Sybil-2/.gitea/workflows/testflight-release.yml

name: TestFlight Release

on:
  push:
    tags:
      - "release/v*.*.*"

permissions:
  contents: write

jobs:
  testflight:
    runs-on: xcode
    env:
      SIGNING_KEYCHAIN: sybil_signing_temp

    defaults:
      run:
        shell: bash

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Validate release tag
        run: |
          set -euo pipefail

          tag_name="${GITHUB_REF#refs/tags/}"
          if [[ ! "$tag_name" =~ ^release/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Release tag must match release/vN.N.N; got ${tag_name}" >&2
            exit 1
          fi

          release_version="${tag_name#release/v}"
          {
            echo "TAG_NAME=${tag_name}"
            echo "RELEASE_VERSION=${release_version}"
          } >> "${GITHUB_ENV}"

      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.3"

      - name: Install Ruby gems
        working-directory: ios
        run: bundle install

      - name: Install release tools
        run: |
          set -euo pipefail

          missing_tools=()
          for tool in xcodegen jq; do
            if ! command -v "${tool}" >/dev/null 2>&1; then
              missing_tools+=("${tool}")
            fi
          done

          if [[ "${#missing_tools[@]}" -eq 0 ]]; then
            exit 0
          fi

          if ! command -v brew >/dev/null 2>&1; then
            echo "Missing required tools: ${missing_tools[*]}; Homebrew is not available to install them" >&2
            exit 1
          fi

          brew install "${missing_tools[@]}"

      - name: Install signing secrets
        env:
          APPSTORE_CERTIFICATES_FILE_BASE64: ${{ secrets.APPSTORE_CERTIFICATES_FILE_BASE64 }}
          APPSTORE_CERTIFICATES_PASSWORD: ${{ secrets.APPSTORE_CERTIFICATES_PASSWORD }}
          APPSTORE_PROVISIONING_PROFILE_BASE64: ${{ secrets.APPSTORE_PROVISIONING_PROFILE_BASE64 }}
        run: |
          set -euo pipefail

          : "${APPSTORE_CERTIFICATES_FILE_BASE64:?APPSTORE_CERTIFICATES_FILE_BASE64 secret is required}"
          : "${APPSTORE_CERTIFICATES_PASSWORD:?APPSTORE_CERTIFICATES_PASSWORD secret is required}"
          : "${APPSTORE_PROVISIONING_PROFILE_BASE64:?APPSTORE_PROVISIONING_PROFILE_BASE64 secret is required}"

          keychain_password="$(uuidgen)"
          keychain_path="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db"
          mkdir -p "${HOME}/Library/Keychains" "${HOME}/Library/MobileDevice/Provisioning Profiles" ios/build/secrets

          printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > ios/build/secrets/appstore-signing.p12
          printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${HOME}/Library/MobileDevice/Provisioning Profiles/Sybil_AppStore_CI.mobileprovision"

          security create-keychain -p "${keychain_password}" "${keychain_path}"
          security set-keychain-settings -lut 21600 "${keychain_path}"
          security unlock-keychain -p "${keychain_password}" "${keychain_path}"
          security list-keychains -d user -s "${keychain_path}" $(security list-keychains -d user | sed 's/[ "]//g')
          security import ios/build/secrets/appstore-signing.p12 \
            -k "${keychain_path}" \
            -P "${APPSTORE_CERTIFICATES_PASSWORD}" \
            -T /usr/bin/codesign \
            -T /usr/bin/security \
            -T /usr/bin/xcodebuild
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"

      - name: Build and upload to TestFlight
        working-directory: ios
        env:
          APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
          APP_STORE_CONNECT_API_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_ISSUER_ID }}
          APP_STORE_CONNECT_API_KEY_CONTENT: ${{ secrets.APP_STORE_CONNECT_API_KEY_CONTENT }}
          APP_STORE_CONNECT_API_KEY_CONTENT_BASE64: "true"
          FASTLANE_DONT_STORE_PASSWORD: "1"
          FASTLANE_HIDE_CHANGELOG: "1"
          FASTLANE_SKIP_UPDATE_CHECK: "1"
          SYBIL_PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI
        run: |
          set -euo pipefail

          SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta

      - name: Locate IPA
        run: |
          set -euo pipefail

          ipa_path="$(find ios/build/fastlane -maxdepth 1 -type f -name '*.ipa' -print | sort | tail -n 1)"
          if [[ -z "${ipa_path}" ]]; then
            echo "No IPA found under ios/build/fastlane" >&2
            exit 1
          fi

          {
            echo "IPA_PATH=${ipa_path}"
            echo "IPA_NAME=$(basename "${ipa_path}")"
          } >> "${GITHUB_ENV}"

      - name: Publish Gitea release asset
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          RELEASE_API_URL: ${{ github.api_url }}
          RELEASE_REPOSITORY: ${{ github.repository }}
          RELEASE_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail

          : "${GITEA_TOKEN:?GITEA_TOKEN is required}"

          api_url="${RELEASE_API_URL:-https://code.buzzert.dev/api/v1}"
          repository="${RELEASE_REPOSITORY:-buzzert/Sybil-2}"
          sha="${RELEASE_SHA:-${GITHUB_SHA:-}}"
          release_name="Sybil v${RELEASE_VERSION}"
          release_body="Automated TestFlight release for ${TAG_NAME}."
          release_payload="$(jq -nc \
            --arg tag "${TAG_NAME}" \
            --arg name "${release_name}" \
            --arg body "${release_body}" \
            --arg target "${sha}" \
            '{tag_name: $tag, name: $name, body: $body, draft: false, prerelease: false} +
            (if $target == "" then {} else {target_commitish: $target} end)')"

          response_file="$(mktemp)"
          status="$(curl -sS -o "${response_file}" -w "%{http_code}" \
            -X POST "${api_url}/repos/${repository}/releases" \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -H "Content-Type: application/json" \
            --data "${release_payload}")"

          if [[ "${status}" == "201" ]]; then
            release_id="$(jq -r '.id' "${response_file}")"
          elif [[ "${status}" == "409" ]]; then
            release_id="$(curl -fsS \
              -H "Authorization: token ${GITEA_TOKEN}" \
              "${api_url}/repos/${repository}/releases?limit=100" |
              jq -r --arg tag "${TAG_NAME}" '.[] | select(.tag_name == $tag) | .id' |
              head -n 1)"
          else
            cat "${response_file}" >&2
            exit 1
          fi

          if [[ -z "${release_id}" || "${release_id}" == "null" ]]; then
            echo "Could not resolve Gitea release id for ${TAG_NAME}" >&2
            exit 1
          fi

          existing_asset_id="$(curl -fsS \
            -H "Authorization: token ${GITEA_TOKEN}" \
            "${api_url}/repos/${repository}/releases/${release_id}/assets" |
            jq -r --arg name "${IPA_NAME}" '.[] | select(.name == $name) | .id' |
            head -n 1)"

          if [[ -n "${existing_asset_id}" && "${existing_asset_id}" != "null" ]]; then
            curl -fsS -X DELETE \
              -H "Authorization: token ${GITEA_TOKEN}" \
              "${api_url}/repos/${repository}/releases/${release_id}/assets/${existing_asset_id}"
          fi

          asset_name="$(jq -rn --arg value "${IPA_NAME}" '$value | @uri')"
          curl -fsS -X POST \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -F "attachment=@${IPA_PATH}" \
            "${api_url}/repos/${repository}/releases/${release_id}/assets?name=${asset_name}" >/dev/null

          echo "Published ${IPA_NAME} to ${release_name}"

      - name: Clean up temporary keychain
        if: always()
        run: |
          security delete-keychain "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db" || true