Sybil-2/ios/fastlane/Fastfile

require "fileutils"
require "shellwords"

default_platform(:ios)

APP_IDENTIFIER = "net.buzzert.sybil2"
SCHEME = "Sybil"
TEAM_ID = "DQQH5H6GBD"
PROFILE_NAME = "Sybil AppStore CI"
SIGNING_IDENTITY_NAME = "Apple Distribution: James Magahern (DQQH5H6GBD)"
SIGNING_IDENTITY_SHA1 = "6B74B268C4761720FB2051D01D8BB3E47B55D9F5"
MATCH_BRANCH = "master"
IOS_ROOT = File.expand_path("..", __dir__)
PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")

def present?(value)
  !value.to_s.strip.empty?
end

def release_version
  tag = ENV["SYBIL_VERSION_TAG"].to_s
  tag = ENV["GITHUB_REF_NAME"].to_s if !present?(tag)
  tag = ENV["GITHUB_REF"].to_s.sub(%r{\Arefs/tags/}, "") if !present?(tag)
  tag = sh("git describe --tags --abbrev=0").strip if !present?(tag)
  version = tag.sub(%r{\Arelease/}, "").sub(/\Av/, "")

  unless version.match?(/\A\d+\.\d+\.\d+\z/)
    UI.user_error!("Release tag must look like v1.2.3; got #{tag.inspect}")
  end

  version
end

platform :ios do
  private_lane :prepare_ci_keychain do
    next unless ENV["CI"]

    keychain_path = File.expand_path("../build/ci/sybil-signing.keychain", __dir__)
    keychain_password = ENV["MATCH_KEYCHAIN_PASSWORD"].to_s
    keychain_password = "sybil-ci-keychain-password" unless present?(keychain_password)

    FileUtils.mkdir_p(File.dirname(keychain_path))

    create_keychain(
      path: keychain_path,
      password: keychain_password,
      default_keychain: false,
      unlock: true,
      timeout: 3600,
      lock_after_timeout: false,
      add_to_search_list: true
    )

    resolved_keychain_path = ["#{keychain_path}-db", keychain_path].find { |path| File.exist?(path) } || keychain_path

    sh("security list-keychains -d user -s #{resolved_keychain_path.shellescape}", log: false)

    ENV["MATCH_KEYCHAIN_NAME"] = resolved_keychain_path
    ENV["MATCH_KEYCHAIN_PASSWORD"] = keychain_password
  end

  private_lane :verify_ci_signing_identity do
    next unless ENV["CI"]

    keychain_path = ENV.fetch("MATCH_KEYCHAIN_NAME")
    keychain_password = ENV.fetch("MATCH_KEYCHAIN_PASSWORD")

    sh("security unlock-keychain -p #{keychain_password.shellescape} #{keychain_path.shellescape}", log: false)
    sh("security list-keychains -d user -s #{keychain_path.shellescape}", log: false)
    sh("security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k #{keychain_password.shellescape} #{keychain_path.shellescape}", log: false)

    identities = sh("security find-identity -v -p codesigning #{keychain_path.shellescape}", log: false)
    UI.message(identities)

    unless identities.include?(SIGNING_IDENTITY_NAME)
      UI.user_error!("The CI keychain does not contain the expected Apple Distribution signing identity")
    end
  end

  private_lane :app_store_api_key do
    app_store_connect_api_key(
      key_id: ENV.fetch("APP_STORE_CONNECT_KEY_ID"),
      issuer_id: ENV.fetch("APP_STORE_CONNECT_ISSUER_ID"),
      key_content: ENV.fetch("APP_STORE_CONNECT_KEY_CONTENT"),
      is_key_content_base64: true
    )
  end

  private_lane :sync_match_signing do |options|
    %w[
      APP_STORE_CONNECT_API_KEY
      APP_STORE_CONNECT_API_KEY_PATH
      SIGH_API_KEY
      SIGH_API_KEY_PATH
    ].each { |key| ENV.delete(key) }

    match_options = {
      type: "appstore",
      readonly: options.fetch(:readonly),
      app_identifier: APP_IDENTIFIER,
      team_id: TEAM_ID,
      profile_name: PROFILE_NAME,
      git_branch: MATCH_BRANCH,
      git_full_name: "Sybil Release Bot",
      git_user_email: "james.magahern@me.com",
      api_key: app_store_api_key
    }
    match_options[:git_url] = ENV.fetch("MATCH_GIT_URL")
    match_options[:keychain_name] = ENV["MATCH_KEYCHAIN_NAME"] if present?(ENV["MATCH_KEYCHAIN_NAME"])
    match_options[:keychain_password] = ENV["MATCH_KEYCHAIN_PASSWORD"] if present?(ENV["MATCH_KEYCHAIN_PASSWORD"])

    match(match_options)
  end

  desc "Create or update match signing assets"
  lane :setup_signing do
    prepare_ci_keychain
    sync_match_signing(readonly: false)
  end

  desc "Build and upload to TestFlight"
  lane :beta do
    prepare_ci_keychain

    api_key = app_store_api_key

    sh("xcodegen --spec #{PROJECT_SPEC.shellescape}")

    increment_version_number(
      version_number: release_version,
      xcodeproj: PROJECT_FILE
    )

    latest_build_number = latest_testflight_build_number(
      app_identifier: APP_IDENTIFIER,
      api_key: api_key,
      initial_build_number: 0
    )

    increment_build_number(
      build_number: latest_build_number + 1,
      xcodeproj: PROJECT_FILE
    )

    sync_match_signing(readonly: true)
    verify_ci_signing_identity

    build_options = {
      project: PROJECT_FILE,
      scheme: SCHEME,
      export_method: "app-store",
      export_options: {
        provisioningProfiles: {
          APP_IDENTIFIER => PROFILE_NAME
        }
      }
    }

    if ENV["CI"]
      build_options[:xcargs] = [
        "CODE_SIGN_IDENTITY=#{SIGNING_IDENTITY_SHA1.shellescape}",
        "OTHER_CODE_SIGN_FLAGS=#{("--keychain #{ENV.fetch("MATCH_KEYCHAIN_NAME")}").shellescape}"
      ].join(" ")
    end

    build_app(build_options)

    upload_to_testflight(
      api_key: api_key,
      skip_waiting_for_build_processing: true
    )
  end
end