build: add GitHub actions for build, test, code scan, and release (#50)

* build: add github actions for build, test, code scan, and release

* chore: update github action pinned version

* update fortify scan

Author: phantumcode

Diff for: .github/composite_actions/run_xcodebuild/action.yml

@@ -0,0 +1,44 @@
+name: 'Run xcodebuild'
+description: 'Action runs `xcodebuild build` for the scheme specified'
+
+inputs:
+  scheme:
+    required: true
+    type: string
+  project_path:
+    required: false
+    type: string
+  xcode_path:
+    required: false
+    type: string
+  destination:
+    required: false
+    type: string
+    default: 'platform=iOS Simulator,name=iPhone 13,OS=latest'
+  sdk:
+    required: false
+    type: string
+    default: 'iphonesimulator'
+  other_flags:
+    required: false
+    type: string
+    default: ''
+
+runs:
+  using: "composite"
+  steps:
+    - name: Build ${{ inputs.scheme }}
+      env:
+        SCHEME: ${{ inputs.scheme }}
+        PROJECT_PATH: ${{ inputs.project_path }}
+        XCODE_PATH: ${{ inputs.xcode_path }}
+      run: |
+        if [ ! -z "$PROJECT_PATH" ]; then
+          cd $PROJECT_PATH
+        fi
+        if [ ! -z "$XCODE_PATH" ]; then
+          sudo xcode-select -s $XCODE_PATH
+        fi
+        xcodebuild -version
+        xcodebuild build -scheme $SCHEME -sdk '${{ inputs.sdk }}' -destination '${{ inputs.destination }}' ${{ inputs.other_flags }} | xcpretty --simple --color --report junit && exit ${PIPESTATUS[0]}
+      shell: bash

Diff for: .github/composite_actions/run_xcodebuild_test/action.yml

@@ -0,0 +1,66 @@
+name: 'Run xcodebuild test'
+description: 'Action runs the test for the scheme specified'
+
+inputs:
+  scheme:
+    required: true
+    type: string
+  project_path:
+    required: false
+    type: string
+  xcode_path:
+    required: false
+    type: string
+  destination:
+    required: false
+    type: string
+    default: 'platform=iOS Simulator,name=iPhone 13,OS=latest'
+  sdk:
+    required: false
+    type: string
+    default: 'iphonesimulator'
+  other_flags:
+    required: false
+    type: string
+    default: ''
+  generate_coverage:
+    required: false
+    type: boolean
+    default: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Test ${{ inputs.scheme }}
+      env:
+        SCHEME: ${{ inputs.scheme }}
+        PROJECT_PATH: ${{ inputs.project_path }}
+        XCODE_PATH: ${{ inputs.xcode_path }}
+      run: |
+        if [ ! -z "$PROJECT_PATH" ]; then
+          cd $PROJECT_PATH
+        fi
+        if [ ! -z "$XCODE_PATH" ]; then
+          echo "Using Xcode $XCODE_PATH"
+          sudo xcode-select -s $XCODE_PATH
+        fi
+        coverageFlags=""
+        if [ "${{ inputs.generate_coverage }}" == "true" ]; then
+          echo "Code Coverage is enabled!"
+          coverageFlags+="-derivedDataPath Build/ -clonedSourcePackagesDirPath "~/Library/Developer/Xcode/DerivedData/$SCHEME" -enableCodeCoverage YES build test"
+        fi
+        xcode-select -p
+        xcodebuild -version
+        xcodebuild test -scheme $SCHEME -sdk '${{ inputs.sdk }}' -destination '${{ inputs.destination }}' ${{ inputs.other_flags }} $coverageFlags | xcpretty --simple --color --report junit && exit ${PIPESTATUS[0]}
+      shell: bash
+
+    - name: Generate Coverage report
+      if: ${{ inputs.generate_coverage == 'true' }}
+      run: |
+        echo "Generating Coverage report..."
+        cd Build/Build/ProfileData
+        cd $(ls -d */|head -n 1)
+        pathCoverage=Build/Build/ProfileData/${PWD##*/}/Coverage.profdata
+        cd ../../../../
+        xcrun llvm-cov export -format="lcov" -instr-profile $pathCoverage Build/Build/Products/Debug-iphonesimulator/$SCHEME.o > Coverage.lcov
+      shell: bash

Diff for: .github/workflows/build_liveness.yml

@@ -0,0 +1,45 @@
+name: Build | Amplify UI Swift Liveness 
+on:
+  workflow_call:
+    inputs:
+      identifier:
+        required: true
+        type: string
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - main
+      - release
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ inputs.identifier || github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref_name != 'main'}}
+
+jobs:
+  build-amplify-ui-swift-liveness:
+    runs-on: macos-13
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+        with:
+          persist-credentials: false
+      - name: Build Amplify Swift Liveness UI
+        uses: ./.github/composite_actions/run_xcodebuild
+        with:
+          scheme: AmplifyUILiveness
+          destination: 'platform=iOS Simulator,name=iPhone 14,OS=16.4'
+          xcode_path: '/Applications/Xcode_14.3.app'
+
+  confirm-pass:
+    runs-on: ubuntu-latest
+    name: Confirm Passing Build Steps
+    if: ${{ !cancelled() }}
+    needs: [ build-amplify-ui-swift-liveness ]
+    env:
+      EXIT_CODE: ${{ contains(needs.*.result, 'failure') && 1 || 0 }}
+    steps:
+      - run: exit $EXIT_CODE
+

Diff for: .github/workflows/deploy_liveness.yml

@@ -0,0 +1,74 @@
+name: Deploy Liveness
+on:
+  workflow_call:
+    inputs:
+      type:
+        description: 'The type of deployment. Valid values are unstable (default) and release'
+        default: 'unstable'
+        required: false
+        type: string
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  build-amplify-ui-swift-liveness:
+    name: Build Amplify package
+    uses: ./.github/workflows/build_liveness.yml
+    with:
+      identifier: 'workflow-call-build-liveness'
+
+  unit-tests:
+    name: Run Unit Tests
+    uses: ./.github/workflows/liveness_unit_tests.yml
+    with:
+      identifier: 'workflow-call-unit-test'
+
+  fortify:
+    name: Run Fortify Scan
+    uses: ./.github/workflows/fortify_scan.yml
+    secrets: inherit
+    with:
+      identifier: 'workflow-call-fortify'
+
+  release:
+    environment: Release
+    name: Release new ${{ inputs.type }} version
+    needs: [unit-tests, fortify, build-amplify-ui-swift-liveness]
+    runs-on: macos-latest
+    env:
+      GITHUB_EMAIL: [email protected]
+      GITHUB_USER: aws-amplify-ops
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 #v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-session-name: ${{ format('{0}.release', github.run_id) }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - id: retrieve-token
+        name: Retrieve Token
+        env:
+          DEPLOY_SECRET_ARN: ${{ secrets.DEPLOY_SECRET_ARN }}
+        run: |
+          PAT=$(aws secretsmanager get-secret-value \
+          --secret-id "$DEPLOY_SECRET_ARN" \
+          | jq -r ".SecretString | fromjson | .Credential")
+          echo "token=$PAT" >> $GITHUB_OUTPUT
+
+      - name: Checkout repo
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        with:
+          fetch-depth: 10
+          token: ${{steps.retrieve-token.outputs.token}}
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # v1.152.0
+        with:
+          ruby-version: '3.2.1'
+          bundler-cache: true
+
+      - name:  Release Package
+        run: bundle exec fastlane ${{ inputs.type }}

Diff for: .github/workflows/deploy_release.yml

@@ -0,0 +1,17 @@
+name: Build, Test and Release | Stable version
+on:
+  push:
+    branches:
+      release
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  release-stable:
+    uses: ./.github/workflows/deploy_liveness.yml
+    with:
+      type: release
+    secrets: inherit
+

Diff for: .github/workflows/deploy_unstable.yml

@@ -0,0 +1,16 @@
+name: Build, Test and Release | Unstable version
+on:
+  push:
+    branches:
+      main
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  release-unstable:
+    uses: ./.github/workflows/deploy_liveness.yml
+    with:
+      type: unstable
+    secrets: inherit

Diff for: .github/workflows/fortify_scan.yml

@@ -0,0 +1,74 @@
+name: Fortify Scan
+on:
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      identifier:
+        required: true
+        type: string
+  push:
+    branches-ignore:
+      - main
+      - release
+
+permissions:
+  id-token: write
+  contents: read
+
+concurrency:
+  group: ${{ inputs.identifier || github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref_name != 'main'}}
+
+jobs:
+  fortify-scan:
+    runs-on: macos-latest
+    environment: Fortify
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+        with:
+          persist-credentials: false
+
+      - name: Configure AWS credentials for fetching fortify resources
+        uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 #v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-session-name: GHAFortifySession
+          role-duration-seconds: 900
+          mask-aws-account-id: true
+
+      - name: Download License
+        run: |
+          aws s3 cp s3://${{ secrets.AWS_S3_FORTIFY_BUCKET }}${{ vars.LICENSE_PATH }} fortify.license
+
+      - name: Download Installer
+        run: |
+          aws s3 cp s3://${{ secrets.AWS_S3_FORTIFY_BUCKET }}${{ vars.INSTALLER_PATH }} Fortify_SCA_and_Apps_22.1.1_Mac.tar.gz
+          tar -xvf Fortify_SCA_and_Apps_22.1.1_Mac.tar.gz
+          unzip Fortify_SCA_and_Apps_22.1.1_osx_x64.app.zip
+
+      - name: Download Scripts
+        run: |
+            aws s3 cp s3://${{ secrets.AWS_S3_FORTIFY_BUCKET }}${{ vars.SCRIPTS_PATH }} liveness_swift_fortify_scan.sh
+
+      - name: Run Installer
+        run: |
+          Fortify_SCA_and_Apps_22.1.1_osx_x64.app/Contents/MacOS/installbuilder.sh --mode unattended --installdir ~/amplify-ui-swift-liveness/Fortify --InstallSamples 0  --fortify_license_path fortify.license --MigrateSCA 0
+          export PATH=~/amplify-ui-swift-liveness/Fortify/bin:$PATH
+          fortifyupdate -acceptKey
+          sourceanalyzer -version
+
+      - name: Run Scan
+        run: |
+          export PATH=~/amplify-ui-swift-liveness/Fortify/bin:$PATH
+          sh ./liveness_swift_fortify_scan.sh Sources
+
+  confirm-pass:
+    runs-on: ubuntu-latest
+    name: Confirm Passing Fortify Scan
+    if: ${{ !cancelled() }}
+    needs: [ fortify-scan ]
+    env:
+      EXIT_CODE: ${{ contains(needs.*.result, 'failure') && 1 || 0 }}
+    steps:
+      - run: exit $EXIT_CODE

Diff for: .github/workflows/liveness_unit_tests.yml

@@ -1,4 +1,4 @@
-name: Run Unit Tests
+name: Run Unit Tests | Amplify UI Swift Liveness
 
 on:
   workflow_dispatch:
@@ -12,5 +12,15 @@ jobs:
     runs-on: macos-latest
     steps:
       - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        with:
+          persist-credentials: false
       - name: Test FaceLiveness
-        run:  xcodebuild test -scheme AmplifyUILiveness -sdk 'iphonesimulator' -destination 'platform=iOS Simulator,name=iPhone 14,OS=latest' | xcpretty --simple --color --report junit && exit ${PIPESTATUS[0]}
+        with:
+          scheme: AmplifyUILiveness
+          destination: 'platform=iOS Simulator,name=iPhone 14,OS=16.4'
+          xcode_path: '/Applications/Xcode_14.3.app'
+          generate_coverage: true
+      - name: Upload Coverage report to Codecov
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+        with:
+          flags: 'unittests'