Merge branch 'alex/malware-protection-1' into alex/malware-protection-5

.github/actions/asana-get-build-variants-list/action.yml

@@ -19,9 +19,12 @@ inputs:
     required: true
     type: string
 outputs:
-  build-variants:
-    description: "The list of build variants to create"
-    value: ${{ steps.get-build-variants-task.outputs.build-variants }}
+  build-variants-1:
+    description: "The list of build variants to create (batch 1)"
+    value: ${{ steps.get-build-variants-task.outputs.build-variants-1 }}
+  build-variants-2:
+    description: "The list of build variants to create (batch 2)"
+    value: ${{ steps.get-build-variants-task.outputs.build-variants-2 }}
 runs:
   using: "composite"
   steps:

.github/actions/asana-get-build-variants-list/get_build_variants_list.sh

@@ -22,9 +22,7 @@ _create_origins_and_variants() {
 	jq -c '.data[]
 		| select(.custom_fields[] | select(.name == "'"${origin_field}"'").text_value != null)
 		| {origin: (.custom_fields[] | select(.name == "'"${origin_field}"'") | .text_value), variant: (.custom_fields[] | select(.name == "'"${atb_field}"'") | .text_value)}
-		| if .variant != null then {origin}, {origin, variant} else {origin} end' <<< "$response" \
-		| tr '\n' ',' \
-		| sed 's/,$//'
+		| if .variant != null then {origin}, {origin, variant} else {origin} end' <<< "$response"
 }
 
 # Fetch all the Asana tasks in the section specified by ORIGIN_ASANA_SECTION_ID for a project.
@@ -56,7 +54,7 @@ _fetch_origin_tasks() {
 		fi
 	done
 
-	echo "${origin_variants}"
+	printf "%s\n" "${origin_variants[@]}"
 }
 
 # Create a JSON string from the list of ATB items passed.
@@ -70,9 +68,7 @@ _create_atb_variant_pairs() {
 	# remove the trailing comma at the end of the line.
 	jq -R -c 'split(",") 
 		| map({variant: .}) 
-		| .[]' <<< "$response" \
-		| tr '\n' ',' \
-		| sed 's/,$//'
+		| .[]' <<< "$response"
 }
 
 # Fetches all the ATB variants defined in the ATB_ASANA_TASK_ID at the Variants list (comma separated) section.
@@ -92,19 +88,53 @@ _fetch_atb_variants() {
 
 	variants_list=("$(_create_atb_variant_pairs "$atb_variants")")
 
-	echo "${variants_list}"
+	printf "%s\n" "${variants_list[@]}"
+}
+
+split_array_into_chunks() {
+    local array=("$@")
+    local chunk_size=256
+    local total_elements=${#array[@]}
+    local chunks=()
+	local items
+
+    for ((i = 0; i < total_elements; i += chunk_size)); do
+		# Format the list of variants in a JSON object suitable for being consumed by GitHub Actions matrix.
+		# For more info see https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs#example-adding-configurations.
+		items="$(echo "${array[@]:i:chunk_size}" |  tr ' ' ',')"
+		chunks+=("{\"include\": [${items}]}")
+    done
+
+	printf "%s\n" "${chunks[@]}"
 }
 
 main() {
+	local variants=()
+	local items=()
+
 	# fetch ATB variants
-	local atb_variants=$(_fetch_atb_variants)
+	variants+=("$(_fetch_atb_variants)")
 	# fetch Origin variants
-	local origin_variants=$(_fetch_origin_tasks)
-	# merges the two list together. Use `include` keyword for later usage in matrix. 
-	# for more info see https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs#example-adding-configurations.
-	local merged_variants="{\"include\": [${atb_variants},${origin_variants}]}"
-	# write in GitHub output
-	echo "build-variants=${merged_variants}" >> "$GITHUB_OUTPUT"
+	variants+=("$(_fetch_origin_tasks "$origin_batch")")
+
+	while read -r variant; do
+		items+=("$variant")
+	done <<< "$(printf "%s\n" "${variants[@]}")"
+
+	echo "Found ${#items[@]} variants"
+
+	local chunks=()
+	while read -r chunk; do
+		chunks+=("$chunk")
+	done <<< "$(split_array_into_chunks "${items[@]}")"
+
+	local i=1
+    for chunk in "${chunks[@]}"; do
+		# Save to GitHub output
+		echo "Storing chunk #${i}"
+		echo "build-variants-${i}=${chunk}" >> "$GITHUB_OUTPUT"
+		i=$((i + 1))
+    done
 }
 
-main 
+main "$@"

.github/workflows/build_appstore.yml

@@ -77,7 +77,7 @@ jobs:
         esac
 
     - name: Register SSH key for certificates repository access
-      uses: webfactory/ssh-agent@v0.7.0
+      uses: webfactory/ssh-agent@v0.9.0
       with:
         ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
 

.github/workflows/build_hotfix_release.yml

@@ -72,16 +72,21 @@ jobs:
         id: task-id
         run: bundle exec fastlane run asana_extract_task_id task_url:"${{ github.event.inputs.asana-task-url }}"
 
-      - name: Update Asana tasks for the release
+      - name: Update Asana for the release
+        id: update-asana
+        continue-on-error: true
         env:
           ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
-          GH_TOKEN: ${{ github.token }}
+          GITHUB_TOKEN: ${{ github.token }}
           BRANCH: ${{ github.ref_name }}
         run: |
-          version="$(cut -d '/' -f 2 <<< "$BRANCH")"
-          # 'internal', because we start with making a build that still needs to be tested before being published
-          # and we want Asana tasks to be moved to "Validation" and not already to "Done"
-          ./scripts/update_asana_for_release.sh internal ${{ steps.task-id.outputs.asana_task_id }} ${{ vars.MACOS_APP_BOARD_VALIDATION_SECTION_ID }} "${version}"
+          bundle exec fastlane run update_asana_for_release \
+            platform:macos \
+            release_type:internal \
+            github_handle:"${{ github.actor }}" \
+            is_scheduled_release:"${{ github.event_name == 'schedule' }}" \
+            release_task_id:"${{ steps.task-id.outputs.asana_task_id }}" \
+            target_section_id:"${{ vars.MACOS_APP_BOARD_VALIDATION_SECTION_ID }}"
 
   prepare_release:
     name: Prepare Release

.github/workflows/build_notarized.yml

@@ -93,7 +93,7 @@ jobs:
 
     steps:
     - name: Register SSH key for certificates repository access
-      uses: webfactory/ssh-agent@v0.7.0
+      uses: webfactory/ssh-agent@v0.9.0
       with:
         ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
 

.github/workflows/create_variant.yml

@@ -1,3 +1,5 @@
+name: Create DMG Variant
+
 on:
   workflow_dispatch:
     inputs:
@@ -51,7 +53,7 @@ jobs:
     steps:
 
     - name: Register SSH key for certificates repository access
-      uses: webfactory/ssh-agent@v0.7.0
+      uses: webfactory/ssh-agent@v0.9.0
       with:
         ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
 

.github/workflows/create_variants.yml

@@ -36,7 +36,8 @@ jobs:
     timeout-minutes: 15
 
     outputs:
-      build-variants: ${{ steps.get-build-variants.outputs.build-variants }}
+      build-variants-1: ${{ steps.get-build-variants.outputs.build-variants-1 }}
+      build-variants-2: ${{ steps.get-build-variants.outputs.build-variants-2 }}
 
     steps:
       - name: Check out repository
@@ -69,14 +70,35 @@ jobs:
           path: ${{ github.workspace }}/duckduckgo.dmg
           retention-days: 1
 
-  create-variants:
+  create-variants-1:
 
     name: Create Variant
     needs: [set-up-variants, download-dmg-and-upload-artifact]
 
     strategy:
       fail-fast: false
-      matrix: ${{ fromJSON(needs.set-up-variants.outputs.build-variants) }}
+      matrix: ${{ fromJSON(needs.set-up-variants.outputs.build-variants-1) }}
+    uses: ./.github/workflows/create_variant.yml
+    with:
+      atb-variant: ${{ matrix.variant }}
+      origin-variant: ${{ matrix.origin }}
+    secrets:
+      APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+      APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+      APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
+      AWS_ACCESS_KEY_ID_RELEASE_S3: ${{ secrets.AWS_ACCESS_KEY_ID_RELEASE_S3 }}
+      AWS_SECRET_ACCESS_KEY_RELEASE_S3: ${{ secrets.AWS_SECRET_ACCESS_KEY_RELEASE_S3 }}
+      MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
+      SSH_PRIVATE_KEY_FASTLANE_MATCH: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
+
+  create-variants-2:
+
+    name: Create Variant
+    needs: [set-up-variants, download-dmg-and-upload-artifact]
+
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON(needs.set-up-variants.outputs.build-variants-2) }}
     uses: ./.github/workflows/create_variant.yml
     with:
       atb-variant: ${{ matrix.variant }}
@@ -93,14 +115,29 @@ jobs:
   mattermost:
 
     name: Send Mattermost message
-    needs: create-variants
+    needs: [create-variants-1, create-variants-2]
     runs-on: macos-15
 
     env:
-      success: ${{ needs.create-variants.result == 'success' }}
-      failure: ${{ needs.create-variants.result == 'failure' }}
+      success: ${{ needs.create-variants-1.result == 'success' && needs.create-variants-2.result == 'success' }}
+      failure: ${{ needs.create-variants-1.result == 'failure' || needs.create-variants-2.result == 'failure' }}
 
     steps:
+      - name: Check out the code
+        if: ${{ env.success || env.failure }} # Don't execute when cancelled
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            .github
+            Gemfile
+            Gemfile.lock
+            fastlane
+            scripts
+
+      - name: Set up fastlane
+        if: ${{ env.success || env.failure }} # Don't execute when cancelled
+        run: bundle install
+
       - name: Send Mattermost message
         if: ${{ env.success || env.failure }} # Don't execute when cancelled
         env:

.github/workflows/hotfix.yml

@@ -28,6 +28,7 @@ jobs:
       - name: Check out the code
         uses: actions/checkout@v4
         with:
+          token: ${{ secrets.GHA_ELEVATED_PERMISSIONS_TOKEN }}
           submodules: recursive
           fetch-depth: 0 # Fetch all history and tags in order to extract Asana task URLs from git log
 
@@ -41,44 +42,17 @@ jobs:
           APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
           APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
           # Elevated permissions token is needed here to use GH git/refs API (used by fastlane)
-          GH_TOKEN: ${{ secrets.GHA_ELEVATED_PERMISSIONS_TOKEN }}
-        run: |
-          git config --global user.name "Dax the Duck"
-          git config --global user.email "[email protected]"
-          last_release="$(gh api repos/${{ github.repository }}/releases/latest | jq -r .tag_name)"
-          echo "last_release=$last_release" >> $GITHUB_OUTPUT
-          bundle exec fastlane prepare_hotfix version:"$last_release"
-
-      - name: Create release task
-        id: create_release_task
-        env:
+          GITHUB_TOKEN: ${{ secrets.GHA_ELEVATED_PERMISSIONS_TOKEN }}
           ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
         run: |
-          version="$(echo ${{ steps.make_release_branch.outputs.release_branch_name }} | cut -d '/' -f 2)"
-          task_name="macOS App Hotfix Release $version"
-          asana_task_id="$(curl -fLSs -X POST "https://app.asana.com/api/1.0/task_templates/${{ vars.MACOS_HOTFIX_TASK_TEMPLATE_ID }}/instantiateTask" \
-            -H "Authorization: Bearer ${{ env.ASANA_ACCESS_TOKEN }}" \
-            -H "Content-Type: application/json" \
-            -d "{ \"data\": { \"name\": \"$task_name\" }}" \
-            | jq -r .data.new_task.gid)"
-          echo "marketing_version=${version}" >> $GITHUB_OUTPUT
-          echo "asana_task_id=${asana_task_id}" >> $GITHUB_OUTPUT
-          echo "asana_task_url=https://app.asana.com/0/0/${asana_task_id}/f" >> $GITHUB_OUTPUT
+          bundle exec fastlane run start_new_release \
+            platform:"macos" \
+            github_handle:"${{ github.actor }}" \
+            is_hotfix:"true"
 
-          curl -fLSs -X POST "https://app.asana.com/api/1.0/sections/${{ vars.MACOS_APP_DEVELOPMENT_RELEASE_SECTION_ID }}/addTask" \
-            -H "Authorization: Bearer ${{ env.ASANA_ACCESS_TOKEN }}" \
-            -H "Content-Type: application/json" \
-            --output /dev/null \
-            -d "{\"data\": {\"task\": \"${asana_task_id}\"}}"
-
-          assignee_id="$(curl -fLSs https://raw.githubusercontent.com/duckduckgo/BrowserServicesKit/main/.github/actions/asana-failed-pr-checks/user_ids.json \
-            | jq -r .${{ github.actor }})"
-
-          curl -fLSs -X PUT "https://app.asana.com/api/1.0/tasks/${asana_task_id}" \
-            -H "Authorization: Bearer ${{ env.ASANA_ACCESS_TOKEN }}" \
-            -H "Content-Type: application/json" \
-            --output /dev/null \
-            -d "{ \"data\": { \"assignee\": \"$assignee_id\" }}"
+      # Necessary as make_release_branch will checkout a hotfix branch and the plugins may be differnet
+      - name: Reinstall fastlane
+        run: bundle install
 
       - name: Report success
         env:
@@ -88,5 +62,5 @@ jobs:
           WORKFLOW_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
         run: |
           bundle exec fastlane run asana_add_comment \
-            task_url:"${{ steps.create_release_task.outputs.asana_task_url }}" \
+            task_url:"${{ steps.make_release_branch.outputs.asana_task_url }}" \
             template_name:"hotfix-branch-ready"

.github/workflows/pir_end_to_end_tests.yml

@@ -32,7 +32,7 @@ jobs:
 
     steps:
     - name: Register SSH keys for certificates repository and PIR fake broker repository access
-      uses: webfactory/ssh-agent@v0.7.0
+      uses: webfactory/ssh-agent@v0.9.0
       with:
         ssh-private-key: |
                         ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}

.github/workflows/pr.yml

@@ -128,7 +128,7 @@ jobs:
 
     steps:
     - name: Register SSH key for certificates repository access
-      uses: webfactory/ssh-agent@v0.7.0
+      uses: webfactory/ssh-agent@v0.9.0
       with:
         ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
 
@@ -322,7 +322,7 @@ jobs:
 
     steps:
     - name: Register SSH key for certificates repository access
-      uses: webfactory/ssh-agent@v0.7.0
+      uses: webfactory/ssh-agent@v0.9.0
       with:
         ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
 

.github/workflows/publish_dmg_release.yml

@@ -254,6 +254,7 @@ jobs:
         env:
           ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
           BRANCH: ${{ github.ref_name }}
+          GITHUB_TOKEN: ${{ github.token }}
         run: |
           bundle exec fastlane run update_asana_for_release \
             platform:macos \

.github/workflows/sync_end_to_end.yml

@@ -56,7 +56,7 @@ jobs:
       run: screenresolution set 1920x1080x32@60
 
     - name: Register SSH key for certificates repository access
-      uses: webfactory/ssh-agent@v0.7.0
+      uses: webfactory/ssh-agent@v0.9.0
       with:
         ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
 

.github/workflows/sync_end_to_end_legacy_os.yml

@@ -42,7 +42,7 @@ jobs:
     timeout-minutes: 60
     steps:
     - name: Register SSH key for certificates repository access
-      uses: webfactory/ssh-agent@v0.7.0
+      uses: webfactory/ssh-agent@v0.9.0
       with:
         ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
 

.github/workflows/ui_tests.yml

@@ -64,7 +64,7 @@ jobs:
       run: screenresolution set 1920x1080x32@60
 
     - name: Register SSH key for certificates repository access
-      uses: webfactory/ssh-agent@v0.7.0
+      uses: webfactory/ssh-agent@v0.9.0
       with:
         ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
 

Configuration/BuildNumber.xcconfig

@@ -1 +1 @@
-CURRENT_PROJECT_VERSION = 313
+CURRENT_PROJECT_VERSION = 318

Configuration/Version.xcconfig

@@ -1 +1 @@
-MARKETING_VERSION = 1.115.0
+MARKETING_VERSION = 1.116.0