.github/workflows/testBuild.yml

name: Build and deploy apps for testing

on:
  workflow_dispatch:
    inputs:
      PULL_REQUEST_NUMBER:
        description: Pull Request number for correct placement of apps
        required: true
      REVIEWED_CODE:
        description: I reviewed this pull request and verified that it does not contain any malicious code.
        type: boolean
        required: true
        default: false
      WEB:
        description: Should build web app?
        type: boolean
        default: true
      DESKTOP:
        description: Should build desktop app?
        type: boolean
        default: true
      IOS:
        description: Should build iOS app?
        type: boolean
        default: true
      ANDROID:
        description: Should build android app?
        type: boolean
        default: true

env:
  # This variable is needed for fastlane to construct correct path
  PULL_REQUEST_NUMBER: ${{ github.event.inputs.PULL_REQUEST_NUMBER }}

jobs:
  prep:
    runs-on: ubuntu-latest
    outputs:
      REF: ${{ steps.getHeadRef.outputs.REF }}
    steps:
      - name: Checkout
        # v4
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Validate that user is an Expensify employee
        uses: ./.github/actions/composite/validateActor
        with:
          REQUIRE_APP_DEPLOYER: false
          OS_BOTIFY_TOKEN: ${{ secrets.OS_BOTIFY_COMMIT_TOKEN }}

      - name: Validate that the user reviewed the pull request before running a test build
        if: ${{ !inputs.REVIEWED_CODE }}
        run: |
          echo "::error::🕵️‍♀️ Please carefully review the pull request before running a test build to ensure it does not contain any malicious code"
          exit 1

      - name: Check if pull request number is correct
        if: ${{ github.event_name == 'workflow_dispatch' }}
        id: getHeadRef
        run: |
          set -e
          echo "REF=$(gh pr view ${{ github.event.inputs.PULL_REQUEST_NUMBER }} --json headRefOid --jq '.headRefOid')" >> "$GITHUB_OUTPUT"
        env:
          GITHUB_TOKEN: ${{ github.token }}

  postGitHubCommentBuildStarted:
    name: Post build started comment
    uses: ./.github/workflows/postBuildStartedComment.yml
    needs: [prep]
    secrets: inherit
    with:
      APP_PULL_REQUEST_NUMBER: ${{ github.event.number || github.event.inputs.PULL_REQUEST_NUMBER }}

  desktop:
    name: Build and deploy Desktop for testing
    if: ${{ inputs.DESKTOP }}
    needs: [prep]
    runs-on: macos-14-large
    steps:
      - name: Checkout
        # v4
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          ref: ${{ needs.prep.outputs.REF }}

      - name: Create .env.adhoc file based on staging and add PULL_REQUEST_NUMBER env to it
        run: |
          cp .env.staging .env.adhoc
          sed -i '' 's/ENVIRONMENT=staging/ENVIRONMENT=adhoc/' .env.adhoc
          echo "PULL_REQUEST_NUMBER=$PULL_REQUEST_NUMBER" >> .env.adhoc

      - name: Setup Node
        uses: ./.github/actions/composite/setupNode
        with:
          IS_DESKTOP_BUILD: true

      - name: Load Desktop credentials from 1Password
        id: load-credentials
        # v2
        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0
        with:
          export-env: false
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          DESKTOP_CERTIFICATE_BASE64: "op://${{ vars.OP_VAULT }}/Desktop Certificates.p12/CSC_LINK"
          DESKTOP_CERTIFICATE_PASSWORD: "op://${{ vars.OP_VAULT }}/Desktop Certificates.p12/CSC_KEY_PASSWORD"

      - name: Configure AWS Credentials
        # v4
        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      - name: Build desktop app for testing
        run: npm run desktop-build-adhoc
        env:
          CSC_LINK: ${{ steps.load-credentials.outputs.DESKTOP_CERTIFICATE_BASE64 }}
          CSC_KEY_PASSWORD: ${{ steps.load-credentials.outputs.DESKTOP_CERTIFICATE_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          GCP_GEOLOCATION_API_KEY: ${{ secrets.GCP_GEOLOCATION_API_KEY_STAGING }}

  web:
    name: Build and deploy Web
    if: ${{ inputs.WEB }}
    needs: [prep]
    runs-on: ubuntu-latest-xl
    steps:
      - name: Checkout
        # v4
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          ref: ${{ needs.prep.outputs.REF }}

      - name: Create .env.adhoc file based on staging and add PULL_REQUEST_NUMBER env to it
        run: |
          cp .env.staging .env.adhoc
          sed -i 's/ENVIRONMENT=staging/ENVIRONMENT=adhoc/' .env.adhoc
          echo "PULL_REQUEST_NUMBER=$PULL_REQUEST_NUMBER" >> .env.adhoc

      - name: Setup Node
        uses: ./.github/actions/composite/setupNode

      - name: Configure AWS Credentials
        # v4
        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      - name: Build web for testing
        run: npm run build-adhoc

      - name: Deploy to S3 for internal testing
        run: aws s3 cp --recursive --acl public-read "$GITHUB_WORKSPACE"/dist s3://ad-hoc-expensify-cash/web/"$PULL_REQUEST_NUMBER"

  buildHybridApps:
    name: Build hybrid adhoc apps
    uses: ./.github/workflows/testBuildHybrid.yml
    needs: [prep]
    secrets: inherit
    with:
      APP_PR_NUMBER: ${{ github.event.inputs.PULL_REQUEST_NUMBER }}
      APP_REF: ${{ needs.prep.outputs.REF }}
      IOS: ${{ inputs.IOS }}
      ANDROID: ${{ inputs.ANDROID }}

  postGithubComment:
    runs-on: ubuntu-latest
    if: always()
    name: Post a GitHub comment with app download links for testing
    needs: [prep, desktop, web, buildHybridApps]
    steps:
      - name: Checkout
        # v4
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          ref: ${{ needs.prep.outputs.REF }}

      - name: Download Artifact
        # v4
        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e

      - name: Publish links to apps for download
        uses: ./.github/actions/javascript/postTestBuildComment
        with:
          PR_NUMBER: ${{ github.event.inputs.PULL_REQUEST_NUMBER }}
          GITHUB_TOKEN: ${{ github.token }}
          ANDROID: ${{ needs.buildHybridApps.result }}
          DESKTOP: ${{ needs.desktop.result }}
          IOS: ${{ needs.buildHybridApps.result }}
          WEB: ${{ needs.web.result }}
          ANDROID_LINK: ${{ needs.buildHybridApps.outputs.ANDROID_LINK }}
          DESKTOP_LINK: https://ad-hoc-expensify-cash.s3.amazonaws.com/desktop/${{ github.event.inputs.PULL_REQUEST_NUMBER }}/NewExpensify.dmg
          IOS_LINK: ${{ needs.buildHybridApps.outputs.IOS_LINK }}
          WEB_LINK: https://${{ github.event.inputs.PULL_REQUEST_NUMBER }}.pr-testing.expensify.com