name: TestFlight Release on: push: tags: - "release/v*.*.*" permissions: contents: write jobs: testflight: runs-on: xcode env: SIGNING_KEYCHAIN: sybil_signing_temp defaults: run: shell: bash steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: Validate release tag run: | set -euo pipefail tag_name="${GITHUB_REF#refs/tags/}" if [[ ! "$tag_name" =~ ^release/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "Release tag must match release/vN.N.N; got ${tag_name}" >&2 exit 1 fi release_version="${tag_name#release/v}" { echo "TAG_NAME=${tag_name}" echo "RELEASE_VERSION=${release_version}" } >> "${GITHUB_ENV}" - name: Set up Ruby uses: ruby/setup-ruby@v1 with: ruby-version: "3.3" - name: Install Ruby gems working-directory: ios run: bundle install - name: Install release tools run: | set -euo pipefail missing_tools=() for tool in xcodegen jq; do if ! command -v "${tool}" >/dev/null 2>&1; then missing_tools+=("${tool}") fi done if [[ "${#missing_tools[@]}" -eq 0 ]]; then exit 0 fi if ! command -v brew >/dev/null 2>&1; then echo "Missing required tools: ${missing_tools[*]}; Homebrew is not available to install them" >&2 exit 1 fi brew install "${missing_tools[@]}" - name: Install signing secrets env: APPSTORE_CERTIFICATES_FILE_BASE64: ${{ secrets.APPSTORE_CERTIFICATES_FILE_BASE64 }} APPSTORE_CERTIFICATES_PASSWORD: ${{ secrets.APPSTORE_CERTIFICATES_PASSWORD }} APPSTORE_PROVISIONING_PROFILE_BASE64: ${{ secrets.APPSTORE_PROVISIONING_PROFILE_BASE64 }} run: | set -euo pipefail : "${APPSTORE_CERTIFICATES_FILE_BASE64:?APPSTORE_CERTIFICATES_FILE_BASE64 secret is required}" : "${APPSTORE_CERTIFICATES_PASSWORD:?APPSTORE_CERTIFICATES_PASSWORD secret is required}" : "${APPSTORE_PROVISIONING_PROFILE_BASE64:?APPSTORE_PROVISIONING_PROFILE_BASE64 secret is required}" keychain_password="$(uuidgen)" previous_default_keychain="$(security default-keychain -d user | sed 's/[ "]//g' || true)" if [[ "${previous_default_keychain}" == *"/${SIGNING_KEYCHAIN}"* || ! -e "${previous_default_keychain}" ]]; then previous_default_keychain="" fi developer_dir="$(xcode-select -p)" signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")" mkdir -p "${HOME}/Library/Keychains" keychain_name="${HOME}/Library/Keychains/login.keychain" certificate_path="${signing_dir}/appstore-signing.p12" wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer" profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision" profile_plist="${signing_dir}/profile.plist" old_profile_dir="${HOME}/Library/MobileDevice/Provisioning Profiles" xcode_profile_dir="${HOME}/Library/Developer/Xcode/UserData/Provisioning Profiles" mkdir -p "${old_profile_dir}" "${xcode_profile_dir}" printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > "${certificate_path}" printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${profile_path}" curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o "${wwdr_certificate_path}" openssl smime -inform DER -verify -noverify -in "${profile_path}" -out "${profile_plist}" >/dev/null profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print UUID' "${profile_plist}")" profile_name="$(/usr/libexec/PlistBuddy -c 'Print Name' "${profile_plist}")" old_profile_path="${old_profile_dir}/${profile_uuid}.mobileprovision" xcode_profile_path="${xcode_profile_dir}/${profile_uuid}.mobileprovision" old_named_profile_path="${old_profile_dir}/Sybil_AppStore_CI.mobileprovision" xcode_named_profile_path="${xcode_profile_dir}/Sybil_AppStore_CI.mobileprovision" cp "${profile_path}" "${old_profile_path}" cp "${profile_path}" "${xcode_profile_path}" cp "${profile_path}" "${old_named_profile_path}" cp "${profile_path}" "${xcode_named_profile_path}" base_keychains=() while IFS= read -r existing_keychain; do [[ -z "${existing_keychain}" ]] && continue [[ "${existing_keychain}" == *"/${SIGNING_KEYCHAIN}"* ]] && continue [[ ! -e "${existing_keychain}" ]] && continue base_keychains+=("${existing_keychain}") done < <(security list-keychains -d user | sed 's/[ "]//g') security delete-keychain "${keychain_name}" >/dev/null 2>&1 || true rm -f "${HOME}/Library/Keychains/${keychain_name}-db" security create-keychain -p "${keychain_password}" "${keychain_name}" security set-keychain-settings -lut 21600 "${keychain_name}" security unlock-keychain -p "${keychain_password}" "${keychain_name}" security import "${wwdr_certificate_path}" \ -k "${keychain_name}" \ -T /usr/bin/codesign \ -T /usr/bin/security \ -T /usr/bin/xcodebuild security import "${certificate_path}" \ -k "${keychain_name}" \ -P "${APPSTORE_CERTIFICATES_PASSWORD}" \ -T /usr/bin/codesign \ -T /usr/bin/security \ -T /usr/bin/xcodebuild \ -T "${developer_dir}/usr/bin/xcodebuild" security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_name}" if [[ "${#base_keychains[@]}" -gt 0 ]]; then security list-keychains -d user -s "${keychain_name}" "${base_keychains[@]}" else security list-keychains -d user -s "${keychain_name}" fi security default-keychain -d user -s "${keychain_name}" keychain_path="$(security list-keychains -d user | sed 's/[ "]//g' | head -n 1)" security find-identity -v -p codesigning "${keychain_path}" security find-identity -v -p codesigning echo "Installed ${profile_name} (${profile_uuid}) provisioning profile" { echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}" echo "SYBIL_SIGNING_KEYCHAIN_NAME=${keychain_name}" echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}" echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}" echo "SYBIL_PROVISIONING_PROFILE_UUID=${profile_uuid}" echo "SYBIL_SIGNING_DIR=${signing_dir}" echo "SYBIL_OLD_PROFILE_PATH=${old_profile_path}" echo "SYBIL_XCODE_PROFILE_PATH=${xcode_profile_path}" echo "SYBIL_OLD_NAMED_PROFILE_PATH=${old_named_profile_path}" echo "SYBIL_XCODE_NAMED_PROFILE_PATH=${xcode_named_profile_path}" } >> "${GITHUB_ENV}" - name: Build and upload to TestFlight working-directory: ios env: APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }} APP_STORE_CONNECT_API_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_ISSUER_ID }} APP_STORE_CONNECT_API_KEY_CONTENT: ${{ secrets.APP_STORE_CONNECT_API_KEY_CONTENT }} APP_STORE_CONNECT_API_KEY_CONTENT_BASE64: "true" FASTLANE_DONT_STORE_PASSWORD: "1" FASTLANE_HIDE_CHANGELOG: "1" FASTLANE_SKIP_UPDATE_CHECK: "1" SYBIL_PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI run: | set -euo pipefail security unlock-keychain -p "${SYBIL_SIGNING_KEYCHAIN_PASSWORD}" "${SYBIL_SIGNING_KEYCHAIN_PATH}" security list-keychains -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains -d user | sed 's/[ "]//g') security default-keychain -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" security find-identity -v -p codesigning "${SYBIL_SIGNING_KEYCHAIN_PATH}" security find-identity -v -p codesigning SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta - name: Locate IPA run: | set -euo pipefail ipa_path="$(find ios/build/fastlane -maxdepth 1 -type f -name '*.ipa' -print | sort | tail -n 1)" if [[ -z "${ipa_path}" ]]; then echo "No IPA found under ios/build/fastlane" >&2 exit 1 fi { echo "IPA_PATH=${ipa_path}" echo "IPA_NAME=$(basename "${ipa_path}")" } >> "${GITHUB_ENV}" - name: Publish Gitea release asset env: GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} RELEASE_API_URL: ${{ github.api_url }} RELEASE_REPOSITORY: ${{ github.repository }} RELEASE_SHA: ${{ github.sha }} run: | set -euo pipefail : "${GITEA_TOKEN:?GITEA_TOKEN is required}" api_url="${RELEASE_API_URL:-https://code.buzzert.dev/api/v1}" repository="${RELEASE_REPOSITORY:-buzzert/Sybil-2}" sha="${RELEASE_SHA:-${GITHUB_SHA:-}}" release_name="Sybil v${RELEASE_VERSION}" release_body="Automated TestFlight release for ${TAG_NAME}." release_payload="$(jq -nc \ --arg tag "${TAG_NAME}" \ --arg name "${release_name}" \ --arg body "${release_body}" \ --arg target "${sha}" \ '{tag_name: $tag, name: $name, body: $body, draft: false, prerelease: false} + (if $target == "" then {} else {target_commitish: $target} end)')" response_file="$(mktemp)" status="$(curl -sS -o "${response_file}" -w "%{http_code}" \ -X POST "${api_url}/repos/${repository}/releases" \ -H "Authorization: token ${GITEA_TOKEN}" \ -H "Content-Type: application/json" \ --data "${release_payload}")" if [[ "${status}" == "201" ]]; then release_id="$(jq -r '.id' "${response_file}")" elif [[ "${status}" == "409" ]]; then release_id="$(curl -fsS \ -H "Authorization: token ${GITEA_TOKEN}" \ "${api_url}/repos/${repository}/releases?limit=100" | jq -r --arg tag "${TAG_NAME}" '.[] | select(.tag_name == $tag) | .id' | head -n 1)" else cat "${response_file}" >&2 exit 1 fi if [[ -z "${release_id}" || "${release_id}" == "null" ]]; then echo "Could not resolve Gitea release id for ${TAG_NAME}" >&2 exit 1 fi existing_asset_id="$(curl -fsS \ -H "Authorization: token ${GITEA_TOKEN}" \ "${api_url}/repos/${repository}/releases/${release_id}/assets" | jq -r --arg name "${IPA_NAME}" '.[] | select(.name == $name) | .id' | head -n 1)" if [[ -n "${existing_asset_id}" && "${existing_asset_id}" != "null" ]]; then curl -fsS -X DELETE \ -H "Authorization: token ${GITEA_TOKEN}" \ "${api_url}/repos/${repository}/releases/${release_id}/assets/${existing_asset_id}" fi asset_name="$(jq -rn --arg value "${IPA_NAME}" '$value | @uri')" curl -fsS -X POST \ -H "Authorization: token ${GITEA_TOKEN}" \ -F "attachment=@${IPA_PATH}" \ "${api_url}/repos/${repository}/releases/${release_id}/assets?name=${asset_name}" >/dev/null echo "Published ${IPA_NAME} to ${release_name}" - name: Clean up temporary keychain if: always() run: | if [[ -n "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN:-}" ]]; then security default-keychain -d user -s "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN}" || true fi rm -f \ "${SYBIL_OLD_PROFILE_PATH:-}" \ "${SYBIL_XCODE_PROFILE_PATH:-}" \ "${SYBIL_OLD_NAMED_PROFILE_PATH:-}" \ "${SYBIL_XCODE_NAMED_PROFILE_PATH:-}" security delete-keychain "${SYBIL_SIGNING_KEYCHAIN_PATH:-${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db}" || true rm -f "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-"*.keychain-db rm -rf "${SYBIL_SIGNING_DIR:-}"