[PM-24930] New workflow to update the SDK and test ongoing work (#5742)

.github/actions/setup-android-build/action.yml

@@ -0,0 +1,49 @@
+name: 'Setup Android Build'
+description: 'Setup Android build environment with Gradle, Ruby, and Fastlane'
+inputs:
+  java-version:
+    description: 'Java version to use'
+    required: false
+    default: '17'
+runs:
+  using: 'composite'
+  steps:
+    - name: Validate Gradle wrapper
+      uses: gradle/actions/wrapper-validation@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
+
+    - name: Cache Gradle files
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      with:
+        path: |
+          ~/.gradle/caches
+          ~/.gradle/wrapper
+        key: ${{ runner.os }}-gradle-v2-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties', '**/libs.versions.toml') }}
+        restore-keys: |
+          ${{ runner.os }}-gradle-v2-
+
+    - name: Cache build output
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      with:
+        path: |
+          ${{ github.workspace }}/build-cache
+        key: ${{ runner.os }}-build-cache-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-build-
+
+    - name: Configure Ruby
+      uses: ruby/setup-ruby@bb6434c747fa7022e12fa1cae2a0951fcffcff26 # v1.253.0
+      with:
+        bundler-cache: true
+
+    - name: Configure JDK
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        distribution: "temurin"
+        java-version: ${{ inputs.java-version }}
+
+    - name: Install Fastlane
+      shell: bash
+      run: |
+        gem install bundler:2.2.27
+        bundle config path vendor/bundle
+        bundle install --jobs 4 --retry 3

.github/workflows/sdlc-sdk-update.yml

@@ -1,16 +1,167 @@
 name: SDLC / SDK Update
+run-name: "SDK ${{inputs.run-mode == 'Update' && format('Update - {0}', inputs.sdk-version) || format('Test #{0} - {1}', inputs.pr-id, inputs.sdk-version)}}"
 
 on:
   workflow_dispatch:
-
-permissions:
-  contents: read
+    inputs:
+      run-mode:
+        description: "Run Mode"
+        type: choice
+        options:
+          - Test # used for testing sdk-internal repo PRs
+          - Update # opens a PR in this repo updating the SDK
+        default: Test
+      sdk-package:
+        description: "SDK Package ID"
+        required: true
+        default: "com.bitwarden:sdk-android.dev"
+      sdk-version:
+        description: "SDK Version"
+        required: true
+        default: "1.0.0-2686-km-update-kdf-sdk"
+      pr-id:
+        description: "Pull Request ID"
 
 jobs:
   update:
-    name: Update SDK
+    name: Update and PR
+    if: ${{ inputs.run-mode == 'Update' }}
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
 
     steps:
-      - name: Placeholder
-        run: echo ":feelsgood:" >> $GITHUB_STEP_SUMMARY
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
+        id: app-token
+        with:
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Log inputs to job summary
+        uses: ./.github/actions/log-inputs
+        with:
+          inputs: ${{ toJson(inputs) }}
+
+      - name: Switch to branch
+        id: switch-branch
+        run: |
+          BRANCH_NAME="sdlc/sdk-update"
+          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+          git switch -c $BRANCH_NAME
+
+      - name: Get current SDK version
+        id: get-current-sdk
+        run: |
+          SDK_VERSION=$(grep "bitwardenSdk =" gradle/libs.versions.toml | cut -d'"' -f2)
+          GIT_REF=$(echo "$SDK_VERSION" | cut -d'-' -f3-) # handles both commit hashes and branch names
+          echo "Current SDK version: $SDK_VERSION"
+          echo "Current SDK git ref: $GIT_REF"
+          echo "version=$SDK_VERSION" >> $GITHUB_OUTPUT
+          echo "git_ref=$GIT_REF" >> $GITHUB_OUTPUT
+
+      - name: Update SDK Version
+        env:
+          _SDK_PACKAGE: ${{ inputs.sdk-package }}
+          _SDK_VERSION: ${{ inputs.sdk-version }}
+        run: |
+          ./scripts/update-sdk-version.sh "$_SDK_PACKAGE" "$_SDK_VERSION"
+
+      - name: Create branch and commit
+        env:
+          _SDK_PACKAGE: ${{ inputs.sdk-package }}
+          _SDK_VERSION: ${{ inputs.sdk-version }}
+          _BRANCH_NAME: ${{ steps.switch-branch.outputs.branch_name }}
+        run: |
+          echo "👀 Committing SDK version update..."
+
+          git config user.name "bw-ghapp[bot]"
+          git config user.email "178206702+bw-ghapp[bot]@users.noreply.github.com"
+
+          git add gradle/libs.versions.toml
+          git commit -m "SDK Update - $_SDK_PACKAGE $_SDK_VERSION"
+          git push origin $_BRANCH_NAME
+
+      - name: Create Pull Request
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          _BRANCH_NAME: ${{ steps.switch-branch.outputs.branch_name }}
+          _SDK_PACKAGE: ${{ inputs.sdk-package }}
+          _SDK_VERSION: ${{ inputs.sdk-version }}
+          _OLD_SDK_VERSION: ${{ steps.get-current-sdk.outputs.version }}
+          _OLD_SDK_GIT_REF: ${{ steps.get-current-sdk.outputs.git_ref }}
+        run: |
+          NEW_SDK_GIT_REF=$(echo "$_SDK_VERSION" | cut -d'-' -f3-)
+          CHANGELOG=$(./scripts/get-repo-changelog.sh "bitwarden/sdk-internal" "$_OLD_SDK_GIT_REF" "$NEW_SDK_GIT_REF")
+          PR_BODY="Updates the SDK version from \`$_OLD_SDK_VERSION\` to \`$_SDK_PACKAGE $_SDK_VERSION\`
+
+          ## What's Changed
+
+          $CHANGELOG"
+
+          # Use echo -e to interpret escape sequences and pipe to gh pr create
+          PR_URL=$(echo -e "$PR_BODY" | gh pr create \
+            --title "Update SDK to $_SDK_VERSION" \
+            --body-file - \
+            --base main \
+            --head $_BRANCH_NAME \
+            --label "automated-pr" \
+            --label "t:ci")
+
+          echo "🚀 Created PR: $PR_URL"
+          echo "## 🚀 Created PR: $PR_URL" >> $GITHUB_STEP_SUMMARY
+
+  test:
+    name: Test Update
+    if: ${{ inputs.run-mode == 'Test' }}
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Log inputs to job summary
+        uses: ./.github/actions/log-inputs
+        with:
+          inputs: ${{ toJson(inputs) }}
+
+      - name: Setup Android Build
+        uses: ./.github/actions/setup-android-build
+
+      - name: Update SDK Version
+        env:
+          _SDK_PACKAGE: ${{ inputs.sdk-package }}
+          _SDK_VERSION: ${{ inputs.sdk-version }}
+        run: |
+          ./scripts/update-sdk-version.sh "$_SDK_PACKAGE" "$_SDK_VERSION"
+
+      - name: Build
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Used in settings.gradle.kts to download the SDK from GitHub Maven Packages
+        run: |
+          ./gradlew assembleDebug --warn

.gitignore

@@ -3,6 +3,13 @@
 fastlane/report.xml
 fastlane/README.md
 
+# Ruby / Bundler
+.bundle/
+vendor/
+
+# Backup files
+*.bak
+
 # General
 .DS_Store
 Thumbs.db

scripts/get-repo-changelog.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Script to get changelog from sdk-internal repo between two git refs
+# Usage: ./scripts/get-sdk-changelog.sh <current-ref> <new-ref>
+
+set -euo pipefail
+
+if [ $# -lt 2 ]; then
+    echo "Usage: $0 <repo> <current-ref> <new-ref>"
+    echo "Example: $0 bitwarden/sdk-internal 9fe3aeda fix-wasm-import"
+    echo "Example: $0 bitwarden/sdk-internal 2450-9fe3aeda 2577-fix-wasm-import"
+    exit 1
+fi
+
+REPO="$1"
+CURRENT_REF="$2"
+NEW_REF="$3"
+
+CHANGELOG=$(gh api "repos/$REPO/compare/$CURRENT_REF...$NEW_REF" \
+    --jq '.commits[] | "- \(.commit.message | split("\n")[0])"' | head -20)
+
+if [ -z "$CHANGELOG" ]; then
+    echo "No changes found between $CURRENT_REF and $NEW_REF"
+    exit 0
+fi
+
+
+# GitHub renders org/repo#123 as a link to a PR, removing the commit message when a PR ID is found
+# including the raw changelog in a collapsible section in case the pattern matching fails
+CLEANED_CHANGELOG=$(echo "$CHANGELOG" | sed -E "s|.*\(#([0-9]+)\).*|- $REPO#\1|")
+
+echo "$CLEANED_CHANGELOG"
+echo
+echo "<details>
+<summary>Raw changelog</summary>
+
+\`\`\`
+$CHANGELOG
+\`\`\`
+</details>
+"

scripts/update-sdk-version.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Script to update SDK version in gradle/libs.versions.toml
+# Usage: ./scripts/update-sdk-version.sh <sdk-package> <sdk-version>
+
+set -euo pipefail
+
+if [ $# -lt 2 ]; then
+    echo "Usage: $0 <sdk-package> <sdk-version>"
+    echo "Example: $0 com.bitwarden:sdk-android 1.0.0-2586-20e3dfa6"
+    echo "Example: $0 com.bitwarden:sdk-android.dev 1.0.0-2577-fix-wasm-import"
+    exit 1
+fi
+
+SDK_PACKAGE="$1"
+SDK_VERSION="$2"
+TOML_FILE="gradle/libs.versions.toml"
+
+echo "Updating SDK in $TOML_FILE..."
+echo "  Package: $SDK_PACKAGE"
+echo "  Version: $SDK_VERSION"
+
+sed -i.bak "s/bitwardenSdk = \".*\"/bitwardenSdk = \"$SDK_VERSION\"/" "$TOML_FILE"
+
+if [ "$SDK_PACKAGE" != "com.bitwarden:sdk-android" ]; then
+    sed -i.bak "s|bitwarden-sdk = { module = \".*\"|bitwarden-sdk = { module = \"$SDK_PACKAGE\", version.ref = \"bitwardenSdk\"|" "$TOML_FILE"
+fi
+
+echo "Updated:"
+grep -n "bitwardenSdk\|bitwarden-sdk" "$TOML_FILE"