Generate appcast2.xml and upload files to S3 in a CI workflow (#2184)

Task/Issue URL: https://app.asana.com/0/0/1206459737646671/f

Description:
This change adds new workflow called sparkle_internal.yml that should be triggered
manually after smoke testing. It takes Asana release task URL and the tag to be published,
and generates new appcast file and uploads missing files to S3.
The workflow fetches DMG for the release from S3 (based on the assumption that
Code Freeze and/or Bump Internal Release uploaded the DMG there – this was introduced
in #2165). appcastManager and upload_to_s3 scripts were updated for running in CI
(support non-interactive shell). Additionally, appcastManager generates a list of
added/updated files.
Completion is reported to the Automation subtask and also to the release task. Upon
successful completion, the release DRI is assigned a task to verify that the update worked,
with instructions on how to revert the appcast in case it's broken.
If the workflow fails, the user is assigned a task with instructions for generating appcast
and uploading to S3 locally.

Author: ayoy

.github/actions/asana-add-comment/action.yml

@@ -0,0 +1,78 @@
+name: Add a Comment to Asana Task
+description: Adds a comment to the Asana task.
+inputs:
+  access-token:
+    description: "Asana access token"
+    required: true
+    type: string
+  task-url:
+    description: "Task URL"
+    required: false
+    type: string
+  task-id:
+    description: "Task ID"
+    required: false
+    type: string
+  comment:
+    description: "Comment to add to the Asana task"
+    required: false
+    type: string
+  template-name:
+    description: |
+      Name of a template file (without extension) for the comment, relative to 'templates' subdirectory of the action.
+      The file is processed by envsubst before being sent to Asana.
+    required: false
+    type: string
+runs:
+  using: "composite"
+  steps:
+    - id: extract-task-id
+      if: ${{ inputs.task-url }}
+      uses: ./.github/actions/asana-extract-task-id
+      with:
+        task-url: ${{ inputs.task-url }}
+        access-token: ${{ inputs.access-token }}
+
+    - id: process-template-payload
+      if: ${{ inputs.template-name }}
+      shell: bash
+      env:
+        TEMPLATE_PATH: ${{ github.action_path }}/templates/${{ inputs.template-name }}.yml
+      run: |
+        if [ ! -f $TEMPLATE_PATH ]; then
+          echo "::error::Template file not found at $TEMPLATE_PATH"
+          exit 1
+        fi
+
+        # Process the template file with envsubst, turn into JSON, remove leading spaces and newlines on non-empty lines, and compact the JSON
+        payload="$(envsubst < $TEMPLATE_PATH | yq -o=j | sed -E 's/\\n( *)([^\\n])/\2/g' | jq -c)"
+        echo "payload-base64=$(base64 <<< $payload)" >> $GITHUB_OUTPUT
+
+    - id: process-comment-payload
+      if: ${{ inputs.comment }}
+      shell: bash
+      env:
+        COMMENT: ${{ inputs.comment }}
+        WORKFLOW_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+      run: |
+        payload="{ \"data\": { \"text\": \"${COMMENT}\n\nWorkflow URL: ${WORKFLOW_URL}\" } }"
+        echo "payload-base64=$(base64 <<< $payload)" >> $GITHUB_OUTPUT
+
+    - id: add-comment
+      shell: bash
+      env:
+        ASANA_ACCESS_TOKEN: ${{ inputs.access-token }}
+        TASK_ID: ${{ inputs.task-id || steps.extract-task-id.outputs.task-id }}
+        PAYLOAD_BASE64: ${{ steps.process-template-payload.outputs.payload-base64 || steps.process-comment-payload.outputs.payload-base64 }}
+      run: |
+        return_code=$(curl -fLSs "https://app.asana.com/api/1.0/tasks/${TASK_ID}/stories" \
+          -H "Authorization: Bearer ${ASANA_ACCESS_TOKEN}" \
+          -H 'content-type: application/json' \
+          --write-out '%{http_code}' \
+          --output /dev/null \
+          -d "$(base64 -d <<< $PAYLOAD_BASE64)")
+
+        if [ $return_code -ne 201 ]; then
+          echo "::error::Failed to add a comment to the Asana task"
+          exit 1
+        fi

.github/actions/asana-add-comment/templates/appcast-failed.yml

@@ -0,0 +1,9 @@
+data:
+  html_text: |
+    <body>
+      <h2>[ACTION NEEDED] Publishing ${TAG} internal release to Sparkle failed</h2>
+      <a data-asana-gid='${ASSIGNEE_ID}'/>, please proceed with generating appcast2.xml and uploading files to S3 from your local machine, <a data-asana-gid='${TASK_ID}' data-asana-dynamic='false'>according to instructions</a>.
+
+
+      🔗 Workflow URL: <a href='${WORKFLOW_URL}'>${WORKFLOW_URL}</a>.
+    </body>

.github/actions/asana-add-comment/templates/debug-symbols-uploaded.yml

@@ -0,0 +1,8 @@
+data:
+  html_text: |
+    <body>
+      🐛 Debug symbols archive for ${TAG} build is uploaded to <code>${DSYM_S3_PATH}</code>.
+
+
+      🔗 Workflow URL: <a href='${WORKFLOW_URL}'>${WORKFLOW_URL}</a>.
+    </body>

.github/actions/asana-add-comment/templates/dmg-uploaded.yml

@@ -0,0 +1,8 @@
+data:
+  html_text: |
+    <body>
+      📥 DMG for ${TAG} is available from <a href='${DMG_URL}'>${DMG_URL}</a>.
+
+
+      🔗 Workflow URL: <a href='${WORKFLOW_URL}'>${WORKFLOW_URL}</a>.
+    </body>

.github/actions/asana-add-comment/templates/internal-release-complete.yml

@@ -0,0 +1,8 @@
+data:
+  html_text: |
+    <body>
+      Build ${TAG} is now available for internal testing through Sparkle and TestFlight.
+
+
+      <a href='${DMG_URL}'>📥 DMG download link</a>
+    </body>

.github/actions/asana-add-comment/templates/internal-release-ready-merge-failed.yml

@@ -0,0 +1,17 @@
+data:
+  # yq -o=j | sed -E 's/\\n( *)([^\\n])/\2/g'
+  html_text: |
+    <body>
+      <h2>[ACTION NEEDED] Internal release build ${TAG} ready</h2>
+      <ul>
+        <li>📥 DMG is available from <a href='${DMG_URL}'>${DMG_URL}</a>.</li>
+        <li>🏷️ Repository is tagged with <code>${TAG}</code> tag.</li>
+        <li>🚢 GitHub <a href='${RELEASE_URL}'>${TAG} pre-release</a> is created.</li>
+        <li><b>❗️ Merging <code>${BRANCH}</code> to <code>${BASE_BRANCH}</code> failed.</b>
+          <ul>
+            <li><a data-asana-gid='${ASSIGNEE_ID}'/>, please proceed with manual merging <a data-asana-gid='${TASK_ID}' data-asana-dynamic='false'>according to instructions</a>.</li>
+          </ul></li>
+      </ul>
+
+      🔗 Workflow URL: <a href='${WORKFLOW_URL}'>${WORKFLOW_URL}</a>.
+    </body>

.github/actions/asana-add-comment/templates/internal-release-ready-tag-failed.yml

@@ -0,0 +1,16 @@
+data:
+  html_text: |
+    <body>
+      <h2>[ACTION NEEDED] Internal release build ${TAG} ready</h2>
+      <ul>
+        <li>📥 DMG is available from <a href='${DMG_URL}'>${DMG_URL}</a>.</li>
+        <li><b>❗️ Tagging repository failed.</b></li>
+        <li><b>⚠️ GitHub release creation was skipped.</b></li>
+        <li><b>⚠️ Merging <code>${BRANCH}</code> to <code>${BASE_BRANCH}</code> was skipped.</b></li>
+      </ul>
+
+      <a data-asana-gid='${ASSIGNEE_ID}'/>, please proceed with manual tagging and merging <a data-asana-gid='${TASK_ID}' data-asana-dynamic='false'>according to instructions</a>.
+
+
+      🔗 Workflow URL: <a href='${WORKFLOW_URL}'>${WORKFLOW_URL}</a>.
+    </body>

.github/actions/asana-add-comment/templates/internal-release-ready.yml

@@ -0,0 +1,14 @@
+data:
+  # yq -o=j | sed -E 's/\\n( *)([^\\n])/\2/g'
+  html_text: |
+    <body>
+      <h2>Internal release build ${TAG} ready ✅</h2>
+      <ul>
+        <li>📥 DMG is available from <a href='${DMG_URL}'>${DMG_URL}</a>.</li>
+        <li>🏷️ Repository is tagged with <code>${TAG}</code> tag.</li>
+        <li>🚢 GitHub <a href='${RELEASE_URL}'>${TAG} pre-release</a> is created.</li>
+        <li>🔱 <code>${BRANCH}</code> branch has been successfully merged to <code>${BASE_BRANCH}</code>.</li>
+      </ul>
+
+      🔗 Workflow URL: <a href='${WORKFLOW_URL}'>${WORKFLOW_URL}</a>.
+    </body>

.github/actions/asana-add-comment/templates/validate-check-for-updates-internal.yml

@@ -0,0 +1,11 @@
+data:
+  html_text: |
+    <body>
+      <h2>Build ${TAG} is available for internal testing through Sparkle 🚀</h2>
+      <ul>
+        <li>🌟 New appcast file has been generated and uploaded to S3, together with binary delta files.</li>
+        <li>👀 <a data-asana-gid='${ASSIGNEE_ID}'/>, please proceed by following instructions in <a data-asana-gid='${TASK_ID}'/> which concludes the internal release process.</li>
+      </ul>
+
+      🔗 Workflow URL: <a href='${WORKFLOW_URL}'>${WORKFLOW_URL}</a>.
+    </body>

.github/actions/asana-create-action-item/templates/appcast-failed.yml

@@ -0,0 +1,37 @@
+data:
+  name: Generate appcast2.xml for ${TAG} internal release and upload assets to S3
+  assignee: "${ASSIGNEE_ID}"
+  html_notes: |
+    <body>
+      Publishing internal release ${TAG} failed in CI. Please follow the steps to generate the appcast file and upload files to S3 from your local machine.
+
+      <ol>
+        <li>Download <a href='${DMG_URL}'>the DMG for ${TAG} release</a>.</li>
+        <li>Create a new file called <code>release-notes.txt</code> on your disk.
+          <ul>
+            <li>Add each release note as a separate line and don't add bullet points (•) – the script will add them automatically.</li>
+          </ul></li>
+        <li>Run <code>appcastManager</code>:
+          <ul>
+            <li><code>./scripts/appcast_manager/appcastManager.swift --release-to-internal-channel --dmg ~/Downloads/${DMG_NAME} --release-notes release-notes.txt</code></li>
+          </ul></li>
+        <li>Verify that the new build is in the appcast file with the following internal channel tag:
+          <ul>
+            <li><code>&lt;sparkle:channel&gt;internal-channel&lt;/sparkle:channel&gt;</code></li>
+          </ul></li>
+        <li>Run <code>upload_to_s3.sh</code> script:
+          <ul>
+            <li><code>./scripts/upload_to_s3/upload_to_s3.sh --run</code></li>
+          </ul></li>
+      </ol>
+      When done, please verify that "Check for Updates" works correctly:
+      <ol>
+        <li>Launch a debug version of the app with an old version number.</li>
+        <li>Identify as an internal user in the app.</li>
+        <li>Go to Main Menu → DuckDuckGo → Check for Updates...</li>
+        <li>Verify that you're being offered to update to ${TAG}.</li>
+        <li>Verify that the update works.</li>
+      </ol>
+
+      🔗 Workflow URL: <a href='${WORKFLOW_URL}'>${WORKFLOW_URL}</a>.
+    </body>

.github/actions/asana-create-action-item/templates/validate-check-for-updates-internal.yml

@@ -0,0 +1,41 @@
+data:
+  name: Validate that 'Check For Updates' upgrades to ${TAG} for internal users
+  assignee: "${ASSIGNEE_ID}"
+  html_notes: |
+    <body>
+      <h1>Build ${TAG} has been released internally via Sparkle 🎉</h1>
+      Please verify that "Check for Updates" works correctly:
+      <ol>
+        <li>Launch a debug version of the app with an old version number.</li>
+        <li>Identify as an internal user in the app.</li>
+        <li>Go to Main Menu → DuckDuckGo → Check for Updates...</li>
+        <li>Verify that you're being offered to update to ${TAG}.</li>
+        <li>Verify that the update works.</li>
+      </ol>
+      <h1>🚨In case "Check for Updates" is broken</h1>
+      You can restore previous version of the appcast2.xml:
+      <ol>
+        <li>Download the ${OLD_APPCAST_NAME} file attached to this task.</li>
+        <li>Log in to AWS session:
+          <ul>
+            <li><code>aws --profile ddg-macos sso login</code></li>
+          </ul></li>
+        <li>Overwrite appcast2.xml with the old version:
+          <ul>
+            <li><code>aws --profile ddg-macos s3 cp ${OLD_APPCAST_NAME} s3://${RELEASE_BUCKET_NAME}/${RELEASE_BUCKET_PREFIX}/appcast2.xml --acl public-read</code></li>
+          </ul></li>
+      </ol>
+
+      <hr>
+      <h1>Summary of automated changes</h1>
+      <h2>Changes to appcast2.xml</h2>
+      See the attached <em>${APPCAST_PATCH_NAME}</em> file.
+      <h2>Release notes</h2>
+      See the attached <em>${RELEASE_NOTES_FILE}</em> file for release notes extracted automatically from <a data-asana-gid='${RELEASE_TASK_ID}' data-asana-dynamic='false'>the release task</a> description.
+      <h2>List of files uploaded to S3</h2>
+      <ol>
+        ${FILES_UPLOADED}
+      </ol>
+
+      🔗 Workflow URL: <a href='${WORKFLOW_URL}'>${WORKFLOW_URL}</a>.
+    </body>

.github/actions/asana-log-message/action.yml

@@ -47,46 +47,10 @@ runs:
           exit 1
         fi
 
-    - id: process-template-payload
-      if: ${{ inputs.template-name }}
-      shell: bash
-      env:
-        TEMPLATE_PATH: ${{ github.action_path }}/templates/${{ inputs.template-name }}.yml
-      run: |
-        if [ ! -f $TEMPLATE_PATH ]; then
-          echo "::error::Template file not found at $TEMPLATE_PATH"
-          exit 1
-        fi
-
-        # Process the template file with envsubst, turn into JSON, remove leading spaces and newlines on non-empty lines, and compact the JSON
-        payload="$(envsubst < $TEMPLATE_PATH | yq -o=j | sed -E 's/\\n( *)([^\\n])/\2/g' | jq -c)"
-        echo "payload-base64=$(base64 <<< $payload)" >> $GITHUB_OUTPUT
-
-    - id: process-comment-payload
-      if: ${{ inputs.comment }}
-      shell: bash
-      env:
-        COMMENT: ${{ inputs.comment }}
-        WORKFLOW_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
-      run: |
-        payload="{ \"data\": { \"text\": \"${COMMENT}\n\nWorkflow URL: ${WORKFLOW_URL}\" } }"
-        echo "payload-base64=$(base64 <<< $payload)" >> $GITHUB_OUTPUT
-
     - id: add-comment
-      shell: bash
-      env:
-        ASANA_ACCESS_TOKEN: ${{ inputs.access-token }}
-        TASK_ID: ${{ steps.get-automation-subtask.outputs.automation-task-id }}
-        PAYLOAD_BASE64: ${{ steps.process-template-payload.outputs.payload-base64 || steps.process-comment-payload.outputs.payload-base64 }}
-      run: |
-        return_code=$(curl -fLSs "https://app.asana.com/api/1.0/tasks/${TASK_ID}/stories" \
-          -H "Authorization: Bearer ${ASANA_ACCESS_TOKEN}" \
-          -H 'content-type: application/json' \
-          --write-out '%{http_code}' \
-          --output /dev/null \
-          -d "$(base64 -d <<< $PAYLOAD_BASE64)")
-
-        if [ $return_code -ne 201 ]; then
-          echo "::error::Failed to add a comment to the Asana task"
-          exit 1
-        fi
+      uses: ./.github/actions/asana-add-comment
+      with:
+        access-token: ${{ inputs.access-token }}
+        task-id: ${{ steps.get-automation-subtask.outputs.automation-task-id }}
+        comment: ${{ inputs.comment }}
+        template-name: ${{ inputs.template-name }}

.github/actions/asana-upload/action.yml

@@ -17,7 +17,7 @@ runs:
   using: "composite"
   steps:
     - run: |
-        curl -s "https://app.asana.com/api/1.0/tasks/${{ inputs.task-id }}/attachments" \
+        curl -fLSs "https://app.asana.com/api/1.0/tasks/${{ inputs.task-id }}/attachments" \
           -H "Authorization: Bearer ${{ inputs.access-token }}" \
           --form "file=@${{ inputs.file-name }}"
       shell: bash

.github/workflows/build_appstore.yml

@@ -82,7 +82,7 @@ jobs:
           ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
 
     - name: Check out the code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         submodules: recursive
         ref: ${{ inputs.branch || github.ref_name }}

.github/workflows/build_notarized.yml

@@ -108,7 +108,7 @@ jobs:
     steps:
 
     - name: Check out the code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         submodules: recursive
         ref: ${{ env.branch }}
@@ -296,7 +296,8 @@ jobs:
       run: |
         aws s3 cp \
           ${{ github.workspace }}/${{ steps.create-dmg.outputs.dmg }} \
-          s3://${{ env.RELEASE_BUCKET_NAME }}/${{ env.RELEASE_BUCKET_PREFIX }}/
+          s3://${{ env.RELEASE_BUCKET_NAME }}/${{ env.RELEASE_BUCKET_PREFIX }}/ \\
+          --acl public-read
 
     - name: Report success
       if: ${{ env.upload-to == 's3' }}

.github/workflows/bump_internal_release.yml

@@ -31,7 +31,7 @@ jobs:
           esac
 
       - name: Check out the code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
 
@@ -71,7 +71,7 @@ jobs:
     steps:
 
       - name: Check out the code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
           ref: ${{ github.ref_name }}

.github/workflows/code_freeze.yml

@@ -26,7 +26,7 @@ jobs:
           fi
 
       - name: Check out the code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
 
@@ -95,7 +95,7 @@ jobs:
     steps:
 
       - name: Check out the code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
           ref: ${{ needs.create_release_branch.outputs.release_branch_name }}