Add GHA workflow to cut release branch

.github/workflows/build_appstore.yml

@@ -26,6 +26,10 @@ on:
         description: "Asana release task URL"
         required: true
         type: string
+      branch:
+        description: "Branch name"
+        required: false
+        type: string
     secrets:
       SSH_PRIVATE_KEY_FASTLANE_MATCH:
         required: true
@@ -60,9 +64,9 @@ jobs:
     - name: Assert release branch
       if: env.destination == 'appstore'
       run: |
-        case "${{ github.ref }}" in
-          refs/heads/release/*) ;;
-          refs/heads/hotfix/*) ;;
+        case "${{ inputs.branch || github.ref_name }}" in
+          release/*) ;;
+          hotfix/*) ;;
           *) echo "👎 Not a release or hotfix branch"; exit 1 ;;
         esac
 
@@ -76,7 +80,7 @@ jobs:
       uses: actions/checkout@v3
       with:
         submodules: recursive
-        ref: ${{ github.ref_name }}
+        ref: ${{ inputs.branch || github.ref_name }}
 
     - name: Select Xcode
       run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer
@@ -104,7 +108,7 @@ jobs:
         echo "app_version=${version}.${build_number}" >> $GITHUB_ENV
 
     - name: Upload dSYMs artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: DuckDuckGo-${{ env.destination }}-dSYM-${{ env.app_version }}
         path: ${{ env.dsyms_path }}

.github/workflows/build_notarized.yml

@@ -38,6 +38,10 @@ on:
         description: "Asana release task URL"
         required: true
         type: string
+      branch:
+        description: "Branch name"
+        required: false
+        type: string
     secrets:
       BUILD_CERTIFICATE_BASE64:
         required: true
@@ -103,7 +107,7 @@ jobs:
       uses: actions/checkout@v3
       with:
         submodules: recursive
-        ref: ${{ github.ref_name }}
+        ref: ${{ inputs.branch || github.ref_name }}
 
     - name: Install Apple Developer ID Application certificate
       uses: ./.github/actions/install-certs-and-profiles
@@ -155,13 +159,13 @@ jobs:
         echo "app-name=${{ env.app-name }}" >> $GITHUB_OUTPUT
 
     - name: Upload app artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: DuckDuckGo-${{ env.release-type }}-${{ env.app-version }}.app
         path: ${{ github.workspace }}/release/DuckDuckGo-${{ env.app-version }}.zip
 
     - name: Upload dSYMs artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: DuckDuckGo-${{ env.release-type }}-dSYM-${{ env.app-version }}
         path: ${{ github.workspace }}/release/DuckDuckGo-${{ env.app-version }}-dSYM.zip
@@ -205,7 +209,7 @@ jobs:
     steps:
 
     - name: Fetch app bundle
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: DuckDuckGo-${{ env.release-type }}-${{ env.app-version }}.app
         path: ${{ github.workspace }}/dmg
@@ -234,7 +238,7 @@ jobs:
             "dmg"
 
     - name: Upload DMG artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: DuckDuckGo-${{ env.release-type }}-${{ env.app-version }}.dmg
         path: ${{ github.workspace }}/duckduckgo*-${{ env.app-version }}.dmg

.github/workflows/code_freeze.yml

@@ -0,0 +1,140 @@
+name: Code Freeze
+
+on:
+  workflow_dispatch:
+
+jobs:
+
+  create_release_branch:
+
+    name: Create Release Branch
+
+    runs-on: macos-13-xlarge
+    timeout-minutes: 10
+
+    outputs:
+      release_branch_name: ${{ steps.make_release_branch.outputs.release_branch_name }}
+      asana_task_url: ${{ steps.create_release_task.outputs.asana_task_url }}
+
+    steps:
+
+      - name: Assert main branch
+        run: |
+          if [ "${{ github.ref_name }}" != "main" ]; then
+            echo "👎 Not the main branch"
+            exit 1
+          fi
+
+      - name: Check out the code
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Prepare fastlane
+        run: bundle install
+
+      - name: Make release branch
+        id: make_release_branch
+        env:
+          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+          APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
+        run: |
+          git config --global user.name "Dax the Duck"
+          git config --global user.email "[email protected]"
+          bundle exec fastlane make_release_branch
+
+      - name: Create release task
+        id: create_release_task
+        env:
+          ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
+        run: |
+          version="$(echo ${{ steps.make_release_branch.outputs.release_branch_name }} | cut -d '/' -f 2)"
+          task_name="macOS App Release $version"
+          asana_task_id="$(curl -fLSs -X POST "https://app.asana.com/api/1.0/task_templates/${{ vars.MACOS_RELEASE_TASK_TEMPLATE_ID }}/instantiateTask" \
+            -H "Authorization: Bearer ${{ env.ASANA_ACCESS_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d "{ \"data\": { \"name\": \"$task_name\" }}" \
+            | jq -r .data.new_task.gid)"
+          echo "asana_task_url=https://app.asana.com/0/0/${asana_task_id}/f" >> $GITHUB_OUTPUT
+
+          assignee_id="$(curl -fLSs https://raw.githubusercontent.com/duckduckgo/BrowserServicesKit/main/.github/actions/asana-failed-pr-checks/user_ids.json \
+            | jq -r .${{ github.actor }})"
+
+          curl -fLSs -X PUT "https://app.asana.com/api/1.0/tasks/${asana_task_id}" \
+            -H "Authorization: Bearer ${{ env.ASANA_ACCESS_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            --output /dev/null \
+            -d "{ \"data\": { \"assignee\": \"$assignee_id\" }}"
+
+  run_tests:
+
+    name: Run Tests
+
+    needs: create_release_branch
+    uses: ./.github/workflows/pr.yml
+    with:
+      branch: ${{ needs.create_release_branch.outputs.release_branch_name }}
+    secrets:
+      ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
+
+  increment_build_number:
+
+    name: Increment Build Number
+
+    needs: [ create_release_branch, run_tests ]
+    runs-on: macos-13-xlarge
+    timeout-minutes: 10
+
+    steps:
+
+      - name: Check out the code
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+          ref: ${{ needs.create_release_branch.outputs.release_branch_name }}
+
+      - name: Prepare fastlane
+        run: bundle install
+
+      - name: Increment build number
+        env:
+          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+          APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
+        run: |
+          git config --global user.name "Dax the Duck"
+          git config --global user.email "[email protected]"
+          bundle exec fastlane bump_internal_release update_embedded_files:false
+
+  prepare_release:
+    name: Prepare Release
+    needs: [ create_release_branch, increment_build_number ]
+    uses: ./.github/workflows/release.yml
+    with:
+      asana-task-url: ${{ needs.create_release_branch.outputs.asana_task_url }}
+      branch: ${{ needs.create_release_branch.outputs.release_branch_name }}
+    secrets:
+      BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+      P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+      KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+      REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.REVIEW_PROVISION_PROFILE_BASE64 }}
+      RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }}
+      DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
+      DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
+      NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64_V2: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64_V2 }}
+      NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64_V2: ${{ secrets.NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64_V2 }}
+      NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64_V2: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64_V2 }}
+      NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64_V2: ${{ secrets.NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64_V2 }}
+      NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }}
+      NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64 }}
+      APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+      APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+      APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
+      ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
+      MM_HANDLES_BASE64: ${{ secrets.MM_HANDLES_BASE64 }}
+      MM_WEBHOOK_URL: ${{ secrets.MM_WEBHOOK_URL }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
+      SSH_PRIVATE_KEY_FASTLANE_MATCH: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}

.github/workflows/pr.yml

@@ -5,6 +5,11 @@ on:
     branches: [ main, "release/**" ]
   pull_request:
   workflow_call:
+    inputs:
+      branch:
+        description: "Branch name"
+        required: false
+        type: string
     secrets:
       ASANA_ACCESS_TOKEN:
         required: true
@@ -38,7 +43,7 @@ jobs:
       if: github.event_name != 'pull_request' && github.event_name != 'push'
       uses: actions/checkout@v3
       with:
-        ref: ${{ github.ref_name }}
+        ref: ${{ inputs.branch || github.ref_name }}
 
     - name: Run ShellCheck
       uses: ludeeus/action-shellcheck@master
@@ -92,7 +97,7 @@ jobs:
       uses: actions/checkout@v3
       with:
         submodules: recursive
-        ref: ${{ github.ref_name }}
+        ref: ${{ inputs.branch || github.ref_name }}
 
     - name: Set cache key hash
       run: |
@@ -196,31 +201,31 @@ jobs:
           | xargs -L 1 ./scripts/report-failed-unit-test.sh
 
     - name: Upload failed unit tests log
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: failure()
       with:
         name: ${{ matrix.flavor }}-unittests-xcodebuild.log
         path: ${{ matrix.flavor }}-unittests-xcodebuild.log
         retention-days: 7
 
     - name: Upload failed unit tests xcresult
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: failure()
       with:
         name: ${{ matrix.flavor }}-unittests.xcresult
         path: ${{ matrix.flavor }}-unittests.xcresult
         retention-days: 7
 
     - name: Upload failed integration tests log
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: failure()
       with:
         name: ${{ matrix.flavor }}-integrationtests-xcodebuild.log
         path: ${{ matrix.flavor }}-integrationtests-xcodebuild.log
         retention-days: 7
 
     - name: Upload failed integration tests xcresult
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: failure()
       with:
         name: ${{ matrix.flavor }}-integrationtests.xcresult
@@ -319,7 +324,7 @@ jobs:
           | xcbeautify
 
     - name: Upload failed test log
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: failure()
       with:
         name: release-xcodebuild.log

.github/workflows/release.yml

@@ -13,6 +13,10 @@ on:
         description: "Asana release task URL"
         required: true
         type: string
+      branch:
+        description: "Branch name"
+        required: false
+        type: string
     secrets:
       BUILD_CERTIFICATE_BASE64:
         required: true
@@ -70,6 +74,7 @@ jobs:
       release-type: release
       create-dmg: true
       asana-task-url: ${{ github.event.inputs.asana-task-url || inputs.asana-task-url }}
+      branch: ${{ inputs.branch }}
     secrets:
       BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
       P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
@@ -99,6 +104,7 @@ jobs:
     with:
       destination: appstore
       asana-task-url: ${{ github.event.inputs.asana-task-url || inputs.asana-task-url }}
+      branch: ${{ inputs.branch }}
     secrets:
       SSH_PRIVATE_KEY_FASTLANE_MATCH: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
       APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}