James Magahern
de7b448bc5
Some checks failed
TestFlight Release / testflight (push) Failing after 16s
290 lines
13 KiB
YAML
290 lines
13 KiB
YAML
name: TestFlight Release
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- "release/v*.*.*"
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
testflight:
|
|
runs-on: xcode
|
|
env:
|
|
SIGNING_KEYCHAIN: sybil_signing_temp
|
|
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Validate release tag
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
tag_name="${GITHUB_REF#refs/tags/}"
|
|
if [[ ! "$tag_name" =~ ^release/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
|
|
echo "Release tag must match release/vN.N.N; got ${tag_name}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
release_version="${tag_name#release/v}"
|
|
{
|
|
echo "TAG_NAME=${tag_name}"
|
|
echo "RELEASE_VERSION=${release_version}"
|
|
} >> "${GITHUB_ENV}"
|
|
|
|
- name: Set up Ruby
|
|
uses: ruby/setup-ruby@v1
|
|
with:
|
|
ruby-version: "3.3"
|
|
|
|
- name: Install Ruby gems
|
|
working-directory: ios
|
|
run: bundle install
|
|
|
|
- name: Install release tools
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
missing_tools=()
|
|
for tool in xcodegen jq; do
|
|
if ! command -v "${tool}" >/dev/null 2>&1; then
|
|
missing_tools+=("${tool}")
|
|
fi
|
|
done
|
|
|
|
if [[ "${#missing_tools[@]}" -eq 0 ]]; then
|
|
exit 0
|
|
fi
|
|
|
|
if ! command -v brew >/dev/null 2>&1; then
|
|
echo "Missing required tools: ${missing_tools[*]}; Homebrew is not available to install them" >&2
|
|
exit 1
|
|
fi
|
|
|
|
brew install "${missing_tools[@]}"
|
|
|
|
- name: Install signing secrets
|
|
env:
|
|
APPSTORE_CERTIFICATES_FILE_BASE64: ${{ secrets.APPSTORE_CERTIFICATES_FILE_BASE64 }}
|
|
APPSTORE_CERTIFICATES_PASSWORD: ${{ secrets.APPSTORE_CERTIFICATES_PASSWORD }}
|
|
APPSTORE_PROVISIONING_PROFILE_BASE64: ${{ secrets.APPSTORE_PROVISIONING_PROFILE_BASE64 }}
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
: "${APPSTORE_CERTIFICATES_FILE_BASE64:?APPSTORE_CERTIFICATES_FILE_BASE64 secret is required}"
|
|
: "${APPSTORE_CERTIFICATES_PASSWORD:?APPSTORE_CERTIFICATES_PASSWORD secret is required}"
|
|
: "${APPSTORE_PROVISIONING_PROFILE_BASE64:?APPSTORE_PROVISIONING_PROFILE_BASE64 secret is required}"
|
|
|
|
keychain_password="$(uuidgen)"
|
|
previous_default_keychain="$(security default-keychain -d user | sed 's/[ "]//g' || true)"
|
|
if [[ "${previous_default_keychain}" == *"/${SIGNING_KEYCHAIN}"* || ! -e "${previous_default_keychain}" ]]; then
|
|
previous_default_keychain=""
|
|
fi
|
|
developer_dir="$(xcode-select -p)"
|
|
signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
|
|
mkdir -p "${HOME}/Library/Keychains"
|
|
keychain_name="${HOME}/Library/Keychains/login.keychain"
|
|
certificate_path="${signing_dir}/appstore-signing.p12"
|
|
wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
|
|
profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
|
|
profile_plist="${signing_dir}/profile.plist"
|
|
old_profile_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
|
|
xcode_profile_dir="${HOME}/Library/Developer/Xcode/UserData/Provisioning Profiles"
|
|
mkdir -p "${old_profile_dir}" "${xcode_profile_dir}"
|
|
|
|
printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > "${certificate_path}"
|
|
printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${profile_path}"
|
|
curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o "${wwdr_certificate_path}"
|
|
openssl smime -inform DER -verify -noverify -in "${profile_path}" -out "${profile_plist}" >/dev/null
|
|
profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print UUID' "${profile_plist}")"
|
|
profile_name="$(/usr/libexec/PlistBuddy -c 'Print Name' "${profile_plist}")"
|
|
old_profile_path="${old_profile_dir}/${profile_uuid}.mobileprovision"
|
|
xcode_profile_path="${xcode_profile_dir}/${profile_uuid}.mobileprovision"
|
|
old_named_profile_path="${old_profile_dir}/Sybil_AppStore_CI.mobileprovision"
|
|
xcode_named_profile_path="${xcode_profile_dir}/Sybil_AppStore_CI.mobileprovision"
|
|
cp "${profile_path}" "${old_profile_path}"
|
|
cp "${profile_path}" "${xcode_profile_path}"
|
|
cp "${profile_path}" "${old_named_profile_path}"
|
|
cp "${profile_path}" "${xcode_named_profile_path}"
|
|
|
|
base_keychains=()
|
|
while IFS= read -r existing_keychain; do
|
|
[[ -z "${existing_keychain}" ]] && continue
|
|
[[ "${existing_keychain}" == *"/${SIGNING_KEYCHAIN}"* ]] && continue
|
|
[[ ! -e "${existing_keychain}" ]] && continue
|
|
base_keychains+=("${existing_keychain}")
|
|
done < <(security list-keychains -d user | sed 's/[ "]//g')
|
|
|
|
security delete-keychain "${keychain_name}" >/dev/null 2>&1 || true
|
|
rm -f "${HOME}/Library/Keychains/${keychain_name}-db"
|
|
security create-keychain -p "${keychain_password}" "${keychain_name}"
|
|
security set-keychain-settings -lut 21600 "${keychain_name}"
|
|
security unlock-keychain -p "${keychain_password}" "${keychain_name}"
|
|
security import "${wwdr_certificate_path}" \
|
|
-k "${keychain_name}" \
|
|
-T /usr/bin/codesign \
|
|
-T /usr/bin/security \
|
|
-T /usr/bin/xcodebuild
|
|
security import "${certificate_path}" \
|
|
-k "${keychain_name}" \
|
|
-P "${APPSTORE_CERTIFICATES_PASSWORD}" \
|
|
-T /usr/bin/codesign \
|
|
-T /usr/bin/security \
|
|
-T /usr/bin/xcodebuild \
|
|
-T "${developer_dir}/usr/bin/xcodebuild"
|
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_name}"
|
|
if [[ "${#base_keychains[@]}" -gt 0 ]]; then
|
|
security list-keychains -d user -s "${keychain_name}" "${base_keychains[@]}"
|
|
security list-keychains -s "${keychain_name}" "${base_keychains[@]}"
|
|
else
|
|
security list-keychains -d user -s "${keychain_name}"
|
|
security list-keychains -s "${keychain_name}"
|
|
fi
|
|
security default-keychain -d user -s "${keychain_name}"
|
|
keychain_path="$(security list-keychains -d user | sed 's/[ "]//g' | head -n 1)"
|
|
security find-identity -v -p codesigning "${keychain_path}"
|
|
security find-identity -v -p codesigning
|
|
echo "Installed ${profile_name} (${profile_uuid}) provisioning profile"
|
|
{
|
|
echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
|
|
echo "SYBIL_SIGNING_KEYCHAIN_NAME=${keychain_name}"
|
|
echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
|
|
echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
|
|
echo "SYBIL_PROVISIONING_PROFILE_UUID=${profile_uuid}"
|
|
echo "SYBIL_SIGNING_DIR=${signing_dir}"
|
|
echo "SYBIL_OLD_PROFILE_PATH=${old_profile_path}"
|
|
echo "SYBIL_XCODE_PROFILE_PATH=${xcode_profile_path}"
|
|
echo "SYBIL_OLD_NAMED_PROFILE_PATH=${old_named_profile_path}"
|
|
echo "SYBIL_XCODE_NAMED_PROFILE_PATH=${xcode_named_profile_path}"
|
|
} >> "${GITHUB_ENV}"
|
|
|
|
- name: Build and upload to TestFlight
|
|
working-directory: ios
|
|
env:
|
|
APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
|
|
APP_STORE_CONNECT_API_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_ISSUER_ID }}
|
|
APP_STORE_CONNECT_API_KEY_CONTENT: ${{ secrets.APP_STORE_CONNECT_API_KEY_CONTENT }}
|
|
APP_STORE_CONNECT_API_KEY_CONTENT_BASE64: "true"
|
|
FASTLANE_DONT_STORE_PASSWORD: "1"
|
|
FASTLANE_HIDE_CHANGELOG: "1"
|
|
FASTLANE_SKIP_UPDATE_CHECK: "1"
|
|
SYBIL_PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
security unlock-keychain -p "${SYBIL_SIGNING_KEYCHAIN_PASSWORD}" "${SYBIL_SIGNING_KEYCHAIN_PATH}"
|
|
security list-keychains -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains -d user | sed 's/[ "]//g')
|
|
security default-keychain -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}"
|
|
security list-keychains -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains | sed 's/[ "]//g')
|
|
security find-identity -v -p codesigning "${SYBIL_SIGNING_KEYCHAIN_PATH}"
|
|
security find-identity -v -p codesigning
|
|
|
|
SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta
|
|
|
|
- name: Locate IPA
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
ipa_path="$(find ios/build/fastlane -maxdepth 1 -type f -name '*.ipa' -print | sort | tail -n 1)"
|
|
if [[ -z "${ipa_path}" ]]; then
|
|
echo "No IPA found under ios/build/fastlane" >&2
|
|
exit 1
|
|
fi
|
|
|
|
{
|
|
echo "IPA_PATH=${ipa_path}"
|
|
echo "IPA_NAME=$(basename "${ipa_path}")"
|
|
} >> "${GITHUB_ENV}"
|
|
|
|
- name: Publish Gitea release asset
|
|
env:
|
|
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
|
|
RELEASE_API_URL: ${{ github.api_url }}
|
|
RELEASE_REPOSITORY: ${{ github.repository }}
|
|
RELEASE_SHA: ${{ github.sha }}
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
: "${GITEA_TOKEN:?GITEA_TOKEN is required}"
|
|
|
|
api_url="${RELEASE_API_URL:-https://code.buzzert.dev/api/v1}"
|
|
repository="${RELEASE_REPOSITORY:-buzzert/Sybil-2}"
|
|
sha="${RELEASE_SHA:-${GITHUB_SHA:-}}"
|
|
release_name="Sybil v${RELEASE_VERSION}"
|
|
release_body="Automated TestFlight release for ${TAG_NAME}."
|
|
release_payload="$(jq -nc \
|
|
--arg tag "${TAG_NAME}" \
|
|
--arg name "${release_name}" \
|
|
--arg body "${release_body}" \
|
|
--arg target "${sha}" \
|
|
'{tag_name: $tag, name: $name, body: $body, draft: false, prerelease: false} +
|
|
(if $target == "" then {} else {target_commitish: $target} end)')"
|
|
|
|
response_file="$(mktemp)"
|
|
status="$(curl -sS -o "${response_file}" -w "%{http_code}" \
|
|
-X POST "${api_url}/repos/${repository}/releases" \
|
|
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
-H "Content-Type: application/json" \
|
|
--data "${release_payload}")"
|
|
|
|
if [[ "${status}" == "201" ]]; then
|
|
release_id="$(jq -r '.id' "${response_file}")"
|
|
elif [[ "${status}" == "409" ]]; then
|
|
release_id="$(curl -fsS \
|
|
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
"${api_url}/repos/${repository}/releases?limit=100" |
|
|
jq -r --arg tag "${TAG_NAME}" '.[] | select(.tag_name == $tag) | .id' |
|
|
head -n 1)"
|
|
else
|
|
cat "${response_file}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
if [[ -z "${release_id}" || "${release_id}" == "null" ]]; then
|
|
echo "Could not resolve Gitea release id for ${TAG_NAME}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
existing_asset_id="$(curl -fsS \
|
|
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
"${api_url}/repos/${repository}/releases/${release_id}/assets" |
|
|
jq -r --arg name "${IPA_NAME}" '.[] | select(.name == $name) | .id' |
|
|
head -n 1)"
|
|
|
|
if [[ -n "${existing_asset_id}" && "${existing_asset_id}" != "null" ]]; then
|
|
curl -fsS -X DELETE \
|
|
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
"${api_url}/repos/${repository}/releases/${release_id}/assets/${existing_asset_id}"
|
|
fi
|
|
|
|
asset_name="$(jq -rn --arg value "${IPA_NAME}" '$value | @uri')"
|
|
curl -fsS -X POST \
|
|
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
-F "attachment=@${IPA_PATH}" \
|
|
"${api_url}/repos/${repository}/releases/${release_id}/assets?name=${asset_name}" >/dev/null
|
|
|
|
echo "Published ${IPA_NAME} to ${release_name}"
|
|
|
|
- name: Clean up temporary keychain
|
|
if: always()
|
|
run: |
|
|
if [[ -n "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN:-}" ]]; then
|
|
security default-keychain -d user -s "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN}" || true
|
|
fi
|
|
rm -f \
|
|
"${SYBIL_OLD_PROFILE_PATH:-}" \
|
|
"${SYBIL_XCODE_PROFILE_PATH:-}" \
|
|
"${SYBIL_OLD_NAMED_PROFILE_PATH:-}" \
|
|
"${SYBIL_XCODE_NAMED_PROFILE_PATH:-}"
|
|
security delete-keychain "${SYBIL_SIGNING_KEYCHAIN_PATH:-${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db}" || true
|
|
rm -f "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-"*.keychain-db
|
|
rm -rf "${SYBIL_SIGNING_DIR:-}"
|