feat: add new reusable workflow, _build.yml (#15762)

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: ncooke3

.github/workflows/_build.yml

@@ -0,0 +1,139 @@
+name: _build
+
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      product:
+        required: true
+        type: string
+      platform:
+        required: true
+        type: string
+      method:
+        required: true
+        type: string
+      sanitizers:
+        required: false
+        type: string
+        description: "Space-separated list of sanitizers (asan, tsan, ubsan)"
+      setup_command:
+        required: false
+        type: string
+        description: "Command to run before build (e.g., for setting up secrets or prerequisites)"
+      xcode:
+        required: false
+        type: string
+        default: 'Xcode_16.4'
+      os:
+        required: false
+        type: string
+        default: 'macos-15'
+      timeout_minutes:
+        required: false
+        type: number
+        default: 120
+      max_attempts:
+        required: false
+        type: number
+        default: 3
+
+    # IMPORTANT: When adding new secrets to this workflow, update the
+    # 'has_secrets' logic in the 'check_secrets' job to include the new secret.
+    secrets:
+      plist_secret:
+        required: false
+
+jobs:
+  check_secrets:
+    runs-on: ubuntu-latest
+    outputs:
+      should_run: ${{ steps.determine_run.outputs.should_run }}
+      has_secrets: ${{ steps.determine_run.outputs.has_secrets }}
+    env:
+      plist_secret: ${{ secrets.plist_secret }}
+    steps:
+      - name: Determine if build should run and if secrets are present
+        id: determine_run
+        run: |
+          # 1. Check for secrets.
+          #    - IMPORTANT: Extend this logic if adding new secrets.
+          if [[ -n "$plist_secret" ]]; then
+            has_secrets="true"
+          else
+            has_secrets="false"
+          fi
+          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+
+          # 2. Determine if the build job should run.
+          #    - Skip if on a fork AND secrets are present.
+          repo_full_name=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
+          if [[ "$repo_full_name" != "firebase/firebase-ios-sdk" && "$has_secrets" == "true" ]]; then
+            echo "should_run=false" >> $GITHUB_OUTPUT
+          else
+            echo "should_run=true" >> $GITHUB_OUTPUT
+          fi
+
+  build:
+    needs: check_secrets
+    # Run on the main repo's scheduled jobs or pull requests and manual workflow invocations.
+    if: |
+      needs.check_secrets.outputs.should_run == 'true' &&
+      (
+        (github.repository == 'firebase/firebase-ios-sdk' && github.event_name == 'schedule') ||
+        contains(fromJSON('["pull_request", "workflow_dispatch"]'), github.event_name)
+      )
+    runs-on: ${{ inputs.os }}
+    env:
+      SANITIZERS: ${{ inputs.sanitizers }}
+      plist_secret: ${{ secrets.plist_secret }}
+      FIREBASECI_SECRETS_PRESENT: ${{ needs.check_secrets.outputs.has_secrets }}
+      FIREBASECI_IS_TRUSTED_ENV: ${{ github.repository == 'firebase/firebase-ios-sdk' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+      FIREBASECI_USE_LATEST_GOOGLEAPPMEASUREMENT: 1
+    steps:
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1
+      if: inputs.method != 'spm' && inputs.method != 'spmbuildonly' && inputs.method != 'cmake'
+    - name: Setup Bundler
+      if: inputs.method != 'spm' && inputs.method != 'spmbuildonly' && inputs.method != 'cmake'
+      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
+      with:
+        timeout_minutes: 10
+        max_attempts: 5
+        retry_wait_seconds: 300
+        command: scripts/setup_bundler.sh
+    - name: Xcode
+      run: sudo xcode-select -s /Applications/${{ inputs.xcode }}.app/Contents/Developer
+    - name: Install simulators
+      if: inputs.platform != 'macOS' && inputs.platform != 'catalyst'
+      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
+      with:
+        timeout_minutes: 15
+        max_attempts: 5
+        retry_wait_seconds: 120
+        continue_on_error: true
+        command: |
+          if [[ "${{ inputs.platform }}" == "all" ]]; then
+            xcodebuild -downloadAllPlatforms
+          else
+            xcodebuild -downloadPlatform ${{ inputs.platform }}
+          fi
+    - name: Run setup command
+      if: inputs.setup_command != ''
+      run: ${{ inputs.setup_command }}
+    - name: Build
+      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
+      with:
+        timeout_minutes: ${{ inputs.timeout_minutes }}
+        max_attempts: ${{ inputs.max_attempts }}
+        retry_wait_seconds: 120
+        command: |
+          scripts/build.sh "${{ inputs.product }}" "${{ inputs.platform }}" "${{ inputs.method }}"
+    - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      if: ${{ failure() }}
+      with:
+        name: xcodebuild-logs-${{ inputs.product }}-${{ inputs.platform }}-${{ inputs.method }}
+        path: xcodebuild-*.log
+        if-no-files-found: error

.github/workflows/infra.samples.client_app.yml

@@ -1,5 +1,8 @@
 name: infra.samples.client_app
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   pull_request:
@@ -25,7 +28,6 @@ concurrency:
 
 jobs:
   client-app-spm:
-    if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request'
     strategy:
       matrix:
         #TODO(ncooke3): Add multi-platform support: tvOS, macOS, catalyst
@@ -37,41 +39,36 @@ jobs:
             xcode: Xcode_16.2
           - os: macos-15
             xcode: Xcode_16.4
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - name: Xcode
-        run: sudo xcode-select -s /Applications/${{ matrix.xcode }}.app/Contents/Developer
-      - name: Build Client App - ${{ matrix.platform }}
-        run: scripts/third_party/travis/retry.sh ./scripts/build.sh ${{ matrix.scheme }} ${{ matrix.platform }} xcodebuild
+    uses: ./.github/workflows/_build.yml
+    with:
+      product: ${{ matrix.scheme }}
+      platform: ${{ matrix.platform }}
+      method: xcodebuild
+      os: ${{ matrix.os }}
+      xcode: ${{ matrix.xcode }}
 
   client-app-spm-source-firestore:
-      if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request'
-      env:
-        FIREBASECI_USE_LATEST_GOOGLEAPPMEASUREMENT: 1
-        FIREBASE_SOURCE_FIRESTORE: 1
-      strategy:
-        matrix:
-          #TODO(ncooke3): Add multi-platform support: tvOS, macOS, catalyst
-          platform: [iOS]
-          scheme: [ClientApp]
-          os: [macos-14, macos-15]
-          include:
-            - os: macos-14
-              xcode: Xcode_16.2
-            - os: macos-15
-              xcode: Xcode_16.4
-      runs-on: ${{ matrix.os }}
-      steps:
-        - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        - name: Xcode
-          run: sudo xcode-select -s /Applications/${{ matrix.xcode }}.app/Contents/Developer
-        - name: Build Client App - ${{ matrix.platform }}
-          run: scripts/third_party/travis/retry.sh ./scripts/build.sh ${{ matrix.scheme }} ${{ matrix.platform }} xcodebuild
+    strategy:
+      matrix:
+        #TODO(ncooke3): Add multi-platform support: tvOS, macOS, catalyst
+        platform: [iOS]
+        scheme: [ClientApp]
+        os: [macos-14, macos-15]
+        include:
+          - os: macos-14
+            xcode: Xcode_16.2
+          - os: macos-15
+            xcode: Xcode_16.4
+    uses: ./.github/workflows/_build.yml
+    with:
+      product: ${{ matrix.scheme }}
+      platform: ${{ matrix.platform }}
+      method: xcodebuild
+      os: ${{ matrix.os }}
+      xcode: ${{ matrix.xcode }}
+      setup_command: echo "FIREBASE_SOURCE_FIRESTORE=1" >> $GITHUB_ENV
 
   client-app-cocoapods:
-    # Don't run on private repo unless it is a PR.
-    if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request'
     strategy:
       matrix:
         scheme: [ClientApp-CocoaPods]
@@ -81,15 +78,11 @@ jobs:
             xcode: Xcode_16.2
           - os: macos-15
             xcode: Xcode_16.4
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1
-      - name: Setup Bundler
-        run: scripts/setup_bundler.sh
-      - name: Xcode
-        run: sudo xcode-select -s /Applications/${{ matrix.xcode }}.app/Contents/Developer
-      - name: Prereqs
-        run: scripts/install_prereqs.sh ClientApp iOS xcodebuild
-      - name: Build
-        run: scripts/build.sh ${{ matrix.scheme }} iOS xcodebuild
+    uses: ./.github/workflows/_build.yml
+    with:
+      product: ${{ matrix.scheme }}
+      platform: iOS
+      method: xcodebuild
+      os: ${{ matrix.os }}
+      xcode: ${{ matrix.xcode }}
+      setup_command: scripts/install_prereqs.sh ClientApp iOS xcodebuild

.github/workflows/infra.samples.symbolcollision.yml

@@ -1,5 +1,8 @@
 name: infra.samples.symbolcollision
 
+permissions:
+  contents: read
+
 # Tests the Pods listed in SymbolCollisionTest/Podfile for symbol collisions.
 
 on:
@@ -19,25 +22,9 @@ concurrency:
 
 jobs:
   installation-test:
-    # Don't run on private repo unless it is a PR.
-    if: github.repository == 'Firebase/firebase-ios-sdk' || github.event_name == 'pull_request'
-    runs-on: macos-15
-
-    steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-    - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1
-    - name: Setup Bundler
-      run: scripts/setup_bundler.sh
-    - name: Xcode
-      run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer
-    - name: Install simulators in case they are missing.
-      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
-      with:
-        timeout_minutes: 15
-        max_attempts: 5
-        retry_wait_seconds: 120
-        command: sudo xcodebuild -downloadPlatform iOS
-    - name: Prereqs
-      run: scripts/install_prereqs.sh SymbolCollision iOS
-    - name: Build
-      run: scripts/build.sh SymbolCollision iOS
+    uses: ./.github/workflows/_build.yml
+    with:
+      product: SymbolCollision
+      platform: iOS
+      method: xcodebuild
+      setup_command: scripts/install_prereqs.sh SymbolCollision iOS

.github/workflows/sdk.appcheck.yml

@@ -43,30 +43,20 @@ jobs:
         product: [FirebaseAppCheckInterop, FirebaseAppCheck]
     uses: ./.github/workflows/_cocoapods.yml
     with:
-      product: ${{  matrix.product }}
+      product: ${{ matrix.product }}
       buildonly_platforms: macOS
 
   diagnostics:
-    # Don't run on private repo unless it is a PR.
-    if: (github.repository == 'Firebase/firebase-ios-sdk' && github.event_name == 'schedule') || github.event_name == 'pull_request'
-    runs-on: macos-15
     strategy:
       matrix:
         diagnostic: [tsan, asan, ubsan]
-    steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-    - name: Xcode
-      run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer
-    - name: Initialize xcodebuild
-      run: scripts/setup_spm_tests.sh
-    - name: iOS Unit Tests
-      run: scripts/third_party/travis/retry.sh ./scripts/build.sh FirebaseAppCheckUnit iOS spm ${{ matrix.diagnostic }}
-    - name: Upload raw logs if failed
-      if: ${{ failure() }}
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-      with:
-        name: failure-xcodebuild-raw-logs
-        path: xcodebuild.log
+    uses: ./.github/workflows/_build.yml
+    with:
+      product: FirebaseAppCheckUnit
+      platform: iOS
+      method: spm
+      sanitizers: ${{ matrix.diagnostic }}
+      setup_command: scripts/setup_spm_tests.sh
 
   app_check-cron-only:
     needs: pod_lib_lint

.github/workflows/sdk.auth.yml

@@ -92,7 +92,7 @@ jobs:
         timeout_minutes: 15
         max_attempts: 5
         retry_wait_seconds: 120
-        command: sudo xcodebuild -downloadPlatform iOS
+        command: xcodebuild -downloadPlatform iOS
     - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
       with:
         timeout_minutes: 15