diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml new file mode 100644 index 00000000000..d78fbc3fd89 --- /dev/null +++ b/.github/workflows/_build.yml 
@@ -0,0 +1,139 @@ +name: _build + +permissions: + contents: read + +on: + workflow_call: + inputs: + product: + required: true + type: string + platform: + required: true + type: string + method: + required: true + type: string + sanitizers: + required: false + type: string + description: "Space-separated list of sanitizers (asan, tsan, ubsan)" + setup_command: + required: false + type: string + description: "Command to run before build (e.g., for setting up secrets or prerequisites)" + xcode: + required: false + type: string + default: 'Xcode_16.4' + os: + required: false + type: string + default: 'macos-15' + timeout_minutes: + required: false + type: number + default: 120 + max_attempts: + required: false + type: number + default: 3 + + # IMPORTANT: When adding new secrets to this workflow, update the + # 'has_secrets' logic in the 'check_secrets' job to include the new secret. + secrets: + plist_secret: + required: false + +jobs: + check_secrets: + runs-on: ubuntu-latest + outputs: + should_run: ${{ steps.determine_run.outputs.should_run }} + has_secrets: ${{ steps.determine_run.outputs.has_secrets }} + env: + plist_secret: ${{ secrets.plist_secret }} + steps: + - name: Determine if build should run and if secrets are present + id: determine_run + run: | + # 1. Check for secrets. + # - IMPORTANT: Extend this logic if adding new secrets. + if [[ -n "$plist_secret" ]]; then + has_secrets="true" + else + has_secrets="false" + fi + echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT + + # 2. Determine if the build job should run. + # - Skip if on a fork AND secrets are present. 
+ repo_full_name=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]') + if [[ "$repo_full_name" != "firebase/firebase-ios-sdk" && "$has_secrets" == "true" ]]; then + echo "should_run=false" >> $GITHUB_OUTPUT + else + echo "should_run=true" >> $GITHUB_OUTPUT + fi + + build: + needs: check_secrets + # Run on the main repo's scheduled jobs or pull requests and manual workflow invocations. + if: | + needs.check_secrets.outputs.should_run == 'true' && + ( + (github.repository == 'firebase/firebase-ios-sdk' && github.event_name == 'schedule') || + contains(fromJSON('["pull_request", "workflow_dispatch"]'), github.event_name) + ) + runs-on: ${{ inputs.os }} + env: + SANITIZERS: ${{ inputs.sanitizers }} + plist_secret: ${{ secrets.plist_secret }} + FIREBASECI_SECRETS_PRESENT: ${{ needs.check_secrets.outputs.has_secrets }} + FIREBASECI_IS_TRUSTED_ENV: ${{ github.repository == 'firebase/firebase-ios-sdk' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }} + FIREBASECI_USE_LATEST_GOOGLEAPPMEASUREMENT: 1 + steps: + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 + if: inputs.method != 'spm' && inputs.method != 'spmbuildonly' && inputs.method != 'cmake' + - name: Setup Bundler + if: inputs.method != 'spm' && inputs.method != 'spmbuildonly' && inputs.method != 'cmake' + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 + with: + timeout_minutes: 10 + max_attempts: 5 + retry_wait_seconds: 300 + command: scripts/setup_bundler.sh + - name: Xcode + run: sudo xcode-select -s /Applications/${{ inputs.xcode }}.app/Contents/Developer + - name: Install simulators + if: inputs.platform != 'macOS' && inputs.platform != 'catalyst' + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 + with: + timeout_minutes: 15 + max_attempts: 5 + retry_wait_seconds: 120 + continue_on_error: true + 
command: | + if [[ "${{ inputs.platform }}" == "all" ]]; then + xcodebuild -downloadAllPlatforms + else + xcodebuild -downloadPlatform ${{ inputs.platform }} + fi + - name: Run setup command + if: inputs.setup_command != '' + run: ${{ inputs.setup_command }} + - name: Build + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 + with: + timeout_minutes: ${{ inputs.timeout_minutes }} + max_attempts: ${{ inputs.max_attempts }} + retry_wait_seconds: 120 + command: | + scripts/build.sh "${{ inputs.product }}" "${{ inputs.platform }}" "${{ inputs.method }}" + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + if: ${{ failure() }} + with: + name: xcodebuild-logs-${{ inputs.product }}-${{ inputs.platform }}-${{ inputs.method }} + path: xcodebuild-*.log + if-no-files-found: error diff --git a/.github/workflows/infra.samples.client_app.yml b/.github/workflows/infra.samples.client_app.yml index f4b432ec70b..8ac87bc5d49 100644 --- a/.github/workflows/infra.samples.client_app.yml +++ b/.github/workflows/infra.samples.client_app.yml @@ -1,5 +1,8 @@ name: infra.samples.client_app +permissions: + contents: read + on: workflow_dispatch: pull_request: @@ -25,7 +28,6 @@ concurrency: jobs: client-app-spm: - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' strategy: matrix: #TODO(ncooke3): Add multi-platform support: tvOS, macOS, catalyst 
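Review bot: `plist_secret` sits in the job-level `env` of `build`, so every step receives the passphrase, including the third-party `ruby/setup-ruby` and `nick-fields/retry` actions and the `Build` step that runs scripts from the checked-out ref, while in the callers shown in this diff only `setup_command` references `$plist_secret`. Scoping it to the `Run setup command` step would narrow that exposure, provided `scripts/build.sh` does not read it itself (not visible here); `FIREBASECI_SECRETS_PRESENT` already carries the presence flag. The same steps also expand `${{ inputs.platform }}`, `${{ inputs.product }}` and `${{ inputs.method }}` straight into shell text, so a caller value containing shell metacharacters would be parsed as code; passing them through `env` and quoting the variables avoids that. `run: ${{ inputs.setup_command }}` is shell by design, so the input's `description` should state that callers may only pass static strings.

```yaml
    env:
      SANITIZERS: ${{ inputs.sanitizers }}
      FIREBASECI_SECRETS_PRESENT: ${{ needs.check_secrets.outputs.has_secrets }}
      # … unchanged: FIREBASECI_IS_TRUSTED_ENV, FIREBASECI_USE_LATEST_GOOGLEAPPMEASUREMENT …
    steps:
      # … unchanged: checkout, setup-ruby, Setup Bundler, Xcode …
      - name: Install simulators
        # … unchanged: if, uses …
        env:
          PLATFORM: ${{ inputs.platform }}
        with:
          # … unchanged: timeout_minutes, max_attempts, retry_wait_seconds, continue_on_error …
          command: |
            if [[ "$PLATFORM" == "all" ]]; then
              xcodebuild -downloadAllPlatforms
            else
              xcodebuild -downloadPlatform "$PLATFORM"
            fi
      - name: Run setup command
        if: inputs.setup_command != ''
        env:
          plist_secret: ${{ secrets.plist_secret }}
        run: ${{ inputs.setup_command }}
      - name: Build
        # … unchanged: uses …
        env:
          PRODUCT: ${{ inputs.product }}
          PLATFORM: ${{ inputs.platform }}
          METHOD: ${{ inputs.method }}
        with:
          # … unchanged: timeout_minutes, max_attempts, retry_wait_seconds …
          command: |
            scripts/build.sh "$PRODUCT" "$PLATFORM" "$METHOD"
```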
@@ -37,41 +39,36 @@ jobs: xcode: Xcode_16.2 - os: macos-15 xcode: Xcode_16.4 - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - name: Xcode - run: sudo xcode-select -s /Applications/${{ matrix.xcode }}.app/Contents/Developer - - name: Build Client App - ${{ matrix.platform }} - run: scripts/third_party/travis/retry.sh ./scripts/build.sh ${{ matrix.scheme }} ${{ matrix.platform }} xcodebuild + uses: ./.github/workflows/_build.yml + with: + product: ${{ matrix.scheme }} + platform: ${{ matrix.platform }} + method: xcodebuild + os: ${{ matrix.os }} + xcode: ${{ matrix.xcode }} client-app-spm-source-firestore: - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' - env: - FIREBASECI_USE_LATEST_GOOGLEAPPMEASUREMENT: 1 - FIREBASE_SOURCE_FIRESTORE: 1 - strategy: - matrix: - #TODO(ncooke3): Add multi-platform support: tvOS, macOS, catalyst - platform: [iOS] - scheme: [ClientApp] - os: [macos-14, macos-15] - include: - - os: macos-14 - xcode: Xcode_16.2 - - os: macos-15 - xcode: Xcode_16.4 - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - name: Xcode - run: sudo xcode-select -s /Applications/${{ matrix.xcode }}.app/Contents/Developer - - name: Build Client App - ${{ matrix.platform }} - run: scripts/third_party/travis/retry.sh ./scripts/build.sh ${{ matrix.scheme }} ${{ matrix.platform }} xcodebuild + strategy: + matrix: + #TODO(ncooke3): Add multi-platform support: tvOS, macOS, catalyst + platform: [iOS] + scheme: [ClientApp] + os: [macos-14, macos-15] + include: + - os: macos-14 + xcode: Xcode_16.2 + - os: macos-15 + xcode: Xcode_16.4 + uses: ./.github/workflows/_build.yml + with: + product: ${{ matrix.scheme }} + platform: ${{ matrix.platform }} + method: xcodebuild + os: ${{ matrix.os }} + xcode: ${{ matrix.xcode }} + setup_command: echo 
"FIREBASE_SOURCE_FIRESTORE=1" >> $GITHUB_ENV client-app-cocoapods: - # Don't run on private repo unless it is a PR. - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' strategy: matrix: scheme: [ClientApp-CocoaPods] @@ -81,15 +78,11 @@ jobs: xcode: Xcode_16.2 - os: macos-15 xcode: Xcode_16.4 - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Xcode - run: sudo xcode-select -s /Applications/${{ matrix.xcode }}.app/Contents/Developer - - name: Prereqs - run: scripts/install_prereqs.sh ClientApp iOS xcodebuild - - name: Build - run: scripts/build.sh ${{ matrix.scheme }} iOS xcodebuild + uses: ./.github/workflows/_build.yml + with: + product: ${{ matrix.scheme }} + platform: iOS + method: xcodebuild + os: ${{ matrix.os }} + xcode: ${{ matrix.xcode }} + setup_command: scripts/install_prereqs.sh ClientApp iOS xcodebuild diff --git a/.github/workflows/infra.samples.symbolcollision.yml b/.github/workflows/infra.samples.symbolcollision.yml index 1552078c3f4..47cb514aaa9 100644 --- a/.github/workflows/infra.samples.symbolcollision.yml +++ b/.github/workflows/infra.samples.symbolcollision.yml @@ -1,5 +1,8 @@ name: infra.samples.symbolcollision +permissions: + contents: read + # Tests the Pods listed in SymbolCollisionTest/Podfile for symbol collisions. on: 
@@ -19,25 +22,9 @@ concurrency: jobs: installation-test: - # Don't run on private repo unless it is a PR. - if: github.repository == 'Firebase/firebase-ios-sdk' || github.event_name == 'pull_request' - runs-on: macos-15 - - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - name: Install simulators in case they are missing. - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 - with: - timeout_minutes: 15 - max_attempts: 5 - retry_wait_seconds: 120 - command: sudo xcodebuild -downloadPlatform iOS - - name: Prereqs - run: scripts/install_prereqs.sh SymbolCollision iOS - - name: Build - run: scripts/build.sh SymbolCollision iOS + uses: ./.github/workflows/_build.yml + with: + product: SymbolCollision + platform: iOS + method: xcodebuild + setup_command: scripts/install_prereqs.sh SymbolCollision iOS diff --git a/.github/workflows/sdk.appcheck.yml b/.github/workflows/sdk.appcheck.yml index 4c7a10414a2..c47ff92a2c0 100644 --- a/.github/workflows/sdk.appcheck.yml +++ b/.github/workflows/sdk.appcheck.yml 
@@ -43,30 +43,20 @@ jobs: product: [FirebaseAppCheckInterop, FirebaseAppCheck] uses: ./.github/workflows/_cocoapods.yml with: - product: ${{ matrix.product }} + product: ${{ matrix.product }} buildonly_platforms: macOS diagnostics: - # Don't run on private repo unless it is a PR. - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' - runs-on: macos-15 strategy: matrix: diagnostic: [tsan, asan, ubsan] - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - name: Initialize xcodebuild - run: scripts/setup_spm_tests.sh - - name: iOS Unit Tests - run: scripts/third_party/travis/retry.sh ./scripts/build.sh FirebaseAppCheckUnit iOS spm ${{ matrix.diagnostic }} - - name: Upload raw logs if failed - if: ${{ failure() }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: failure-xcodebuild-raw-logs - path: xcodebuild.log + uses: ./.github/workflows/_build.yml + with: + product: FirebaseAppCheckUnit + platform: iOS + method: spm + sanitizers: ${{ matrix.diagnostic }} + setup_command: scripts/setup_spm_tests.sh app_check-cron-only: needs: pod_lib_lint diff --git a/.github/workflows/sdk.auth.yml b/.github/workflows/sdk.auth.yml index 1e10683ec6a..6b9a28f9f34 100644 --- a/.github/workflows/sdk.auth.yml +++ b/.github/workflows/sdk.auth.yml @@ -92,7 +92,7 @@ jobs: timeout_minutes: 15 max_attempts: 5 retry_wait_seconds: 120 - command: sudo xcodebuild -downloadPlatform iOS + command: xcodebuild -downloadPlatform iOS - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 with: timeout_minutes: 15 diff --git a/.github/workflows/sdk.combine.yml b/.github/workflows/sdk.combine.yml index 82b59248751..b2c4becaf6f 100644 --- a/.github/workflows/sdk.combine.yml +++ b/.github/workflows/sdk.combine.yml 
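Review bot: All three `diagnostics` matrix legs call `_build.yml` with the same `product`, `platform` and `method`, so on failure each uploads under the same artifact name, `xcodebuild-logs-FirebaseAppCheckUnit-iOS-spm`. Recent `actions/upload-artifact` majors reject a second upload to an existing name within one workflow run, so when more than one sanitizer leg fails only the first keeps its logs. Including the remaining inputs in the name in `_build.yml` would fix it, e.g. `name: xcodebuild-logs-${{ inputs.product }}-${{ inputs.platform }}-${{ inputs.method }}-${{ inputs.sanitizers }}`; the `client-app-*` matrices in `infra.samples.client_app.yml` differ only by `os`/`xcode` and would need those added as well. The removed step uploaded `xcodebuild.log`, while `_build.yml` collects `xcodebuild-*.log` with `if-no-files-found: error`, so it is worth confirming that the `spm` method writes a file matching that glob.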
@@ -51,55 +51,27 @@ concurrency: jobs: xcodebuild: - # Don't run on private repo unless it is a PR. - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || contains(fromJSON('["pull_request", "workflow_dispatch"]'), github.event_name) - runs-on: macos-15 - - strategy: - matrix: - target: [iOS] - - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - - name: Install xcpretty - run: gem install xcpretty - - - name: Setup build - run: scripts/install_prereqs.sh CombineSwift ${{ matrix.target }} xcodebuild - - - name: Build and test - run: scripts/third_party/travis/retry.sh scripts/build.sh CombineSwift ${{ matrix.target }} xcodebuild + uses: ./.github/workflows/_build.yml + with: + product: CombineSwift + platform: iOS + method: xcodebuild + setup_command: scripts/install_prereqs.sh CombineSwift iOS xcodebuild + secrets: + plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} storage-combine-integration: - # Don't run on private repo unless it is a PR. 
- if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || contains(fromJSON('["pull_request", "workflow_dispatch"]'), github.event_name) - env: - plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} - runs-on: macos-15 - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Install xcpretty - run: gem install xcpretty - - name: Install Secret GoogleService-Info.plist - run: scripts/decrypt_gha_secret.sh scripts/gha-encrypted/storage-db-plist.gpg \ + uses: ./.github/workflows/_build.yml + with: + product: StorageCombine + platform: all + method: xcodebuild + setup_command: | + scripts/decrypt_gha_secret.sh scripts/gha-encrypted/storage-db-plist.gpg \ FirebaseStorage/Tests/Integration/Resources/GoogleService-Info.plist "$plist_secret" - - name: Install Credentials.h - run: scripts/decrypt_gha_secret.sh scripts/gha-encrypted/Storage/Credentials.h.gpg \ + scripts/decrypt_gha_secret.sh scripts/gha-encrypted/Storage/Credentials.h.gpg \ FirebaseStorage/Tests/ObjCIntegration/Credentials.h "$plist_secret" - - name: Install Credentials.swift - run: | scripts/decrypt_gha_secret.sh scripts/gha-encrypted/Storage/Credentials.swift.gpg \ FirebaseStorage/Tests/Integration/Credentials.swift "$plist_secret" - - name: BuildAndTest # can be replaced with pod lib lint with CocoaPods 1.10 - run: ([ -z $plist_secret ] || scripts/third_party/travis/retry.sh scripts/build.sh StorageCombine all) + secrets: + plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} diff --git a/.github/workflows/sdk.database.yml b/.github/workflows/sdk.database.yml index ed9c83ab433..ebf78d7460b 100644 --- a/.github/workflows/sdk.database.yml +++ b/.github/workflows/sdk.database.yml 
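Review bot: The `xcodebuild` job now passes `plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }}` to `_build.yml`, but its `setup_command` (`scripts/install_prereqs.sh CombineSwift iOS xcodebuild`) never references `$plist_secret`, and the job it replaces had no `env` entry for the passphrase. Passing it puts the secret into the environment of a build that previously ran without it, and it also flips `has_secrets` to `true` in `check_secrets`, which makes `should_run` false for this job outside `firebase/firebase-ios-sdk`. Unless the CombineSwift build needs the passphrase (not visible here), drop the `secrets:` block from `xcodebuild` and keep it only on `storage-combine-integration`.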
@@ -51,28 +51,11 @@ jobs: buildonly_platforms: macOS integration: - # Don't run on private repo unless it is a PR. - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' - runs-on: macos-15 - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Install xcpretty - run: gem install xcpretty - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - name: Install simulators in case they are missing. - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 - with: - timeout_minutes: 15 - max_attempts: 5 - retry_wait_seconds: 120 - command: sudo xcodebuild -downloadPlatform iOS - - name: IntegrationTest - # Only iOS to mitigate flakes. - run: scripts/third_party/travis/retry.sh scripts/build.sh Database iOS integration + uses: ./.github/workflows/_build.yml + with: + product: Database + platform: iOS + method: integration quickstart: uses: ./.github/workflows/_quickstart.yml diff --git a/.github/workflows/sdk.firebasepod.yml b/.github/workflows/sdk.firebasepod.yml index 6f55a3901e7..33d3ec2528c 100644 --- a/.github/workflows/sdk.firebasepod.yml +++ b/.github/workflows/sdk.firebasepod.yml 
@@ -20,28 +20,11 @@ concurrency: jobs: installation-test: + # Don't run on private repo. if: github.repository == 'Firebase/firebase-ios-sdk' - runs-on: macos-latest - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - name: Install simulators in case they are missing. - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 - with: - timeout_minutes: 15 - max_attempts: 5 - retry_wait_seconds: 120 - command: sudo xcodebuild -downloadPlatform iOS - - name: Prereqs - run: scripts/install_prereqs.sh FirebasePod iOS - - name: Build - run: scripts/build.sh FirebasePod iOS - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - if: ${{ failure() }} - with: - name: firebasepod-xcodebuild-build.log - path: xcodebuild-build.log + uses: ./.github/workflows/_build.yml + with: + product: FirebasePod + platform: iOS + method: xcodebuild + setup_command: scripts/install_prereqs.sh FirebasePod iOS diff --git a/.github/workflows/sdk.inappmessaging.yml b/.github/workflows/sdk.inappmessaging.yml index 363d3308826..c3c180c7419 100644 --- a/.github/workflows/sdk.inappmessaging.yml +++ b/.github/workflows/sdk.inappmessaging.yml 
@@ -38,35 +38,19 @@ jobs: platforms: iOS, tvOS tests: - # Don't run on private repo unless it is a PR. - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' - -# TODO(#12770): Update to macos-14 when tests are updated for Xcode 15. - runs-on: macos-15 strategy: matrix: # TODO(#8682): Reenable iPad after fixing Xcode 13 test failures. # platform: [iOS, iPad] platform: [iOS] xcode: [Xcode_16.4] - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Xcode - run: sudo xcode-select -s /Applications/${{ matrix.xcode }}.app/Contents/Developer - - name: Install simulators in case they are missing. - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 - with: - timeout_minutes: 15 - max_attempts: 5 - retry_wait_seconds: 120 - command: sudo xcodebuild -downloadPlatform ${{ matrix.platform }} - - name: Prereqs - run: scripts/install_prereqs.sh InAppMessaging ${{ matrix.platform }} xcodebuild - - name: Build and test - run: scripts/third_party/travis/retry.sh scripts/build.sh InAppMessaging ${{ matrix.platform }} xcodebuild + uses: ./.github/workflows/_build.yml + with: + product: InAppMessaging + platform: ${{ matrix.platform }} + method: xcodebuild + xcode: ${{ matrix.xcode }} + setup_command: scripts/install_prereqs.sh InAppMessaging ${{ matrix.platform }} xcodebuild fiam-cron-only: needs: pod_lib_lint diff --git a/.github/workflows/sdk.messaging.yml b/.github/workflows/sdk.messaging.yml index b810ce6bf62..a1c15e9149e 100644 --- a/.github/workflows/sdk.messaging.yml +++ b/.github/workflows/sdk.messaging.yml 
@@ -54,36 +54,19 @@ jobs: # TODO(#12205) Update the build.sh script for this job from "test" instead of "build" messaging-integration-tests: - # Don't run on private repo unless it is a PR. - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' - env: - plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} - runs-on: macos-15 - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - name: Install simulators in case they are missing. - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 - with: - timeout_minutes: 15 - max_attempts: 5 - retry_wait_seconds: 120 - command: sudo xcodebuild -downloadPlatform iOS - - name: Configure test keychain - run: scripts/configure_test_keychain.sh - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Install xcpretty - run: gem install xcpretty - - name: Install Secret GoogleService-Info.plist - run: | - mkdir FirebaseMessaging/Tests/IntegrationTests/Resources + uses: ./.github/workflows/_build.yml + with: + product: Messaging + platform: all + method: xcodebuild + setup_command: | + scripts/configure_test_keychain.sh + gem install xcpretty + mkdir -p FirebaseMessaging/Tests/IntegrationTests/Resources scripts/decrypt_gha_secret.sh scripts/gha-encrypted/messaging-sample-plist.gpg \ FirebaseMessaging/Tests/IntegrationTests/Resources/GoogleService-Info.plist "$plist_secret" - - name: BuildAndTest - run: ([ -z $plist_secret ] || scripts/third_party/travis/retry.sh scripts/build.sh Messaging all) + secrets: + plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} quickstart: uses: ./.github/workflows/_quickstart.yml 
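Review bot: The removed `BuildAndTest` step skipped the build when the passphrase was empty (`[ -z $plist_secret ] || …`), and nothing in this job or in the visible part of `_build.yml` replaces that guard: with no secret, `check_secrets` sets `should_run=true` and `Build` runs after `decrypt_gha_secret.sh` was called with an empty passphrase. An empty secret is the normal state for pull requests from forks, so confirm that `scripts/build.sh` or `scripts/check_secrets.sh` (changed in this commit, hunks not shown here) skips when `FIREBASECI_SECRETS_PRESENT` is `false`; otherwise these jobs fail where they used to pass as no-ops. If the scripts do not cover it, wrap the secret-dependent lines of `setup_command` in `if [[ -n "$plist_secret" ]]; then … fi`, as the `remoteconfig-integration` job does for the access token. The same applies to `storage-combine-integration`, `sample-build-test`, `mlmodeldownloader-sample-build-test`, `remoteconfig-integration` and `storage-integration-tests`.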
@@ -105,11 +88,6 @@ jobs: flags: '[ "--use-static-frameworks" ]' sample-build-test: - # Don't run on private repo unless it is a PR. - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' - env: - plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} - runs-on: macos-15 strategy: matrix: include: @@ -119,32 +97,15 @@ jobs: platform: iOS - target: MessagingSampleStandaloneWatchApp platform: watchOS - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - name: Install Secret GoogleService-Info.plist - run: | + uses: ./.github/workflows/_build.yml + with: + product: ${{ matrix.target }} + platform: ${{ matrix.platform }} + method: xcodebuild + setup_command: | scripts/decrypt_gha_secret.sh scripts/gha-encrypted/messaging-sample-plist.gpg \ FirebaseMessaging/Apps/Shared/GoogleService-Info.plist "$plist_secret" - - name: Prereqs - run: scripts/install_prereqs.sh ${{ matrix.target }} ${{ matrix.platform }} - - name: Install simulators in case they are missing. - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 - with: - timeout_minutes: 15 - max_attempts: 5 - retry_wait_seconds: 120 - command: sudo xcodebuild -downloadPlatform ${{ matrix.platform }} - - name: Build - run: ([ -z $plist_secret ] || scripts/build.sh ${{ matrix.target }} ${{ matrix.platform }}) - - name: Upload xcodebuild logs - if: failure() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: xcodebuild-logs-${{ matrix.target }} - path: xcodebuild-*.log + scripts/install_prereqs.sh ${{ matrix.target }} ${{ matrix.platform }} + secrets: + plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} 
diff --git a/.github/workflows/sdk.mlmodeldownloader.yml b/.github/workflows/sdk.mlmodeldownloader.yml index 03b5696437b..c4c7eb5bab5 100644 --- a/.github/workflows/sdk.mlmodeldownloader.yml +++ b/.github/workflows/sdk.mlmodeldownloader.yml @@ -61,31 +61,15 @@ jobs: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} mlmodeldownloader-sample-build-test: - # Don't run on private repo unless it is a PR. - if: github.repository == 'Firebase/firebase-ios-sdk' && (github.event_name == 'schedule' || github.event_name == 'pull_request') - env: - plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} - runs-on: macos-15 - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Install simulators in case they are missing. - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 - with: - timeout_minutes: 15 - max_attempts: 5 - retry_wait_seconds: 120 - command: sudo xcodebuild -downloadPlatform iOS - - name: Install GoogleService-Info.plist - run: | - mkdir FirebaseMLModelDownloader/Apps/Sample/Resources + uses: ./.github/workflows/_build.yml + with: + product: MLModelDownloaderSample + platform: iOS + method: xcodebuild + setup_command: | + mkdir -p FirebaseMLModelDownloader/Apps/Sample/Resources scripts/decrypt_gha_secret.sh scripts/gha-encrypted/MLModelDownloader/GoogleService-Info.plist.gpg \ FirebaseMLModelDownloader/Apps/Sample/Resources/GoogleService-Info.plist "$plist_secret" - - name: Prereqs - run: scripts/install_prereqs.sh MLModelDownloaderSample iOS - - name: Build - run: ([ -z $plist_secret ] || scripts/build.sh MLModelDownloaderSample iOS) + scripts/install_prereqs.sh MLModelDownloaderSample iOS + secrets: + plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} 
diff --git a/.github/workflows/sdk.performance.integration.yml b/.github/workflows/sdk.performance.integration.yml index 976ad047341..ae0196e07cb 100644 --- a/.github/workflows/sdk.performance.integration.yml +++ b/.github/workflows/sdk.performance.integration.yml @@ -2,6 +2,9 @@ # Reference: https://github.community/t/on-schedule-per-branch/17525 name: sdk.performance.integration +permissions: + contents: read + on: workflow_dispatch: pull_request: @@ -23,24 +26,16 @@ jobs: # Public repository: Build and run the Integration Tests for the Firebase performance E2E Test App. performance-integration-tests: - if: github.repository == 'Firebase/firebase-ios-sdk' - env: - plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} - runs-on: macos-15 - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Install xcpretty - run: gem install xcpretty - - name: Install Secret GoogleService-Info.plist - run: | + uses: ./.github/workflows/_build.yml + with: + product: Performance + platform: all + method: integration + setup_command: | + gem install xcpretty scripts/decrypt_gha_secret.sh scripts/gha-encrypted/Performance/GoogleService-Info_e2e_autopush.plist.gpg \ FirebasePerformance/Tests/FIRPerfE2E/FIRPerfE2EAutopush/GoogleService-Info.plist "$plist_secret" scripts/decrypt_gha_secret.sh scripts/gha-encrypted/Performance/GoogleService-Info_e2e_prod.plist.gpg \ FirebasePerformance/Tests/FIRPerfE2E/FIRPerfE2EProd/GoogleService-Info.plist "$plist_secret" - - name: BuildAndTest # can be replaced with pod lib lint with CocoaPods 1.10 - run: scripts/third_party/travis/retry.sh scripts/build.sh Performance all integration + secrets: + plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} 
diff --git a/.github/workflows/sdk.performance.yml b/.github/workflows/sdk.performance.yml index 03b621c4fd8..d9296bf6b79 100644 --- a/.github/workflows/sdk.performance.yml +++ b/.github/workflows/sdk.performance.yml @@ -48,31 +48,16 @@ jobs: # Build and run the unit tests for Firebase performance SDK. performance: - # Don't run on private repo unless it is a PR. - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' - runs-on: macos-15 strategy: matrix: target: [iOS, tvOS] test: [unit, proddev] - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - name: Install simulators in case they are missing. - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 - with: - timeout_minutes: 15 - max_attempts: 5 - retry_wait_seconds: 120 - command: sudo xcodebuild -downloadPlatform ${{ matrix.target }} - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Install xcpretty - run: gem install xcpretty - - name: BuildAndTest # can be replaced with pod lib lint with CocoaPods 1.10 - run: scripts/third_party/travis/retry.sh scripts/build.sh Performance ${{ matrix.target }} ${{ matrix.test }} + uses: ./.github/workflows/_build.yml + with: + product: Performance + platform: ${{ matrix.target }} + method: ${{ matrix.test }} + setup_command: gem install xcpretty pod_lib_lint: uses: ./.github/workflows/_cocoapods.yml diff --git a/.github/workflows/sdk.remoteconfig.yml b/.github/workflows/sdk.remoteconfig.yml index 88720a6e81c..344991e02a4 100644 --- a/.github/workflows/sdk.remoteconfig.yml +++ b/.github/workflows/sdk.remoteconfig.yml 
@@ -44,43 +44,31 @@ jobs: product: FirebaseRemoteConfig target: FirebaseRemoteConfig-Unit-unit - remoteconfig: - # Don't run on private repo unless it is a PR. - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' - env: + remoteconfig-fakeconsole: + uses: ./.github/workflows/_build.yml + with: + product: RemoteConfig + platform: iOS + method: fakeconsole + + remoteconfig-integration: + uses: ./.github/workflows/_build.yml + with: + product: RemoteConfig + platform: iOS + method: integration + setup_command: | + gem install xcpretty + echo "USE_REAL_CONSOLE=1" >> $GITHUB_ENV + scripts/decrypt_gha_secret.sh scripts/gha-encrypted/RemoteConfigSwiftAPI/GoogleService-Info.plist.gpg \ + FirebaseRemoteConfig/Tests/Swift/SwiftAPI/GoogleService-Info.plist "$plist_secret" + # Generate Access Token only if secret is present (handled by script logic usually, but here explicit) + if [[ -n "$plist_secret" ]]; then + scripts/generate_access_token.sh "$plist_secret" scripts/gha-encrypted/RemoteConfigSwiftAPI/ServiceAccount.json.gpg \ + FirebaseRemoteConfig/Tests/Swift/AccessToken.json + fi + secrets: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} - USE_REAL_CONSOLE: true - runs-on: macos-15 - strategy: - matrix: - target: [iOS] - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Install xcpretty - run: gem install xcpretty - - name: Install Secret GoogleService-Info.plist - run: scripts/decrypt_gha_secret.sh scripts/gha-encrypted/RemoteConfigSwiftAPI/GoogleService-Info.plist.gpg \ - FirebaseRemoteConfig/Tests/Swift/SwiftAPI/GoogleService-Info.plist "$plist_secret" - - name: Generate Access Token for RemoteConfigConsoleAPI in IntegrationTests - if: matrix.target == 'iOS' - run: ([ -z $plist_secret ] || 
scripts/generate_access_token.sh "$plist_secret" scripts/gha-encrypted/RemoteConfigSwiftAPI/ServiceAccount.json.gpg - FirebaseRemoteConfig/Tests/Swift/AccessToken.json) - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - name: Fake Console API Tests - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 - with: - timeout_minutes: 15 - max_attempts: 3 - retry_wait_seconds: 120 - command: scripts/build.sh RemoteConfig ${{ matrix.target }} fakeconsole - - name: IntegrationTest - if: matrix.target == 'iOS' - # No retry to avoid exhausting AccessToken quota. - run: ([ -z $plist_secret ] || scripts/build.sh RemoteConfig iOS integration) pod_lib_lint: uses: ./.github/workflows/_cocoapods.yml @@ -98,27 +86,12 @@ jobs: plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} sample-build-test: - # Don't run on private repo unless it is a PR. - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' - runs-on: macos-15 - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - name: Install simulators in case they are missing. - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 - with: - timeout_minutes: 15 - max_attempts: 5 - retry_wait_seconds: 120 - command: sudo xcodebuild -downloadPlatform iOS - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - name: Prereqs - run: scripts/install_prereqs.sh RemoteConfigSample iOS - - name: Build - run: scripts/build.sh RemoteConfigSample iOS + uses: ./.github/workflows/_build.yml + with: + product: RemoteConfigSample + platform: iOS + method: xcodebuild + setup_command: scripts/install_prereqs.sh RemoteConfigSample iOS remoteconfig-cron-only: needs: pod_lib_lint 
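Review bot: `remoteconfig-integration` inherits `max_attempts: 3` from `_build.yml`, whereas the step it replaces ran `scripts/build.sh RemoteConfig iOS integration` exactly once under the comment "No retry to avoid exhausting AccessToken quota". Adding `max_attempts: 1` under `with:` keeps that limit. `USE_REAL_CONSOLE` also changes from `true` (job `env`) to `1` (written to `$GITHUB_ENV`), so check that whatever reads it treats both values the same. The new `remoteconfig-fakeconsole` job no longer decrypts `GoogleService-Info.plist` before the fake-console tests, which the old combined job did; confirm those tests do not need the file.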
diff --git a/.github/workflows/sdk.sessions.integration.yml b/.github/workflows/sdk.sessions.integration.yml index 786aea42403..f726409a8c5 100644 --- a/.github/workflows/sdk.sessions.integration.yml +++ b/.github/workflows/sdk.sessions.integration.yml @@ -2,6 +2,9 @@ # Reference: https://github.community/t/on-schedule-per-branch/17525 name: sdk.sessions.integration +permissions: + contents: read + on: workflow_dispatch: pull_request: @@ -24,23 +27,15 @@ jobs: # Public repository: Build and run the Integration Tests for the Firebase sessions E2E Test App across all environments. sessions-integration-tests: - if: github.repository == 'Firebase/firebase-ios-sdk' - env: - plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} - runs-on: macos-15 - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - name: Xcode - run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Install xcpretty - run: gem install xcpretty - - name: Install Secret GoogleService-Info.plist - run: | + uses: ./.github/workflows/_build.yml + with: + product: Sessions + platform: all + method: integration + setup_command: | + gem install xcpretty scripts/decrypt_gha_secret.sh scripts/gha-encrypted/Sessions/GoogleService-Info_TestApp.plist.gpg \ FirebaseSessions/Tests/TestApp/Shared/GoogleService-Info.plist "$plist_secret" - - name: BuildAndTest # can be replaced with pod lib lint with CocoaPods 1.10 - run: scripts/third_party/travis/retry.sh scripts/build.sh Sessions all integration + secrets: + plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} diff --git a/.github/workflows/sdk.storage.yml b/.github/workflows/sdk.storage.yml index 2755e582b4f..44eabc6a488 100644 --- a/.github/workflows/sdk.storage.yml +++ b/.github/workflows/sdk.storage.yml 
@@ -38,49 +38,23 @@ jobs: target: FirebaseStorage-Unit-unit storage-integration-tests: - # Don't run on private repo unless it is a PR. - if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request' strategy: matrix: - language: [Swift, ObjC] - include: - - os: macos-15 - xcode: Xcode_16.4 - env: - plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1 - - name: Setup Bundler - run: scripts/setup_bundler.sh - - name: Install xcpretty - run: gem install xcpretty - - name: Install Secret GoogleService-Info.plist - run: scripts/decrypt_gha_secret.sh scripts/gha-encrypted/storage-db-plist.gpg \ - FirebaseStorage/Tests/Integration/Resources/GoogleService-Info.plist "$plist_secret" - - name: Install Credentials.h - run: scripts/decrypt_gha_secret.sh scripts/gha-encrypted/Storage/Credentials.h.gpg \ - FirebaseStorage/Tests/ObjCIntegration/Credentials.h "$plist_secret" - - name: Install Credentials.swift - run: | + product: [StorageSwift, StorageObjC] + uses: ./.github/workflows/_build.yml + with: + product: ${{ matrix.product }} + platform: all + method: xcodebuild + setup_command: | + scripts/decrypt_gha_secret.sh scripts/gha-encrypted/storage-db-plist.gpg \ + FirebaseStorage/Tests/Integration/Resources/GoogleService-Info.plist "$plist_secret" + scripts/decrypt_gha_secret.sh scripts/gha-encrypted/Storage/Credentials.h.gpg \ + FirebaseStorage/Tests/ObjCIntegration/Credentials.h "$plist_secret" scripts/decrypt_gha_secret.sh scripts/gha-encrypted/Storage/Credentials.swift.gpg \ - FirebaseStorage/Tests/Integration/Credentials.swift "$plist_secret" - - name: Xcode - run: sudo xcode-select -s /Applications/${{ matrix.xcode }}.app/Contents/Developer - - name: Install simulators in case they are missing. 
- uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 - with: - timeout_minutes: 15 - max_attempts: 5 - retry_wait_seconds: 120 - command: sudo xcodebuild -downloadPlatform iOS - - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 - with: - timeout_minutes: 15 - max_attempts: 3 - retry_wait_seconds: 120 - command: ([ -z $plist_secret ] || scripts/build.sh Storage${{ matrix.language }} all) + FirebaseStorage/Tests/Integration/Credentials.swift "$plist_secret" + secrets: + plist_secret: ${{ secrets.GHASecretsGPGPassphrase1 }} quickstart: uses: ./.github/workflows/_quickstart.yml diff --git a/scripts/check_secrets.sh b/scripts/check_secrets.sh index 04f7c27383e..988acee7083 100755 --- a/scripts/check_secrets.sh +++ b/scripts/check_secrets.sh 
@@ -22,13 +22,20 @@ echo "GITHUB_HEAD_REF: ${GITHUB_HEAD_REF:-}" check_secrets() { - # GitHub Actions: Secrets are available if we're not running on a fork. - # See https://help.github.com/en/actions/automating-your-workflow-with-github-actions/using-environment-variables - # TODO- Both GITHUB_BASE_REF and GITHUB_HEAD_REF are set in main repo - # PRs even thought the docs say otherwise. They are not set in cron jobs on main. - # Investigate how do to distinguish fork PRs from main repo PRs. - if [[ -n "${GITHUB_WORKFLOW:-}" ]]; then - return 0 + # 1. Prioritize explicit workflow signal (FIREBASECI_SECRETS_PRESENT). + if [[ -n "${FIREBASECI_SECRETS_PRESENT:-}" ]]; then + if [[ "${FIREBASECI_SECRETS_PRESENT:-}" == "true" || "${FIREBASECI_IS_TRUSTED_ENV:-}" == "true" ]]; then + return 0 # Secrets are available, or it's a trusted env where they might be. + fi + return 1 # We don't expect secrets (e.g., fork PR). Skip gracefully. fi + + # 2. Fallback for un-migrated/legacy workflows: assume secrets if in GHA. + # - This maintains original behavior for workflows not yet updated with FIREBASECI_SECRETS_PRESENT. + if [[ -n "$GITHUB_WORKFLOW" ]]; then + return 0 # Assume secrets if running in GHA (legacy behavior). + fi + + # 3. Default: No secrets available. return 1 }
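Review bot: The legacy fallback in `check_secrets` tests `"$GITHUB_WORKFLOW"` without the `:-` default that the removed line had (`${GITHUB_WORKFLOW:-}`). If the script runs under `set -u` (the `${GITHUB_HEAD_REF:-}` style nearby suggests it may, but the setting is outside the hunk), a local run with the variable unset aborts instead of returning 1. I would keep the default: `if [[ -n "${GITHUB_WORKFLOW:-}" ]]; then`. Separately, the first branch returns 0 when `FIREBASECI_IS_TRUSTED_ENV` is `true` even if `FIREBASECI_SECRETS_PRESENT` is `false`, so callers proceed as though secrets exist. If the intent is for a missing secret to fail loudly in the main repo rather than skip, a comment would help, e.g. `# Trusted env without secrets: proceed so the missing secret fails the job instead of skipping it.`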