ios/fastlane/Fastfile

require "fileutils"
require "shellwords"

default_platform(:ios)

APP_IDENTIFIER = "net.buzzert.sybil2"
SCHEME = "Sybil"
TEAM_ID = "DQQH5H6GBD"
PROFILE_NAME = "Sybil AppStore CI"
SIGNING_IDENTITY_NAME = "Apple Distribution: James Magahern (DQQH5H6GBD)"
SIGNING_IDENTITY_SHA1 = "6B74B268C4761720FB2051D01D8BB3E47B55D9F5"
CI_KEYCHAIN_DIR = "/private/var/lib/act_runner/Library/Keychains"
CI_LOGIN_KEYCHAIN = File.join(CI_KEYCHAIN_DIR, "login.keychain")
CI_LOGIN_KEYCHAIN_DB = "#{CI_LOGIN_KEYCHAIN}-db"
CI_KEYCHAIN_PASSWORD = "sybil-ci-keychain-password"
MATCH_BRANCH = "master"
IOS_ROOT = File.expand_path("..", __dir__)
PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")

def present?(value)
  !value.to_s.strip.empty?
end

def release_version
  tag = ENV["SYBIL_VERSION_TAG"].to_s
  tag = ENV["GITHUB_REF_NAME"].to_s if !present?(tag)
  tag = ENV["GITHUB_REF"].to_s.sub(%r{\Arefs/tags/}, "") if !present?(tag)
  tag = sh("git describe --tags --abbrev=0").strip if !present?(tag)
  version = tag.sub(%r{\Arelease/}, "").sub(/\Av/, "")

  unless version.match?(/\A\d+\.\d+\.\d+\z/)
    UI.user_error!("Release tag must look like v1.2.3; got #{tag.inspect}")
  end

  version
end

def ci_login_keychain_path
  return CI_LOGIN_KEYCHAIN_DB if ENV["CI"]

  candidates = [
    "/private/var/lib/act_runner/Library/Keychains/login.keychain-db",
    "/var/lib/act_runner/Library/Keychains/login.keychain-db",
    "/Users/runner/Library/Keychains/login.keychain-db",
    File.expand_path("~/Library/Keychains/login.keychain-db"),
    File.expand_path("~/Library/Keychains/login.keychain")
  ]
  existing_candidate = candidates.find { |path| File.file?(path) }
  return existing_candidate if existing_candidate

  keychains = sh("security list-keychains -d user", log: false).shellsplit
  keychains.find { |path| File.basename(path).start_with?("login.keychain") } || keychains.first || "login.keychain"
end

platform :ios do
  private_lane :cleanup_ci_signing_identity do
    next unless ENV["CI"]

    keychain_path = ENV["MATCH_KEYCHAIN_NAME"].to_s
    keychain_path = ci_login_keychain_path unless present?(keychain_path)

    sh("security delete-identity -Z #{SIGNING_IDENTITY_SHA1.shellescape} #{keychain_path.shellescape} || true", log: false)
  end

  private_lane :prepare_ci_keychain do
    next unless ENV["CI"]

    FileUtils.mkdir_p(CI_KEYCHAIN_DIR)
    unless File.file?(CI_LOGIN_KEYCHAIN_DB)
      sh("security create-keychain -p #{CI_KEYCHAIN_PASSWORD.shellescape} #{CI_LOGIN_KEYCHAIN.shellescape}", log: false)
    end

    ENV["MATCH_KEYCHAIN_NAME"] = ci_login_keychain_path
    ENV["MATCH_KEYCHAIN_PASSWORD"] = CI_KEYCHAIN_PASSWORD
    sh("security unlock-keychain -p #{CI_KEYCHAIN_PASSWORD.shellescape} #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
    sh("security set-keychain-settings -t 3600 #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
    sh("security login-keychain -s #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
    sh("security list-keychains -d user -s #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
    cleanup_ci_signing_identity
  end

  private_lane :verify_ci_signing_identity do
    next unless ENV["CI"]

    keychain_path = ENV.fetch("MATCH_KEYCHAIN_NAME")
    identities = sh("security find-identity -v -p codesigning #{keychain_path.shellescape}", log: false)
    UI.message(identities)

    unless identities.include?(SIGNING_IDENTITY_NAME)
      UI.user_error!("The runner login keychain does not contain the expected Apple Distribution signing identity")
    end
  end

  private_lane :app_store_api_key do
    app_store_connect_api_key(
      key_id: ENV.fetch("APP_STORE_CONNECT_KEY_ID"),
      issuer_id: ENV.fetch("APP_STORE_CONNECT_ISSUER_ID"),
      key_content: ENV.fetch("APP_STORE_CONNECT_KEY_CONTENT"),
      is_key_content_base64: true
    )
  end

  private_lane :sync_match_signing do |options|
    %w[
      APP_STORE_CONNECT_API_KEY
      APP_STORE_CONNECT_API_KEY_PATH
      SIGH_API_KEY
      SIGH_API_KEY_PATH
    ].each { |key| ENV.delete(key) }

    match_options = {
      type: "appstore",
      readonly: options.fetch(:readonly),
      app_identifier: APP_IDENTIFIER,
      team_id: TEAM_ID,
      profile_name: PROFILE_NAME,
      git_branch: MATCH_BRANCH,
      git_full_name: "Sybil Release Bot",
      git_user_email: "james.magahern@me.com",
      api_key: app_store_api_key
    }
    match_options[:git_url] = ENV.fetch("MATCH_GIT_URL")
    match_options[:keychain_name] = ENV["MATCH_KEYCHAIN_NAME"] if present?(ENV["MATCH_KEYCHAIN_NAME"])
    match_options[:keychain_password] = ENV["MATCH_KEYCHAIN_PASSWORD"] if present?(ENV["MATCH_KEYCHAIN_PASSWORD"])

    match(match_options)
  end

  desc "Create or update match signing assets"
  lane :setup_signing do
    prepare_ci_keychain
    sync_match_signing(readonly: false)
  end

  desc "Build and upload to TestFlight"
  lane :beta do
    prepare_ci_keychain

    api_key = app_store_api_key

    sh("xcodegen --spec #{PROJECT_SPEC.shellescape}")

    increment_version_number(
      version_number: release_version,
      xcodeproj: PROJECT_FILE
    )

    latest_build_number = latest_testflight_build_number(
      app_identifier: APP_IDENTIFIER,
      api_key: api_key,
      initial_build_number: 0
    )

    increment_build_number(
      build_number: latest_build_number + 1,
      xcodeproj: PROJECT_FILE
    )

    build_options = {
      project: PROJECT_FILE,
      scheme: SCHEME,
      export_method: "app-store",
      export_options: {
        provisioningProfiles: {
          APP_IDENTIFIER => PROFILE_NAME
        }
      }
    }

    if ENV["CI"]
      build_options[:xcargs] = [
        "CODE_SIGN_IDENTITY=#{SIGNING_IDENTITY_SHA1.shellescape}",
        "OTHER_CODE_SIGN_FLAGS=#{("--keychain #{ENV.fetch("MATCH_KEYCHAIN_NAME")}").shellescape}"
      ].join(" ")
    end

    begin
      sync_match_signing(readonly: true)
      verify_ci_signing_identity
      build_app(build_options)
    ensure
      cleanup_ci_signing_identity
    end

    upload_to_testflight(
      api_key: api_key,
      skip_waiting_for_build_processing: true
    )
  end
end
Create CI login keychain when missing 2026-06-25 23:25:42 -07:00			`require "fileutils"`
Use absolute iOS paths in Fastlane 2026-06-25 22:50:30 -07:00			`require "shellwords"`
Use disposable match keychain in CI 2026-06-25 22:48:59 -07:00
ios: add fastlane 2026-06-05 23:19:14 -07:00			`default_platform(:ios)`

Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`APP_IDENTIFIER = "net.buzzert.sybil2"`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`SCHEME = "Sybil"`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`TEAM_ID = "DQQH5H6GBD"`
			`PROFILE_NAME = "Sybil AppStore CI"`
Use signing certificate identity hash 2026-06-25 23:13:08 -07:00			`SIGNING_IDENTITY_NAME = "Apple Distribution: James Magahern (DQQH5H6GBD)"`
			`SIGNING_IDENTITY_SHA1 = "6B74B268C4761720FB2051D01D8BB3E47B55D9F5"`
Create CI login keychain when missing 2026-06-25 23:25:42 -07:00			`CI_KEYCHAIN_DIR = "/private/var/lib/act_runner/Library/Keychains"`
			`CI_LOGIN_KEYCHAIN = File.join(CI_KEYCHAIN_DIR, "login.keychain")`
			`CI_LOGIN_KEYCHAIN_DB = "#{CI_LOGIN_KEYCHAIN}-db"`
			`CI_KEYCHAIN_PASSWORD = "sybil-ci-keychain-password"`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`MATCH_BRANCH = "master"`
Use absolute iOS paths in Fastlane 2026-06-25 22:50:30 -07:00			`IOS_ROOT = File.expand_path("..", __dir__)`
			`PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")`
			`PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")`
ios: add fastlane 2026-06-05 23:19:14 -07:00
			`def present?(value)`
			`!value.to_s.strip.empty?`
			`end`

			`def release_version`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`tag = ENV["SYBIL_VERSION_TAG"].to_s`
			`tag = ENV["GITHUB_REF_NAME"].to_s if !present?(tag)`
			`tag = ENV["GITHUB_REF"].to_s.sub(%r{\Arefs/tags/}, "") if !present?(tag)`
			`tag = sh("git describe --tags --abbrev=0").strip if !present?(tag)`
			`version = tag.sub(%r{\Arelease/}, "").sub(/\Av/, "")`
ios: bootstrap signing with existing certificate 2026-06-25 21:03:43 -07:00
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`unless version.match?(/\A\d+\.\d+\.\d+\z/)`
			`UI.user_error!("Release tag must look like v1.2.3; got #{tag.inspect}")`
ios: bootstrap signing with existing certificate 2026-06-25 21:03:43 -07:00			`end`

Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`version`
ios: bootstrap signing with existing certificate 2026-06-25 21:03:43 -07:00			`end`

Target login keychain path for CI signing 2026-06-25 23:18:01 -07:00			`def ci_login_keychain_path`
Create CI login keychain when missing 2026-06-25 23:25:42 -07:00			`return CI_LOGIN_KEYCHAIN_DB if ENV["CI"]`
Use explicit runner login keychain 2026-06-25 23:23:13 -07:00
Reset CI keychain search list 2026-06-25 23:21:42 -07:00			`candidates = [`
			`"/private/var/lib/act_runner/Library/Keychains/login.keychain-db",`
			`"/var/lib/act_runner/Library/Keychains/login.keychain-db",`
			`"/Users/runner/Library/Keychains/login.keychain-db",`
			`File.expand_path("~/Library/Keychains/login.keychain-db"),`
			`File.expand_path("~/Library/Keychains/login.keychain")`
			`]`
			`existing_candidate = candidates.find { \|path\| File.file?(path) }`
			`return existing_candidate if existing_candidate`

Detect runner login keychain path 2026-06-25 23:20:06 -07:00			`keychains = sh("security list-keychains -d user", log: false).shellsplit`
			`keychains.find { \|path\| File.basename(path).start_with?("login.keychain") } \|\| keychains.first \|\| "login.keychain"`
Target login keychain path for CI signing 2026-06-25 23:18:01 -07:00			`end`

Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`platform :ios do`
Use runner login keychain for CI signing 2026-06-25 23:16:22 -07:00			`private_lane :cleanup_ci_signing_identity do`
Use disposable match keychain in CI 2026-06-25 22:48:59 -07:00			`next unless ENV["CI"]`

Target login keychain path for CI signing 2026-06-25 23:18:01 -07:00			`keychain_path = ENV["MATCH_KEYCHAIN_NAME"].to_s`
			`keychain_path = ci_login_keychain_path unless present?(keychain_path)`

			`sh("security delete-identity -Z #{SIGNING_IDENTITY_SHA1.shellescape} #{keychain_path.shellescape} \|\| true", log: false)`
Use runner login keychain for CI signing 2026-06-25 23:16:22 -07:00			`end`
Make CI signing keychain visible to Xcode 2026-06-25 23:06:00 -07:00
Use runner login keychain for CI signing 2026-06-25 23:16:22 -07:00			`private_lane :prepare_ci_keychain do`
			`next unless ENV["CI"]`
Resolve CI signing keychain path 2026-06-25 23:08:35 -07:00
Create CI login keychain when missing 2026-06-25 23:25:42 -07:00			`FileUtils.mkdir_p(CI_KEYCHAIN_DIR)`
			`unless File.file?(CI_LOGIN_KEYCHAIN_DB)`
			`sh("security create-keychain -p #{CI_KEYCHAIN_PASSWORD.shellescape} #{CI_LOGIN_KEYCHAIN.shellescape}", log: false)`
			`end`

Target login keychain path for CI signing 2026-06-25 23:18:01 -07:00			`ENV["MATCH_KEYCHAIN_NAME"] = ci_login_keychain_path`
Create CI login keychain when missing 2026-06-25 23:25:42 -07:00			`ENV["MATCH_KEYCHAIN_PASSWORD"] = CI_KEYCHAIN_PASSWORD`
			`sh("security unlock-keychain -p #{CI_KEYCHAIN_PASSWORD.shellescape} #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)`
			`sh("security set-keychain-settings -t 3600 #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)`
			`sh("security login-keychain -s #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)`
Reset CI keychain search list 2026-06-25 23:21:42 -07:00			`sh("security list-keychains -d user -s #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)`
Target login keychain path for CI signing 2026-06-25 23:18:01 -07:00			`cleanup_ci_signing_identity`
Use disposable match keychain in CI 2026-06-25 22:48:59 -07:00			`end`

Make CI signing keychain visible to Xcode 2026-06-25 23:06:00 -07:00			`private_lane :verify_ci_signing_identity do`
			`next unless ENV["CI"]`

Target login keychain path for CI signing 2026-06-25 23:18:01 -07:00			`keychain_path = ENV.fetch("MATCH_KEYCHAIN_NAME")`
			`identities = sh("security find-identity -v -p codesigning #{keychain_path.shellescape}", log: false)`
Make CI signing keychain visible to Xcode 2026-06-25 23:06:00 -07:00			`UI.message(identities)`

Use signing certificate identity hash 2026-06-25 23:13:08 -07:00			`unless identities.include?(SIGNING_IDENTITY_NAME)`
Use runner login keychain for CI signing 2026-06-25 23:16:22 -07:00			`UI.user_error!("The runner login keychain does not contain the expected Apple Distribution signing identity")`
Make CI signing keychain visible to Xcode 2026-06-25 23:06:00 -07:00			`end`
			`end`

Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`private_lane :app_store_api_key do`
			`app_store_connect_api_key(`
			`key_id: ENV.fetch("APP_STORE_CONNECT_KEY_ID"),`
			`issuer_id: ENV.fetch("APP_STORE_CONNECT_ISSUER_ID"),`
			`key_content: ENV.fetch("APP_STORE_CONNECT_KEY_CONTENT"),`
			`is_key_content_base64: true`
			`)`
ios: use single identity signing p12 2026-06-25 21:18:54 -07:00			`end`

Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`private_lane :sync_match_signing do \|options\|`
			`%w[`
			`APP_STORE_CONNECT_API_KEY`
			`APP_STORE_CONNECT_API_KEY_PATH`
			`SIGH_API_KEY`
			`SIGH_API_KEY_PATH`
			`].each { \|key\| ENV.delete(key) }`

			`match_options = {`
			`type: "appstore",`
			`readonly: options.fetch(:readonly),`
			`app_identifier: APP_IDENTIFIER,`
			`team_id: TEAM_ID,`
			`profile_name: PROFILE_NAME,`
			`git_branch: MATCH_BRANCH,`
			`git_full_name: "Sybil Release Bot",`
			`git_user_email: "james.magahern@me.com",`
			`api_key: app_store_api_key`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`}`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`match_options[:git_url] = ENV.fetch("MATCH_GIT_URL")`
Use disposable match keychain in CI 2026-06-25 22:48:59 -07:00			`match_options[:keychain_name] = ENV["MATCH_KEYCHAIN_NAME"] if present?(ENV["MATCH_KEYCHAIN_NAME"])`
			`match_options[:keychain_password] = ENV["MATCH_KEYCHAIN_PASSWORD"] if present?(ENV["MATCH_KEYCHAIN_PASSWORD"])`
ios: configure api-key TestFlight signing 2026-06-25 20:51:01 -07:00
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`match(match_options)`
ios: configure api-key TestFlight signing 2026-06-25 20:51:01 -07:00			`end`

Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`desc "Create or update match signing assets"`
			`lane :setup_signing do`
Use disposable match keychain in CI 2026-06-25 22:48:59 -07:00			`prepare_ci_keychain`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`sync_match_signing(readonly: false)`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`end`

Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`desc "Build and upload to TestFlight"`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`lane :beta do`
Use disposable match keychain in CI 2026-06-25 22:48:59 -07:00			`prepare_ci_keychain`
ios: add fastlane 2026-06-05 23:19:14 -07:00
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`api_key = app_store_api_key`
ios: add fastlane 2026-06-05 23:19:14 -07:00
Use absolute iOS paths in Fastlane 2026-06-25 22:50:30 -07:00			`sh("xcodegen --spec #{PROJECT_SPEC.shellescape}")`
ios: add fastlane 2026-06-05 23:19:14 -07:00
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`increment_version_number(`
			`version_number: release_version,`
Use absolute iOS paths in Fastlane 2026-06-25 22:50:30 -07:00			`xcodeproj: PROJECT_FILE`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`)`
ios: add fastlane 2026-06-05 23:19:14 -07:00
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`latest_build_number = latest_testflight_build_number(`
			`app_identifier: APP_IDENTIFIER,`
			`api_key: api_key,`
			`initial_build_number: 0`
			`)`
ios: add fastlane 2026-06-05 23:19:14 -07:00
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`increment_build_number(`
			`build_number: latest_build_number + 1,`
Use absolute iOS paths in Fastlane 2026-06-25 22:50:30 -07:00			`xcodeproj: PROJECT_FILE`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`)`

Resolve CI signing keychain path 2026-06-25 23:08:35 -07:00			`build_options = {`
Use absolute iOS paths in Fastlane 2026-06-25 22:50:30 -07:00			`project: PROJECT_FILE,`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`scheme: SCHEME,`
			`export_method: "app-store",`
			`export_options: {`
ios: configure api-key TestFlight signing 2026-06-25 20:51:01 -07:00			`provisioningProfiles: {`
Reset iOS TestFlight deployment 2026-06-25 22:41:00 -07:00			`APP_IDENTIFIER => PROFILE_NAME`
			`}`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`}`
Resolve CI signing keychain path 2026-06-25 23:08:35 -07:00			`}`

			`if ENV["CI"]`
			`build_options[:xcargs] = [`
Target login keychain path for CI signing 2026-06-25 23:18:01 -07:00			`"CODE_SIGN_IDENTITY=#{SIGNING_IDENTITY_SHA1.shellescape}",`
			`"OTHER_CODE_SIGN_FLAGS=#{("--keychain #{ENV.fetch("MATCH_KEYCHAIN_NAME")}").shellescape}"`
Resolve CI signing keychain path 2026-06-25 23:08:35 -07:00			`].join(" ")`
			`end`

Use runner login keychain for CI signing 2026-06-25 23:16:22 -07:00			`begin`
			`sync_match_signing(readonly: true)`
			`verify_ci_signing_identity`
			`build_app(build_options)`
			`ensure`
			`cleanup_ci_signing_identity`
			`end`
ios: add fastlane 2026-06-05 23:19:14 -07:00
ios: configure api-key TestFlight signing 2026-06-25 20:51:01 -07:00			`upload_to_testflight(`
			`api_key: api_key,`
			`skip_waiting_for_build_processing: true`
			`)`
ios: add fastlane 2026-06-05 23:19:14 -07:00			`end`
			`end`