Autonomous 2026-04-22 overnight + AI clinical agents (23 commits)

.github/workflows/android-internal.yml

@@ -0,0 +1,208 @@
+name: Android Internal Track
+
+# Internal-track automated submission for Google Play.
+# Uses eas.json "preview" submit profile (track: internal) by default so that
+# Google Play internal testers are the first to receive builds from CI.
+# Production track is gated behind the "production" input below to avoid
+# accidental production submissions.
+#
+# Trigger paths:
+#   1. workflow_dispatch   - manual run from Actions UI
+#   2. Tag push v*-android - lightweight tag convention for Android-only cuts
+#
+# Required GitHub Actions secrets:
+#   - EXPO_TOKEN                         EAS API auth (expo.dev -> access tokens)
+#   - ANDROID_GOOGLE_SERVICE_ACCOUNT_KEY Google Play service account JSON
+#                                        (contents of google-service-account.json)
+#   - SENTRY_AUTH_TOKEN (optional)       Sourcemap upload on successful build
+#
+# All workflow_dispatch inputs are channeled through env: blocks before use in
+# any shell command to avoid workflow command-injection (see GitHub security
+# hardening guidance).
+
+on:
+  workflow_dispatch:
+    inputs:
+      profile:
+        description: 'EAS build profile'
+        type: choice
+        required: true
+        default: 'production'
+        options:
+          - production
+          - preview
+      submit_track:
+        description: 'Google Play track to submit to'
+        type: choice
+        required: true
+        default: 'internal'
+        options:
+          - internal
+          - beta
+          - production
+      skip_submit:
+        description: 'Build only, skip Play Store submit'
+        type: boolean
+        required: false
+        default: false
+  push:
+    tags:
+      - 'v*-android'
+
+# Prevent parallel Android release builds stepping on each other's binary numbers
+concurrency:
+  group: android-internal-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+env:
+  NODE_VERSION: '22'
+
+jobs:
+  build-and-submit:
+    name: EAS build + Play Store submit (Android)
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Setup EAS
+        uses: expo/expo-github-action@v8
+        with:
+          eas-version: latest
+          token: ${{ secrets.EXPO_TOKEN }}
+
+      - name: Verify EAS auth
+        run: eas whoami
+
+      - name: Resolve build profile
+        id: profile
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          INPUT_PROFILE: ${{ github.event.inputs.profile }}
+          INPUT_SUBMIT_TRACK: ${{ github.event.inputs.submit_track }}
+          INPUT_SKIP_SUBMIT: ${{ github.event.inputs.skip_submit }}
+        run: |
+          set -euo pipefail
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            # workflow_dispatch inputs are validated against choice enums above,
+            # but we still only echo them to GITHUB_OUTPUT via env, never
+            # splicing the raw template expression into the script body.
+            echo "profile=$INPUT_PROFILE" >> "$GITHUB_OUTPUT"
+            echo "submit_track=$INPUT_SUBMIT_TRACK" >> "$GITHUB_OUTPUT"
+            echo "skip_submit=$INPUT_SKIP_SUBMIT" >> "$GITHUB_OUTPUT"
+          else
+            # Tag push defaults to production build -> internal track
+            echo "profile=production" >> "$GITHUB_OUTPUT"
+            echo "submit_track=internal" >> "$GITHUB_OUTPUT"
+            echo "skip_submit=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Materialize Google Play service account key
+        env:
+          GSA_KEY: ${{ secrets.ANDROID_GOOGLE_SERVICE_ACCOUNT_KEY }}
+        run: |
+          set -euo pipefail
+          if [ -z "${GSA_KEY:-}" ]; then
+            echo "::error::ANDROID_GOOGLE_SERVICE_ACCOUNT_KEY secret is not set"
+            exit 1
+          fi
+          printf '%s' "$GSA_KEY" > google-service-account.json
+          # Basic JSON sanity check so we fail here, not deep in eas submit
+          node -e "JSON.parse(require('fs').readFileSync('google-service-account.json','utf8'))"
+          echo "Service account key materialized"
+
+      - name: EAS build (Android)
+        id: build
+        env:
+          EXPO_TOKEN: ${{ secrets.EXPO_TOKEN }}
+          PROFILE: ${{ steps.profile.outputs.profile }}
+        run: |
+          set -euo pipefail
+          echo "Running: eas build --platform android --profile $PROFILE --non-interactive --wait"
+          eas build \
+            --platform android \
+            --profile "$PROFILE" \
+            --non-interactive \
+            --wait \
+            --json 2>&1 | tee build-output.json
+          # Extract the build id of the first (and only) build for follow-up submit
+          BUILD_ID=$(node -e "const d=JSON.parse(require('fs').readFileSync('build-output.json','utf8'));console.log(Array.isArray(d)?d[0].id:d.id)")
+          echo "build_id=$BUILD_ID" >> "$GITHUB_OUTPUT"
+          echo "Build id: $BUILD_ID"
+
+      - name: EAS submit (Google Play)
+        if: steps.profile.outputs.skip_submit != 'true'
+        env:
+          EXPO_TOKEN: ${{ secrets.EXPO_TOKEN }}
+          TRACK: ${{ steps.profile.outputs.submit_track }}
+          BUILD_ID: ${{ steps.build.outputs.build_id }}
+        run: |
+          set -euo pipefail
+          # Match track to an eas.json submit profile that already sets it
+          case "$TRACK" in
+            internal)   SUBMIT_PROFILE=preview ;;
+            beta)       SUBMIT_PROFILE=beta ;;
+            production) SUBMIT_PROFILE=production ;;
+            *) echo "::error::Unknown track $TRACK"; exit 1 ;;
+          esac
+          echo "Submitting build $BUILD_ID to $TRACK via profile $SUBMIT_PROFILE"
+          eas submit \
+            --platform android \
+            --profile "$SUBMIT_PROFILE" \
+            --id "$BUILD_ID" \
+            --non-interactive
+
+      - name: Upload Android sourcemaps to Sentry
+        if: steps.profile.outputs.profile == 'production'
+        env:
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: apex-u9
+          SENTRY_PROJECT: protocol-guide
+          EAS_BUILD_GIT_COMMIT_HASH: ${{ github.sha }}
+        run: |
+          set -euo pipefail
+          if [ -z "${SENTRY_AUTH_TOKEN:-}" ]; then
+            echo "::warning::SENTRY_AUTH_TOKEN not set - skipping Android sourcemap upload"
+            exit 0
+          fi
+          chmod +x eas-hooks/post-build-sentry.sh
+          eas-hooks/post-build-sentry.sh
+
+      - name: Cleanup service account key
+        if: always()
+        run: rm -f google-service-account.json
+
+      - name: Summary
+        if: always()
+        env:
+          PROFILE: ${{ steps.profile.outputs.profile }}
+          SUBMIT_TRACK: ${{ steps.profile.outputs.submit_track }}
+          SKIP_SUBMIT: ${{ steps.profile.outputs.skip_submit }}
+          BUILD_ID: ${{ steps.build.outputs.build_id }}
+        run: |
+          {
+            echo "### Android Internal Track run"
+            echo "- Profile: $PROFILE"
+            echo "- Submit track: $SUBMIT_TRACK"
+            echo "- Skipped submit: $SKIP_SUBMIT"
+            echo "- Build id: $BUILD_ID"
+          } >> "$GITHUB_STEP_SUMMARY"