ios/fastlane/Fastfile

require "fileutils"
require "shellwords"

default_platform(:ios)

APP_IDENTIFIER = "net.buzzert.sybil2"
SCHEME = "Sybil"
TEAM_ID = "DQQH5H6GBD"
PROFILE_NAME = "Sybil AppStore CI"
SIGNING_IDENTITY = "Apple Distribution: James Magahern (DQQH5H6GBD)"
CI_KEYCHAIN_NAME = "sybil_ci_keychain"
CI_KEYCHAIN_PASSWORD = ""
IOS_ROOT = File.expand_path("..", __dir__)
PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
CI_KEYCHAIN_PATH = File.join(File.expand_path("~/Library/Keychains"), CI_KEYCHAIN_NAME)
CI_KEYCHAIN_DB_PATH = "#{CI_KEYCHAIN_PATH}-db"
LOGIN_KEYCHAIN_PATH = File.expand_path("~/Library/Keychains/login.keychain")
LOGIN_KEYCHAIN_DB_PATH = "#{LOGIN_KEYCHAIN_PATH}-db"

def present?(value)
  !value.to_s.strip.empty?
end

def release_version
  tag = ENV["SYBIL_VERSION_TAG"].to_s
  tag = ENV["GITHUB_REF_NAME"].to_s if !present?(tag)
  tag = ENV["GITHUB_REF"].to_s.sub(%r{\Arefs/tags/}, "") if !present?(tag)
  tag = sh("git describe --tags --abbrev=0").strip if !present?(tag)
  version = tag.sub(%r{\Arelease/}, "").sub(/\Av/, "")

  unless version.match?(/\A\d+\.\d+\.\d+\z/)
    UI.user_error!("Release tag must look like v1.2.3; got #{tag.inspect}")
  end

  version
end

def ci?
  present?(ENV["CI"])
end

def ci_keychain_path
  File.file?(CI_KEYCHAIN_DB_PATH) ? CI_KEYCHAIN_DB_PATH : CI_KEYCHAIN_PATH
end

platform :ios do
  private_lane :app_store_api_key do
    app_store_connect_api_key(
      key_id: ENV.fetch("APP_STORE_CONNECT_KEY_ID"),
      issuer_id: ENV.fetch("APP_STORE_CONNECT_ISSUER_ID"),
      key_content: ENV.fetch("APP_STORE_CONNECT_KEY_CONTENT"),
      is_key_content_base64: true
    )
  end

  private_lane :setup_ci_signing do
    next unless ci?

    FileUtils.mkdir_p(File.dirname(CI_KEYCHAIN_PATH))
    sh("security delete-keychain #{CI_KEYCHAIN_PATH.shellescape} || true", log: false)
    FileUtils.rm_f(CI_KEYCHAIN_PATH)
    FileUtils.rm_f(CI_KEYCHAIN_DB_PATH)

    create_keychain(
      path: CI_KEYCHAIN_PATH,
      password: CI_KEYCHAIN_PASSWORD,
      default_keychain: false,
      unlock: true,
      timeout: 3600,
      lock_when_sleeps: true,
      add_to_search_list: false
    )

    sh("security default-keychain -d user -s #{CI_KEYCHAIN_PATH.shellescape}", log: false)
    sh("security list-keychains -d user -s #{ci_keychain_path.shellescape}", log: false)

    ENV["MATCH_KEYCHAIN_NAME"] = CI_KEYCHAIN_PATH
    ENV["MATCH_KEYCHAIN_PASSWORD"] = CI_KEYCHAIN_PASSWORD
    ENV["MATCH_READONLY"] = "true"
  end

  private_lane :cleanup_ci_signing do
    next unless ci?

    if File.file?(LOGIN_KEYCHAIN_DB_PATH) || File.file?(LOGIN_KEYCHAIN_PATH)
      sh("security default-keychain -d user -s #{LOGIN_KEYCHAIN_PATH.shellescape} || true", log: false)
      sh("security list-keychains -d user -s #{LOGIN_KEYCHAIN_DB_PATH.shellescape} || true", log: false)
    end
    sh("security delete-keychain #{ci_keychain_path.shellescape} || true", log: false)
    FileUtils.rm_f(CI_KEYCHAIN_PATH)
    FileUtils.rm_f(CI_KEYCHAIN_DB_PATH)
  rescue => error
    UI.message("Unable to delete temporary CI keychain: #{error.message}")
  ensure
    ENV.delete("MATCH_KEYCHAIN_NAME")
    ENV.delete("MATCH_KEYCHAIN_PASSWORD")
    ENV.delete("MATCH_READONLY")
  end

  private_lane :sync_signing do |options|
    match_options = {
      type: "appstore",
      readonly: options.fetch(:readonly),
      app_identifier: APP_IDENTIFIER,
      team_id: TEAM_ID,
      profile_name: PROFILE_NAME,
      git_url: ENV.fetch("MATCH_GIT_URL"),
      git_branch: "master",
      git_full_name: "Sybil Release Bot",
      git_user_email: "james.magahern@me.com",
      api_key: options.fetch(:api_key)
    }
    match_options[:keychain_name] = ENV["MATCH_KEYCHAIN_NAME"] if present?(ENV["MATCH_KEYCHAIN_NAME"])
    match_options[:keychain_password] = ENV["MATCH_KEYCHAIN_PASSWORD"] if ENV.key?("MATCH_KEYCHAIN_PASSWORD")

    match(match_options)
  end

  private_lane :verify_ci_signing do
    next unless ci?

    if File.file?(ci_keychain_path)
      password = ENV.fetch("MATCH_KEYCHAIN_PASSWORD", "")
      sh("security unlock-keychain -p #{password.shellescape} #{ci_keychain_path.shellescape}", log: false)
      sh("security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k #{password.shellescape} #{ci_keychain_path.shellescape}", log: false)
    end

    identities = sh("security find-identity -v -p codesigning", log: false)
    UI.message(identities)

    unless identities.include?(SIGNING_IDENTITY)
      UI.user_error!("The CI keychain search list does not contain #{SIGNING_IDENTITY}")
    end
  end

  desc "Create or update match signing assets"
  lane :setup_signing do
    sync_signing(api_key: app_store_api_key, readonly: false)
  end

  desc "Build and upload to TestFlight"
  lane :beta do
    setup_ci_signing

    api_key = app_store_api_key

    sh("xcodegen --spec #{PROJECT_SPEC.shellescape}")

    increment_version_number(
      version_number: release_version,
      xcodeproj: PROJECT_FILE
    )

    latest_build_number = latest_testflight_build_number(
      app_identifier: APP_IDENTIFIER,
      api_key: api_key,
      initial_build_number: 0
    )

    increment_build_number(
      build_number: latest_build_number + 1,
      xcodeproj: PROJECT_FILE
    )

    sync_signing(api_key: api_key, readonly: true)
    verify_ci_signing

    xcargs = [
      "DEVELOPMENT_TEAM=#{TEAM_ID.shellescape}",
      "CODE_SIGN_STYLE=Manual",
      "CODE_SIGN_IDENTITY=#{SIGNING_IDENTITY.shellescape}",
      "PROVISIONING_PROFILE_SPECIFIER=#{PROFILE_NAME.shellescape}"
    ]

    if ci?
      xcargs << "CODE_SIGN_KEYCHAIN=#{ci_keychain_path.shellescape}"
      xcargs << "OTHER_CODE_SIGN_FLAGS=#{("--keychain #{ci_keychain_path}").shellescape}"
    end

    build_app(
      project: PROJECT_FILE,
      scheme: SCHEME,
      export_method: "app-store",
      codesigning_identity: SIGNING_IDENTITY,
      xcargs: xcargs.join(" "),
      export_options: {
        signingStyle: "manual",
        teamID: TEAM_ID,
        provisioningProfiles: {
          APP_IDENTIFIER => PROFILE_NAME
        }
      }
    )

    upload_to_testflight(
      api_key: api_key,
      skip_waiting_for_build_processing: true
    )
  ensure
    cleanup_ci_signing
  end
end
Use explicit CI signing keychain 2026-06-25 23:48:26 -07:00			`require "fileutils"`
Use absolute iOS paths in Fastlane 2026-06-25 22:50:30 -07:00			`require "shellwords"`
Use disposable match keychain in CI 2026-06-25 22:48:59 -07:00
ios: add fastlane 2026-06-05 23:19:14 -07:00			`default_platform(:ios)`

Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`APP_IDENTIFIER = "net.buzzert.sybil2"`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`SCHEME = "Sybil"`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`TEAM_ID = "DQQH5H6GBD"`
			`PROFILE_NAME = "Sybil AppStore CI"`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`SIGNING_IDENTITY = "Apple Distribution: James Magahern (DQQH5H6GBD)"`
			`CI_KEYCHAIN_NAME = "sybil_ci_keychain"`
Use explicit CI signing keychain 2026-06-25 23:48:26 -07:00			`CI_KEYCHAIN_PASSWORD = ""`
Use absolute iOS paths in Fastlane 2026-06-25 22:50:30 -07:00			`IOS_ROOT = File.expand_path("..", __dir__)`
			`PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")`
			`PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")`
Use explicit CI signing keychain 2026-06-25 23:48:26 -07:00			`CI_KEYCHAIN_PATH = File.join(File.expand_path("~/Library/Keychains"), CI_KEYCHAIN_NAME)`
			`CI_KEYCHAIN_DB_PATH = "#{CI_KEYCHAIN_PATH}-db"`
Use user keychain domain in CI 2026-06-25 23:51:33 -07:00			`LOGIN_KEYCHAIN_PATH = File.expand_path("~/Library/Keychains/login.keychain")`
			`LOGIN_KEYCHAIN_DB_PATH = "#{LOGIN_KEYCHAIN_PATH}-db"`
ios: add fastlane 2026-06-05 23:19:14 -07:00
			`def present?(value)`
			`!value.to_s.strip.empty?`
			`end`

			`def release_version`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`tag = ENV["SYBIL_VERSION_TAG"].to_s`
			`tag = ENV["GITHUB_REF_NAME"].to_s if !present?(tag)`
			`tag = ENV["GITHUB_REF"].to_s.sub(%r{\Arefs/tags/}, "") if !present?(tag)`
			`tag = sh("git describe --tags --abbrev=0").strip if !present?(tag)`
			`version = tag.sub(%r{\Arelease/}, "").sub(/\Av/, "")`
ios: bootstrap signing with existing certificate 2026-06-25 21:03:43 -07:00
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`unless version.match?(/\A\d+\.\d+\.\d+\z/)`
			`UI.user_error!("Release tag must look like v1.2.3; got #{tag.inspect}")`
ios: bootstrap signing with existing certificate 2026-06-25 21:03:43 -07:00			`end`

Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`version`
ios: bootstrap signing with existing certificate 2026-06-25 21:03:43 -07:00			`end`

Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`def ci?`
			`present?(ENV["CI"])`
Target login keychain path for CI signing 2026-06-25 23:18:01 -07:00			`end`

Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`def ci_keychain_path`
Use explicit CI signing keychain 2026-06-25 23:48:26 -07:00			`File.file?(CI_KEYCHAIN_DB_PATH) ? CI_KEYCHAIN_DB_PATH : CI_KEYCHAIN_PATH`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`end`
Make CI signing keychain visible to Xcode 2026-06-25 23:06:00 -07:00
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`platform :ios do`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`private_lane :app_store_api_key do`
			`app_store_connect_api_key(`
			`key_id: ENV.fetch("APP_STORE_CONNECT_KEY_ID"),`
			`issuer_id: ENV.fetch("APP_STORE_CONNECT_ISSUER_ID"),`
			`key_content: ENV.fetch("APP_STORE_CONNECT_KEY_CONTENT"),`
			`is_key_content_base64: true`
			`)`
ios: use single identity signing p12 2026-06-25 21:18:54 -07:00			`end`

Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`private_lane :setup_ci_signing do`
			`next unless ci?`

Use explicit CI signing keychain 2026-06-25 23:48:26 -07:00			`FileUtils.mkdir_p(File.dirname(CI_KEYCHAIN_PATH))`
			`sh("security delete-keychain #{CI_KEYCHAIN_PATH.shellescape} \|\| true", log: false)`
			`FileUtils.rm_f(CI_KEYCHAIN_PATH)`
			`FileUtils.rm_f(CI_KEYCHAIN_DB_PATH)`

			`create_keychain(`
			`path: CI_KEYCHAIN_PATH,`
			`password: CI_KEYCHAIN_PASSWORD,`
Use user keychain domain in CI 2026-06-25 23:51:33 -07:00			`default_keychain: false,`
Use explicit CI signing keychain 2026-06-25 23:48:26 -07:00			`unlock: true,`
			`timeout: 3600,`
			`lock_when_sleeps: true,`
Use user keychain domain in CI 2026-06-25 23:51:33 -07:00			`add_to_search_list: false`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`)`
Use explicit CI signing keychain 2026-06-25 23:48:26 -07:00
Use user keychain domain in CI 2026-06-25 23:51:33 -07:00			`sh("security default-keychain -d user -s #{CI_KEYCHAIN_PATH.shellescape}", log: false)`
			`sh("security list-keychains -d user -s #{ci_keychain_path.shellescape}", log: false)`

Use explicit CI signing keychain 2026-06-25 23:48:26 -07:00			`ENV["MATCH_KEYCHAIN_NAME"] = CI_KEYCHAIN_PATH`
			`ENV["MATCH_KEYCHAIN_PASSWORD"] = CI_KEYCHAIN_PASSWORD`
			`ENV["MATCH_READONLY"] = "true"`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`end`

			`private_lane :cleanup_ci_signing do`
			`next unless ci?`

Use user keychain domain in CI 2026-06-25 23:51:33 -07:00			`if File.file?(LOGIN_KEYCHAIN_DB_PATH) \|\| File.file?(LOGIN_KEYCHAIN_PATH)`
			`sh("security default-keychain -d user -s #{LOGIN_KEYCHAIN_PATH.shellescape} \|\| true", log: false)`
			`sh("security list-keychains -d user -s #{LOGIN_KEYCHAIN_DB_PATH.shellescape} \|\| true", log: false)`
			`end`
			`sh("security delete-keychain #{ci_keychain_path.shellescape} \|\| true", log: false)`
			`FileUtils.rm_f(CI_KEYCHAIN_PATH)`
			`FileUtils.rm_f(CI_KEYCHAIN_DB_PATH)`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`rescue => error`
			`UI.message("Unable to delete temporary CI keychain: #{error.message}")`
			`ensure`
			`ENV.delete("MATCH_KEYCHAIN_NAME")`
			`ENV.delete("MATCH_KEYCHAIN_PASSWORD")`
Use explicit CI signing keychain 2026-06-25 23:48:26 -07:00			`ENV.delete("MATCH_READONLY")`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`end`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`private_lane :sync_signing do \|options\|`
Use explicit CI signing keychain 2026-06-25 23:48:26 -07:00			`match_options = {`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`type: "appstore",`
			`readonly: options.fetch(:readonly),`
			`app_identifier: APP_IDENTIFIER,`
			`team_id: TEAM_ID,`
			`profile_name: PROFILE_NAME,`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`git_url: ENV.fetch("MATCH_GIT_URL"),`
			`git_branch: "master",`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`git_full_name: "Sybil Release Bot",`
			`git_user_email: "james.magahern@me.com",`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`api_key: options.fetch(:api_key)`
Use explicit CI signing keychain 2026-06-25 23:48:26 -07:00			`}`
			`match_options[:keychain_name] = ENV["MATCH_KEYCHAIN_NAME"] if present?(ENV["MATCH_KEYCHAIN_NAME"])`
			`match_options[:keychain_password] = ENV["MATCH_KEYCHAIN_PASSWORD"] if ENV.key?("MATCH_KEYCHAIN_PASSWORD")`

			`match(match_options)`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`end`

			`private_lane :verify_ci_signing do`
			`next unless ci?`

			`if File.file?(ci_keychain_path)`
			`password = ENV.fetch("MATCH_KEYCHAIN_PASSWORD", "")`
			`sh("security unlock-keychain -p #{password.shellescape} #{ci_keychain_path.shellescape}", log: false)`
			`sh("security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k #{password.shellescape} #{ci_keychain_path.shellescape}", log: false)`
			`end`
ios: configure api-key TestFlight signing 2026-06-25 20:51:01 -07:00
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`identities = sh("security find-identity -v -p codesigning", log: false)`
			`UI.message(identities)`

			`unless identities.include?(SIGNING_IDENTITY)`
			`UI.user_error!("The CI keychain search list does not contain #{SIGNING_IDENTITY}")`
			`end`
ios: configure api-key TestFlight signing 2026-06-25 20:51:01 -07:00			`end`

Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`desc "Create or update match signing assets"`
			`lane :setup_signing do`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`sync_signing(api_key: app_store_api_key, readonly: false)`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`end`

Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`desc "Build and upload to TestFlight"`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`lane :beta do`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`setup_ci_signing`
ios: add fastlane 2026-06-05 23:19:14 -07:00
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`api_key = app_store_api_key`
ios: add fastlane 2026-06-05 23:19:14 -07:00
Use absolute iOS paths in Fastlane 2026-06-25 22:50:30 -07:00			`sh("xcodegen --spec #{PROJECT_SPEC.shellescape}")`
ios: add fastlane 2026-06-05 23:19:14 -07:00
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`increment_version_number(`
			`version_number: release_version,`
Use absolute iOS paths in Fastlane 2026-06-25 22:50:30 -07:00			`xcodeproj: PROJECT_FILE`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`)`
ios: add fastlane 2026-06-05 23:19:14 -07:00
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`latest_build_number = latest_testflight_build_number(`
			`app_identifier: APP_IDENTIFIER,`
			`api_key: api_key,`
			`initial_build_number: 0`
			`)`
ios: add fastlane 2026-06-05 23:19:14 -07:00
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`increment_build_number(`
			`build_number: latest_build_number + 1,`
Use absolute iOS paths in Fastlane 2026-06-25 22:50:30 -07:00			`xcodeproj: PROJECT_FILE`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`)`

Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`sync_signing(api_key: api_key, readonly: true)`
			`verify_ci_signing`

Use user keychain domain in CI 2026-06-25 23:51:33 -07:00			`xcargs = [`
			`"DEVELOPMENT_TEAM=#{TEAM_ID.shellescape}",`
			`"CODE_SIGN_STYLE=Manual",`
			`"CODE_SIGN_IDENTITY=#{SIGNING_IDENTITY.shellescape}",`
			`"PROVISIONING_PROFILE_SPECIFIER=#{PROFILE_NAME.shellescape}"`
			`]`

			`if ci?`
			`xcargs << "CODE_SIGN_KEYCHAIN=#{ci_keychain_path.shellescape}"`
			`xcargs << "OTHER_CODE_SIGN_FLAGS=#{("--keychain #{ci_keychain_path}").shellescape}"`
			`end`

Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`build_app(`
Use absolute iOS paths in Fastlane 2026-06-25 22:50:30 -07:00			`project: PROJECT_FILE,`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`scheme: SCHEME,`
			`export_method: "app-store",`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`codesigning_identity: SIGNING_IDENTITY,`
Use user keychain domain in CI 2026-06-25 23:51:33 -07:00			`xcargs: xcargs.join(" "),`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`export_options: {`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`signingStyle: "manual",`
			`teamID: TEAM_ID,`
ios: configure api-key TestFlight signing 2026-06-25 20:51:01 -07:00			`provisioningProfiles: {`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`APP_IDENTIFIER => PROFILE_NAME`
			`}`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`}`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`)`
ios: add fastlane 2026-06-05 23:19:14 -07:00
ios: configure api-key TestFlight signing 2026-06-25 20:51:01 -07:00			`upload_to_testflight(`
			`api_key: api_key,`
			`skip_waiting_for_build_processing: true`
			`)`
Simplify TestFlight CI signing 2026-06-25 23:44:13 -07:00			`ensure`
			`cleanup_ci_signing`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`end`
			`end`