buzzert/Sybil-2
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Simplify TestFlight CI signing
Some checks failed
TestFlight / testflight (push) Failing after 22s
Details

Browse Source
This commit is contained in:
James Magahern
2026-06-25 23:44:13 -07:00
parent 0be2442ad0
commit 23ee30a53a
3 changed files with 71 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitea/workflows/testflight.yml
View File

@@ -36,6 +36,7 @@ jobs:
- name: Upload to TestFlight - name: Upload to TestFlight
working-directory: ios working-directory: ios
env: env:
HOME: /var/lib/act_runner
APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }} APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }} APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
APP_STORE_CONNECT_KEY_CONTENT: ${{ secrets.APP_STORE_CONNECT_KEY_CONTENT }} APP_STORE_CONNECT_KEY_CONTENT: ${{ secrets.APP_STORE_CONNECT_KEY_CONTENT }}

4
ios/Apps/Sybil/project.yml
View File

@@ -35,8 +35,8 @@ targets:
configs: configs:
Release: Release:
CODE_SIGN_STYLE: Manual CODE_SIGN_STYLE: Manual
CODE_SIGN_IDENTITY: Apple Distribution CODE_SIGN_IDENTITY: "Apple Distribution: James Magahern (DQQH5H6GBD)"
"CODE_SIGN_IDENTITY[sdk=iphoneos*]": Apple Distribution "CODE_SIGN_IDENTITY[sdk=iphoneos*]": "Apple Distribution: James Magahern (DQQH5H6GBD)"
PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI
schemes: schemes:

168
ios/fastlane/Fastfile
View File

@@ -1,4 +1,3 @@
require "fileutils"
require "shellwords" require "shellwords"
default_platform(:ios) default_platform(:ios)
@@ -7,13 +6,8 @@ APP_IDENTIFIER = "net.buzzert.sybil2"
SCHEME = "Sybil" SCHEME = "Sybil"
TEAM_ID = "DQQH5H6GBD" TEAM_ID = "DQQH5H6GBD"
PROFILE_NAME = "Sybil AppStore CI" PROFILE_NAME = "Sybil AppStore CI"
SIGNING_IDENTITY_NAME = "Apple Distribution: James Magahern (DQQH5H6GBD)" SIGNING_IDENTITY = "Apple Distribution: James Magahern (DQQH5H6GBD)"
SIGNING_IDENTITY_SHA1 = "6B74B268C4761720FB2051D01D8BB3E47B55D9F5" CI_KEYCHAIN_NAME = "sybil_ci_keychain"
CI_KEYCHAIN_DIR = "/private/var/lib/act_runner/Library/Keychains"
CI_LOGIN_KEYCHAIN = File.join(CI_KEYCHAIN_DIR, "login.keychain")
CI_LOGIN_KEYCHAIN_DB = "#{CI_LOGIN_KEYCHAIN}-db"
CI_KEYCHAIN_PASSWORD = "sybil-ci-keychain-password"
MATCH_BRANCH = "master"
IOS_ROOT = File.expand_path("..", __dir__) IOS_ROOT = File.expand_path("..", __dir__)
PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj") PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
PROJECT_SPEC = File.join(IOS_ROOT, "project.yml") PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
@@ -36,67 +30,15 @@ def release_version
version version
end end
def ci_login_keychain_path def ci?
return CI_LOGIN_KEYCHAIN_DB if ENV["CI"] present?(ENV["CI"])
end
candidates = [ def ci_keychain_path
"/private/var/lib/act_runner/Library/Keychains/login.keychain-db", File.expand_path("~/Library/Keychains/#{CI_KEYCHAIN_NAME}-db")
"/var/lib/act_runner/Library/Keychains/login.keychain-db",
"/Users/runner/Library/Keychains/login.keychain-db",
File.expand_path("~/Library/Keychains/login.keychain-db"),
File.expand_path("~/Library/Keychains/login.keychain")
]
existing_candidate = candidates.find { |path| File.file?(path) }
return existing_candidate if existing_candidate
keychains = sh("security list-keychains -d user", log: false).shellsplit
keychains.find { |path| File.basename(path).start_with?("login.keychain") } || keychains.first || "login.keychain"
end end
platform :ios do platform :ios do
private_lane :cleanup_ci_signing_identity do
next unless ENV["CI"]
keychain_path = ENV["MATCH_KEYCHAIN_NAME"].to_s
keychain_path = ci_login_keychain_path unless present?(keychain_path)
sh("security delete-identity -Z #{SIGNING_IDENTITY_SHA1.shellescape} #{keychain_path.shellescape} || true", log: false)
end
private_lane :prepare_ci_keychain do
next unless ENV["CI"]
ENV["HOME"] = "/var/lib/act_runner"
FileUtils.mkdir_p(CI_KEYCHAIN_DIR)
unless File.file?(CI_LOGIN_KEYCHAIN_DB)
sh("security create-keychain -p #{CI_KEYCHAIN_PASSWORD.shellescape} #{CI_LOGIN_KEYCHAIN.shellescape}", log: false)
end
ENV["MATCH_KEYCHAIN_NAME"] = ci_login_keychain_path
ENV["MATCH_KEYCHAIN_PASSWORD"] = CI_KEYCHAIN_PASSWORD
sh("security unlock-keychain -p #{CI_KEYCHAIN_PASSWORD.shellescape} #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
sh("security set-keychain-settings -t 3600 #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
sh("security default-keychain -d user -s #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
sh("security login-keychain -d user -s #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape} || true", log: false)
sh("security list-keychains -d user -s #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
cleanup_ci_signing_identity
end
private_lane :verify_ci_signing_identity do
next unless ENV["CI"]
keychain_path = ENV.fetch("MATCH_KEYCHAIN_NAME")
sh("security unlock-keychain -p #{ENV.fetch("MATCH_KEYCHAIN_PASSWORD").shellescape} #{keychain_path.shellescape}", log: false)
sh("security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k #{ENV.fetch("MATCH_KEYCHAIN_PASSWORD").shellescape} #{keychain_path.shellescape}", log: false)
identities = sh("security find-identity -v -p codesigning #{keychain_path.shellescape}", log: false)
UI.message(identities)
unless identities.include?(SIGNING_IDENTITY_NAME)
UI.user_error!("The runner login keychain does not contain the expected Apple Distribution signing identity")
end
end
private_lane :app_store_api_key do private_lane :app_store_api_key do
app_store_connect_api_key( app_store_connect_api_key(
key_id: ENV.fetch("APP_STORE_CONNECT_KEY_ID"), key_id: ENV.fetch("APP_STORE_CONNECT_KEY_ID"),
@@ -106,41 +48,68 @@ platform :ios do
) )
end end
private_lane :sync_match_signing do |options| private_lane :setup_ci_signing do
%w[ next unless ci?
APP_STORE_CONNECT_API_KEY
APP_STORE_CONNECT_API_KEY_PATH
SIGH_API_KEY
SIGH_API_KEY_PATH
].each { |key| ENV.delete(key) }
match_options = { setup_ci(
force: true,
keychain_name: CI_KEYCHAIN_NAME,
timeout: 3600
)
end
private_lane :cleanup_ci_signing do
next unless ci?
next unless ENV["MATCH_KEYCHAIN_NAME"] == CI_KEYCHAIN_NAME
delete_keychain(name: CI_KEYCHAIN_NAME)
rescue => error
UI.message("Unable to delete temporary CI keychain: #{error.message}")
ensure
ENV.delete("MATCH_KEYCHAIN_NAME")
ENV.delete("MATCH_KEYCHAIN_PASSWORD")
end
private_lane :sync_signing do |options|
match(
type: "appstore", type: "appstore",
readonly: options.fetch(:readonly), readonly: options.fetch(:readonly),
app_identifier: APP_IDENTIFIER, app_identifier: APP_IDENTIFIER,
team_id: TEAM_ID, team_id: TEAM_ID,
profile_name: PROFILE_NAME, profile_name: PROFILE_NAME,
git_branch: MATCH_BRANCH, git_url: ENV.fetch("MATCH_GIT_URL"),
git_branch: "master",
git_full_name: "Sybil Release Bot", git_full_name: "Sybil Release Bot",
git_user_email: "james.magahern@me.com", git_user_email: "james.magahern@me.com",
api_key: app_store_api_key api_key: options.fetch(:api_key)
} )
match_options[:git_url] = ENV.fetch("MATCH_GIT_URL") end
match_options[:keychain_name] = ENV["MATCH_KEYCHAIN_NAME"] if present?(ENV["MATCH_KEYCHAIN_NAME"])
match_options[:keychain_password] = ENV["MATCH_KEYCHAIN_PASSWORD"] if present?(ENV["MATCH_KEYCHAIN_PASSWORD"])
match(match_options) private_lane :verify_ci_signing do
next unless ci?
if File.file?(ci_keychain_path)
password = ENV.fetch("MATCH_KEYCHAIN_PASSWORD", "")
sh("security unlock-keychain -p #{password.shellescape} #{ci_keychain_path.shellescape}", log: false)
sh("security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k #{password.shellescape} #{ci_keychain_path.shellescape}", log: false)
end
identities = sh("security find-identity -v -p codesigning", log: false)
UI.message(identities)
unless identities.include?(SIGNING_IDENTITY)
UI.user_error!("The CI keychain search list does not contain #{SIGNING_IDENTITY}")
end
end end
desc "Create or update match signing assets" desc "Create or update match signing assets"
lane :setup_signing do lane :setup_signing do
prepare_ci_keychain sync_signing(api_key: app_store_api_key, readonly: false)
sync_match_signing(readonly: false)
end end
desc "Build and upload to TestFlight" desc "Build and upload to TestFlight"
lane :beta do lane :beta do
prepare_ci_keychain setup_ci_signing
api_key = app_store_api_key api_key = app_store_api_key
@@ -162,35 +131,34 @@ platform :ios do
xcodeproj: PROJECT_FILE xcodeproj: PROJECT_FILE
) )
build_options = { sync_signing(api_key: api_key, readonly: true)
verify_ci_signing
build_app(
project: PROJECT_FILE, project: PROJECT_FILE,
scheme: SCHEME, scheme: SCHEME,
export_method: "app-store", export_method: "app-store",
codesigning_identity: SIGNING_IDENTITY,
xcargs: [
"DEVELOPMENT_TEAM=#{TEAM_ID.shellescape}",
"CODE_SIGN_STYLE=Manual",
"CODE_SIGN_IDENTITY=#{SIGNING_IDENTITY.shellescape}",
"PROVISIONING_PROFILE_SPECIFIER=#{PROFILE_NAME.shellescape}"
].join(" "),
export_options: { export_options: {
signingStyle: "manual",
teamID: TEAM_ID,
provisioningProfiles: { provisioningProfiles: {
APP_IDENTIFIER => PROFILE_NAME APP_IDENTIFIER => PROFILE_NAME
} }
} }
} )
if ENV["CI"]
build_options[:xcargs] = [
"CODE_SIGN_KEYCHAIN=#{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}",
"OTHER_CODE_SIGN_FLAGS=#{("--keychain #{ENV.fetch("MATCH_KEYCHAIN_NAME")}").shellescape}"
].join(" ")
end
begin
sync_match_signing(readonly: true)
verify_ci_signing_identity
build_app(build_options)
ensure
cleanup_ci_signing_identity
end
upload_to_testflight( upload_to_testflight(
api_key: api_key, api_key: api_key,
skip_waiting_for_build_processing: true skip_waiting_for_build_processing: true
) )
ensure
cleanup_ci_signing
end end
end end