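# Pull-request workflow.
#
# Security model (keep in mind when editing):
# - The trigger is `pull_request_target`, so the base repository's secrets are
#   available to the run even when the PR comes from a fork.
# - Every job that checks out PR code first verifies that the user who triggered
#   the run (`github.triggering_actor`) has write or admin permission on the
#   repository. A run triggered by anyone else fails at that step; a maintainer
#   re-runs the workflow once the change has been reviewed, which makes the
#   maintainer the triggering actor.
# - The checkout pins `github.event.pull_request.head.sha`, so the code that runs
#   is the specific commit the event was raised for, not whatever the PR branch
#   points at later.
# - The reusable-workflow jobs (`ios-pr`, `native-samples-pr`, `ui-tests-pr`) have
#   no check of their own: they `needs: [test-orchestrator]` and therefore only
#   run after that job's check has passed.
name: Pull Request
on:
  # pull_request_target is used so secrets are available to fork PRs.
  # Mitigated by per-job Member Check (see "Check Write Permission" / "Validate Write Permission").
  pull_request_target: # zizmor: ignore[dangerous-triggers]
    branches: [dev, master]
    paths-ignore:
      - '**/*.md'
      - 'LICENSE'
      - '.gitignore'
      - 'CODEOWNERS'
# Workflow-wide default; jobs that need more widen it explicitly below.
permissions:
  contents: read
jobs:
  static-analysis:
    runs-on: macos-latest
    permissions:
      contents: read
      pull-requests: write  # Danger posts the analysis report on the PR.
      statuses: write
    env:
      BUNDLE_GEMFILE: ${{ github.workspace }}/.github/DangerFiles/Gemfile
    steps:
      # Member check, part 1: ask the API what permission level the triggering
      # actor has on this repository. The response is consumed by the
      # "Validate Write Permission" step below; a non-success API response is
      # expected to fail this step, which stops the job before any PR code is
      # checked out.
      # This step and the two that follow are duplicated in `test-orchestrator`;
      # keep the copies identical.
      - name: Check Write Permission
        uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
        id: check_permissions
        with:
          route: GET /repos/${{ github.repository }}/collaborators/${{ github.triggering_actor }}/permission
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Logs the raw API payload so a failed check can be diagnosed from the run log.
      - name: Debug Permission Response
        env:
          PERMISSION_DATA: ${{ steps.check_permissions.outputs.data }}
        run: |
          echo "Permission raw response: $PERMISSION_DATA"
      # Member check, part 2: only `write` and `admin` may proceed. Any other
      # value (e.g. `read` or `none`) fails the job. Nothing from the PR has been
      # checked out or executed at this point.
      - name: Validate Write Permission
        env:
          PERMISSION: ${{ fromJson(steps.check_permissions.outputs.data).permission }}
          ACTOR: ${{ github.triggering_actor }}
        run: |
          echo "User $ACTOR has permission: $PERMISSION"
          if [[ "$PERMISSION" != "write" && "$PERMISSION" != "admin" ]]; then
            echo "User $ACTOR does not have sufficient permission (write or admin) to proceed. Someone from the team needs to rerun this workflow AFTER it has been deemed safe."
            exit 1
          fi
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          # Don't leave the token in .git/config where PR-controlled scripts could read it.
          persist-credentials: false
          # We need a sufficient depth or Danger will occasionally run into issues checking which files were modified.
          fetch-depth: 100
          # This is dangerous without the member check: from here on, everything
          # that runs (install.sh, the Dangerfiles, the Gemfile) comes from the PR.
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Install Dependencies
        run: |
          npm install shelljs@0.8.5
          ./install.sh
      - name: Run Static Analysis
        # It would be nice to use xcbeautify here but all the warnings and errors get annotated onto the PR, including
        # files not modified in the PR which is annoying.
        # Literal block (`|`) so the trailing backslash is a shell line continuation.
        # As a plain multi-line scalar the line break is folded to a space, which
        # turns `\` + newline into `\ ` (an escaped space) inside the command.
        run: |
          xcodebuild analyze -workspace SalesforceMobileSDK.xcworkspace -scheme MobileSync -sdk 'iphonesimulator' \
            CLANG_ANALYZER_OUTPUT=plist-html CLANG_ANALYZER_OUTPUT_DIR=./clangReport RUN_CLANG_STATIC_ANALYZER=YES
      - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
        with:
          ruby-version: '3.3'
          bundler-cache: true
      # The token is exposed only to the Danger step that needs it, not to the
      # install/build steps above.
      - name: Report Static Analysis
        env:
          DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: bundle exec danger --dangerfile=.github/DangerFiles/StaticAnalysis.rb --danger_id=StaticAnalysis
  # Runs the same member check as `static-analysis`, then works out which
  # libraries the PR touches. Its `libs` output drives the `ios-pr` matrix, and
  # the three reusable-workflow jobs below depend on it.
  test-orchestrator:
    runs-on: macos-latest
    permissions:
      contents: read
      pull-requests: write
      statuses: write
    env:
      BUNDLE_GEMFILE: ${{ github.workspace }}/.github/DangerFiles/Gemfile
    outputs:
      # JSON array produced by the "Determine Tests to Run" step.
      libs: ${{ steps.test-orchestrator.outputs.libs }}
    steps:
      # Member check (copy of the one in `static-analysis`; keep identical).
      - name: Check Write Permission
        uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
        id: check_permissions
        with:
          route: GET /repos/${{ github.repository }}/collaborators/${{ github.triggering_actor }}/permission
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Debug Permission Response
        env:
          PERMISSION_DATA: ${{ steps.check_permissions.outputs.data }}
        run: |
          echo "Permission raw response: $PERMISSION_DATA"
      - name: Validate Write Permission
        env:
          PERMISSION: ${{ fromJson(steps.check_permissions.outputs.data).permission }}
          ACTOR: ${{ github.triggering_actor }}
        run: |
          echo "User $ACTOR has permission: $PERMISSION"
          if [[ "$PERMISSION" != "write" && "$PERMISSION" != "admin" ]]; then
            echo "User $ACTOR does not have sufficient permission (write or admin) to proceed. Someone from the team needs to rerun this workflow AFTER it has been deemed safe."
            exit 1
          fi
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
          # We need a sufficient depth or Danger will occasionally run into issues checking which files were modified.
          fetch-depth: 100
          # This is dangerous without the member check
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
        with:
          ruby-version: '3.3'
          bundler-cache: true
      - name: Determine Tests to Run
        id: test-orchestrator
        env:
          DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: bundle exec danger --dangerfile=.github/DangerFiles/TestOrchestrator.rb --danger_id="TestOrchestrator"
  # Library tests. No member check of its own: `needs` means this only runs once
  # `test-orchestrator` (and therefore its check) has succeeded. Secrets are
  # forwarded to the reusable workflow, so that dependency must stay in place.
  ios-pr:
    needs: [test-orchestrator]
    strategy:
      fail-fast: false
      matrix:
        lib: ${{ fromJson(needs.test-orchestrator.outputs.libs) }}
        ios: [^26, ^18]
        include:
          - ios: ^26
            xcode: ^26
          - ios: ^18
            xcode: ^16
    uses: ./.github/workflows/reusable-test-workflow.yaml
    permissions:
      contents: read
      pull-requests: write
    with:
      lib: ${{ matrix.lib }}
      ios: ${{ matrix.ios }}
      xcode: ${{ matrix.xcode }}
      is_pr: true
    secrets:
      TEST_CREDENTIALS: ${{ secrets.TEST_CREDENTIALS }}
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
  # Sample-app builds. Gated on `test-orchestrator` like `ios-pr`; no secrets passed.
  native-samples-pr:
    needs: [test-orchestrator]
    strategy:
      fail-fast: false
      matrix:
        app: [RestAPIExplorer, MobileSyncExplorer, AuthFlowTester]
        ios: [^26, ^18]
        include:
          - ios: ^26
            xcode: ^26
          - ios: ^18
            xcode: ^16
    uses: ./.github/workflows/reusable-build-workflow.yaml
    permissions:
      contents: read
    with:
      app: ${{ matrix.app }}
      ios: ${{ matrix.ios }}
      xcode: ${{ matrix.xcode }}
      is_pr: true
  # UI tests. Gated on `test-orchestrator` like `ios-pr`; forwards secrets, so
  # the `needs` dependency must stay in place.
  ui-tests-pr:
    needs: [test-orchestrator]
    strategy:
      fail-fast: false
      matrix:
        ios: [^26, ^18]
        include:
          - ios: ^26
            xcode: ^26
          - ios: ^18
            xcode: ^16
    uses: ./.github/workflows/reusable-ui-test-workflow.yaml
    permissions:
      contents: read
      pull-requests: write
    with:
      is_pr: true
      ios: ${{ matrix.ios }}
      xcode: ${{ matrix.xcode }}
      # Only this one test is run on PRs; timeouts are strings because the
      # reusable workflow's input types are not visible here.
      pr_test: "AuthFlowTesterUITests/LegacyLoginTests/testCAOpaque_DefaultScopes_WebServerFlow"
      short_timeout: "3"
      long_timeout: "15"
    secrets:
      UI_TEST_CONFIG: ${{ secrets.UI_TEST_CONFIG }}
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}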