[WIP] Better deploy workflows :D

.github/workflows/buildAndroid.yml

@@ -0,0 +1,113 @@
+name: Build Android app
+
+on:
+  workflow_call:
+    inputs:
+      BUILD_TYPE:
+        description: The environment to build for. Must be one of ("release", "ad-hoc", "e2e", "e2eDelta")
+        required: true
+        type: string
+      PR_NUMBER:
+        description: For AdHoc builds, the pull request being built from
+        required: false
+        type: number
+
+concurrency:
+  group: build-android-${{ inputs.BUILD_TYPE }}
+  # TODO: cancel in-progress adhoc/e2e builds based on ref. Maybe pass in cancel-in-progress as an input?
+  cancel-in-progress: ${{ inputs.BUILD_TYPE == 'release' }}
+
+jobs:
+  buildAndroid:
+    name: Build Android app
+    runs-on: ubuntu-latest-xl
+    steps:
+      - name: Validate build type
+        id: validateBuildType
+        run: |
+          if [[ ${{ contains(fromJSON('["release", "ad-hoc", "e2e", "e2eDelta"]'), inputs.BUILD_TYPE) }} == 'true' ]]; then
+            echo "Build type ${{ inputs.BUILD_TYPE }} is valid for Android"
+          else
+            echo "Build type ${{ inputs.BUILD_TYPE }} is not valid for Android."
+            exit 1
+          fi
+
+      - uses: actions/checkout@v4
+
+      - name: Configure MapBox SDK
+        run: ./scripts/setup-mapbox-sdk.sh ${{ secrets.MAPBOX_SDK_DOWNLOAD_TOKEN }}
+
+      - name: Setup Node
+        uses: ./.github/actions/composite/setupNode
+
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: oracle
+          java-version: 17
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v3
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '2.7'
+          bundler-cache: true
+
+      - name: Decrypt keystore
+        run: cd android/app && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output my-upload-key.keystore my-upload-key.keystore.gpg
+        env:
+          LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
+
+      - name: Set version in ENV
+        run: |
+          echo "VERSION_CODE=$(grep -o 'versionCode\s\+[0-9]\+' android/app/build.gradle | awk '{ print $2 }')" >> "$GITHUB_ENV"
+          echo "NPM_VERSION=$(< package.json jq -r .version)" >> "$GITHUB_ENV"
+
+      - name: Create .env.adhoc file based on staging and add PULL_REQUEST_NUMBER env to it
+        if: inputs.BUILD_TYPE == 'ad-hoc'
+        run: |
+          cp .env.staging .env.adhoc
+          sed -i 's/ENVIRONMENT=staging/ENVIRONMENT=adhoc/' .env.adhoc
+          echo "PULL_REQUEST_NUMBER=$PULL_REQUEST_NUMBER" >> .env.adhoc
+
+      - name: Run Fastlane build
+        id: build
+        run: |
+          if [[ ${{ inputs.BUILD_TYPE }} == "release" ]]; then
+            bundle exec fastlane android build_release
+          elif [[ ${{ inputs.BUILD_TYPE }} == "ad-hoc" ]]; then
+            bundle exec fastlane android build_adhoc
+          elif [[ ${{ inputs.BUILD_TYPE }} == "e2e" ]]; then
+            bundle exec fastlane android build_e2e
+          else
+            bundle exec fastlane android build_e2e_delta
+          fi
+
+      - name: Upload APK as workflow artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: android-${{ inputs.BUILD_TYPE }}-${{ github.ref }}.apk
+          # Note: this output comes from inside the Fastfile
+          path: ${{ steps.build.outputs.APK_PATH }}
+
+      - name: Upload AAB as workflow artifact
+        if: inputs.BUILD_TYPE == 'release'
+        uses: actions/upload-artifact@v4
+        with:
+          name: android-${{ inputs.BUILD_TYPE }}-${{ github.ref }}.aab
+          # Note: this output comes from inside the Fastfile
+          path: ${{ steps.build.outputs.AAB_PATH }}
+
+      - name: Archive Android sourcemaps
+        uses: actions/upload-artifact@v4
+        with:
+          name: android-${{ inputs.BUILD_TYPE }}-sourcemap-${{ github.ref }}
+          path: android/app/build/generated/sourcemaps/react/release/*.map
+
+      - name: Post a message in slack if the build fails
+        if: failure()
+        uses: ./.github/actions/composite/announceFailedWorkflowInSlack
+        with:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/buildDesktop.yml

@@ -0,0 +1,82 @@
+name: Build desktop app
+
+on:
+  workflow_call:
+    inputs:
+      BUILD_TYPE:
+        description: The environment to build for. Must be one of ("staging", "production", "ad-hoc")
+        required: true
+        type: string
+
+concurrency:
+  group: build-android-${{ inputs.BUILD_TYPE }}
+  # TODO: Fix cancel-in-progress
+  cancel-in-progress: ${{ inputs.BUILD_TYPE == "ad-hoc" }}
+
+jobs:
+  buildWeb:
+    name: Build desktop app
+    runs-on: ubuntu-latest-xl
+    steps:
+      - name: Validate build type
+        id: validateBuildType
+        run: |
+          if [[ ${{ contains(fromJSON('["staging", "production", "ad-hoc"]'), inputs.BUILD_TYPE) }} == 'true' ]]; then
+            echo "Build type ${{ inputs.BUILD_TYPE }} is valid for desktop."
+          else
+            echo "Build type ${{ inputs.BUILD_TYPE }} is not valid for desktop."
+            exit 1
+          fi
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create .env.adhoc file based on staging
+        if: inputs.BUILD_TYPE == 'ad-hoc'
+        run: |
+          cp .env.staging .env.adhoc
+          sed -i 's/ENVIRONMENT=staging/ENVIRONMENT=adhoc/' .env.adhoc
+          echo "PULL_REQUEST_NUMBER=$PULL_REQUEST_NUMBER" >> .env.adhoc
+
+      - name: Decrypt Developer ID Certificate
+        run: cd desktop && gpg --quiet --batch --yes --decrypt --passphrase="$DEVELOPER_ID_SECRET_PASSPHRASE" --output developer_id.p12 developer_id.p12.gpg
+        env:
+          DEVELOPER_ID_SECRET_PASSPHRASE: ${{ secrets.DEVELOPER_ID_SECRET_PASSPHRASE }}
+
+      - name: Setup Node
+        uses: ./.github/actions/composite/setupNode
+
+      - name: Configure AWS Credentials
+        uses: Expensify/App/.github/actions/composite/configureAwsCredentials@main
+        with:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      - name: Run desktop build
+        run: |
+          if [[ ${{ inputs.BUILD_TYPE }} == 'ad-hoc' ]]; then
+            npm run desktop-build-adhoc -- --publish never
+          elif [[ ${{ inputs.BUILD_TYPE }} == 'staging' ]]; then
+            npm run desktop-build-staging -- --publish never
+          else
+            npm run desktop-build -- --publish never
+          fi
+        env:
+          CSC_LINK: ${{ secrets.CSC_LINK }}
+          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      - name: Upload DMG as a workflow artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: NewExpensify.dmg
+          path: desktop-build/NewExpensify.dmg
+
+      - name: Post a message in slack if the build fails
+        if: failure()
+        uses: ./.github/actions/composite/announceFailedWorkflowInSlack
+        with:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/buildIOS.yml

@@ -0,0 +1,108 @@
+name: Build iOS App
+
+on:
+  workflow_call:
+    inputs:
+      BUILD_TYPE:
+        description: The environment to build for. Must be one of ("release", "ad-hoc")
+        required: true
+        type: string
+
+concurrency:
+  group: build-ios-${{ inputs.BUILD_TYPE }}
+  cancel-in-progress: ${{ inputs.BUILD_TYPE == 'release' }}
+
+jobs:
+  buildIOS:
+    name: Build iOS app
+    runs-on: macos-13-xlarge
+    env:
+      DEVELOPER_DIR: /Applications/Xcode_15.0.1.app/Contents/Developer
+    steps:
+      - name: Validate build type
+        id: validateBuildType
+        run: |
+          if [[ ${{ contains(fromJSON('["release", "ad-hoc"]'), inputs.BUILD_TYPE) }} == 'true' ]]; then
+            echo "Environment ${{ inputs.BUILD_TYPE }} is valid for iOS"
+          else
+            echo "Environment ${{ inputs.BUILD_TYPE }} is not valid for iOS."
+            exit 1
+          fi
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure MapBox SDK
+        run: ./scripts/setup-mapbox-sdk.sh ${{ secrets.MAPBOX_SDK_DOWNLOAD_TOKEN }}
+
+      - name: Setup Node
+        uses: ./.github/actions/composite/setupNode
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '2.7'
+          bundler-cache: true
+
+      - name: Cache Pod dependencies
+        uses: actions/cache@v4
+        id: pods-cache
+        with:
+          path: ios/Pods
+          key: pods-cache-${{ hashFiles('ios/Podfile.lock') }}
+          restore-keys: pods-cache-
+
+      - name: Compare Podfile.lock and Manifest.lock
+        id: compare-podfile-and-manifest
+        run: echo "IS_PODFILE_SAME_AS_MANIFEST=${{ hashFiles('ios/Podfile.lock') == hashFiles('ios/Pods/Manifest.lock') }}" >> "$GITHUB_OUTPUT"
+
+      - name: Install cocoapods
+        uses: nick-invision/retry@3f757583fb1b1f940bc8ef4bf4734c8dc02a5847
+        if: steps.pods-cache.outputs.cache-hit != 'true' || steps.compare-podfile-and-manifest.outputs.IS_PODFILE_SAME_AS_MANIFEST != 'true'
+        with:
+          timeout_minutes: 10
+          max_attempts: 5
+          command: cd ios && bundle exec pod install
+
+      - name: Decrypt AppStore profile
+        run: cd ios && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output NewApp_AppStore.mobileprovision NewApp_AppStore.mobileprovision.gpg
+        env:
+          LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
+
+      - name: Decrypt AppStore Notification Service profile
+        run: cd ios && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output NewApp_AppStore_Notification_Service.mobileprovision NewApp_AppStore_Notification_Service.mobileprovision.gpg
+        env:
+          LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
+
+      - name: Decrypt certificate
+        run: cd ios && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output Certificates.p12 Certificates.p12.gpg
+        env:
+          LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
+
+      - name: Run Fastlane build
+        id: build
+        run: |
+          if [[ ${{ inputs.BUILD_TYPE }} == "release" ]]; then
+            bundle exec fastlane ios build_release
+          else
+            bundle exec fastlane ios build_adhoc
+          fi
+
+      - name: Upload API as workflow artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ios-${{ inputs.BUILD_TYPE }}-${{ github.ref }}.api
+          # Note: this output comes from inside the Fastfile
+          path: ${{ steps.build.outputs.IPA_PATH }}
+
+      - name: Upload iOS sourcemaps
+        uses: actions/upload-artifact@v3
+        with:
+          name: ios-${{ inputs.BUILD_TYPE }}-sourcemap-${{ github.ref }}
+          path: main.jsbundle.map
+
+      - name: Post a message in slack if the build fails
+        if: failure()
+        uses: ./.github/actions/composite/announceFailedWorkflowInSlack
+        with:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/buildWeb.yml

@@ -0,0 +1,64 @@
+name: Build web app
+
+on:
+  workflow_call:
+    inputs:
+      BUILD_TYPE:
+        description: The environment to build for. Must be one of ("staging", "production", "ad-hoc")
+        required: true
+        type: string
+
+concurrency:
+  group: build-web-${{ inputs.BUILD_TYPE }}
+  # TODO: Fix cancel-in-progess
+  cancel-in-progress: ${{ inputs.BUILD_TYPE == "ad-hoc" }}
+
+jobs:
+  buildWeb:
+    name: Build web app
+    runs-on: ubuntu-latest-xl
+    steps:
+      - name: Validate build type
+        id: validateBuildType
+        run: |
+          if [[ ${{ contains(fromJSON('["staging", "production", "ad-hoc"]'), inputs.BUILD_TYPE) }} == 'true' ]]; then
+            echo "Build type ${{ inputs.BUILD_TYPE }} is valid for web."
+          else
+            echo "Build type ${{ inputs.BUILD_TYPE }} is not valid for web."
+            exit 1
+          fi
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: ./.github/actions/composite/setupNode
+
+      - name: Create .env.adhoc file based on staging
+        if: inputs.BUILD_TYPE == 'ad-hoc'
+        run: |
+          cp .env.staging .env.adhoc
+          sed -i 's/ENVIRONMENT=staging/ENVIRONMENT=adhoc/' .env.adhoc
+          echo "PULL_REQUEST_NUMBER=$PULL_REQUEST_NUMBER" >> .env.adhoc
+
+      - name: Run web build
+        run: |
+          if [[ ${{ inputs.BUILD_TYPE }} == 'ad-hoc' ]]; then
+            npm run build-adhoc
+          elif [[ ${{ inputs.BUILD_TYPE }} == 'staging' ]]; then
+            npm run build-staging
+          else
+            npm run build
+          fi
+
+      - name: Upload web build as workflow artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: web-${{ inputs.BUILD_TYPE }}-${{ github.ref }}
+          path: ./dist
+
+      - name: Post a message in slack if the build fails
+        if: failure()
+        uses: ./.github/actions/composite/announceFailedWorkflowInSlack
+        with:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}