Skip to content

Build and deploy apps for testing #2623

Build and deploy apps for testing

Build and deploy apps for testing #2623

Workflow file for this run

name: Build and deploy apps for testing
on:
workflow_dispatch:
inputs:
PULL_REQUEST_NUMBER:
description: Pull Request number for correct placement of apps
required: true
pull_request_target:
types: [opened, synchronize, labeled]
branches: ['*ci-test/**']
env:
PULL_REQUEST_NUMBER: ${{ github.event.number || github.event.inputs.PULL_REQUEST_NUMBER }}
jobs:
validateActor:
runs-on: ubuntu-latest
outputs:
READY_TO_BUILD: ${{ fromJSON(steps.isExpensifyEmployee.outputs.IS_EXPENSIFY_EMPLOYEE) && fromJSON(steps.hasReadyToBuildLabel.outputs.HAS_READY_TO_BUILD_LABEL) }}
steps:
- name: Is Expensify employee
id: isExpensifyEmployee
run: |
if gh api /orgs/Expensify/teams/expensify-expensify/memberships/${{ github.actor }} --silent; then
echo "IS_EXPENSIFY_EMPLOYEE=true" >> "$GITHUB_OUTPUT"
else
echo "IS_EXPENSIFY_EMPLOYEE=false" >> "$GITHUB_OUTPUT"
fi
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
- id: hasReadyToBuildLabel
name: Set HAS_READY_TO_BUILD_LABEL flag
run: |
echo "HAS_READY_TO_BUILD_LABEL=$(gh pr view "${{ env.PULL_REQUEST_NUMBER }}" --repo Expensify/App --json labels --jq '.labels[].name' | grep -q 'Ready To Build' && echo 'true')" >> "$GITHUB_OUTPUT"
if [[ "$HAS_READY_TO_BUILD_LABEL" != 'true' ]]; then
echo "The 'Ready to Build' label is not attached to the PR #${{ env.PULL_REQUEST_NUMBER }}"
fi
env:
GITHUB_TOKEN: ${{ github.token }}
getBranchRef:
runs-on: ubuntu-latest
needs: validateActor
if: ${{ fromJSON(needs.validateActor.outputs.READY_TO_BUILD) }}
outputs:
REF: ${{ steps.getHeadRef.outputs.REF }}
steps:
- name: Checkout
if: ${{ github.event_name == 'workflow_dispatch' }}
uses: actions/checkout@v4
- name: Check if pull request number is correct
if: ${{ github.event_name == 'workflow_dispatch' }}
id: getHeadRef
run: |
set -e
echo "REF=$(gh pr view ${{ github.event.inputs.PULL_REQUEST_NUMBER }} --json headRefOid --jq '.headRefOid')" >> "$GITHUB_OUTPUT"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
postGitHubCommentBuildStarted:
runs-on: ubuntu-latest
needs: [validateActor, getBranchRef]
if: ${{ fromJSON(needs.validateActor.outputs.READY_TO_BUILD) }}
steps:
- name: Add build start comment
uses: actions/github-script@v7
with:
github-token: ${{ github.token }}
script: |
const workflowURL = `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: process.env.PULL_REQUEST_NUMBER,
body: `🚧 @${{ github.actor }} has triggered a test build. You can view the [workflow run here](${workflowURL}).`
});
buildAndroid:
name: Build Android app for testing
uses: ./.github/workflows/buildAndroid.yml
if: ${{ fromJSON(needs.validateActor.outputs.READY_TO_BUILD) }}
needs: [validateActor, getBranchRef]
secrets: inherit
with:
type: adhoc
ref: ${{ github.event.pull_request.head.sha || needs.getBranchRef.outputs.REF }}
pull_request_number: ${{ github.event.number || github.event.inputs.PULL_REQUEST_NUMBER }}
uploadAndroid:
name: Upload Android app to S3
needs: [buildAndroid]
runs-on: ubuntu-latest
outputs:
S3_APK_PATH: ${{ steps.exportS3Path.outputs.S3_APK_PATH }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Ruby
uses: ruby/[email protected]
with:
bundler-cache: true
- name: Download Android build artifacts
uses: actions/download-artifact@v4
with:
path: /tmp/artifacts
pattern: android-*-artifact
merge-multiple: true
- name: Log downloaded artifact paths
run: ls -R /tmp/artifacts
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Upload AdHoc build to S3
run: bundle exec fastlane android upload_s3
env:
apkPath: /tmp/artifacts/${{ needs.buildAndroid.outputs.APK_FILE_NAME }}
S3_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY_ID }}
S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
S3_BUCKET: ad-hoc-expensify-cash
S3_REGION: us-east-1
- name: Export S3 paths
id: exportS3Path
run: |
# $s3APKPath is set from within the Fastfile, android upload_s3 lane
echo "S3_APK_PATH=$s3APKPath" >> "$GITHUB_OUTPUT"
iOS:
name: Build and deploy iOS for testing
needs: [validateActor, getBranchRef]
if: ${{ fromJSON(needs.validateActor.outputs.READY_TO_BUILD) }}
env:
DEVELOPER_DIR: /Applications/Xcode_16.2.0.app/Contents/Developer
runs-on: macos-15-xlarge
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || needs.getBranchRef.outputs.REF }}
- name: Configure MapBox SDK
run: ./scripts/setup-mapbox-sdk.sh ${{ secrets.MAPBOX_SDK_DOWNLOAD_TOKEN }}
- name: Create .env.adhoc file based on staging and add PULL_REQUEST_NUMBER env to it
run: |
cp .env.staging .env.adhoc
sed -i '' 's/ENVIRONMENT=staging/ENVIRONMENT=adhoc/' .env.adhoc
echo "PULL_REQUEST_NUMBER=$PULL_REQUEST_NUMBER" >> .env.adhoc
- name: Setup Node
id: setup-node
uses: ./.github/actions/composite/setupNode
- name: Setup XCode
run: sudo xcode-select -switch /Applications/Xcode_16.2.0.app
- name: Setup Ruby
uses: ruby/[email protected]
with:
bundler-cache: true
- name: Cache Pod dependencies
uses: actions/cache@v4
id: pods-cache
with:
path: ios/Pods
key: ${{ runner.os }}-pods-cache-${{ hashFiles('ios/Podfile.lock', 'firebase.json') }}
- name: Compare Podfile.lock and Manifest.lock
id: compare-podfile-and-manifest
run: echo "IS_PODFILE_SAME_AS_MANIFEST=${{ hashFiles('ios/Podfile.lock') == hashFiles('ios/Pods/Manifest.lock') }}" >> "$GITHUB_OUTPUT"
- name: Install cocoapods
uses: nick-fields/retry@3f757583fb1b1f940bc8ef4bf4734c8dc02a5847
if: steps.pods-cache.outputs.cache-hit != 'true' || steps.compare-podfile-and-manifest.outputs.IS_PODFILE_SAME_AS_MANIFEST != 'true' || steps.setup-node.outputs.cache-hit != 'true'
with:
timeout_minutes: 10
max_attempts: 5
command: scripts/pod-install.sh
- name: Decrypt AdHoc profile
run: cd ios && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output NewApp_AdHoc.mobileprovision NewApp_AdHoc.mobileprovision.gpg
env:
LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
- name: Decrypt AdHoc Notification Service profile
run: cd ios && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output NewApp_AdHoc_Notification_Service.mobileprovision NewApp_AdHoc_Notification_Service.mobileprovision.gpg
env:
LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
- name: Decrypt certificate
run: cd ios && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output Certificates.p12 Certificates.p12.gpg
env:
LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Build AdHoc app
run: bundle exec fastlane ios build_adhoc
- name: Upload AdHoc build to S3
run: bundle exec fastlane ios upload_s3
env:
S3_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY_ID }}
S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
S3_BUCKET: ad-hoc-expensify-cash
S3_REGION: us-east-1
- name: Upload Artifact
uses: actions/upload-artifact@v4
with:
name: ios
path: ./ios_paths.json
desktop:
name: Build and deploy Desktop for testing
needs: [validateActor, getBranchRef]
if: ${{ fromJSON(needs.validateActor.outputs.READY_TO_BUILD) }}
runs-on: macos-14-large
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || needs.getBranchRef.outputs.REF }}
- name: Create .env.adhoc file based on staging and add PULL_REQUEST_NUMBER env to it
run: |
cp .env.staging .env.adhoc
sed -i '' 's/ENVIRONMENT=staging/ENVIRONMENT=adhoc/' .env.adhoc
echo "PULL_REQUEST_NUMBER=$PULL_REQUEST_NUMBER" >> .env.adhoc
- name: Setup Node
uses: ./.github/actions/composite/setupNode
- name: Decrypt Developer ID Certificate
run: cd desktop && gpg --quiet --batch --yes --decrypt --passphrase="$DEVELOPER_ID_SECRET_PASSPHRASE" --output developer_id.p12 developer_id.p12.gpg
env:
DEVELOPER_ID_SECRET_PASSPHRASE: ${{ secrets.DEVELOPER_ID_SECRET_PASSPHRASE }}
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Build desktop app for testing
run: npm run desktop-build-adhoc
env:
CSC_LINK: ${{ secrets.CSC_LINK }}
CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
GCP_GEOLOCATION_API_KEY: $${{ secrets.GCP_GEOLOCATION_API_KEY_STAGING }}
web:
name: Build and deploy Web
needs: [validateActor, getBranchRef]
if: ${{ fromJSON(needs.validateActor.outputs.READY_TO_BUILD) }}
runs-on: ubuntu-latest-xl
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || needs.getBranchRef.outputs.REF }}
- name: Create .env.adhoc file based on staging and add PULL_REQUEST_NUMBER env to it
run: |
cp .env.staging .env.adhoc
sed -i 's/ENVIRONMENT=staging/ENVIRONMENT=adhoc/' .env.adhoc
echo "PULL_REQUEST_NUMBER=$PULL_REQUEST_NUMBER" >> .env.adhoc
- name: Setup Node
uses: ./.github/actions/composite/setupNode
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Build web for testing
run: npm run build-adhoc
- name: Deploy to S3 for internal testing
run: aws s3 cp --recursive --acl public-read "$GITHUB_WORKSPACE"/dist s3://ad-hoc-expensify-cash/web/"$PULL_REQUEST_NUMBER"
postGithubComment:
runs-on: ubuntu-latest
name: Post a GitHub comment with app download links for testing
needs: [validateActor, getBranchRef, uploadAndroid, iOS, desktop, web]
if: ${{ always() }}
steps:
- name: Checkout
uses: actions/checkout@v4
if: ${{ fromJSON(needs.validateActor.outputs.READY_TO_BUILD) }}
with:
ref: ${{ github.event.pull_request.head.sha || needs.getBranchRef.outputs.REF }}
- name: Download Artifact
uses: actions/download-artifact@v4
if: ${{ fromJSON(needs.validateActor.outputs.READY_TO_BUILD) }}
- name: Read JSONs with iOS paths
id: get_ios_path
if: ${{ needs.iOS.result == 'success' }}
run: |
content_ios="$(cat ./ios/ios_paths.json)"
content_ios="${content_ios//'%'/'%25'}"
content_ios="${content_ios//$'\n'/'%0A'}"
content_ios="${content_ios//$'\r'/'%0D'}"
ios_path=$(echo "$content_ios" | jq -r '.html_path')
echo "ios_path=$ios_path" >> "$GITHUB_OUTPUT"
- name: Publish links to apps for download
if: ${{ fromJSON(needs.validateActor.outputs.READY_TO_BUILD) }}
uses: ./.github/actions/javascript/postTestBuildComment
with:
PR_NUMBER: ${{ env.PULL_REQUEST_NUMBER }}
GITHUB_TOKEN: ${{ github.token }}
ANDROID: ${{ needs.uploadAndroid.result }}
DESKTOP: ${{ needs.desktop.result }}
IOS: ${{ needs.iOS.result }}
WEB: ${{ needs.web.result }}
ANDROID_LINK: ${{ needs.uploadAndroid.outputs.S3_APK_PATH }}
DESKTOP_LINK: https://ad-hoc-expensify-cash.s3.amazonaws.com/desktop/${{ env.PULL_REQUEST_NUMBER }}/NewExpensify.dmg
IOS_LINK: ${{ steps.get_ios_path.outputs.ios_path }}
WEB_LINK: https://${{ env.PULL_REQUEST_NUMBER }}.pr-testing.expensify.com