Merge branch 'main' into feature/fix-document-comments

Author: w-goog

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,31 @@
+---
+name: Bug Report
+about: Submit a bug report if something isn't working as expected.
+title: ""
+labels: bug, triage
+assignees: ""
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Tap on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Environment**
+- Device: [ e.g. iPhone 13, MacBook Pro, etc ]
+- OS: [ e.g. iOS 15, macOS 11, etc ]
+- Browser: [ e.g. Safari, Chrome, etc ]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,19 @@
+---
+name: Feature Request
+about: Make a feature request if you have a suggestion for something new.
+title: ""
+labels: enhancement, triage
+assignees: ""
+---
+
+**Is your feature request related to a problem you're having? Please describe.**
+A clear and concise description of what the problem is.
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/workflows/builds.yml

@@ -1,6 +1,11 @@
 name: Build GSI for Valid Architectures	
 
 on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
   schedule:
     - cron: '0 8 * * *' # Cron uses UTC; run at nightly at midnight PST
 
@@ -10,10 +15,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [macos-11, macos-12]
+        os: [macos-15]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
+    - name: Select Xcode
+      run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer
     - name: Archive for iOS
       run: |
         xcodebuild \

.github/workflows/integration_tests.yml

@@ -0,0 +1,114 @@
+name: integration_tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+
+  grab-pr-body:
+    runs-on: ubuntu-latest
+    outputs:
+      PR_BODY: ${{ steps.body.outputs.PR_BODY }}
+    steps:
+    - id: body
+      env:
+        PR_BODY: ${{ github.event.pull_request.body }} 
+      run: |
+        {
+          echo "PR_BODY<<EOF"
+          echo "$PR_BODY" 
+          echo "EOF"
+        } >> "$GITHUB_OUTPUT"
+
+  check-pr-body-for-key:
+    runs-on: ubuntu-latest
+    needs: grab-pr-body
+    outputs:
+      RUN_INTEGRATION: ${{ steps.check_key.outputs.RUN_INTEGRATION }}
+    steps:
+    - id: check_key
+      env:
+        PR_BODY: ${{ needs.grab-pr-body.outputs.PR_BODY }}
+        SKIP_KEY: "SKIP_INTEGRATION_TESTS=YES"
+      name: Check for key and set bool to skip integration tests
+      run: |
+        if [[ "$PR_BODY" == *"$SKIP_KEY"* ]]; then
+          echo "Skipping integration tests for PR body:"
+          echo "$PR_BODY"
+          echo "RUN_INTEGRATION=no" >> "$GITHUB_OUTPUT"
+        else
+          echo "Running integration tests for PR body:"
+          echo "$PR_BODY"
+          echo "RUN_INTEGRATION=yes" >> "$GITHUB_OUTPUT"
+        fi
+
+  swift-button-functional-test:
+    runs-on: macos-15
+    needs: check-pr-body-for-key
+    # Don't run if triggered by a PR from a fork since our Secrets won't be provided to the runner.
+    if: ${{ needs.check-pr-body-for-key.outputs.RUN_INTEGRATION == 'yes' && !github.event.pull_request.head.repo.fork }}
+    defaults:
+      run:
+        working-directory: Samples/Swift/DaysUntilBirthday
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Select Xcode
+      run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer
+    - name: Build test target for Google Sign-in button for Swift
+      run: |
+        xcodebuild \
+          -project DaysUntilBirthday.xcodeproj \
+          build-for-testing \
+          -scheme DaysUntilBirthday\ \(iOS\) \
+          -sdk iphonesimulator \
+    - name: Run test target for Google Sign-in button for Swift
+      env:
+        EMAIL_SECRET : ${{ secrets.EMAIL_SECRET }}
+        PASSWORD_SECRET : ${{ secrets.PASSWORD_SECRET }}
+      run: |
+        xcodebuild \
+          -project DaysUntilBirthday.xcodeproj \
+          test-without-building \
+          -scheme DaysUntilBirthday\ \(iOS\) \
+          -sdk iphonesimulator \
+          -destination 'platform=iOS Simulator,name=iPhone 16,OS=18.6' \
+          EMAIL_SECRET=$EMAIL_SECRET \
+          PASSWORD_SECRET=$PASSWORD_SECRET
+
+  app-check-api-token-tests:
+    runs-on: macos-15
+    # Don't run if triggered by a PR from a fork since our Secrets won't be provided to the runner.
+    if: "!github.event.pull_request.head.repo.fork"
+    defaults:
+      run:
+        working-directory: Samples/Swift/AppAttestExample
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Select Xcode
+      run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer
+    - name: Build test target for App Check Example
+      run: |
+        xcodebuild \
+          -project AppAttestExample.xcodeproj \
+          build-for-testing \
+          -scheme AppAttestExample \
+          -sdk iphonesimulator \
+    - name: Run test target for App Check Example
+      env:
+        AppCheckDebugToken : ${{ secrets.APP_CHECK_DEBUG_TOKEN }}
+        APP_CHECK_WEB_API_KEY : ${{ secrets.APP_CHECK_WEB_API_KEY }}
+      run: |
+        xcodebuild \
+          -project AppAttestExample.xcodeproj \
+          test-without-building \
+          -scheme AppAttestExample \
+          -sdk iphonesimulator \
+          -destination 'platform=iOS Simulator,name=iPhone 16,OS=18.6' \
+          AppCheckDebugToken=$AppCheckDebugToken \
+          APP_CHECK_WEB_API_KEY=$APP_CHECK_WEB_API_KEY

.github/workflows/pr_notification.yml

@@ -10,10 +10,19 @@ jobs:
     steps:
     - name: Pull Request Details
       run: |
-        echo "Pull Request: ${{ github.event.pull_request.title }}"
-        echo "Author: ${{ github.event.pull_request.user.login }}"
+        echo "Pull Request: ${{ github.event.pull_request.number }}"
+        echo "Author: ${GITHUB_EVENT_PULL_REQUEST_USER_LOGIN}"
+      env:
+        GITHUB_EVENT_PULL_REQUEST_USER_LOGIN: ${{ github.event.pull_request.user.login }}
 
     - name: Google Chat Notification
+      shell: bash
+      env:
+        TITLE: ${{ github.event.pull_request.title }}
+        LABELS: ${{ join(github.event.pull_request.labels.*.name, ', ') }}
+        GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+        GITHUB_EVENT_PULL_REQUEST_USER_LOGIN: ${{ github.event.pull_request.user.login }}
+        GITHUB_EVENT_PULL_REQUEST_HTML_URL: ${{ github.event.pull_request.html_url }}
       run: |
         curl --location --request POST '${{ secrets.WEBHOOK_URL }}' \
         --header 'Content-Type: application/json' \
@@ -30,19 +39,19 @@ jobs:
                     {
                       "keyValue": {
                         "topLabel": "Repo",
-                        "content": "${{ github.event.pull_request.head.repo.full_name }}"
+                        "content": "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}"
                       }
                     },
                     {
                       "keyValue": {
                         "topLabel": "Title",
-                        "content": "${{ github.event.pull_request.title }}"
+                        "content": "'"$TITLE"'"
                       }
                     },
                     {
                       "keyValue": {
                         "topLabel": "Creator",
-                        "content": "${{ github.event.pull_request.user.login }}"
+                        "content": "${GITHUB_EVENT_PULL_REQUEST_USER_LOGIN}"
                       }
                     },
                     {
@@ -66,7 +75,7 @@ jobs:
                     {
                       "keyValue": {
                         "topLabel": "Labels",
-                        "content": "- ${{ join(github.event.pull_request.labels.*.name, ', ') }}"
+                        "content": "- '"$LABELS"'"
                       }
                     },
                     {
@@ -76,7 +85,7 @@ jobs:
                             "text": "Open Pull Request",
                             "onClick": {
                               "openLink": {
-                                "url": "${{ github.event.pull_request.html_url }}"
+                                "url": "${GITHUB_EVENT_PULL_REQUEST_HTML_URL}"
                               }
                             }
                           }

.github/workflows/push_notification.yml

@@ -8,12 +8,17 @@ on:
 jobs:
   notify-push-main:
     runs-on: ubuntu-latest
+    env:
+      COMMIT: ${{ github.event.head_commit.message }}
     steps:
     - name: Main Branch Push
       run: |
         echo "Workflow initiated by event with name: ${{ github.event_name }}"
-        echo "Pushing commit to main: ${{ github.event.head_commit.id }}"
-        echo "Pushed by: ${{ github.event.pusher.name }}"
+        echo "Pushing commit to main: ${GITHUB_EVENT_HEAD_COMMIT_ID}"
+        echo "Pushed by: ${GITHUB_EVENT_PUSHER_NAME}"
+      env:
+        GITHUB_EVENT_HEAD_COMMIT_ID: ${{ github.event.head_commit.id }}
+        GITHUB_EVENT_PUSHER_NAME: ${{ github.event.pusher.name }}
 
     - name: Push Notification to Google Chat
       run: |
@@ -24,21 +29,21 @@ jobs:
             {
               "header": {
                 "title": "Push to main branch",
-                "subtitle": "${{ github.event.head_commit.message }}"
+                "subtitle": "'"$COMMIT"'"
               },
               "sections": [
                 {
                   "widgets": [
                     {
                       "keyValue": {
                         "topLabel": "Repo",
-                        "content": "${{ github.event.repository.full_name }}"
+                        "content": "${GITHUB_EVENT_REPOSITORY_FULL_NAME}"
                       }
                     },
                     {
                       "keyValue": {
                         "topLabel": "Committed by",
-                        "content": "${{ github.event.head_commit.author.username }}"
+                        "content": "${GITHUB_EVENT_HEAD_COMMIT_AUTHOR_USERNAME}"
                       }
                     },
                     {
@@ -48,7 +53,7 @@ jobs:
                             "text": "Ref comparison",
                             "onClick": {
                               "openLink": {
-                                "url": "${{ github.event.compare }}"
+                                "url": "${GITHUB_EVENT_COMPARE}"
                               }
                             }
                           }
@@ -61,4 +66,8 @@ jobs:
             }
           ]
         }'
+      env:
+        GITHUB_EVENT_REPOSITORY_FULL_NAME: ${{ github.event.repository.full_name }}
+        GITHUB_EVENT_HEAD_COMMIT_AUTHOR_USERNAME: ${{ github.event.head_commit.author.username }}
+        GITHUB_EVENT_COMPARE: ${{ github.event.compare }}
 

.github/workflows/scorecards.yml

@@ -0,0 +1,62 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '36 4 * * 3'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      # Needs for private repositories.
+      contents: read
+      actions: read
+    
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results. 
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless 
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
+        with:
+          sarif_file: results.sarif