firebase · daymxn · Oct 17, 2025 · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025
diff --git a/scripts/repo.sh b/scripts/repo.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# USAGE: ./repo.sh <subcommand> [args...]
+#
+# EXAMPLE: ./repo.sh tests decrypt --json ./scripts/secrets/AI.json
+#
+# Wraps around the local "repo" swift package, and facilitates calls to it.
+# The main purpose of this is to make calling "repo" easier, as you typically
+# need to call "swift run" with the package path.
+
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+if [[ $# -eq 0 ]]; then
+ cat 1>&2 <<EOF
+OVERVIEW: Small script for running repo commands.
+
+ Repo commands live under the scripts/repo swift package.
+
+USAGE: $0 <subcommand> [args...]
+EOF
+ exit 1
+fi
+
+swift run --package-path "${ROOT}/repo" "$@"
diff --git a/scripts/repo/Package.swift b/scripts/repo/Package.swift
@@ -0,0 +1,50 @@
+// swift-tools-version:6.0
+// The swift-tools-version declares the minimum version of Swift required to build this package.
+
+/*
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import PackageDescription
+
+/// Package containing CLI executables for our larger scripts that are a bit harder to follow in
+/// bash form, or that need more advanced flag/optional requirements.
+let package = Package(
+ name: "RepoScripts",
+ platforms: [.macOS(.v15)],
+ products: [
+ .executable(name: "tests", targets: ["Tests"]),
+ ],
+ dependencies: [
+ .package(url: "https://github.com/apple/swift-argument-parser", exact: "1.6.2"),
+ .package(url: "https://github.com/apple/swift-log", exact: "1.6.2"),
+ ],
+ targets: [
+ .executableTarget(
+ name: "Tests",
+ dependencies: [
+ .product(name: "ArgumentParser", package: "swift-argument-parser"),
+ .product(name: "Logging", package: "swift-log"),
+ .byName(name: "Util"),
+ ]
+ ),
+ .target(
+ name: "Util",
+ dependencies: [
+ .product(name: "Logging", package: "swift-log"),
+ ]
+ ),
+ ]
+)
diff --git a/scripts/repo/README.md b/scripts/repo/README.md
@@ -0,0 +1,13 @@
+# Firebase Apple repo commands
+
+This project includes commands that are too long and complicated to properly
+maintain in a bash script, or that have unique option/flag constraints that
+are better represented in a swift project.
+
+## Tests
+
+Commands for interacting with integration tests in the repo.
+
+```sh
+./scripts/repo.sh tests --help
+```
diff --git a/scripts/repo/Sources/Tests/Decrypt.swift b/scripts/repo/Sources/Tests/Decrypt.swift
@@ -0,0 +1,183 @@
+/*
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import ArgumentParser
+import Foundation
+import Logging
+import Util
+
+extension Tests {
+ /// Command for decrypting the secret files needed for a test run.
+ struct Decrypt: ParsableCommand {
+ nonisolated(unsafe) static var configuration = CommandConfiguration(
+ abstract: "Decrypt the secret files for a test run.",
+ usage: """
+ tests decrypt [--json] [--overwrite] [<json-file>]
+ tests decrypt [--password <password>] [--overwrite] [<secret-files> ...]
+
+ tests decrypt --json secret_files.json
+ tests decrypt --json --overwrite secret_files.json
+ tests decrypt --password "super_secret" \\
+ scripts/gha-encrypted/FirebaseAI/TestApp-GoogleService-Info.plist.gpg:FirebaseAI/Tests/TestApp/Resources/GoogleService-Info.plist \\
+ scripts/gha-encrypted/FirebaseAI/TestApp-GoogleService-Info-Spark.plist.gpg:FirebaseAI/Tests/TestApp/Resources/GoogleService-Info-Spark.plist
+ """,
+ discussion: """
+ The happy path usage is saving the secret passphrase in the environment variable \
+ 'secrets_passphrase', and passing a json file to the command. Although, you can also \
+ pass everything inline via options.
+
+ When using a json file, it's expected that the json file is an array of json elements \
+ in the format of:
+ { encrypted: <path-to-encrypted-file>, destination: <where-to-output-decrypted-file> }
+ """,
+ )
+
+ @Argument(
+ help: """
+ An array of secret files to decrypt. \
+ The files should be in the format "encrypted:destination", where "encrypted" is a path to \
+ the encrypted file and "destination" is a path to where the decrypted file should be saved.
+ """
+ )
+ var secretFiles: [String] = []
+
+ @Option(
+ help: """
+ The secret to use when decrypting the files. \
+ Defaults to the environment variable 'secrets_passphrase'.
+ """
+ )
+ var password: String = ""
+
+ @Flag(help: "Overwrite existing decrypted secret files.")
+ var overwrite: Bool = false
+
+ @Flag(
+ help: """
+ Use a json file of secret file mappings instead. \
+ When this flag is enabled, <secret-files> should be a single json file.
+ """
+ )
+ var json: Bool = false
+
+ /// The parsed version of ``secretFiles``.
+ ///
+ /// Only populated after `validate()` runs.
+ var files: [SecretFile] = []
+
+ static let log = Logger(label: "Tests::Decrypt")
+ private var log: Logger { Decrypt.log }
+
+ mutating func validate() throws {
+ try validatePassword()
+
+ if json {
+ try validateJSON()
+ } else {
+ try validateFileString()
+ }
+
+ if !overwrite {
+ log.info("Overwrite is disabled, so we're skipping generation for existing files.")
+ files = files.filter { file in
+ let keep = !FileManager.default.fileExists(atPath: file.destination)
+ if !keep {
+ log.debug(
+ "Skipping generation for existing file",
+ metadata: ["destination": "\(file.destination)"]
+ )
+ }
+ return keep
+ }
+ }
+
+ for file in files {
+ guard FileManager.default.fileExists(atPath: file.encrypted) else {
+ throw ValidationError("Encrypted secret file does not exist: \(file.encrypted)")
+ }
+ }
+ }
+
+ private mutating func validatePassword() throws {
+ if password.isEmpty {
+ // when a password isn't provided, try to load one from the environment variable
+ guard
+ let secrets_passphrase = ProcessInfo.processInfo.environment["secrets_passphrase"]
+ else {
+ throw ValidationError(
+ "Either provide a passphrase via the password option or set the environvment variable 'secrets_passphrase' to the passphrase."
+ )
+ }
+ password = secrets_passphrase
+ }
+ }
+
+ private mutating func validateJSON() throws {
+ guard let jsonPath = secretFiles.first else {
+ throw ValidationError("Missing path to json file for secret files")
+ }
+
+ let fileURL = URL(
+ filePath: jsonPath, directoryHint: .notDirectory,
+ relativeTo: URL.currentDirectory()
+ )
+
+ files = try SecretFile.parseArrayFrom(file: fileURL)
+ guard !files.isEmpty else {
+ throw ValidationError("Missing secret files in json file: \(jsonPath)")
+ }
+ }
+
+ private mutating func validateFileString() throws {
+ guard !secretFiles.isEmpty else {
+ throw ValidationError("Missing paths to secret files")
+ }
+ for string in secretFiles {
+ try files.append(SecretFile(string: string))
+ }
+ }
+
+ mutating func run() throws {
+ log.info("Decrypting files...")
+
+ for file in files {
+ let gpg = Process("gpg", inheritEnvironment: true)
+ let result = try gpg.runWithSignals([
+ "--quiet",
+ "--batch",
+ "--yes",
+ "--decrypt",
+ "--passphrase=\(password)",
+ "--output",
+ file.destination,
+ file.encrypted,
+ ])
+
+ guard result == 0 else {
+ log.error("Failed to decrypt file", metadata: ["file": "\(file.encrypted)"])
+ throw ExitCode(result)
+ }
+
+ log.debug(
+ "File encrypted",
+ metadata: ["file": "\(file.encrypted)", "destination": "\(file.destination)"]
+ )
+ }
+
+ log.info("Files decrypted")
+ }
+ }
+}
diff --git a/scripts/repo/Sources/Tests/SecretFile.swift b/scripts/repo/Sources/Tests/SecretFile.swift
@@ -0,0 +1,73 @@
+/*
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import ArgumentParser
+import Foundation
+
+/// A representation of a secret file, which should be decrypted for an integration test.
+struct SecretFile: Codable {
+ /// A relative path to the encrypted file.
+ let encrypted: String
+
+ /// A relative path to where the decrypted file should be output to.
+ let destination: String
+}
+
+extension SecretFile {
+ /// Parses a `SecretFile` from a string.
+ ///
+ /// The string should be in the format of "encrypted:destination".
+ /// If it's not, then a `ValidationError`will be thrown.
+ ///
+ /// - Parameters:
+ /// - string: A string in the format of "encrypted:destination".
+ init(string: String) throws {
+ let splits = string.split(separator: ":")
+ guard splits.count == 2 else {
+ throw ValidationError(
+ "Invalid secret file format. Format should be \"encrypted:destination\". Cause: \(string)"
+ )
+ }
+ encrypted = String(splits[0])
+ destination = String(splits[1])
+ }
+
+ /// Parses an array of `SecretFile` from a JSON file.
+ ///
+ /// It's expected that the secrets are encoded in the JSON file in the format of:
+ /// ```json
+ /// [
+ /// {
+ /// "encrypted": "path-to-encrypted-file",
+ /// "destination": "where-to-output-decrypted-file"
+ /// }
+ /// ]
+ /// ```
+ ///
+ /// - Parameters:
+ /// - file: The URL of a JSON file which contains an array of `SecretFile`,
+ /// encoded as JSON.
+ static func parseArrayFrom(file: URL) throws -> [SecretFile] {
+ do {
+ let data = try Data(contentsOf: file)
+ return try JSONDecoder().decode([SecretFile].self, from: data)
+ } catch {
+ throw ValidationError(
+ "Failed to load secret files from json file. Cause: \(error.localizedDescription)"
+ )
+ }
+ }
+}