Work around GitHub false-positive for passing secret to another action (#3396)

* run bundle/deploy on main pushes * don't fetch from origin if not necessary * fix false-postive for secret in outputs rm test test 'false' rm test use in both places workaround "secret" string add a manual testflight deployment option for android add a manual testflight deployment option for android add a manual testflight deployment option for android * rm test code
2024-04-03 18:04:48 -07:00 · 2024-04-03 18:04:48 -07:00 · a356b1be1a
commit a356b1be1a
parent cad0590694
2 changed files with 49 additions and 4 deletions
--- a/.github/workflows/build-submit-android.yml
+++ b/.github/workflows/build-submit-android.yml
@ -8,6 +8,7 @@ on:
        type: choice
        description: Build profile to use
        options:
+          - testflight-android
          - production

 jobs:
@ -59,7 +60,41 @@ jobs:
          echo "$json" > google-services.json

      - name: 🏗️ EAS Build
-        run: yarn use-build-number-with-bump eas build -p android --profile production --local --output build.aab --non-interactive
+        run: yarn use-build-number-with-bump eas build -p android --profile ${{ inputs.profile || 'testflight-android' }} --local --output build.aab --non-interactive

      - name: 🚀 Deploy
+        if: ${{ inputs.profile == 'production' }}
        run: eas submit -p android --non-interactive --path build.aab
+
+      - name: ✍️ Rename bundle
+        if: ${{ inputs.profile != 'production' }}
+        run: mv build.aab build.apk
+
+      - name: ⏰ Get a timestamp
+        id: timestamp
+        if: ${{ inputs.profile != 'production' }}
+        uses: nanzm/get-time-action@master
+        with:
+          format: 'MM-DD-HH-mm-ss'
+
+      - name: 🚀 Upload Artifact
+        id: upload-artifact
+        if: ${{ inputs.profile != 'production' }}
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 30
+          compression-level: 0
+          name: build-${{ steps.timestamp.outputs.time }}.apk
+          path: build.apk
+
+      - name: 🔔 Notify Slack
+        if: ${{ inputs.profile != 'production' }}
+        uses: slackapi/slack-github-action@v1.25.0
+        with:
+          payload: |
+            {
+              "text": "Android build is ready for testing. Download the artifact here: ${{ steps.upload-artifact.outputs.artifact-url }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CLIENT_ALERT_WEBHOOK }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
--- a/.github/workflows/bundle-deploy-eas-update.yml
+++ b/.github/workflows/bundle-deploy-eas-update.yml
@ -23,7 +23,8 @@ jobs:
    name: Bundle and Deploy EAS Update
    runs-on: ubuntu-latest
    outputs:
-      fingerprint-diff: ${{ steps.fingerprint.outputs.fingerprint-diff }}
+      fingerprint-is-different: ${{ steps.fingerprint-debug.outputs.fingerprint-is-different }}
+
    steps:
      - name: Check for EXPO_TOKEN
        run: >
@ -83,9 +84,17 @@ jobs:
          previous-git-commit: ${{ steps.base-commit.outputs.base-commit }}

      - name: 👀 Debug fingerprint
+        id: fingerprint-debug
        run: |
+          echo "fingerprint-diff=${{ steps.fingerprint.outputs.fingerprint-diff }}"
          echo "previousGitCommit=${{ steps.fingerprint.outputs.previous-git-commit }} currentGitCommit=${{ steps.fingerprint.outputs.current-git-commit }}"
          echo "isPreviousFingerprintEmpty=${{ steps.fingerprint.outputs.previous-fingerprint == '' }}"
+          
+          if [ "${{ steps.fingerprint.outputs.fingerprint-diff }}" != '[]' ]; then
+            echo fingerprint-is-different="true" >> "$GITHUB_OUTPUT"
+          else
+            echo fingerprint-is-different="false" >> "$GITHUB_OUTPUT"
+          fi

      - name: 🔨 Setup EAS
        uses: expo/expo-github-action@v8
@ -126,6 +135,7 @@ jobs:
          RUNTIME_VERSION: ${{ inputs.runtimeVersion }}
          CHANNEL_NAME: ${{ inputs.channel || 'testflight' }}

+
  # GitHub actions are horrible so let's just copy paste this in
  buildIfNecessaryIOS:
    name: Build and Submit iOS
@ -133,7 +143,7 @@ jobs:
    needs: [bundleDeploy]
    # Gotta check if its NOT '[]' because any md5 hash in the outputs is detected as a possible secret and won't be
    # available here
-    if: ${{ inputs.channel != 'production' && needs.bundleDeploy.outputs.fingerprint-diff != '[]' }}
+    if: ${{ inputs.channel != 'production' && needs.bundleDeploy.outputs.fingerprint-is-different == 'true' }}
    steps:
      - name: Check for EXPO_TOKEN
        run: >
@ -198,7 +208,7 @@ jobs:
    needs: [ bundleDeploy ]
    # Gotta check if its NOT '[]' because any md5 hash in the outputs is detected as a possible secret and won't be
    # available here
-    if: ${{ inputs.channel != 'production' && needs.bundleDeploy.outputs.fingerprint-diff != '[]' }}
+    if: ${{ inputs.channel != 'production' && needs.bundleDeploy.outputs.fingerprint-is-different == 'true' }}

    steps:
      - name: Check for EXPO_TOKEN