Improved Semaphore CI configuration (#3210)

* Updated gradle to 9.5.0

* Updated CI scripts with --no-daemon, --build-cache, and --max-workers=2 flags

* Refactored Semaphore CI caching strategy and separated checksums

* wip

* Refactored CI scripts for improved robustness and emulator handling

- Updated shebangs to `#!/usr/bin/env bash` and added `set -euo pipefail` for better error handling.
- Improved emulator setup in `ci-setup-and-run-emulator.sh` by ensuring a fresh AVD state and configuring hardware parameters like RAM and GPU.
- Optimized `ci-wait-for-emulator.sh` with more reliable boot completion checks and a retry loop for internet connectivity.
- Added existence checks for directories and files in artifact and test result publishing scripts to prevent errors when files are missing.
- Cleaned up redundant script headers and refactored argument handling in instrumentation test scripts.

* Removed --max-workers=2 from CI scripts and semaphore configuration

* Removed native and redundant build caches from Semaphore configuration

* Removed ninja-build installation from semaphore.yml

* Configured emulator DNS server and added resolution checks in CI scripts

* Replaced -dns-server flag with /etc/hosts entries in emulator CI scripts

* Removed hosts file modifications and adb remount from ci-wait-for-emulator.sh

* Updated ci-wait-for-emulator.sh to restart adb if root fails

* Updated ci-setup-and-run-emulator.sh to use avdmanager for AVD deletion

* Commented out debug logging in ci-setup-and-run-emulator.sh

* Added DNS initialization check to ci-wait-for-emulator.sh

* Updated ci-wait-for-emulator.sh to increase ping attempts and remove DNS property checks

* Added network diagnostic logging and improved ping verification in ci-wait-for-emulator.sh

* Enabled HTTP logging and updated CI configuration to run debug instrumentation tests

* Refactored ci-wait-for-emulator.sh to improve network setup and verification

* Added CI failure debug script and updated Semaphore configuration

* Add Ubuntu 24.04 Docker image for Android emulator SDK environment

* Refactor Android emulator setup into shared scripts

* Refactoring

* Slipped KVM for Docker image

* Modified Dockerfile

* Modified Dockerfile

* Modified Dockerfile

* Added docker/HttpsTestWebServer

* Updated docker/TestEnvironment

* ci(android): replace emulator iptables setup with /system/etc/hosts routing for flowcrypt.test domains

* ci(semaphore): redirect local HTTPS traffic from 443 to mock server on 1212 for emulator UI tests

* ci(semaphore): fix emulator routing by redirecting 10.0.2.2:443 to 1212 and add fes.flowcrypt.test host mapping

* docker(https-test-webserver): run dnsmasq alongside nginx and expose host DNS for *.flowcrypt.test

- install dnsmasq in HttpsTestWebServer image
- add dnsmasq config mapping *.flowcrypt.test to 127.0.0.1
- add entrypoint to start dnsmasq and nginx in one container
- switch run.sh to host networking with NET_ADMIN/NET_BIND_SERVICE
- expose DNS ports (53 tcp/udp) and HTTPS (443)

* Modified ci-after-fail-debug.sh

* Restored some files

* ci(android): force emulator DNS via host and harden 443->1212 redirect for flowcrypt.test tests

* Improved ci-after-fail-debug.sh

* Added ci-setup-DNS.sh

* Fix ci-setup-DNS.sh usage on CI

* Fixed ci-setup-DNS.sh

* Modified ci-wait-for-emulator.sh

* Modified ci-wait-for-emulator.sh and run-emulator.sh

* wip

* Restored ci-instrumentation-tests-flaky.sh

* Restored build.gradle.kts

* i(dns): align HttpsTestWebServer dnsmasq with CI DNS setup and add startup DNS checks

* Restored some configurations in semaphore.yml

* Updated gradle to 9.5.1

* Improved ci-wait-for-emulator.sh

* docker(test-env): route emulator DNS via host dnsmasq and document host-network adb behavior

* Temporary disabled ComposeScreenPasswordProtectedDisallowedTermsReFetchConfigurationFlowTest.kt

* Improved ci-wait-for-emulator.sh

* Updated docker/TestEnvironment/Dockerfile

* docs(readme): align DNS test setup docs with ci-setup-DNS.sh
Alternative: docs: replace manual dnsmasq steps with ci-setup-DNS.sh usage

* docs(readme): fixed redundant git difference

* switched to use -gpu auto for emulators on CI

Author: DenBond7

.semaphore/semaphore.yml

@@ -25,47 +25,28 @@ global_job_config:
       value: /home/semaphore/Android/Sdk
   prologue:
     commands:
-      # fix DNS to ping *.localhost and *.flowcrypt.test
       - sudo apt-get update
-      - sudo apt install -y dnsmasq resolvconf
-      - echo "#added by flowcrypt" | sudo tee -a /etc/dnsmasq.conf
-      - echo "listen-address=127.0.0.1" | sudo tee -a /etc/dnsmasq.conf
-      - echo "address=/test/127.0.0.1" | sudo tee -a /etc/dnsmasq.conf
-      - echo "address=/localhost/127.0.0.1" | sudo tee -a /etc/dnsmasq.conf
-      - echo "server=8.8.8.8" | sudo tee -a /etc/dnsmasq.conf
-      # redirect the systemd-resolved to use the localhost as the primary nameserver
-      - sudo sed -i '1inameserver 127.0.0.1\' /etc/resolv.conf
-      - sudo systemctl restart dnsmasq
-      # print some debug info
-      - ping fel.localhost -c 1
-      - ping fel.flowcrypt.test -c 1
       # use JAVA 21 by default
       - sem-version java 21
       # general settings
       - export PATH=${ANDROID_HOME}/emulator:${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/platform-tools:${PATH}
       - sudo rm -rf ~/.rbenv ~/.phpbrew
       - checkout
+      # fix DNS to ping *.localhost and *.flowcrypt.test
+      - ./script/ci-setup-DNS.sh
       # init environment variables
-      - export SUM=$(checksum build.gradle.kts)-$(checksum FlowCrypt/build.gradle.kts)-$(checksum ./script/ci-install-android-sdk.sh)
-      - export APP_GRADLE_CACHE=gradle-cache-$SUM # per conf files hash
-      - export ANDROID_SDK_CACHE=android-sdk-$SUM # per conf files hash
-      - export BUILD_CXX_CACHE=build-cxx-cache-$SEMAPHORE_GIT_BRANCH-$SUM  # per branch and conf files hash
-      - export BUILD_NATIVE_CACHE=build-native-cache-$SEMAPHORE_GIT_BRANCH-$SUM  # per branch and conf files hash
-      - export BUILD_CACHE=build-cache-$SEMAPHORE_GIT_BRANCH-$SUM  # per branch and conf files hash
+      - export GRADLE_SUM=$(checksum build.gradle.kts)-$(checksum FlowCrypt/build.gradle.kts)
+      - export SDK_SUM=$(checksum ./script/ci-install-android-sdk.sh)
+      - export APP_GRADLE_CACHE=project-gradle-cache-$GRADLE_SUM # project .gradle cache, per Gradle config hash
+      - export ANDROID_SDK_CACHE=android-sdk-$SDK_SUM # Android SDK cache, per SDK installer hash
       # restore app caches
       - cache restore $APP_GRADLE_CACHE
-      - cache restore $BUILD_CXX_CACHE
-      - cache restore $BUILD_NATIVE_CACHE
-      - cache restore $BUILD_CACHE
       # restore global caches
       - cache restore $ANDROID_SDK_CACHE
       - cache restore gradle-wrapper
-      - cache restore gradle-cache
-      - cache restore android-build-cache
+      - cache restore gradle-cache-$GRADLE_SUM
       # Install Android dependencies if needed
       - ./script/ci-install-android-sdk.sh
-      # Install ninja
-      - sudo apt install -y ninja-build
 blocks:
   - name: 'Build'
     execution_time_limit:
@@ -79,27 +60,20 @@ blocks:
             # print Java version
             - java -version
             # compile project
-            - ./gradlew --console=plain assembleConsumerUiTests
+            - ./gradlew --console=plain --no-daemon --build-cache assembleConsumerUiTests
       epilogue:
         on_pass:
           commands:
             # store app cache
             - echo "Store the app cache"
             - cache has_key $APP_GRADLE_CACHE || cache store $APP_GRADLE_CACHE .gradle
-            - cache has_key $BUILD_CXX_CACHE || cache store $BUILD_CXX_CACHE FlowCrypt/.cxx
-            - cache has_key $BUILD_NATIVE_CACHE || cache store $BUILD_NATIVE_CACHE FlowCrypt/.externalNativeBuild
-            - cache has_key $BUILD_CACHE || cache store $BUILD_CACHE FlowCrypt/build
 
             # clean and store global cache
             - echo "Store the global cache"
             - find ~/.gradle/caches/ -name "*.lock" -type f -delete # https://medium.com/cirruslabs/mastering-gradle-caching-and-incremental-builds-37eb1af7fcde
             - cache has_key $ANDROID_SDK_CACHE || cache store $ANDROID_SDK_CACHE $ANDROID_HOME
-            - cache delete gradle-wrapper
-            - cache delete gradle-cache
-            - cache delete android-build-cache
-            - cache store gradle-wrapper ~/.gradle/wrapper
-            - cache store gradle-cache ~/.gradle/caches
-            - cache store android-build-cache ~/.android/build-cache
+            - cache has_key gradle-wrapper || cache store gradle-wrapper ~/.gradle/wrapper
+            - cache has_key gradle-cache-$GRADLE_SUM || cache store gradle-cache-$GRADLE_SUM ~/.gradle/caches
 
   - name: 'Testing'
     task:
@@ -188,6 +162,8 @@ blocks:
           commands:
             # collect and store debug info as artifacts
             - ./script/ci-get-and-publish-debug-info-as-artifact.sh
+            # print debug info
+            - ./script/ci-after-fail-debug.sh
 
 after_pipeline:
   task:

FlowCrypt/build.gradle.kts

@@ -6,8 +6,6 @@
 
 import com.android.build.api.artifact.SingleArtifact
 import com.android.build.api.variant.ResValue
-import org.gradle.api.GradleException
-import java.io.File
 import com.android.ddmlib.DdmPreferences
 import java.io.FileInputStream
 import java.text.SimpleDateFormat

FlowCrypt/src/androidTest/java/com/flowcrypt/email/ui/gmailapi/passwordprotected/ComposeScreenPasswordProtectedDisallowedTermsReFetchConfigurationFlowTest.kt

@@ -40,6 +40,7 @@ import okhttp3.mockwebserver.Dispatcher
 import okhttp3.mockwebserver.MockResponse
 import okhttp3.mockwebserver.RecordedRequest
 import org.hamcrest.Matchers.allOf
+import org.junit.Ignore
 import org.junit.Rule
 import org.junit.Test
 import org.junit.rules.RuleChain
@@ -63,6 +64,7 @@ import java.util.concurrent.TimeUnit
   subject = "",
   isNew = true
 )
+@Ignore("temporary disabled")
 class ComposeScreenPasswordProtectedDisallowedTermsReFetchConfigurationFlowTest :
   BaseComposeScreenPasswordProtectedDisallowedTermsTest(
     ACCOUNT_ENTITY_WITH_EXISTING_OPTIONAL_PARAMETERS

README.md

@@ -15,18 +15,20 @@ This guide follows Google's recommendations for [testing apps on Android](https:
 Please follow these steps to setup your virtual or physical device:
 
 - [Set up your test environment](https://developer.android.com/training/testing/espresso/setup#set-up-environment).
-- Some of the tests use [MockWebServer](https://github.com/square/okhttp/tree/master/mockwebserver). We run a local mock web server via [FlowCryptMockWebServerRule](https://github.com/FlowCrypt/flowcrypt-android/blob/master/FlowCrypt/src/androidTest/java/com/flowcrypt/email/rules/FlowCryptMockWebServerRule.kt). It uses [TestConstants.MOCK_WEB_SERVER_PORT](https://github.com/FlowCrypt/flowcrypt-android/blob/master/FlowCrypt/src/androidTest/java/com/flowcrypt/email/TestConstants.kt#L19) as a port. Unfortunately, the Android system doesn't allow us to use the `HTTPS 433` port by default to run a web server on the `localhost (127.0.0.1)`. That's why we have to run a mock web server on another port (for example, `1212`) and route all traffic from `127.0.0.1:433` to `127.0.0.1:1212`. For that purpose, you can use the [script/ci-wait-for-emulator.sh](https://github.com/FlowCrypt/flowcrypt-android/blob/master/script/ci-wait-for-emulator.sh#L13) script.
+- Some of the tests use [MockWebServer](https://github.com/square/okhttp/tree/master/mockwebserver). We run a local mock web server via [FlowCryptMockWebServerRule](https://github.com/FlowCrypt/flowcrypt-android/blob/master/FlowCrypt/src/androidTest/java/com/flowcrypt/email/rules/FlowCryptMockWebServerRule.kt). It uses [TestConstants.MOCK_WEB_SERVER_PORT](https://github.com/FlowCrypt/flowcrypt-android/blob/master/FlowCrypt/src/androidTest/java/com/flowcrypt/email/TestConstants.kt#L19) as a port. Unfortunately, the Android system doesn't allow us to use the `HTTPS 443` port by default to run a web server on the `localhost (127.0.0.1)`. That's why we have to run a mock web server on another port (for example, `1212`) and route all traffic from `127.0.0.1:443` to `127.0.0.1:1212`. For that purpose, you can use the [script/ci-wait-for-emulator.sh](https://github.com/FlowCrypt/flowcrypt-android/blob/master/script/ci-wait-for-emulator.sh#L13) script.
 - Additionally, the test environment should handle all requests to `*.flowcrypt.test`. All traffic to `*.flowcrypt.test` should be routed to `localhost (127.0.0.1)`. You can use a DNS server to do this. For example, using these commands:
 
 ```bash
-1. sudo apt install -y dnsmasq resolvconf
-2. echo "#added by flowcrypt" | sudo tee -a /etc/dnsmasq.conf
-3. echo "listen-address=127.0.0.1" | sudo tee -a /etc/dnsmasq.conf
-4. echo "address=/flowcrypt.test/127.0.0.1" | sudo tee -a /etc/dnsmasq.conf
-5. echo "address=/localhost/127.0.0.1" | sudo tee -a /etc/dnsmasq.conf
-6. sudo systemctl restart dnsmasq
+./script/ci-setup-DNS.sh
 ```
 
+The script:
+- Installs `dnsmasq` and `dnsutils`.
+- Creates `/etc/dnsmasq.d/flowcrypt.conf` with local rules for `*.test` and `*.localhost`.
+- Sets `no-resolv` with upstream DNS servers (`8.8.8.8` and `1.1.1.1`).
+- Sets `/etc/resolv.conf` to `nameserver 127.0.0.1`.
+- Restarts `dnsmasq` and verifies resolution with `dig` and `ping`.
+
 ### ✔️ Test types
 
 We have two types of tests:

docker/HttpsTestWebServer/Dockerfile

@@ -0,0 +1,17 @@
+FROM nginx:1.27-alpine
+
+RUN apk add --no-cache dnsmasq bind-tools iputils
+
+COPY docker/HttpsTestWebServer/nginx.conf /etc/nginx/conf.d/default.conf
+
+COPY FlowCrypt/src/androidTest/resources/ssl/server_combined.pem \
+     /etc/nginx/certs/server_combined.pem
+
+COPY docker/HttpsTestWebServer/dnsmasq.conf /etc/dnsmasq.d/flowcrypt-test.conf
+COPY docker/HttpsTestWebServer/entrypoint.sh /entrypoint.sh
+
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 53/udp 53/tcp 443
+
+ENTRYPOINT ["/entrypoint.sh"]

docker/HttpsTestWebServer/dnsmasq.conf

@@ -0,0 +1,17 @@
+bind-interfaces
+listen-address=127.0.0.1
+port=53
+
+# Do not read /etc/resolv.conf to avoid recursive localhost DNS loops.
+no-resolv
+
+# Upstream DNS for public domains.
+server=8.8.8.8
+server=1.1.1.1
+
+# Local test domains.
+address=/test/127.0.0.1
+address=/localhost/127.0.0.1
+
+log-queries
+log-facility=-

docker/HttpsTestWebServer/entrypoint.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+#
+# © 2016-present FlowCrypt a.s. Limitations apply. Contact human@flowcrypt.com
+# Contributors: denbond7
+#
+
+set -e
+
+dnsmasq --no-daemon --conf-file=/etc/dnsmasq.d/flowcrypt-test.conf --log-facility=- &
+
+echo "Configuring resolver to use dnsmasq..."
+printf "nameserver 127.0.0.1\n" > /etc/resolv.conf
+
+echo "Checking dnsmasq directly..."
+dig @127.0.0.1 fel.localhost +short
+dig @127.0.0.1 fel.flowcrypt.test +short
+dig @127.0.0.1 www.google.com +short
+
+echo "Checking resolver..."
+ping -c 1 fel.localhost
+ping -c 1 fel.flowcrypt.test
+ping -c 1 www.google.com
+
+exec nginx -g 'daemon off;'

docker/HttpsTestWebServer/nginx.conf

@@ -0,0 +1,15 @@
+server {
+    listen 443 ssl;
+
+    server_name
+        flowcrypt.test
+        *.flowcrypt.test;
+
+    ssl_certificate     /etc/nginx/certs/server_combined.pem;
+    ssl_certificate_key /etc/nginx/certs/server_combined.pem;
+
+    location / {
+        default_type text/plain;
+        return 200 "hello from docker https mock server\n";
+    }
+}

docker/HttpsTestWebServer/rebuild.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+#
+# © 2016-present FlowCrypt a.s. Limitations apply. Contact human@flowcrypt.com
+# Contributors: denbond7
+#
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(realpath "$SCRIPT_DIR/../..")"
+
+docker build \
+  -t flowcrypt-https-test-server \
+  -f "$SCRIPT_DIR/Dockerfile" \
+  "$REPO_ROOT"

docker/HttpsTestWebServer/run.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+#
+# © 2016-present FlowCrypt a.s. Limitations apply. Contact human@flowcrypt.com
+# Contributors: denbond7
+#
+
+set -euo pipefail
+
+docker rm -f flowcrypt-https-test-server 2>/dev/null || true
+
+docker run --rm \
+  --name flowcrypt-https-test-server \
+  --network host \
+  --cap-add NET_ADMIN \
+  --cap-add NET_BIND_SERVICE \
+  flowcrypt-https-test-server