build_appstore.yml

name: Make App Store Connect Release

on: 
  workflow_dispatch:
    inputs:
      destination:
        description: "Upload destination (TestFlight or App Store)"
        required: true
        default: appstore
        type: choice
        options:
        - testflight
        - testflight_review
        - appstore
      asana-task-url:
        description: "Asana release task URL"
        required: false
        type: string
  workflow_call:
    inputs:
      destination:
        description: "Upload destination (TestFlight or App Store)"
        required: true
        default: appstore
        type: string
      asana-task-url:
        description: "Asana release task URL"
        required: true
        type: string
      branch:
        description: "Branch name"
        required: false
        type: string
    secrets:
      SSH_PRIVATE_KEY_FASTLANE_MATCH:
        required: true
      APPLE_API_KEY_BASE64:
        required: true
      APPLE_API_KEY_ID:
        required: true
      APPLE_API_KEY_ISSUER:
        required: true
      MATCH_PASSWORD:
        required: true
      ASANA_ACCESS_TOKEN:
        required: true
      MM_HANDLES_BASE64:
        required: true
      MM_WEBHOOK_URL:
        required: true

jobs:
  make-release:

    name: Make App Store Connect Release

    runs-on: macos-13-xlarge

    env:
      destination: ${{ github.event.inputs.destination || inputs.destination }}
      asana-task-url: ${{ github.event.inputs.asana-task-url || inputs.asana-task-url }}

    steps:

    - name: Assert release branch
      if: env.destination == 'appstore'
      run: |
        case "${{ inputs.branch || github.ref_name }}" in
          release/*) ;;
          hotfix/*) ;;
          *) echo "👎 Not a release or hotfix branch"; exit 1 ;;
        esac

    - name: Register SSH keys for submodules access
      uses: webfactory/ssh-agent@v0.7.0
      with:
        ssh-private-key: |
          ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}

    - name: Check out the code
      uses: actions/checkout@v3
      with:
        submodules: recursive
        ref: ${{ inputs.branch || github.ref_name }}

    - name: Select Xcode
      run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer

    - name: Prepare fastlane
      run: bundle install

    - name: Install xcbeautify
      continue-on-error: true
      run: brew install xcbeautify

    - name: Archive and Upload the App
      env:
        APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
        APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
        MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
      run: |
        bundle exec fastlane release_${{ env.destination }}
        dsyms_path="${{ github.workspace }}/DuckDuckGo-AppStore.app.dSYM.zip"
        mv -f "${{ github.workspace }}/DuckDuckGo App Store.app.dSYM.zip" "${dsyms_path}"
        version="$(cut -d ' ' -f 3 < Configuration/Version.xcconfig)"
        build_number="$(cut -d ' ' -f 3 < Configuration/BuildNumber.xcconfig)"
        echo "dsyms_path=${dsyms_path}" >> $GITHUB_ENV
        echo "app_version=${version}.${build_number}" >> $GITHUB_ENV

    - name: Upload dSYMs artifact
      uses: actions/upload-artifact@v4
      with:
        name: DuckDuckGo-${{ env.destination }}-dSYM-${{ env.app_version }}
        path: ${{ env.dsyms_path }}

    - name: Get Asana Task ID
      id: get-task-id
      if: env.asana-task-url
      uses: ./.github/actions/asana-extract-task-id
      with:
        task-url: ${{ env.asana-task-url }}

    - name: Upload debug symbols to Asana
      if: env.asana-task-url
      env:
        ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
      run: |
        asana_dsyms_path="${{ github.workspace }}/DuckDuckGo-AppStore-${{ env.app_version }}-dSYM.zip"
        mv -f "${{ env.dsyms_path }}" "$asana_dsyms_path"

        curl -s "https://app.asana.com/api/1.0/tasks/${{ steps.get-task-id.outputs.task-id }}/attachments" \
          -H "Authorization: Bearer ${{ env.ASANA_ACCESS_TOKEN }}" \
          --form "file=@${asana_dsyms_path};type=application/zip"

    - name: Send Mattermost message
      env:
        WORKFLOW_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
        DESTINATION: ${{ env.destination }}
      run: |
        export MM_USER_HANDLE=$(base64 -d <<< ${{ secrets.MM_HANDLES_BASE64 }} | jq ".${{ github.actor }}" | tr -d '"')

        if [[ -z "${MM_USER_HANDLE}" ]]; then
            echo "Mattermost user handle not known for ${{ github.actor }}, skipping sending message"
        else

            curl -s -H 'Content-type: application/json' \
                -d "$(envsubst < ./scripts/assets/appstore-release-mm-template.json)" \
                ${{ secrets.MM_WEBHOOK_URL }}
        fi