2 changes: 1 addition & 1 deletion .github/workflows/distribute-beta.yml
@@ -1,4 +1,4 @@
name: Distribute latest uploaded beta
name: Distribute beta
on: workflow_dispatch
jobs:
distribute-android:
3 changes: 3 additions & 0 deletions .github/workflows/nightly-jobs.yml
Expand Up @@ -6,49 +6,52 @@
- cron: '0 03 * * *'
jobs:
pagopa_specs_diff:
name: Check PagoPA API specs alignment
runs-on: ubuntu-latest
environment: dev
steps:
- name: checkout repo content
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
- name: setup python
uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b #v4.6.0
with:
python-version: '3.8'
- name: check api specs alignment
run: ./scripts/pagopa_api_check.sh
shell: bash
io_check_uris:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
name: Check URIs validity in app
runs-on: ubuntu-latest
environment: dev
steps:
- name: checkout repo content
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
- name: setup python
uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b #v4.6.0
with:
python-version: '3.8'
- name: install pipenv
run: pip install pipenv
- name: check uris validity on static texts
run: |
cd scripts/check_urls
pipenv install
pipenv run python3 check_urls.py
io_check_cie_button_exists_ios:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
name: Check that CIE button exists on iOS
runs-on: ubuntu-latest
environment: dev
steps:
- name: checkout repo content
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
- name: setup python
uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b #v4.6.0
with:
python-version: '3.8'
- name: install pipenv
run: pip install pipenv
- name: check cie button exists on ios
run: |
cd scripts/check_cie_button_exists
pipenv install
pipenv run python3 check_cie_button_exists_ios.py
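Review bot: None of the three jobs in this hunk (`pagopa_specs_diff`, `io_check_uris`, `io_check_cie_button_exists_ios`) declares a `permissions:` block, so each runs with the repository's default GITHUB_TOKEN scope although every step shown only checks out the repo and runs a script. Adding `permissions:` / `  contents: read` at the workflow top level (above `jobs:`, outside this hunk) covers all three; the CodeQL annotations in this section point at the same gap. The rendered view drops the +/- markers, so which three lines are the additions cannot be confirmed from here; if they are the `environment: dev` lines, binding a cron-triggered job to an environment also makes that environment's secrets available to it, which is fine only if `dev` holds nothing these scripts do not need.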
@@ -1,4 +1,4 @@
name: "Check for conventional commit change type inside the PR title"
name: PR title conventional commit

on:
pull_request:
Expand All @@ -7,90 +7,90 @@
- edited
- reopened
- synchronize

jobs:
lint:
name: Validate PR Title
name: Check for conventional commit type in PR title
runs-on: ubuntu-22.04
env:
VALID_TYPES: "feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert"
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMENT_TITLE: "## PR Title Validation for conventional commit type"
# https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
TITLE: ${{ github.event.pull_request.title }}
steps:
- name: Check PR Title Format
id: lint
run: |
PR_TITLE="$TITLE"
if [[ "$PR_TITLE" =~ ^([a-z]+)(\(([ a-zA-Z0-9_-]+)\))?:[[:space:]]*(.+)$ ]]; then
TYPE=${BASH_REMATCH[1]}
CONTEXT=${BASH_REMATCH[3]}
DESCRIPTION=${BASH_REMATCH[4]}
echo fix: $TYPE
echo context: $CONTEXT
echo description: $DESCRIPTION
echo "PR_TYPE=$TYPE" >> $GITHUB_ENV
echo "PR_CONTEXT=$CONTEXT" >> $GITHUB_ENV
echo "PR_DESCRIPTION=$DESCRIPTION" >> $GITHUB_ENV
if [[ ! "$TYPE" =~ ^($VALID_TYPES)$ ]]; then
echo "VALIDATION_RESULT=warning" >> $GITHUB_ENV
else
echo "VALIDATION_RESULT=success" >> $GITHUB_ENV
fi
else
echo "VALIDATION_RESULT=failure" >> $GITHUB_ENV
fi

- name: Find Existing Comment
id: find_comment
run: |
EXISTING_COMMENT=$(gh api repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments \
--jq ".[] | select(.body | startswith(\"$COMMENT_TITLE\")) | .id")
COMMENT_COUNT=$(echo "$EXISTING_COMMENT" | wc -l)
if [ "$COMMENT_COUNT" -gt 1 ]; then
echo "Multiple comments found with the same title. Please review the comments."
exit 2
else
echo "EXISTING_COMMENT_ID=$EXISTING_COMMENT" >> $GITHUB_ENV
fi

- name: Add or Update Comment
run: |
COMMENT_BODY="$COMMENT_TITLE"$'\n\n'
if [[ "${{ env.VALIDATION_RESULT }}" == "success" ]]; then
COMMENT_BODY+=":white_check_mark: **All good!** PR title follows the conventional commit type."
elif [[ "${{ env.VALIDATION_RESULT }}" == "warning" ]]; then
COMMENT_BODY+=":warning: **PR title is valid**, but uses an unconventional type."
else
COMMENT_BODY+=":x: **PR title is invalid.**"$'\n'
COMMENT_BODY+="It must follow the format \`type(context): description\`."$'\n\n'
COMMENT_BODY+="**Valid types:**"$'\n'
COMMENT_BODY+="- \`feat\`"$'\n'
COMMENT_BODY+="- \`fix\`"$'\n'
COMMENT_BODY+="- \`docs\`"$'\n'
COMMENT_BODY+="- \`style\`"$'\n'
COMMENT_BODY+="- \`refactor\`"$'\n'
COMMENT_BODY+="- \`perf\`"$'\n'
COMMENT_BODY+="- \`test\`"$'\n'
COMMENT_BODY+="- \`build\`"$'\n'
COMMENT_BODY+="- \`ci\`"$'\n'
COMMENT_BODY+="- \`chore\`"$'\n'
COMMENT_BODY+="- \`revert\`"
fi

if [[ -n "${{ env.EXISTING_COMMENT_ID }}" ]]; then
# Update the existing comment
gh api repos/${{ github.repository }}/issues/comments/${{ env.EXISTING_COMMENT_ID }} \
-X PATCH -F body="$COMMENT_BODY"
else
# Create a new comment
gh api repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments \
-X POST -F body="$COMMENT_BODY"
fi

- name: Fail if Title Invalid
if: ${{ env.VALIDATION_RESULT == 'failure' }}
run: |
echo "Pull request title (${{ github.event.pull_request.title }}) is not properly formatted."
exit 1

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
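Review bot: The `Fail if Title Invalid` step at the end of the second hunk interpolates `${{ github.event.pull_request.title }}` directly into its `run:` script, while the earlier steps deliberately route the title through the job-level `TITLE` env variable (the comment above `TITLE:` links the hardening guide explaining why). An expression expanded inline is substituted before the shell sees the script, so a title containing shell metacharacters is evaluated by the runner; the env indirection exists precisely to avoid that, and this step should use it too: `echo "Pull request title ($TITLE) is not properly formatted."`. The same pattern appears in the `Failure message` step of the Jira workflow in the next file section, where `$TITLE` is also already defined at job level. Neither step needs the expression form, since `env` is set on the job in both workflows.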
@@ -1,4 +1,4 @@
name: "Lint and Link PR title"
name: PR title Jira

on:
pull_request:
Expand All @@ -7,77 +7,77 @@
- edited
- reopened
- synchronize

jobs:
lint:
name: Validate PR Title And Link Jira Issue
name: Check for Jira issue in PR title
runs-on: ubuntu-22.04
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMENT_TITLE: "## Jira Pull Request Link"
# https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
TITLE: ${{ github.event.pull_request.title }}
steps:
- name: Validate PR Title Format
id: lint
run: |
PR_TITLE="$TITLE"
if [[ "$PR_TITLE" =~ \[(#?[A-Z]*-[0-9]*,?){1,}\] ]]; then
echo "PR title is valid."
echo "VALIDATION_RESULT=success" >> $GITHUB_ENV
else
echo "PR title is invalid."
echo "VALIDATION_RESULT=failure" >> $GITHUB_ENV
fi

- name: Find Existing Jira Comment
id: find_comment
run: |
EXISTING_COMMENT=$(gh api repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments \
--jq ".[] | select(.body | startswith(\"$COMMENT_TITLE\")) | .id")
COMMENT_COUNT=$(echo "$EXISTING_COMMENT" | wc -l)
if [ "$COMMENT_COUNT" -gt 1 ]; then
echo "Multiple comments found with the same title. Please review the comments."
exit 2
else
echo "EXISTING_COMMENT_ID=$EXISTING_COMMENT" >> $GITHUB_ENV
fi

- name: Create or Update Jira Link Comment
run: |
if [[ "${{ env.VALIDATION_RESULT }}" == "success" ]]; then
PR_TITLE="$TITLE"
ISSUES_STR=$(awk -F'\\[|\\]' '{print $2}' <<< "$PR_TITLE" | sed "s/#//g")
IFS=',' read -ra ISSUES <<< "$ISSUES_STR"
JIRA_COMMENT_MARKDOWN="$COMMENT_TITLE"$'\n\n'
JIRA_COMMENT_MARKDOWN+="This Pull Request refers to Jira issues:"$'\n'

for ISSUE in "${ISSUES[@]}"; do
ISSUE=$(echo "$ISSUE" | sed 's/^ *//;s/ *$//') # Trim spaces
JIRA_COMMENT_MARKDOWN+="- [$ISSUE](https://pagopa.atlassian.net/browse/$ISSUE)"$'\n'
done

echo "Gira comment markdown: $JIRA_COMMENT_MARKDOWN"
COMMENT_BODY=$JIRA_COMMENT_MARKDOWN
else
COMMENT_BODY="${{ env.COMMENT_TITLE }}"$'\n\n'
COMMENT_BODY+=":x: It seems this Pull Request has no issues that refers to Jira!!!"$'\n'
COMMENT_BODY+="Please check it out."
fi

echo "Comment body: $COMMENT_BODY"

if [[ -n "${{ env.EXISTING_COMMENT_ID }}" ]]; then
echo Update existing comment
gh api repos/${{ github.repository }}/issues/comments/${{ env.EXISTING_COMMENT_ID }} \
-X PATCH -F body="$COMMENT_BODY"
else
gh api repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments \
-X POST -F body="$COMMENT_BODY"
fi

- name: Failure message
if: env.VALIDATION_RESULT != 'success'
run: |
echo "Pull request title (${{ github.event.pull_request.title }}) is not properly formatted or it is not related to any Jira issue"
exit 1

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
2 changes: 2 additions & 0 deletions .github/workflows/publiccode-validation.yml
@@ -1,10 +1,12 @@
name: Publiccode validation
on: [push, pull_request]

jobs:
publiccode_validation:
name: Parse pubbliccode
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- uses: italia/publiccode-parser-action@3244a5a109ae23f76cb379831abbad32927cad8c # v1
with:
publiccode: 'publiccode.yml'

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
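Review bot: The workflow still has no `permissions:` key, so the job runs with the default GITHUB_TOKEN scope on every `push` and `pull_request`, although its only steps are `actions/checkout` and the publiccode parser action; `permissions:` / `  contents: read` under `name:` is sufficient and is what the CodeQL annotation in this section asks for. The two added lines cannot be identified from the rendered view, so this may already be covered elsewhere in the PR. Separately, `actions/checkout` here is pinned to a `# v2` commit while the other workflows in this PR pin `8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2`; aligning it keeps the pinned-SHA policy consistent across the repository, and the job name `Parse pubbliccode` looks like a typo for `publiccode`.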
6 changes: 5 additions & 1 deletion .github/workflows/release-canary.yml
@@ -1,257 +1,261 @@
name: Canary release
name: Release canary
on:
workflow_dispatch:
jobs:
run-static-checks:
uses: ./.github/workflows/staticcheck.yaml
prepare-canary-release:
name: Prepare canary release
needs: run-static-checks
runs-on: ubuntu-latest
outputs:
canaryVersion: ${{ steps.github-release-creation.outputs.CANARY_VERSION }}
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
with:
fetch-depth: 0
- id: setup-node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: ".node-version"
- id: yarn-cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
env:
cache-name: cache-node-modules
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
- id: install-packages
run: yarn install --frozen-lockfile
- id: replace-version-with-canary
run: |
UPDATED_BUILD_CODE=$(git rev-list HEAD --count)
node scripts/canary/replaceCanaryVersion.js $UPDATED_BUILD_CODE
mv ios/fastlane/Matchfile ios/fastlane/Matchfile_prod
mv ios/fastlane/Matchfile_canary ios/fastlane/Matchfile
- id: bump-version
run: |
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local user.name "github-actions[bot]"
git add .; git commit -m "Replace Matchfile for canary" --no-verify;
yarn release-canary
- id: push-tags
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
git push --no-verify origin tag $APP_VERSION
- id: github-release-creation
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
gh release create $APP_VERSION --generate-notes
echo "CANARY_VERSION=$APP_VERSION" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-android:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
name: Release Android app on Play Store
needs: prepare-canary-release
environment: canary
runs-on: ubuntu-latest
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
with:
fetch-depth: 0
ref: ${{ needs.prepare-canary-release.outputs.canaryVersion }}
- id: setup-node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: ".node-version"
- id: yarn-cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
env:
cache-name: cache-node-modules
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
- id: install-packages
run: yarn install --frozen-lockfile
- id: download-locales
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: locales
path: locales/
- id: download-api-client
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: api-client
path: definitions/
- id: setup-jdk-17
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 #v3.11.0
with:
java-version: '17'
distribution: 'temurin'
cache: gradle
- id: setup-android-sdk
uses: android-actions/setup-android@00854ea68c109d98c75d956347303bf7c45b0277 #v3.2.1
- id: setup-ruby
uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 #v1.245.0
with:
bundler-cache: true
- id: build-release-android
run: |
./scripts/android-release.sh ./android/app
cd android && bundle exec fastlane alpha_canary
shell: bash
env:
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE: ${{secrets.ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE}}
ENCODED_IOAPP_JSON_KEY_FILE: ${{secrets.ENCODED_IOAPP_JSON_KEY_FILE}}
ENCODED_IO_APP_RELEASE_KEYSTORE: ${{secrets.ENCODED_IO_APP_RELEASE_KEYSTORE}}
ENCODED_IO_APP_SENTRY_PROPERTIES: ${{secrets.ENCODED_IO_APP_SENTRY_PROPERTIES}}
IO_APP_RELEASE_STORE_FILE : ${{secrets.IO_APP_RELEASE_STORE_FILE}}
IO_APP_RELEASE_STORE_PASSWORD: ${{secrets.IO_APP_RELEASE_STORE_PASSWORD}}
IO_APP_RELEASE_KEY_ALIAS: ${{secrets.IO_APP_RELEASE_KEY_ALIAS}}
IO_APP_RELEASE_KEY_PASSWORD: ${{secrets.IO_APP_RELEASE_KEY_PASSWORD}}
- id: download-universal-apk-from-store
# We don't want to fail whole job if the universal APK is not downloaded from the play store
continue-on-error: true
run: |
./scripts/android-release.sh ./android/app
cd android
VERSION_CODE=$(sed -n 's/.*versionCode \(.*\)/\1/p' "app/build.gradle")
echo "VERSION_CODE=$VERSION_CODE" >> $GITHUB_ENV
bundle exec fastlane download_canary_apk
env:
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
ENCODED_IOAPP_JSON_KEY_FILE: ${{ secrets.ENCODED_IOAPP_JSON_KEY_FILE }}
VERSION_CODE: ${{ env.VERSION_CODE }}
- id: upload-universal-apk
# We don't want to fail whole job if the universal APK upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
with:
name: io-app-canary-universal.apk
path: android/io-app-canary-universal.apk
- id: upload-aab
# We don't want to fail whole job if the AAB upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
with:
name: app-canary-release.aab
path: android/app/build/outputs/bundle/canaryRelease/app-canary-release.aab
- id: upload-android-assets-release
continue-on-error: true
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
gh release upload $APP_VERSION android/app/build/outputs/bundle/canaryRelease/app-canary-release.aab#android-app-canary-release.aab android/io-app-canary-universal.apk#io-app-canary-universal.apk
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-ios:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
name: Release iOS app on App Store
needs: prepare-canary-release
environment: canary
runs-on: macos-15-xlarge
steps:
- id: set-xcode-version
run: sudo xcode-select -s '/Applications/Xcode_16.4.0.app/Contents/Developer'
shell: bash
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
with:
fetch-depth: 0
ref: ${{ needs.prepare-canary-release.outputs.canaryVersion }}
- id: setup-node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: ".node-version"
- id: yarn-cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
env:
cache-name: cache-node-modules
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
- id: install-packages
run: yarn install --frozen-lockfile
- id: download-locales
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: locales
path: locales/
- id: download-api-client
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: api-client
path: definitions/
- id: setup-ruby
uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 #v1.245.0
with:
bundler-cache: true
- id: prepare-ios-build
run: ./scripts/ios-release-build.sh
env:
APP_STORE_API_KEY_ID: ${{secrets.APP_STORE_API_KEY_ID}}
APP_STORE_API_PRIVATE_KEY: ${{secrets.APP_STORE_API_PRIVATE_KEY}}
ENCODED_IO_APP_SENTRY_PROPERTIES: ${{secrets.ENCODED_IO_APP_SENTRY_PROPERTIES}}
- id: add-ssh-deploy-key
run: |
echo -e "Host github.com
AddKeysToAgent yes
IdentityFile ~/.ssh/id_ed25519" > ~/.ssh/config
echo -e "$SSH_DEPLOY_KEY" > ~/.ssh/id_ed25519
chmod 400 ~/.ssh/id_ed25519
ssh-add ~/.ssh/id_ed25519
env:
SSH_DEPLOY_KEY: ${{secrets.SSH_CERTS_DEPLOY_KEY}}
- id: build-upload-app-store
name: Build & submit to App store
run: |
cd ios
bundle exec fastlane canary_ci_testflight
env:
LC_ALL: en_US.UTF-8
LANG: en_US.UTF-8
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
APP_STORE_API_KEY_ID: ${{secrets.APP_STORE_API_KEY_ID}}
APP_STORE_API_PRIVATE_KEY: ${{secrets.APP_STORE_API_PRIVATE_KEY}}
APP_STORE_API_KEY_ISSUER_ID: ${{secrets.APP_STORE_API_KEY_ISSUER_ID}}
ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD: ${{secrets.ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD}}
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
- id: upload-dsym-files
# Sometimes the build-upload-app-store step fails for timeout,
# in this case we want to upload the dSYM files anyway
if: ${{ always() }}
# We don't want to fail whole job if the dSYM upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.0.3
with:
name: IO.app.dSYM.zip
path: ios/IO.app.dSYM.zip
- id: upload-ipa
# We don't want to fail whole job if the IPA upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
with:
name: IO.ipa
path: ios/IO.ipa
- id: upload-ipa-release
continue-on-error: true
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
gh release upload $APP_VERSION ios/IO.ipa#IO-canary-iOS.ipa
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
notify-new-version:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
name: Notifiy new version
runs-on: ubuntu-latest
needs:
- prepare-canary-release
- release-android
- release-ios
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
- id: comment-process-end
if: github.event.issue.number
run: |
gh issue comment ${{ github.event.issue.number }} -b "Release correctly created, [${{ needs.prepare-canary-release.outputs.canaryVersion }}](https://github.com/pagopa/io-app/releases/tag/${{ needs.prepare-canary-release.outputs.canaryVersion }})"
env:
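Review bot: The `{contents: read}` starting point suggested by the CodeQL annotations in this section would break this workflow rather than harden it: `prepare-canary-release` pushes a tag and runs `gh release create`, `release-android` and `release-ios` run `gh release upload`, and `notify-new-version` runs `gh issue comment`, all with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`. A workflow-level `permissions: contents: read` with per-job overrides scoped to exactly what each job does is the least-privilege shape; the overrides below are the minimum consistent with the visible steps (the `yarn release-canary` script may need more, so confirm against it). A smaller point in `add-ssh-deploy-key`: `echo -e "$SSH_DEPLOY_KEY"` applies backslash-escape processing to the key material, whereas `printf '%s\n' "$SSH_DEPLOY_KEY"` writes it verbatim; the same step exists in release-new-cycle.yml. The hunk's last visible line is `env:` with its value outside the shown range, so the `notify-new-version` job is only partly reviewable here.
```yaml
name: Release canary
permissions:
  contents: read
on:
  workflow_dispatch:
jobs:
  # … unchanged: run-static-checks …
  prepare-canary-release:
    name: Prepare canary release
    permissions:
      contents: write  # git push tag, gh release create
    # … unchanged: needs, runs-on, outputs, steps …
  release-android:
    permissions:
      contents: write  # gh release upload
    # … unchanged: name, needs, environment, runs-on, steps …
  release-ios:
    permissions:
      contents: write  # gh release upload
    # … unchanged: name, needs, environment, runs-on, steps …
  notify-new-version:
    permissions:
      issues: write  # gh issue comment
    # … unchanged: name, runs-on, needs, steps …
```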
5 changes: 4 additions & 1 deletion .github/workflows/release-new-cycle.yml
@@ -1,4 +1,4 @@
name: Start a new release cycle on stores
name: Release new cycle

@mastro993 mastro993 Jan 20, 2026


"Release new cycle" sounds a bit off, since you usually release an artifact, not a cycle.
Would “New release cycle” be clearer?


I'd like to keep them imperative. Maybe we can rename the 3 publish workflows as:

  • Publish new app cycle;
  • Publish new app release candidate;
  • Promote latest release candidate to beta;
  • Publish Canary.

Does it make sense to you?


Yes, it makes sense. Thank you!


Actually, I think we could make it even clearer, but I think we have to discuss this internally. Instead of using "cycle" and "release candidate" we could use:

  • Publish app version;
  • Publish app build;
  • Promote latest build to beta;
  • Publish app canary.

I think it might be more clearer as we basically release a new app version and then iterate over it by producing more builds.

on:
workflow_dispatch:
inputs:
Expand All @@ -15,246 +15,249 @@
run-static-checks:
uses: ./.github/workflows/staticcheck.yaml
bump-app-version:
name: Bump app version
needs: run-static-checks
runs-on: ubuntu-latest
environment: prod
outputs:
currentAppVersion: ${{ steps.github-release-creation.outputs.CURRENT_APP_VERSION }}
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
with:
fetch-depth: 0
ssh-key: ${{ secrets.SSH_DEPLOY_KEY }}
- id: setup-node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: ".node-version"
- id: yarn-cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
env:
cache-name: cache-node-modules
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
- id: install-packages
run: yarn install --frozen-lockfile
- id: bump-version
run: |
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local user.name "github-actions[bot]"

if [[ ${{ github.event.inputs.releaseLevel }} == "major" ]]; then
echo "Bumping the major version"
yarn start-breaking-cycle
elif [[ ${{ github.event.inputs.releaseLevel }} == "minor" ]]; then
echo "Bumping the minor version"
yarn start-release-cycle
elif [[ ${{ github.event.inputs.releaseLevel }} == "patch" ]]; then
echo "Bumping the patch version"
yarn start-fix-cycle
else
echo "Unknown release level: ${{ github.event.inputs.releaseLevel }}"
exit 1
fi
- id: push-tags
run: |
git push --no-verify --follow-tags origin HEAD:${GITHUB_REF#refs/heads/}
- id: github-release-creation
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
echo "CURRENT_APP_VERSION=$APP_VERSION" >> $GITHUB_OUTPUT
gh release create $APP_VERSION --latest --generate-notes
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-android:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
name: Release Android app on Play Store
needs: bump-app-version
environment: prod
runs-on: ubuntu-latest
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
with:
fetch-depth: 0
ref: ${{ needs.bump-app-version.outputs.currentAppVersion }}
- id: setup-node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: ".node-version"
- id: yarn-cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
env:
cache-name: cache-node-modules
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
- id: install-packages
run: yarn install --frozen-lockfile
- id: download-locales
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: locales
path: locales/
- id: download-api-client
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: api-client
path: definitions/
- id: setup-jdk-17
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 #v3.11.0
with:
java-version: '17'
distribution: 'temurin'
cache: gradle
- id: setup-android-sdk
uses: android-actions/setup-android@00854ea68c109d98c75d956347303bf7c45b0277 #v3.2.1
- id: setup-ruby
uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 #v1.245.0
with:
bundler-cache: true
- id: build-release-android
run: |
./scripts/android-release.sh ./android/app
cd android && bundle exec fastlane alpha
shell: bash
env:
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE: ${{secrets.ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE}}
ENCODED_IOAPP_JSON_KEY_FILE: ${{secrets.ENCODED_IOAPP_JSON_KEY_FILE}}
ENCODED_IO_APP_RELEASE_KEYSTORE: ${{secrets.ENCODED_IO_APP_RELEASE_KEYSTORE}}
ENCODED_IO_APP_SENTRY_PROPERTIES: ${{secrets.ENCODED_IO_APP_SENTRY_PROPERTIES}}
IO_APP_RELEASE_STORE_FILE : ${{secrets.IO_APP_RELEASE_STORE_FILE}}
IO_APP_RELEASE_STORE_PASSWORD: ${{secrets.IO_APP_RELEASE_STORE_PASSWORD}}
IO_APP_RELEASE_KEY_ALIAS: ${{secrets.IO_APP_RELEASE_KEY_ALIAS}}
IO_APP_RELEASE_KEY_PASSWORD: ${{secrets.IO_APP_RELEASE_KEY_PASSWORD}}
- id: download-universal-apk-from-store
# We don't want to fail whole job if the universal APK is not downloaded from the play store
continue-on-error: true
run: |
./scripts/android-release.sh ./android/app
cd android
VERSION_CODE=$(sed -n 's/.*versionCode \(.*\)/\1/p' "app/build.gradle")
echo "VERSION_CODE=$VERSION_CODE" >> $GITHUB_ENV
bundle exec fastlane download_apk
env:
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
ENCODED_IOAPP_JSON_KEY_FILE: ${{secrets.ENCODED_IOAPP_JSON_KEY_FILE}}
VERSION_CODE: ${{ env.VERSION_CODE }}
- id: upload-universal-apk
# We don't want to fail whole job if the universal APK upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
with:
name: io-app-universal.apk
path: android/io-app-universal.apk
- id: upload-aab
# We don't want to fail whole job if the AAB upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
with:
name: app-release.aab
path: android/app/build/outputs/bundle/productionRelease/app-production-release.aab
- id: upload-android-assets-release
continue-on-error: true
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
gh release upload $APP_VERSION android/app/build/outputs/bundle/productionRelease/app-production-release.aab#android-app-release.aab android/io-app-universal.apk#io-app-universal.apk
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-ios:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
name: Release iOS app on App Store
needs: bump-app-version
environment: prod
runs-on: macos-15-xlarge
steps:
- id: set-xcode-version
run: sudo xcode-select -s '/Applications/Xcode_16.4.0.app/Contents/Developer'
shell: bash
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
with:
fetch-depth: 0
ref: ${{ needs.bump-app-version.outputs.currentAppVersion }}
- id: setup-node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: ".node-version"
- id: yarn-cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
env:
cache-name: cache-node-modules
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
- id: install-packages
run: yarn install --frozen-lockfile
- id: download-locales
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: locales
path: locales/
- id: download-api-client
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: api-client
path: definitions/
- id: setup-ruby
uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 #v1.245.0
with:
bundler-cache: true
- id: prepare-ios-build
run: ./scripts/ios-release-build.sh
env:
APP_STORE_API_KEY_ID: ${{secrets.APP_STORE_API_KEY_ID}}
APP_STORE_API_PRIVATE_KEY: ${{secrets.APP_STORE_API_PRIVATE_KEY}}
ENCODED_IO_APP_SENTRY_PROPERTIES: ${{secrets.ENCODED_IO_APP_SENTRY_PROPERTIES}}
- id: add-ssh-deploy-key
run: |
echo -e "Host github.com
AddKeysToAgent yes
IdentityFile ~/.ssh/id_ed25519" > ~/.ssh/config
echo -e "$SSH_DEPLOY_KEY" > ~/.ssh/id_ed25519
chmod 400 ~/.ssh/id_ed25519
ssh-add ~/.ssh/id_ed25519
env:
SSH_DEPLOY_KEY: ${{secrets.SSH_CERTS_DEPLOY_KEY}}
- id: build-upload-app-store
name: Build & submit to App store
run: |
cd ios
bundle exec fastlane beta_circleci_testflight
env:
LC_ALL: en_US.UTF-8
LANG: en_US.UTF-8
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
APP_STORE_API_KEY_ID: ${{secrets.APP_STORE_API_KEY_ID}}
APP_STORE_API_PRIVATE_KEY: ${{secrets.APP_STORE_API_PRIVATE_KEY}}
APP_STORE_API_KEY_ISSUER_ID: ${{secrets.APP_STORE_API_KEY_ISSUER_ID}}
ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD: ${{secrets.ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD}}
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
- id: upload-dsym-files
# Sometimes the build-upload-app-store step fails for timeout,
# in this case we want to upload the dSYM files anyway
if: ${{ always() }}
# We don't want to fail whole job if the dSYM upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.0.3
with:
name: IO.app.dSYM.zip
path: ios/IO.app.dSYM.zip
- id: upload-ipa
# We don't want to fail whole job if the IPA upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
with:
name: IO.ipa
path: ios/IO.ipa
- id: upload-ipa-release
continue-on-error: true
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
gh release upload $APP_VERSION ios/IO.ipa#IO-iOS.ipa
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
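Review bot: The `bump-version` step interpolates `${{ github.event.inputs.releaseLevel }}` unquoted into the bash script four times; besides the expression-in-script concern that the repository's own hardening link (in the PR-title workflows) addresses, an empty input leaves `[[ == "major" ]]` behind, which is a bash syntax error rather than the intended `Unknown release level` exit. Passing the input through `env` and quoting it fixes both; the `inputs:` definition is outside the hunk, so whether it is a restricted `choice` input cannot be checked here. The same `{contents: read}` caveat as in release-canary.yml applies: `bump-app-version` pushes tags and runs `gh release create`, and both release jobs run `gh release upload`, so any `permissions:` block needs per-job `contents: write` overrides.
```yaml
    - id: bump-version
      env:
        RELEASE_LEVEL: ${{ github.event.inputs.releaseLevel }}
      run: |
        git config --local user.email "github-actions[bot]@users.noreply.github.com"
        git config --local user.name "github-actions[bot]"

        if [[ "$RELEASE_LEVEL" == "major" ]]; then
          echo "Bumping the major version"
          yarn start-breaking-cycle
        elif [[ "$RELEASE_LEVEL" == "minor" ]]; then
          echo "Bumping the minor version"
          yarn start-release-cycle
        elif [[ "$RELEASE_LEVEL" == "patch" ]]; then
          echo "Bumping the patch version"
          yarn start-fix-cycle
        else
          echo "Unknown release level: $RELEASE_LEVEL"
          exit 1
        fi
```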
6 changes: 5 additions & 1 deletion .github/workflows/release-nightly.yml
@@ -1,4 +1,4 @@
name: Nightly release new app version
name: Release nightly
on:
schedule:
- cron: '59 21 * * *'
Expand Down Expand Up @@ -58,237 +58,241 @@
env:
BRANCH_NAME: ${{ github.ref_name }}
run-static-checks:
name: Run static checks
needs: detect-changes
if: needs.detect-changes.outputs.has_changes == 'true'
uses: ./.github/workflows/staticcheck.yaml
bump-app-version:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
name: Bump app version
needs: [detect-changes, run-static-checks]
runs-on: ubuntu-latest
environment: prod
outputs:
currentAppVersion: ${{ steps.github-release-creation.outputs.CURRENT_APP_VERSION }}
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
with:
fetch-depth: 0
ssh-key: ${{ secrets.SSH_DEPLOY_KEY }}
- id: setup-node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: ".node-version"
- id: yarn-cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
env:
cache-name: cache-node-modules
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
- id: install-packages
run: yarn install --frozen-lockfile
- id: bump-version
run: |
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local user.name "github-actions[bot]"
yarn release-rc
- id: push-tags
run: |
git push --no-verify --follow-tags origin HEAD:${GITHUB_REF#refs/heads/}
- id: github-release-creation
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
echo "CURRENT_APP_VERSION=$APP_VERSION" >> $GITHUB_OUTPUT
gh release create $APP_VERSION --latest --generate-notes
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-android:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
name: Release Android app on Play Store
needs: bump-app-version
environment: prod
runs-on: ubuntu-latest
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
with:
fetch-depth: 0
ref: ${{ needs.bump-app-version.outputs.currentAppVersion }}
- id: setup-node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: ".node-version"
- id: yarn-cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
env:
cache-name: cache-node-modules
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
- id: install-packages
run: yarn install --frozen-lockfile
- id: download-locales
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: locales
path: locales/
- id: download-api-client
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: api-client
path: definitions/
- id: setup-jdk-17
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 #v3.11.0
with:
java-version: '17'
distribution: 'temurin'
cache: gradle
- id: setup-android-sdk
uses: android-actions/setup-android@00854ea68c109d98c75d956347303bf7c45b0277 #v3.2.1
- id: setup-ruby
uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 #v1.245.0
with:
bundler-cache: true
- id: build-release-android
run: |
./scripts/android-release.sh ./android/app
cd android && bundle exec fastlane alpha
shell: bash
env:
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE: ${{secrets.ENCODED_IOAPP_GOOGLE_SERVICES_JSON_FILE}}
ENCODED_IOAPP_JSON_KEY_FILE: ${{secrets.ENCODED_IOAPP_JSON_KEY_FILE}}
ENCODED_IO_APP_RELEASE_KEYSTORE: ${{secrets.ENCODED_IO_APP_RELEASE_KEYSTORE}}
ENCODED_IO_APP_SENTRY_PROPERTIES: ${{secrets.ENCODED_IO_APP_SENTRY_PROPERTIES}}
IO_APP_RELEASE_STORE_FILE: ${{secrets.IO_APP_RELEASE_STORE_FILE}}
IO_APP_RELEASE_STORE_PASSWORD: ${{secrets.IO_APP_RELEASE_STORE_PASSWORD}}
IO_APP_RELEASE_KEY_ALIAS: ${{secrets.IO_APP_RELEASE_KEY_ALIAS}}
IO_APP_RELEASE_KEY_PASSWORD: ${{secrets.IO_APP_RELEASE_KEY_PASSWORD}}
- id: download-universal-apk-from-store
# We don't want to fail whole job if the universal APK is not downloaded from the play store
continue-on-error: true
run: |
./scripts/android-release.sh ./android/app
cd android
VERSION_CODE=$(sed -n 's/.*versionCode \(.*\)/\1/p' "app/build.gradle")
echo "VERSION_CODE=$VERSION_CODE" >> $GITHUB_ENV
bundle exec fastlane download_apk
env:
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
ENCODED_IOAPP_JSON_KEY_FILE: ${{secrets.ENCODED_IOAPP_JSON_KEY_FILE}}
VERSION_CODE: ${{ env.VERSION_CODE }}
- id: upload-universal-apk
# We don't want to fail whole job if the universal APK upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
with:
name: io-app-universal.apk
path: android/io-app-universal.apk
- id: upload-aab
# We don't want to fail whole job if the AAB upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
with:
name: app-release.aab
path: android/app/build/outputs/bundle/productionRelease/app-production-release.aab
- id: upload-android-assets-release
continue-on-error: true
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
gh release upload $APP_VERSION android/app/build/outputs/bundle/productionRelease/app-production-release.aab#android-app-release.aab android/io-app-universal.apk#io-app-universal.apk
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-ios:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
name: Release iOS app on App Store
needs: bump-app-version
environment: prod
runs-on: macos-15-xlarge
steps:
- id: set-xcode-version
run: sudo xcode-select -s '/Applications/Xcode_16.4.0.app/Contents/Developer'
shell: bash
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
with:
fetch-depth: 0
ref: ${{ needs.bump-app-version.outputs.currentAppVersion }}
- id: setup-node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: ".node-version"
- id: yarn-cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
env:
cache-name: cache-node-modules
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
- id: install-packages
run: yarn install --frozen-lockfile
- id: download-locales
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: locales
path: locales/
- id: download-api-client
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: api-client
path: definitions/
- id: setup-ruby
uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 #v1.245.0
with:
bundler-cache: true
- id: prepare-ios-build
run: ./scripts/ios-release-build.sh
env:
APP_STORE_API_KEY_ID: ${{secrets.APP_STORE_API_KEY_ID}}
APP_STORE_API_PRIVATE_KEY: ${{secrets.APP_STORE_API_PRIVATE_KEY}}
ENCODED_IO_APP_SENTRY_PROPERTIES: ${{secrets.ENCODED_IO_APP_SENTRY_PROPERTIES}}
- id: add-ssh-deploy-key
run: |
echo -e "Host github.com
AddKeysToAgent yes
IdentityFile ~/.ssh/id_ed25519" > ~/.ssh/config
echo -e "$SSH_DEPLOY_KEY" > ~/.ssh/id_ed25519
chmod 400 ~/.ssh/id_ed25519
ssh-add ~/.ssh/id_ed25519
env:
SSH_DEPLOY_KEY: ${{secrets.SSH_CERTS_DEPLOY_KEY}}
- id: build-upload-app-store
name: Build & submit to App store
run: |
cd ios
bundle exec fastlane beta_circleci_testflight
env:
LC_ALL: en_US.UTF-8
LANG: en_US.UTF-8
RUBYOPT: '-rostruct' # TODO: Remove when https://github.com/fastlane/fastlane/pull/21950 gets released
APP_STORE_API_KEY_ID: ${{secrets.APP_STORE_API_KEY_ID}}
APP_STORE_API_PRIVATE_KEY: ${{secrets.APP_STORE_API_PRIVATE_KEY}}
APP_STORE_API_KEY_ISSUER_ID: ${{secrets.APP_STORE_API_KEY_ISSUER_ID}}
ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD: ${{secrets.ITMSTRANSPORTER_FORCE_ITMS_PACKAGE_UPLOAD}}
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
- id: upload-dsym-files
# Sometimes the build-upload-app-store step fails for timeout,
# in this case we want to upload the dSYM files anyway
if: ${{ always() }}
# We don't want to fail whole job if the dSYM upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.0.3
with:
name: IO.app.dSYM.zip
path: ios/IO.app.dSYM.zip
- id: upload-ipa
# We don't want to fail whole job if the IPA upload step fails
continue-on-error: true
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
with:
name: IO.ipa
path: ios/IO.ipa
- id: upload-ipa-release
continue-on-error: true
run: |
APP_VERSION=$(node -p -e "require('./package.json').version")
gh release upload $APP_VERSION ios/IO.ipa#IO-iOS.ipa
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
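Review bot: In the `download-universal-apk-from-store` step of `release-android`, the `env:` entry `VERSION_CODE: ${{ env.VERSION_CODE }}` is evaluated before the step's script runs, so it resolves to whatever `env.VERSION_CODE` held from earlier steps (nothing on the visible path), not the value the same script appends to `$GITHUB_ENV`. The `fastlane download_apk` call appears to work only because the shell assignment overwrites a variable that GitHub already exported as empty, which is fragile and misleading to the next maintainer. Make the dependency explicit: `export VERSION_CODE=$(sed -n 's/.*versionCode \(.*\)/\1/p' "app/build.gradle")` in the script and drop the `VERSION_CODE:` line from `env:` (keep the `$GITHUB_ENV` write only if a later step reads it; none of the visible ones do). Separately, the `yarn-cache` steps in `bump-app-version`, `release-android` and `release-ios` cache `~/.npm` keyed on `yarn.lock` while installs run `yarn install`; yarn v1 does not write to `~/.npm` on Linux, so these caches likely restore nothing and `actions/setup-node` with `cache: yarn` would be the idiomatic replacement (the same pattern appears in the `staticcheck` and `weekly-jobs` sections below).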
4 changes: 2 additions & 2 deletions .github/workflows/stale.yml
@@ -1,12 +1,12 @@
name: Mark stale issues and pull requests
name: Stale

on:
schedule:
- cron: '0 2 1/7 * *'

jobs:
stale:

name: Mark stale issues and PRs
runs-on: ubuntu-latest
permissions:
issues: write
Expand Down
@@ -1,60 +1,63 @@
name: Static checks
on:
- pull_request
- merge_group
- workflow_call
jobs:
static-checks:
name: Typescript lint and prettier
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-pr-staticcheck-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- id: setup
uses: ./.github/actions/setup-composite
- id: run-tsc
run: yarn tsc:noemit
- id: run-lint
run: yarn lint
- id: run-prettier
run: yarn prettier:check
unit-test:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
name: Unit tests
runs-on: ubuntu-latest
environment: dev
needs: static-checks
strategy:
matrix:
shard: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- id: setup-node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: ".node-version"
- id: yarn-cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
env:
cache-name: cache-node-modules
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
- id: install-packages
run: yarn install --frozen-lockfile
- id: download-locales
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: locales
path: locales/
- id: download-api-client
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: api-client
path: definitions/
- id: run-test
run: yarn test:ci --shard=${{ matrix.shard }}/${{ strategy.job-total }}
- id: codecov-script
uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
with:
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/weekly-jobs.yml
Expand Up @@ -6,27 +6,28 @@
- cron: '0 14 * * 5'
jobs:
check-outdated-dependencies:
name: Check outdated dependencies
runs-on: ubuntu-latest
environment: dev
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- id: setup-node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: '.node-version'
- id: yarn-cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
env:
cache-name: cache-node-modules
with:
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-name }}-
${{ runner.os }}-build-
${{ runner.os }}-
- id: install-packages
run: yarn install --frozen-lockfile --no-progress --non-interactive --network-concurrency 1
shell: bash
- id: check-outdated-dependencies
Expand Down
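Review bot: The `yarn-cache` step in `check-outdated-dependencies` keys the cache on `hashFiles('**/package-lock.json')` while the following `install-packages` step runs `yarn install --frozen-lockfile`, and every other workflow in this PR keys on `**/yarn.lock`. If no `package-lock.json` exists in the repository, `hashFiles` returns an empty string and the key degenerates to the constant `${{ runner.os }}-build-cache-node-modules-`, so the cache never invalidates when dependencies change and the `restore-keys` fallbacks are redundant. Use `key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}` to match the rest of the repository. The `check-outdated-dependencies` step and the remainder of the job continue outside the visible hunk.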
3 changes: 3 additions & 0 deletions .github/workflows/zendesk-trigger-manager.yml
Expand Up @@ -27,6 +27,7 @@ permissions: {}

jobs:
get-trigger-status:
name: Get Zendesk Trigger Status
# Run this job only if the user chose 'View Trigger Status'
if: github.event.inputs.action == 'View Trigger Status'
runs-on: ubuntu-latest
Expand Down Expand Up @@ -63,6 +64,7 @@ jobs:
echo "- **App Version Tag:** \`$APP_VERSION_TAG\`" >> $GITHUB_STEP_SUMMARY

update-trigger-app-version:
name: Update Zendesk Trigger for app version
# Run this job only if the user chose 'Update App Version'
if: github.event.inputs.action == 'Update App Version'
runs-on: ubuntu-latest
Expand Down Expand Up @@ -166,6 +168,7 @@ jobs:
fi

send-slack-notification:
name: Send Slack notification
# Run this job only if the user chose 'Update App Version'
if: github.event.inputs.action == 'Update App Version'
runs-on: ubuntu-latest
Expand Down