPUT | |
release-build: | |
name: Make Release Build | |
# Dependabot doesn't have access to all secrets, so we skip this job | |
if: github.actor != 'dependabot[bot]' | |
runs-on: macos-15 | |
timeout-minutes: 30 | |
steps: | |
- name: Register SSH keys for access to certificates | |
uses: webfactory/[email protected] | |
with: | |
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }} | |
- name: Check out the code | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Set cache key hash | |
run: | | |
has_only_tags=$(jq '[ .pins[].state | has("version") ] | all' DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved) | |
if [[ "$has_only_tags" == "true" ]]; then | |
echo "cache_key_hash=${{ hashFiles('DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}" >> $GITHUB_ENV | |
else | |
echo "Package.resolved contains dependencies specified by branch or commit, skipping cache." | |
fi | |
- name: Cache SPM | |
if: env.cache_key_hash | |
uses: actions/cache@v3 | |
with: | |
path: DerivedData/SourcePackages | |
key: ${{ runner.os }}-spm-release-${{ env.cache_key_hash }} | |
restore-keys: | | |
${{ runner.os }}-spm-release- | |
- name: Install xcbeautify | |
run: brew install xcbeautify | |
- name: Select Xcode | |
run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer | |
- name: Prepare fastlane | |
run: bundle install | |
- name: Build the app | |
env: | |
APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }} | |
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} | |
APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }} | |
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }} | |
run: | | |
bundle exec fastlane sync_signing | |
set -o pipefail && xcodebuild \ | |
-scheme "DuckDuckGo" \ | |
-destination "platform=iOS Simulator,name=iPhone 16" \ | |
-derivedDataPath "DerivedData" \ | |
-configuration "Release" \ | |
-skipPackagePluginValidation \ | |
-skipMacroValidation \ | |
| xcbeautify | |
create-asana-task: | |
name: Create Asana Task | |
needs: [swiftlint, unit-tests, shellcheck, release-build] | |
if: failure() && github.ref_name == 'main' && github.run_attempt == 1 | |
runs-on: ubuntu-latest | |
steps: | |
- name: Create Asana Task | |
uses: duckduckgo/BrowserServicesKit/.github/actions/asana-failed-pr-checks@main | |
with: | |
action: create-task | |
asana-access-token: ${{ secrets.ASANA_ACCESS_TOKEN }} | |
asana-section-id: ${{ vars.APPLE_CI_FAILING_TESTS_IOS_POST_MERGE_SECTION_ID }} | |
commit-author: ${{ needs.unit-tests.outputs.commit_author }} | |
close-asana-task: | |
name: Close Asana Task | |
needs: [swiftlint, unit-tests, shellcheck, release-build] | |
if: success() && github.ref_name == 'main' && github.run_attempt > 1 | |
runs-on: ubuntu-latest | |
steps: | |
- name: Close Asana Task | |
uses: duckduckgo/BrowserServicesKit/.github/actions/asana-failed-pr-checks@main | |
with: | |
action: close-task | |
asana-access-token: ${{ secrets.ASANA_ACCESS_TOKEN }} | |
asana-section-id: ${{ vars.APPLE_CI_FAILING_TESTS_IOS_POST_MERGE_SECTION_ID }} |