Merge branch 'main' into nc/merge-main

CONTRIBUTING.md

@@ -316,7 +316,7 @@ Refer to the following resources when writing Swift or Objective-C code.
 
 This is a general overview of what the Git workflow may look like, from start to
 finish, when contributing code to Firebase.
-The below snippet is purely for reference purposes and is used to demonstarate
+The below snippet is purely for reference purposes and is used to demonstrate
 what the workflow may look like, from start to finish.
 <details>
 <summary>View the workflow</summary>

FirebaseMessaging/CHANGELOG.md

@@ -1,9 +1,10 @@
 # 11.0.0
 - [fixed] Completed Messaging's transition to NSSecureCoding (#12343).
 
-# 10.29.0
+# Unreleased
 - [fixed] Renamed "initWithFileName" internal method that was causing submission issues for some
   users. (#13134).
+- [fixed] Fixed the APS Environment key on visionOS. (#13173)
 
 # 10.27.0
 - [fixed] Fixed bug preventing Messaging from working with a custom sqlite3

FirebaseMessaging/Sources/FIRMessaging.m

@@ -212,11 +212,11 @@ BOOL FIRMessagingIsContextManagerMessage(NSDictionary *message) {
   // This is not needed for app extension except for watch.
 #if TARGET_OS_WATCH
   [self didCompleteConfigure];
-#else
+#else   // TARGET_OS_WATCH
   if (![GULAppEnvironmentUtil isAppExtension]) {
     [self didCompleteConfigure];
   }
-#endif
+#endif  // TARGET_OS_WATCH
 }
 
 - (void)didCompleteConfigure {
@@ -384,7 +384,7 @@ BOOL FIRMessagingIsContextManagerMessage(NSDictionary *message) {
 }
 
 - (void)handleIncomingLinkIfNeededFromMessage:(NSDictionary *)message {
-#if TARGET_OS_IOS || TARGET_OS_TV
+#if TARGET_OS_IOS || TARGET_OS_TV || TARGET_OS_VISION
   NSURL *url = [self linkURLFromMessage:message];
   if (url == nil) {
     return;
@@ -418,7 +418,7 @@ BOOL FIRMessagingIsContextManagerMessage(NSDictionary *message) {
               // Do nothing, as we don't support the app calling this block
           }];
   }
-#endif  // TARGET_OS_IOS || TARGET_OS_TV
+#endif  // TARGET_OS_IOS || TARGET_OS_TV || TARGET_OS_VISION
 }
 
 - (NSURL *)linkURLFromMessage:(NSDictionary *)message {

FirebaseMessaging/Sources/FIRMessagingContextManagerService.m

@@ -173,7 +173,7 @@ typedef NS_ENUM(NSUInteger, FIRMessagingContextManagerMessageType) {
   if (apsDictionary[kFIRMessagingContextManagerBadgeKey]) {
     content.badge = apsDictionary[kFIRMessagingContextManagerBadgeKey];
   }
-#if TARGET_OS_IOS || TARGET_OS_OSX || TARGET_OS_WATCH
+#if !TARGET_OS_TV
   // The following fields are not available on tvOS
   if ([apsDictionary[kFIRMessagingContextManagerBodyKey] length]) {
     content.body = apsDictionary[kFIRMessagingContextManagerBodyKey];
@@ -201,7 +201,7 @@ typedef NS_ENUM(NSUInteger, FIRMessagingContextManagerMessageType) {
   if (userInfo.count) {
     content.userInfo = userInfo;
   }
-#endif  // TARGET_OS_IOS || TARGET_OS_OSX || TARGET_OS_WATCH
+#endif  // !TARGET_OS_TV
   return content;
 }
 

FirebaseMessaging/Sources/FIRMessagingExtensionHelper.m

@@ -111,7 +111,7 @@ pb_bytes_array_t *FIRMessagingEncodeString(NSString *string) {
   self.bestAttemptContent = content;
 
   // The `userInfo` property isn't available on newer versions of tvOS.
-#if TARGET_OS_IOS || TARGET_OS_OSX || TARGET_OS_WATCH
+#if !TARGET_OS_TV
   NSObject *currentImageURL = content.userInfo[kPayloadOptionsName][kPayloadOptionsImageURLName];
   if (!currentImageURL || currentImageURL == [NSNull null]) {
     [self deliverNotification];
@@ -131,12 +131,12 @@ pb_bytes_array_t *FIRMessagingEncodeString(NSString *string) {
                             @"The Image URL provided is invalid %@.", currentImageURL);
     [self deliverNotification];
   }
-#else
+#else   // !TARGET_OS_TV
   [self deliverNotification];
-#endif
+#endif  // !TARGET_OS_TV
 }
 
-#if TARGET_OS_IOS || TARGET_OS_OSX || TARGET_OS_WATCH
+#if !TARGET_OS_TV
 - (NSString *)fileExtensionForResponse:(NSURLResponse *)response {
   NSString *suggestedPathExtension = [response.suggestedFilename pathExtension];
   if (suggestedPathExtension.length > 0) {
@@ -194,7 +194,7 @@ pb_bytes_array_t *FIRMessagingEncodeString(NSString *string) {
           completionHandler(attachment);
         }] resume];
 }
-#endif
+#endif  // !TARGET_OS_TV
 
 - (void)deliverNotification {
   if (self.contentHandler) {

FirebaseMessaging/Sources/FIRMessagingRemoteNotificationsProxy.m

@@ -385,7 +385,7 @@ id FIRMessagingPropertyNameFromObject(id object, NSString *propertyName, Class k
 
 #pragma mark - GULApplicationDelegate
 
-#if TARGET_OS_IOS || TARGET_OS_TV
+#if TARGET_OS_IOS || TARGET_OS_TV || TARGET_OS_VISION
 - (void)application:(UIApplication *)application
     didReceiveRemoteNotification:(NSDictionary *)userInfo
           fetchCompletionHandler:(void (^)(UIBackgroundFetchResult))completionHandler {
@@ -401,7 +401,7 @@ id FIRMessagingPropertyNameFromObject(id object, NSString *propertyName, Class k
                           @"application:didFailToRegisterForRemoteNotificationsWithError: %@",
                           error.localizedDescription);
 }
-#endif
+#endif  // TARGET_OS_IOS || TARGET_OS_TV || TARGET_OS_VISION
 
 - (void)application:(GULApplication *)application
     didRegisterForRemoteNotificationsWithDeviceToken:(NSData *)deviceToken {

FirebaseMessaging/Sources/FIRMessagingUtilities.m

@@ -28,12 +28,16 @@ static NSString *const kFIRMessagingAPNSProdPrefix = @"p_";
 
 static NSString *const kFIRMessagingWatchKitExtensionPoint = @"com.apple.watchkit";
 
-#if TARGET_OS_IOS || TARGET_OS_TV || TARGET_OS_WATCH
-static NSString *const kEntitlementsAPSEnvironmentKey = @"Entitlements.aps-environment";
-#else
+#if TARGET_OS_OSX
+// macOS uses a different entitlement key than the rest of Apple's platforms:
+// https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_aps-environment
 static NSString *const kEntitlementsAPSEnvironmentKey =
     @"Entitlements.com.apple.developer.aps-environment";
-#endif
+#else
+// Entitlement key for all non-macOS platforms:
+// https://developer.apple.com/documentation/bundleresources/entitlements/aps-environment
+static NSString *const kEntitlementsAPSEnvironmentKey = @"Entitlements.aps-environment";
+#endif  // TARGET_OS_OSX
 static NSString *const kAPSEnvironmentDevelopmentValue = @"development";
 
 #pragma mark - URL Helpers
@@ -85,9 +89,9 @@ NSString *FIRMessagingAppIdentifier(void) {
   } else {
     return bundleID;
   }
-#else
+#else   // TARGET_OS_WATCH
   return bundleID;
-#endif
+#endif  // TARGET_OS_WATCH
 }
 
 NSString *FIRMessagingFirebaseAppID(void) {
@@ -108,17 +112,17 @@ BOOL FIRMessagingIsWatchKitExtension(void) {
   } else {
     return NO;
   }
-#else
+#else   // TARGET_OS_WATCH
   return NO;
-#endif
+#endif  // TARGET_OS_WATCH
 }
 
 NSSearchPathDirectory FIRMessagingSupportedDirectory(void) {
 #if TARGET_OS_TV
   return NSCachesDirectory;
-#else
+#else   // TARGET_OS_TV
   return NSApplicationSupportDirectory;
-#endif
+#endif  // TARGET_OS_TV
 }
 
 #pragma mark - Locales
@@ -311,10 +315,10 @@ BOOL FIRMessagingIsProductionApp(void) {
 #if TARGET_OS_OSX || TARGET_OS_MACCATALYST
   NSString *path = [[[[NSBundle mainBundle] resourcePath] stringByDeletingLastPathComponent]
       stringByAppendingPathComponent:@"embedded.provisionprofile"];
-#elif TARGET_OS_IOS || TARGET_OS_TV || TARGET_OS_WATCH || TARGET_OS_VISION
+#else   // TARGET_OS_OSX || TARGET_OS_MACCATALYST
   NSString *path = [[[NSBundle mainBundle] bundlePath]
       stringByAppendingPathComponent:@"embedded.mobileprovision"];
-#endif
+#endif  // TARGET_OS_OSX || TARGET_OS_MACCATALYST
 
   if ([GULAppEnvironmentUtil isAppStoreReceiptSandbox] && !path.length) {
     // Distributed via TestFlight

FirebaseMessaging/Sources/Token/FIRMessagingAuthKeychain.m

@@ -92,17 +92,17 @@ NSString *const kFIRMessagingKeychainWildcardIdentifier = @"*";
   NSMutableDictionary *keychainQuery = [self keychainQueryForService:service account:account];
   NSMutableArray<NSData *> *results;
   keychainQuery[(__bridge id)kSecReturnData] = (__bridge id)kCFBooleanTrue;
-#if TARGET_OS_IOS || TARGET_OS_TV || TARGET_OS_VISION
+#if TARGET_OS_OSX || TARGET_OS_WATCH
+  keychainQuery[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
+  NSData *passwordInfos =
+      CFBridgingRelease([[FIRMessagingKeychain sharedInstance] itemWithQuery:keychainQuery]);
+#else   // TARGET_OS_OSX || TARGET_OS_WATCH
   keychainQuery[(__bridge id)kSecReturnAttributes] = (__bridge id)kCFBooleanTrue;
   keychainQuery[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitAll;
   // FIRMessagingKeychain should only take a query and return a result, will handle the query here.
   NSArray *passwordInfos =
       CFBridgingRelease([[FIRMessagingKeychain sharedInstance] itemWithQuery:keychainQuery]);
-#elif TARGET_OS_OSX || TARGET_OS_WATCH
-  keychainQuery[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
-  NSData *passwordInfos =
-      CFBridgingRelease([[FIRMessagingKeychain sharedInstance] itemWithQuery:keychainQuery]);
-#endif
+#endif  // TARGET_OS_OSX || TARGET_OS_WATCH
 
   if (!passwordInfos) {
     // Nothing was found, simply return from this sync block.
@@ -119,7 +119,9 @@ NSString *const kFIRMessagingKeychainWildcardIdentifier = @"*";
     return @[];
   }
   results = [[NSMutableArray alloc] init];
-#if TARGET_OS_IOS || TARGET_OS_TV
+#if TARGET_OS_OSX || TARGET_OS_WATCH
+  [results addObject:passwordInfos];
+#else   // TARGET_OS_OSX || TARGET_OS_WATCH
   NSInteger numPasswords = passwordInfos.count;
   for (NSUInteger i = 0; i < numPasswords; i++) {
     NSDictionary *passwordInfo = [passwordInfos objectAtIndex:i];
@@ -127,9 +129,7 @@ NSString *const kFIRMessagingKeychainWildcardIdentifier = @"*";
       [results addObject:passwordInfo[(__bridge id)kSecValueData]];
     }
   }
-#elif TARGET_OS_OSX || TARGET_OS_WATCH
-  [results addObject:passwordInfos];
-#endif
+#endif  // TARGET_OS_OSX || TARGET_OS_WATCH
   // We query the keychain because it didn't exist in cache, now query is done, update the result in
   // the cache.
   if ([service isEqualToString:kFIRMessagingKeychainWildcardIdentifier] ||

FirebaseMessaging/Sources/Token/FIRMessagingTokenManager.m

@@ -194,13 +194,13 @@
     return;
   }
 
-#if TARGET_OS_SIMULATOR && TARGET_OS_IOS
+#if TARGET_OS_SIMULATOR
   if (tokenOptions[kFIRMessagingTokenOptionsAPNSKey] != nil) {
     // If APNS token is available on iOS Simulator, we must use the sandbox profile
     // https://developer.apple.com/documentation/xcode-release-notes/xcode-14-release-notes
     tokenOptions[kFIRMessagingTokenOptionsAPNSIsSandboxKey] = @(YES);
   }
-#endif
+#endif  // TARGET_OS_SIMULATOR
 
   if (tokenOptions[kFIRMessagingTokenOptionsAPNSKey] != nil &&
       tokenOptions[kFIRMessagingTokenOptionsAPNSIsSandboxKey] == nil) {
@@ -689,17 +689,17 @@
     return;
   }
   // Use this token type for when we have to automatically fetch tokens in the future
-#if TARGET_OS_SIMULATOR && TARGET_OS_IOS
+#if TARGET_OS_SIMULATOR
   // If APNS token is available on iOS Simulator, we must use the sandbox profile
   // https://developer.apple.com/documentation/xcode-release-notes/xcode-14-release-notes
   BOOL isSandboxApp = YES;
-#else
+#else   // TARGET_OS_SIMULATOR
   NSInteger type = [userInfo[kFIRMessagingAPNSTokenType] integerValue];
   BOOL isSandboxApp = (type == FIRMessagingAPNSTokenTypeSandbox);
   if (type == FIRMessagingAPNSTokenTypeUnknown) {
     isSandboxApp = FIRMessagingIsSandboxApp();
   }
-#endif
+#endif  // TARGET_OS_SIMULATOR
 
   // Pro-actively invalidate the default token, if the APNs change makes it
   // invalid. Previously, we invalidated just before fetching the token.

FirebaseMessaging/Tests/IntegrationTests/FIRMessagingPubSubTest.swift

@@ -76,4 +76,4 @@
       wait(for: [expectation], timeout: 5)
     }
   }
-#endif // !TARGET_OS_OSX
+#endif // !os(OSX)

FirebaseMessaging/Tests/IntegrationTests/FIRMessagingTokenRefreshTests.swift

@@ -145,4 +145,4 @@
       return app.options.gcmSenderID
     }
   }
-#endif // !TARGET_OS_OSX
+#endif // !os(OSX)

FirebaseMessaging/Tests/UnitTests/FIRMessagingAnalyticsTest.m

@@ -488,4 +488,4 @@ static FakeAnalyticsLogEventHandler _userPropertyHandler;
 }
 @end
 
-#endif
+#endif  // TARGET_OS_IOS

FirebaseMessaging/Tests/UnitTests/FIRMessagingAuthKeychainTest.m

@@ -39,7 +39,7 @@ static NSString *const kSecret = @"test-secret";
 static NSString *const kToken2 = @"c8oEXUYIl3s:APA91bHtJMs_dZ2lXYXIcwsC47abYIuWhEJ_CshY2PJRjVuI_"
                                  @"H659iYUwfmNNghnZVkCmeUdKDSrK8xqVb0PVHxyAW391Ynp2NchMB87kJWb3BS0z"
                                  @"ud6Ej_xDES_oc353eFRvt0E6NXefDmrUCpBY8y89_1eVFFfiA";
-#endif
+#endif  // TARGET_OS_IOS || TARGET_OS_TV
 static NSString *const kFirebaseAppID = @"abcdefg:ios:QrjxYS1BdtxHdVVnQKuxlF3Z0QO";
 
 static NSString *const kBundleID1 = @"com.google.fcm.dev";
@@ -139,7 +139,7 @@ static NSString *const kBundleID2 = @"com.google.abtesting.dev";
                      }];
             }];
   [self waitForExpectationsWithTimeout:1.0 handler:NULL];
-#endif
+#endif  // TARGET_OS_IOS || TARGET_OS_TV
 }
 
 - (void)testKeyChainNoCorruptionWithUniqueService {
@@ -214,7 +214,7 @@ static NSString *const kBundleID2 = @"com.google.abtesting.dev";
                   }];
          }];
   [self waitForExpectationsWithTimeout:1.0 handler:NULL];
-#endif
+#endif  // TARGET_OS_IOS || TARGET_OS_TV
 }
 
 // Skip keychain tests on Catalyst and macOS. Tests are skipped because they
@@ -404,7 +404,7 @@ static NSString *const kBundleID2 = @"com.google.abtesting.dev";
   XCTAssertNotNil(keychain.cachedKeychainData[service][account2]);
 }
 
-#endif
+#endif  // !TARGET_OS_MACCATALYST && !TARGET_OS_OSX
 
 #pragma mark - helper function
 - (NSData *)tokenDataWithAuthorizedEntity:(NSString *)authorizedEntity
@@ -425,4 +425,4 @@ static NSString *const kBundleID2 = @"com.google.abtesting.dev";
 }
 @end
 
-#endif  // TARGET_OS_MACCATALYST
+#endif  // !TARGET_OS_MACCATALYST && !SWIFT_PACKAGE

FirebaseMessaging/Tests/UnitTests/FIRMessagingBackupExcludedPlistTest.m

@@ -89,10 +89,10 @@ static NSString *const kTestPlistFileName = @"com.google.test.IIDBackupExcludedP
 #if TARGET_OS_TV
   NSArray *directoryPaths =
       NSSearchPathForDirectoriesInDomains(NSCachesDirectory, NSUserDomainMask, YES);
-#else
+#else   // TARGET_OS_TV
   NSArray *directoryPaths =
       NSSearchPathForDirectoriesInDomains(NSApplicationSupportDirectory, NSUserDomainMask, YES);
-#endif
+#endif  // TARGET_OS_TV
   NSString *dirPath = directoryPaths.lastObject;
   NSArray *components =
       @[ dirPath, kSubDirectoryName, [NSString stringWithFormat:@"%@.plist", kTestPlistFileName] ];

FirebaseMessaging/Tests/UnitTests/FIRMessagingCheckinStoreTest.m

@@ -203,4 +203,4 @@ static int64_t const kLastCheckinTimestamp = 123456;
 }
 
 @end
-#endif
+#endif  // !TARGET_OS_MACCATALYST

FirebaseMessaging/Tests/UnitTests/FIRMessagingContextManagerServiceTest.m

@@ -105,11 +105,11 @@ API_AVAILABLE(macos(10.14))
     XCTAssertEqual(self.requests.count, 1);
     UNNotificationRequest *request = self.requests.firstObject;
     XCTAssertEqualObjects(request.identifier, kMessageIdentifierValue);
-#if TARGET_OS_IOS || TARGET_OS_WATCH || TARGET_OS_OSX
+#if !TARGET_OS_TV
     XCTAssertEqualObjects(request.content.body, kBody);
     XCTAssertEqualObjects(request.content.userInfo[kUserInfoKey1], kUserInfoValue1);
     XCTAssertEqualObjects(request.content.userInfo[kUserInfoKey2], kUserInfoValue2);
-#endif
+#endif  // TARGET_OS_TV
     return;
   }
 
@@ -124,7 +124,7 @@ API_AVAILABLE(macos(10.14))
   XCTAssertEqualObjects(notification.alertBody, kBody);
   XCTAssertEqualObjects(notification.userInfo[kUserInfoKey1], kUserInfoValue1);
   XCTAssertEqualObjects(notification.userInfo[kUserInfoKey2], kUserInfoValue2);
-#endif
+#endif  // TARGET_OS_IOS
 }
 
 /**
@@ -193,7 +193,7 @@ API_AVAILABLE(macos(10.14))
   XCTAssertEqual([notification.fireDate compare:endDate], NSOrderedAscending);
   XCTAssertEqualObjects(notification.userInfo[kUserInfoKey1], kUserInfoValue1);
   XCTAssertEqualObjects(notification.userInfo[kUserInfoKey2], kUserInfoValue2);
-#endif
+#endif  // TARGET_OS_IOS
 }
 
 /**
@@ -229,7 +229,7 @@ API_AVAILABLE(macos(10.14))
 #pragma clang diagnostic pop
   XCTAssertEqualObjects(notification.userInfo[kUserInfoKey1], kUserInfoValue1);
   XCTAssertEqualObjects(notification.userInfo[kUserInfoKey2], kUserInfoValue2);
-#endif
+#endif  // TARGET_OS_IOS
 }
 
 #pragma mark - Private Helpers
@@ -271,7 +271,7 @@ API_AVAILABLE(macos(10.14))
        return NO;
      }]];
 #pragma clang diagnostic pop
-#endif
+#endif  // TARGET_OS_IOS
 }
 
 - (void)testScheduleiOS10LocalNotification {

FirebaseMessaging/Tests/UnitTests/FIRMessagingExtensionHelperTest.m

@@ -26,7 +26,7 @@
 API_AVAILABLE(macos(10.14), ios(10.0), watchos(3.0))
 typedef void (^FIRMessagingContentHandler)(UNNotificationContent *content);
 
-#if TARGET_OS_IOS || TARGET_OS_OSX || TARGET_OS_WATCH
+#if !TARGET_OS_TV
 static NSString *const kFCMPayloadOptionsName = @"fcm_options";
 static NSString *const kFCMPayloadOptionsImageURLName = @"image";
 static NSString *const kValidImageURL =
@@ -221,4 +221,4 @@ static NSString *const kValidImageURL =
 
 @end
 
-#endif  // TARGET_OS_IOS || TARGET_OS_OSX || TARGET_OS_WATCH
+#endif  // !TARGET_OS_TV

FirebaseMessaging/Tests/UnitTests/FIRMessagingRemoteNotificationsProxyTest.m

@@ -40,13 +40,13 @@
     API_AVAILABLE(ios(10.0), macos(10.14), tvos(10.0)) {
 }
 
-#if TARGET_OS_IOS || TARGET_OS_OSX
+#if !TARGET_OS_TV
 - (void)userNotificationCenter:(UNUserNotificationCenter *)center
     didReceiveNotificationResponse:(UNNotificationResponse *)response
              withCompletionHandler:(void (^)(void))completionHandler
     API_AVAILABLE(macos(10.14), ios(10.0)) {
 }
-#endif
+#endif  // !TARGET_OS_TV
 
 @end
 
@@ -65,14 +65,14 @@
 @end
 @implementation FakeAppDelegate
 
-#if TARGET_OS_IOS || TARGET_OS_TV
+#if TARGET_OS_IOS || TARGET_OS_TV || TARGET_OS_VISION
 - (void)application:(UIApplication *)application
     didReceiveRemoteNotification:(NSDictionary *)userInfo
           fetchCompletionHandler:(void (^)(UIBackgroundFetchResult))completionHandler {
   self.remoteNotificationWithFetchHandlerWasCalled = YES;
   completionHandler(UIBackgroundFetchResultNewData);
 }
-#endif
+#endif  // TARGET_OS_IOS || TARGET_OS_TV || TARGET_OS_VISION
 
 - (void)application:(GULApplication *)application
     didRegisterForRemoteNotificationsWithDeviceToken:(NSData *)deviceToken {
@@ -106,14 +106,14 @@
     API_AVAILABLE(ios(10.0), macos(10.14), tvos(10.0)) {
   self.willPresentWasCalled = YES;
 }
-#if TARGET_OS_IOS || TARGET_OS_OSX
+#if !TARGET_OS_TV
 - (void)userNotificationCenter:(UNUserNotificationCenter *)center
     didReceiveNotificationResponse:(UNNotificationResponse *)response
              withCompletionHandler:(void (^)(void))completionHandler
     API_AVAILABLE(ios(10.0), macos(10.14)) {
   self.didReceiveResponseWasCalled = YES;
 }
-#endif
+#endif  // !TARGET_OS_TV
 @end
 
 @interface GULAppDelegateSwizzler (FIRMessagingRemoteNotificationsProxyTest)
@@ -181,7 +181,7 @@
   [invalidAppDelegate application:[GULAppDelegateSwizzler sharedApplication]
       didReceiveRemoteNotification:@{}];
 }
-#endif
+#endif  // !TARGET_OS_WATCH
 
 #if !SWIFT_PACKAGE
 // The next 3 tests depend on a sharedApplication which is not available in the Swift PM test env.
@@ -215,7 +215,7 @@
   SEL remoteNotificationWithFetchHandler = @selector(application:
                                     didReceiveRemoteNotification:fetchCompletionHandler:);
   XCTAssertTrue([incompleteAppDelegate respondsToSelector:remoteNotificationWithFetchHandler]);
-#endif
+#endif  // TARGET_OS_IOS || TARGET_OS_TV
 
   SEL remoteNotification = @selector(application:didReceiveRemoteNotification:);
   XCTAssertFalse([incompleteAppDelegate respondsToSelector:remoteNotification]);
@@ -243,7 +243,7 @@
   XCTAssertTrue(appDelegate.remoteNotificationWithFetchHandlerWasCalled);
 
   [self.mockMessaging verify];
-#endif
+#endif  // TARGET_OS_IOS || TARGET_OS_TV
 
   // Verify application:didRegisterForRemoteNotificationsWithDeviceToken:
   NSData *deviceToken = [NSData data];
@@ -264,7 +264,7 @@
 
   XCTAssertEqual(appDelegate.registerForRemoteNotificationsError, error);
 }
-#endif
+#endif  // !SWIFT_PACKAGE
 
 - (void)testListeningForDelegateChangesOnInvalidUserNotificationCenter {
   if (@available(macOS 10.14, iOS 10.0, *)) {
@@ -321,7 +321,7 @@
 
 // Use an object that does actually implement the optional methods. Both should be called.
 - (void)testSwizzledUserNotificationsCenterDelegate {
-#if TARGET_OS_IOS || TARGET_OS_OSX
+#if !TARGET_OS_TV
   FakeUserNotificationCenterDelegate *delegate = [[FakeUserNotificationCenterDelegate alloc] init];
   OCMStub([self.mockUserNotificationCenter delegate]).andReturn(delegate);
   [self.proxy swizzleMethodsIfPossible];
@@ -361,11 +361,11 @@
     // Verify our swizzled method was called
     [self.mockMessaging verify];
   }
-#endif
+#endif  // !TARGET_OS_TV
 }
 
 - (id)userNotificationResponseWithMessage:(NSDictionary *)message {
-#if TARGET_OS_IOS || TARGET_OS_OSX
+#if !TARGET_OS_TV
   if (@available(macOS 10.14, iOS 10.0, *)) {
     // Stub out: response.[mock notification above]
     id mockNotificationResponse = OCMClassMock([UNNotificationResponse class]);
@@ -373,16 +373,16 @@
     OCMStub([mockNotificationResponse notification]).andReturn(mockNotification);
     return mockNotificationResponse;
   }
-#endif
+#endif  // !TARGET_OS_TV
   return nil;
 }
 
 - (UNNotification *)userNotificationWithMessage:(NSDictionary *)message
     API_AVAILABLE(macos(10.14), ios(10.0)) {
   UNMutableNotificationContent *content = [[UNMutableNotificationContent alloc] init];
-#if TARGET_OS_IOS || TARGET_OS_OSX
+#if !TARGET_OS_TV
   content.userInfo = message;
-#endif
+#endif  // !TARGET_OS_TV
   id notificationRequest = OCMClassMock([UNNotificationRequest class]);
   OCMStub([notificationRequest content]).andReturn(content);
   id notification = OCMClassMock([UNNotification class]);

FirebaseMessaging/Tests/UnitTests/FIRMessagingUtilitiesTest.m

@@ -74,10 +74,10 @@
   [[[_mainBundleMock stub] andReturn:fakeInfoDictionary] infoDictionary];
   NSString *bundleIdentifier = @"com.me.myapp.watchkit.watchkitextensions";
   NSString *expectedIdentifier = @"com.me.myapp.watchkit";
-#else
+#else   // TARGET_OS_WATCH
   NSString *bundleIdentifier = @"com.me.myapp";
   NSString *expectedIdentifier = @"com.me.myapp";
-#endif
+#endif  // TARGET_OS_WATCH
 
   [[[_mainBundleMock stub] andReturn:bundleIdentifier] bundleIdentifier];
   NSString *appIdentifier = FIRMessagingAppIdentifier();

FirebaseStorage/Sources/StorageMetadata.swift

@@ -230,7 +230,7 @@ import Foundation
     return 0
   }
 
-  private static var dateFormatter: DateFormatter = {
+  private static let dateFormatter: DateFormatter = {
     let dateFormatter = DateFormatter()
     dateFormatter.locale = Locale(identifier: "en_US_POSIX") // set locale to reliable US_POSIX
     dateFormatter.dateFormat = "yyyy'-'MM'-'dd'T'HH':'mm':'ss.SSSZZZZZ"

scripts/gha-encrypted/Sessions/GoogleService-Info_TestApp.plist.gpg

@@ -1,6 +1,3 @@
-▄
	╓╚╞▄·qШра:
42G6└Mъе_VA┼╔"7▒]┌pm6╚╗]╬╘·Ц0й╫c├┤ц░Ё7сзф├7
-╥ы1НB╚UЗёLлc#оW╠<7■ s?р	б·D╣╬╡пMiаfБь#Я√{┴ч┤4Ё╥л8╤2ь(ё$÷!╖3⌡|Ъь╦@j╡t2zXСЮh≥d+@ЫТЬNм	а╛y╥
-╒eтяDуеФa╟в4,╤ХMnW╢cс⌡к≥ЧfJ╪О┬Л┴и+p +C┬x╒2	W╒gИчм	'кd╔^э^╖JO:УhСWГFЯ┐з≈╪я'≈·iфмв└Ёw\Тd╔╟╜ф╘▄mX│JЪ)мф@ы7*Z┌ЪИ╢,П	╗D/NgPr╝°
-ЮмзO┘V	`└Д г@'лХ╝Юъ[t√_J÷=
PьЮкG╧aTаLN▌(ъАЁdЖУ╕╠ЩЛM(╛кA5ЖR	a┼СНR╕j└	k"1╪пжnhЫВb@▀6Н{8ЁйSn°2Э\╨ЪЗ╢Щv╝&⌠}ж,qs┼вЯgВЫ╕G╕█Q
-&╒░'Вл≈Хkнm^
-╣∙9╫ Ab}щ;4╠╬²Цq▌M·3Пx┬╧АХ$Ь_xШ░╢╘┼М>QB8р└ЙвR*-©hzЫ
╨┴┴'RхMOМ┼Е;x$└вяЯИ
+▄
	ЪЯ╝│mJЪра9
XСm≤k╞pоaЧ┬Ц╟МbДНхX}Ф┤Ow	╟v
∙/Хi╟св└┬мП?АЪQ─ыY┼╞к#ъиOW9б╜!%=ФЕ▒CEНYnщ░s>ОKЗdpятyТьшG@cд|С┴р@I{╖М*VЪ╜МэГн▓у╩l>u▐ ╛фС┐OK|S©k═РXЖk9юhB╬и╝dьФГYH▄8╤C║ТЁ∙█"БхIS┤ГrъюВ┴┬ШЮЗs]■√уRg;РCwйъRчdA ╝Oh
+┬оl┴I$≤k!▌н■
╨`╗u╟ЭЁNвЭ╥Чч▒▐}q°Дr)P
Jй
+в#╫D²Счj╥ь╣д6aбЗ└ЭьM_╘А\в╡└сЛа.иь4▄ЫВ-х²xчс ЭчDс≥\─д-A┘kБцэCFяJТ╠V▌г╕йdgr║Б╤тЭНОjл-f`8┌≤o║7÷л╔╠╚└CE▀tДЪв╞#╔Ё┘^З┴ыЪ╒-:FшrRj+╙C∙╤°7рШл┘6И═╣ЧМпp|Уx≥ жQцЯW▐├У4tAa1сl,╞│82·u ⌡j┴3└gg⌡╞.÷JЮrиу╜▀ПcHd<v╬AЭ■C8vЯamУp,≈╒vя┌уd_╨VsRЯчХь

scripts/gha-encrypted/bot-access.txt.gpg

@@ -1,2 +1,2 @@
-Ś
	ąĄ›x)găŇl
¬^ż–QŘ‹˘']”4'	çSzę	%DăwV¦Ă.Ônďío'ąRgâ
-ĘŞ�N§y˝Ž!…—łŕ`L±ÂşŃ¸b¸}öńl…Aź_,Źń5¦NDa‡-ŕďóŞ%0ŮA˛V×ö4‘ó	W›vy
+Ś
	”F»P%˙Ňl
.ęô?Ě	RŐźšTź
öČ
+âŚ;ď­ýáÚą_†üď™?Żµ–´.Űň�{ÝQf˛ŹÓĆ©üúËń˘XÔÍłăů«bvžł¶ݲٵçb$­ŠËdÍ­5řu�ţÔ×N^®

scripts/rotate_secrets.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Script to re-encrypt stored secrets with a new cryptographic key.
+#
+# Usage:
+#   rotate_secrets.sh <current_secret_key> <new_secret_key> <secrets_directory>
+#
+# Arguments:
+#   <current_secret_key>: The current secret key.
+#   <new_secret_key>: The new secret key.
+#   <directory>: The directory to rotate encrypted files in.
+#
+# Note:
+#   A new cryptographic key can be generated with `openssl rand -base64 32`.
+#
+
+if [[ $# -ne 3 ]]; then
+  cat 1>&2 <<EOF
+Error: Expected exactly 3 arguments.
+USAGE: *** [current_secret_key]
+USAGE: *** [new_secret_key]
+USAGE: $3 [secrets_directory]
+EOF
+  exit 1
+fi
+
+current_secret_key=$1
+new_secret_key=$2
+secrets_directory=$3
+
+if [[ ! -d "$secrets_directory" ]]; then
+  echo "Error: The given directory does not exist."
+  exit 1
+fi
+
+# Search for encrypted files in the given directory.
+files=$(find "$secrets_directory" -name "*.gpg")
+
+# For each file, decrypt the encrypted contents and re-encrypt with the new
+# secret.
+for encrypted_file in $files; do
+  echo "Decrypting $encrypted_file"
+  scripts_dir=$(dirname "$0")
+  # The decrypted file's path will match the encrypted file's path, minus the
+  #  trailing `.gpg` extension.
+  decrypted_file=${encrypted_file%.*}
+  source "$scripts_dir/decrypt_gha_secret.sh" \
+    "$encrypted_file" "$decrypted_file" "$current_secret_key"
+  if [ ! -f "$decrypted_file" ]; then
+    echo "Error: The file could not be decrypted: $encrypted_file"
+    exit 1
+  fi
+
+  # Remove current encrypted file or else re-encryption will fail due to the
+  # gpg file already existing. The below script invocation will re-encrypt
+  # the file to the `encrypted_file` path.
+  rm "$encrypted_file"
+
+  echo "Encrypting with new secret to $encrypted_file"
+
+  source "$scripts_dir/encrypt_gha_secret.sh" "$decrypted_file" "$new_secret_key"
+  if [ ! -f "$encrypted_file" ]; then
+    echo "Error: The file could not be encrypted: $decrypted_file"
+    exit 1
+  fi
+
+  # Cleanup the decrpted file now that it's been re-encrypted.
+  rm "$decrypted_file"
+done