Update GitHub Actions (#13)

StanfordBDHG · Jun 30, 2023 · 330c7c3 · 330c7c3
1 parent d2ee865
commit 330c7c3
Show file tree

Hide file tree

Showing 6 changed files with 164 additions and 7 deletions.
diff --git a/.github/workflows/action-release-tag.yml b/.github/workflows/action-release-tag.yml
@@ -0,0 +1,59 @@
+#
+# This source file is part of the Stanford Biodesign for Digital Health open-source project
+#
+# SPDX-FileCopyrightText: 2022 Stanford University and the project authors (see CONTRIBUTORS.md)
+#
+# SPDX-License-Identifier: MIT
+#
+
+name: Action Tag Release
+
+on:
+  workflow_call:
+    inputs:
+      user:
+        description: 'Optional GitHub username that is associated with the GitHub Personal Access Token (PAT)'
+        type: string
+        required: false
+        default: ''
+    secrets:
+      access-token:
+        description: 'GitHub Personal Access Token (PAT) if the default branch is protected and needs a specific access token to push tags to the branch'
+        required: false
+
+jobs:
+  tagrelease:
+    name: Action Tag Release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.access-token || github.token }}
+      - name: Retrieve version
+        run: |
+          VERSION=$(git describe --tags --abbrev=0 --match="v[0-9]*.[0-9]*.[0-9]*" || echo "")
+
+          if [ -z "$VERSION" ]
+          then
+            echo "Did not identify a tag using semantic versioning in the commit history"
+            exit 0
+          fi
+
+          MAJOR=${VERSION%%.*}
+          MINOR=${VERSION%.*}
+
+          echo "Push Tags $MAJOR and $MINOR for $VERSION"
+          
+          git config user.name "${{ inputs.user || github.actor }}"
+          git config user.email "${{ inputs.user || github.actor }}@users.noreply.github.com"
+          
+          git switch --detach ${VERSION}
+          
+          git push origin :refs/tags/${MAJOR}
+          git tag -fa "${MAJOR}" -m "${MAJOR}"
+          git push origin --tags
+
+          git push origin :refs/tags/${MINOR}
+          git tag -fa "${MINOR}" -m "${MINOR}"
+          git push origin --tags
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,23 @@
+#
+# This source file is part of the Stanford Biodesign for Digital Health open-source project
+#
+# SPDX-FileCopyrightText: 2022 Stanford University and the project authors (see CONTRIBUTORS.md)
+#
+# SPDX-License-Identifier: MIT
+#
+
+name: Release
+
+on:
+  release:
+    types: [created]
+  workflow_dispatch:
+
+jobs:
+  releasetag:
+    name: Tag Release
+    uses: ./.github/workflows/action-release-tag.yml
+    secrets:
+      access-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+    with:
+      user: PaulsAutomationBot
diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
@@ -9,7 +9,6 @@
 name: REUSE Compliance Check
 
 on:
-  pull_request:
   workflow_call:
 
 jobs:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,21 @@
+#
+# This source file is part of the Stanford Biodesign for Digital Health open-source project
+#
+# SPDX-FileCopyrightText: 2022 Stanford University and the project authors (see CONTRIBUTORS.md)
+#
+# SPDX-License-Identifier: MIT
+#
+
+name: Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  reuse_action:
+    name: REUSE Compliance Check
+    uses: ./.github/workflows/reuse.yml
diff --git a/.github/workflows/xcodebuild-or-fastlane.yml b/.github/workflows/xcodebuild-or-fastlane.yml
@@ -21,11 +21,21 @@ on:
         required: false
         type: string
         default: '["macos-latest"]'
+      xcodeversion:
+        description: 'The Xcode version used for the build'
+        required: false
+        type: string
+        default: 'latest-stable'
       scheme:
         description: 'The scheme in the Xcode project. Either use `scheme` to use xcodebuild, `fastlanelane` to use fastlane, or a custom command using `customcommand`'
         required: false
         type: string
         default: ''
+      test:
+        description: 'A flag indicating if the tests of the Xcode project scheme should run'
+        required: false
+        type: boolean
+        default: true
       fastlanelane:
         description: 'The lane of the fastlane command. Either use `scheme` to use xcodebuild, `fastlanelane` to use fastlane, or a custom command using `customcommand`'
         required: false
@@ -56,6 +66,36 @@ on:
         required: false
         type: boolean
         default: false
+      codeql:
+        description: 'Use CodeQL code scanning'
+        required: false
+        type: boolean
+        default: false
+    secrets:
+      BUILD_CERTIFICATE_BASE64:
+        description: 'The Base64 version of the Apple signing certificate to build your iOS application.'
+        required: false
+      P12_PASSWORD:
+        description: 'The password for the Apple signing certificate.'
+        required: false
+      BUILD_PROVISION_PROFILE_BASE64:
+        description: 'The Base64 version of the Apple provisioning profile to build your iOS application.'
+        required: false
+      KEYCHAIN_PASSWORD:
+        description: 'A password for the keychain that will be created on the runner instance.'
+        required: false
+      APP_STORE_CONNECT_API_KEY_ID:
+        description: 'The key ID of the API key created in the App Store Connect API keys section.'
+        required: false
+      APP_STORE_CONNECT_ISSUER_ID:
+        description: 'The issuer ID of the App Store Connect API is displayed in the App Store Connect API keys section.'
+        required: false
+      APP_STORE_CONNECT_API_KEY_BASE64:
+        description: 'The content of the key created in App Store Connect condensed into a Base64 representation, e.g., using base64 -i AuthKey_ABCDEFGHIJ.p8 | pbcopy.'
+        required: false
+      APPLE_ID:
+        description: 'The Apple ID you use to access the App Store Connect API.'
+        required: false
 
 jobs:
   build_and_test:
@@ -69,7 +109,7 @@ jobs:
     - uses: maxim-lobanov/setup-xcode@v1
       if: "!env.selfhosted"
       with:
-        xcode-version: latest-stable
+        xcode-version: ${{ inputs.xcodeversion }}
     - name: Check environment
       run: |
           xcodebuild -version
@@ -133,6 +173,12 @@ jobs:
         # apply provisioning profile
         mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
         cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
+    - name: Initialize CodeQL
+      if: ${{ inputs.codeql }}
+      uses: github/codeql-action/init@v2
+      with:
+        languages: swift
+        db-location: '${{ inputs.path }}/.codeql'
     - name: Run custom command
       if: ${{ inputs.customcommand != '' }}
       run: ${{ inputs.customcommand }}
@@ -147,12 +193,18 @@ jobs:
     - name: Build and test (xcodebuild)
       if: ${{ inputs.scheme != '' }}
       run: |
+          if ${{ inputs.test }}; then
+              XCODECOMMAND="test"
+              CODECOVERAGEFLAG="-enableCodeCoverage YES"
+          else
+              XCODECOMMAND="build"
+          fi
           set -o pipefail \
-          && xcodebuild test \
+          && xcodebuild $XCODECOMMAND \
             -scheme ${{ inputs.scheme }} \
             -sdk iphonesimulator \
-            -destination "name=iPhone 14 Pro Max" \
-            -enableCodeCoverage YES \
+            -destination "name=iPhone 14 Pro" \
+            $CODECOVERAGEFLAG \
             -derivedDataPath ".derivedData" \
             -resultBundlePath ${{ inputs.scheme }}.xcresult \
             CODE_SIGN_IDENTITY="" \
@@ -166,8 +218,11 @@ jobs:
         APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
         APP_STORE_CONNECT_API_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_API_KEY_BASE64 }}
         APPLE_ID: ${{ secrets.APPLE_ID }}
+    - name: Perform CodeQL Analysis
+      if: ${{ inputs.codeql }}
+      uses: github/codeql-action/analyze@v2
     - name: Upload artifact
-      if: always()
+      if: ${{ (success() || failure()) && inputs.artifactname != '' }}
       uses: actions/upload-artifact@v3
       with:
         name: ${{ inputs.artifactname }}

diff --git a/SECURITY.md b/SECURITY.md
@@ -10,7 +10,7 @@ SPDX-License-Identifier: MIT
 
 # Security Policy
 
-Please report security vulnerabilities to the Stanford Biodesign for Digital Health team at [email protected].
+Please report security vulnerabilities using the GitHub [privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories) functionality.
 We highly value your input and will get back to you as soon as possible. Please include steps to reproduce, context, and any further information that makes identifying and resolving the vulnerability as quickly as possible.
 
 See the [The CERT Guide to Coordinated Vulnerability Disclosure](https://vuls.cert.org/confluence/display/CVD/The+CERT+Guide+to+Coordinated+Vulnerability+Disclosure) for additional background information about the coordinated vulnerability disclosure process.
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,7 +9,6 @@ @@
     name: REUSE Compliance Check
     on:
-      pull_request:
       workflow_call:
     jobs:
@@ Expand Down @@