.github/workflows/bump_internal_release.yml

name: Bump Internal Release

on:
  schedule:
    - cron: '0 5 * * 2-5' # Run at 05:00 UTC, Tuesday through Friday
  workflow_dispatch:
    inputs:
      asana-task-url:
        description: "Asana release task URL"
        required: false
        type: string
      base-branch:
        description: "Base branch (defaults to main, only override for testing)"
        required: false
        type: string
      skip-appstore:
        description: "Skip App Store release and only make a DMG build"
        default: false
        type: boolean

jobs:

  validate_input_conditions:

    name: Validate Input Conditions

    # This doesn't need Xcode, so could technically run on Ubuntu, but find_asana_release_task.sh
    # uses BSD-specific `date` syntax, that doesn't work with GNU `date` (available on Linux).
    runs-on: macos-14
    timeout-minutes: 10

    outputs:
      skip-release: ${{ steps.check-for-changes.outputs.skip-release }}
      asana-task-url: ${{ steps.set-parameters.outputs.asana-task-url }}
      release-branch: ${{ steps.set-parameters.outputs.release-branch }}
      skip-appstore: ${{ steps.set-parameters.outputs.skip-appstore }}

    steps:

      - name: Assert release branch
        run: |
          case "${{ github.ref_name }}" in
            release/*) ;;
            main) ;;
            *) echo "👎 Not a release or main branch"; exit 1 ;;
          esac

      - name: Check out the code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Fetch all history and tags in order to extract Asana task URLs from git log

      # When running on schedule there are no inputs, so the workflow has to find the Asana task
      - name: Find Asana release task
        id: find-asana-task
        if: github.event.inputs.asana-task-url == null
        uses: ./.github/actions/asana-find-release-task
        with:
          access-token: ${{ secrets.ASANA_ACCESS_TOKEN }}

      # When running on schedule, only proceed if there are changes to the release branch (i.e. HEAD is not tagged)
      - name: Check if there are changes to the release branch
        id: check-for-changes
        env:
          release_branch: ${{ steps.find-asana-task.outputs.release-branch || github.ref_name }}
        run: |
          if [[ "${{ github.event_name }}" != "schedule" ]]; then
            echo "skip-release=false" >> $GITHUB_OUTPUT
          else
            latest_tag="$(git describe --tags --abbrev=0)"
            latest_tag_sha="$(git rev-parse "$latest_tag")"
            release_branch_sha="$(git rev-parse "origin/${release_branch}")"

            if [[ "${latest_tag_sha}" == "${release_branch_sha}" ]]; then
              echo "::warning::Release branch's HEAD is already tagged. Skipping automatic release."
              echo "skip-release=true" >> $GITHUB_OUTPUT
            else
              changed_files="$(git diff --name-only "$latest_tag".."origin/${release_branch}")"
              if grep -q -v -e '.github' -e 'scripts' <<< "$changed_files"; then
                echo "::warning::New code changes found in the release branch since the last release. Will bump internal release now."
                echo "skip-release=false" >> $GITHUB_OUTPUT
              else
                echo "::warning::No changes to the release branch (or only changes to scripts and workflows). Skipping automatic release."
                echo "skip-release=true" >> $GITHUB_OUTPUT
              fi
            fi
          fi

      - name: Extract Asana Task ID
        id: task-id
        if: github.event.inputs.asana-task-url
        uses: ./.github/actions/asana-extract-task-id
        with:
          task-url: ${{ github.event.inputs.asana-task-url }}

      - name: Set parameters
        id: set-parameters
        env:
          ASANA_TASK_URL: ${{ steps.find-asana-task.outputs.task-url || github.event.inputs.asana-task-url }}
          RELEASE_BRANCH: ${{ steps.find-asana-task.outputs.release-branch || github.ref_name }}
          TASK_ID: ${{ steps.find-asana-task.outputs.task-id || steps.task-id.outputs.task-id }}
          SKIP_APPSTORE: ${{ github.event.inputs.skip-appstore || false }} # make sure this is set to false on scheduled runs
        run: |
          if [[ "${RELEASE_BRANCH}" == "main" ]]; then
            echo "::error::Workflow run from main branch and release branch wasn't found. Please re-run the workflow and specify a release branch."
            exit 1
          fi
          echo "release-branch=${RELEASE_BRANCH}" >> $GITHUB_OUTPUT
          echo "task-id=${TASK_ID}" >> $GITHUB_OUTPUT
          echo "asana-task-url=${ASANA_TASK_URL}" >> $GITHUB_OUTPUT
          echo "skip-appstore=${SKIP_APPSTORE}" >> $GITHUB_OUTPUT

      - name: Validate release notes
        env:
          TASK_ID: ${{ steps.set-parameters.outputs.task-id }}
          ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
        run: |
          curl -fLSs "https://app.asana.com/api/1.0/tasks/${TASK_ID}?opt_fields=notes" \
            -H "Authorization: Bearer ${ASANA_ACCESS_TOKEN}" \
            | jq -r .data.notes \
            | ./scripts/extract_release_notes.sh -r > raw_release_notes.txt
          raw_release_notes="$(<raw_release_notes.txt)"
          if [[ ${#raw_release_notes} == 0 || "$raw_release_notes" == *"<-- Add release notes here -->"* ]]; then
            echo "::error::Release notes are empty or contain a placeholder. Please add release notes to the Asana task and restart the workflow."
            exit 1
          fi

  run_tests:

    name: Run Tests

    needs: validate_input_conditions

    if: needs.validate_input_conditions.outputs.skip-release == 'false'
    uses: ./.github/workflows/pr.yml
    with:
      branch: ${{ needs.validate_input_conditions.outputs.release-branch }}
    secrets:
      ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
      BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
      P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
      KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
      APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
      CI_PROVISION_PROFILE_BASE64: ${{ secrets.CI_PROVISION_PROFILE_BASE64 }}
      DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
      DBP_AGENT_CI_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_CI_PROVISION_PROFILE_BASE64 }}
      DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
      DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
      INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
      INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64 }}
      NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
      NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
      NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64 }}
      NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }}
      NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64 }}
      NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64 }}
      NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64 }}
      RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }}
      REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.REVIEW_PROVISION_PROFILE_BASE64 }}
      UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
      UNIT_TESTS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.UNIT_TESTS_CI_PROVISION_PROFILE_BASE64 }}
      VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
      VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
      VPN_APP_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APP_CI_PROVISION_PROFILE_BASE64 }}
      VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64 }}

  increment_build_number:

    name: Increment Build Number

    needs: [ validate_input_conditions, run_tests ]
    runs-on: macos-14-xlarge
    timeout-minutes: 10

    steps:

      - name: Check out the code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Fetch all history and tags in order to extract Asana task URLs from git log
          ref: ${{ needs.validate_input_conditions.outputs.release-branch }}
          submodules: recursive

      - name: Select Xcode
        run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer

      - name: Prepare fastlane
        run: bundle install

      - name: Increment build number
        env:
          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
          APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
        run: |
          git config --global user.name "Dax the Duck"
          git config --global user.email "dax@duckduckgo.com"
          bundle exec fastlane bump_internal_release update_embedded_files:false

      - name: Extract Asana Task ID
        id: task-id
        uses: ./.github/actions/asana-extract-task-id
        with:
          task-url: ${{ needs.validate_input_conditions.outputs.asana-task-url }}

      - name: Update Asana tasks for the release
        env:
          ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
          GH_TOKEN: ${{ github.token }}
          BRANCH: ${{ needs.validate_input_conditions.outputs.release-branch }}
        run: |
          version="$(cut -d '/' -f 2 <<< "$BRANCH")"
          ./scripts/update_asana_for_release.sh internal ${{ steps.task-id.outputs.task-id }} ${{ vars.MACOS_APP_BOARD_VALIDATION_SECTION_ID }} "${version}"

  prepare_release:
    name: Prepare Release
    needs: [ validate_input_conditions, increment_build_number ]
    uses: ./.github/workflows/release.yml
    with:
      asana-task-url: ${{ needs.validate_input_conditions.outputs.asana-task-url }}
      branch: ${{ needs.validate_input_conditions.outputs.release-branch }}
      skip-appstore: ${{ needs.validate_input_conditions.outputs.skip-appstore == 'true' }}
    secrets:
      BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
      P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
      KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
      APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
      CI_PROVISION_PROFILE_BASE64: ${{ secrets.CI_PROVISION_PROFILE_BASE64 }}
      DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
      DBP_AGENT_CI_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_CI_PROVISION_PROFILE_BASE64 }}
      DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
      DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
      INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
      INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64 }}
      NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
      NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
      NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64 }}
      NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }}
      NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64 }}
      NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64 }}
      NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64 }}
      RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }}
      REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.REVIEW_PROVISION_PROFILE_BASE64 }}
      UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
      UNIT_TESTS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.UNIT_TESTS_CI_PROVISION_PROFILE_BASE64 }}
      VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
      VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
      VPN_APP_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APP_CI_PROVISION_PROFILE_BASE64 }}
      VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64 }}
      APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
      APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
      APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
      ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
      MM_HANDLES_BASE64: ${{ secrets.MM_HANDLES_BASE64 }}
      MM_WEBHOOK_URL: ${{ secrets.MM_WEBHOOK_URL }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_ACCESS_KEY_ID_RELEASE_S3: ${{ secrets.AWS_ACCESS_KEY_ID_RELEASE_S3 }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_SECRET_ACCESS_KEY_RELEASE_S3: ${{ secrets.AWS_SECRET_ACCESS_KEY_RELEASE_S3 }}
      MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
      SSH_PRIVATE_KEY_FASTLANE_MATCH: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}

  tag_and_merge:
    name: Tag and Merge Branch
    needs: [ validate_input_conditions, prepare_release ]
    uses: ./.github/workflows/tag_release.yml
    with:
      asana-task-url: ${{ needs.validate_input_conditions.outputs.asana-task-url }}
      branch: ${{ needs.validate_input_conditions.outputs.release-branch }}
      base-branch: ${{ github.event.inputs.base-branch || 'main' }}
      prerelease: true
      internal-release-bump: true
    secrets:
      ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
      GHA_ELEVATED_PERMISSIONS_TOKEN: ${{ secrets.GHA_ELEVATED_PERMISSIONS_TOKEN }}

  publish_release:
    name: Publish DMG Release
    needs: [ validate_input_conditions, tag_and_merge ]
    uses: ./.github/workflows/publish_dmg_release.yml
    with:
      asana-task-url: ${{ needs.validate_input_conditions.outputs.asana-task-url }}
      branch: ${{ needs.validate_input_conditions.outputs.release-branch }}
    secrets:
      ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
      AWS_ACCESS_KEY_ID_RELEASE_S3: ${{ secrets.AWS_ACCESS_KEY_ID_RELEASE_S3 }}
      AWS_SECRET_ACCESS_KEY_RELEASE_S3: ${{ secrets.AWS_SECRET_ACCESS_KEY_RELEASE_S3 }}
      GHA_ELEVATED_PERMISSIONS_TOKEN: ${{ secrets.GHA_ELEVATED_PERMISSIONS_TOKEN }}
      SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }}