Sybil-2/.gitea/workflows/testflight-release.yml

name: TestFlight Release

on:
  push:
    tags:
      - "release/v*.*.*"

permissions:
  contents: write

jobs:
  testflight:
    runs-on: xcode
    env:
      SIGNING_KEYCHAIN: sybil_signing_temp

    defaults:
      run:
        shell: bash

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Validate release tag
        run: |
          set -euo pipefail

          tag_name="${GITHUB_REF#refs/tags/}"
          if [[ ! "$tag_name" =~ ^release/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Release tag must match release/vN.N.N; got ${tag_name}" >&2
            exit 1
          fi

          release_version="${tag_name#release/v}"
          {
            echo "TAG_NAME=${tag_name}"
            echo "RELEASE_VERSION=${release_version}"
          } >> "${GITHUB_ENV}"

      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.3"

      - name: Install Ruby gems
        working-directory: ios
        run: bundle install

      - name: Install release tools
        run: |
          set -euo pipefail

          missing_tools=()
          for tool in xcodegen jq; do
            if ! command -v "${tool}" >/dev/null 2>&1; then
              missing_tools+=("${tool}")
            fi
          done

          if [[ "${#missing_tools[@]}" -eq 0 ]]; then
            exit 0
          fi

          if ! command -v brew >/dev/null 2>&1; then
            echo "Missing required tools: ${missing_tools[*]}; Homebrew is not available to install them" >&2
            exit 1
          fi

          brew install "${missing_tools[@]}"

      - name: Install signing secrets
        env:
          APPSTORE_CERTIFICATES_FILE_BASE64: ${{ secrets.APPSTORE_CERTIFICATES_FILE_BASE64 }}
          APPSTORE_CERTIFICATES_PASSWORD: ${{ secrets.APPSTORE_CERTIFICATES_PASSWORD }}
          APPSTORE_PROVISIONING_PROFILE_BASE64: ${{ secrets.APPSTORE_PROVISIONING_PROFILE_BASE64 }}
        run: |
          set -euo pipefail

          : "${APPSTORE_CERTIFICATES_FILE_BASE64:?APPSTORE_CERTIFICATES_FILE_BASE64 secret is required}"
          : "${APPSTORE_CERTIFICATES_PASSWORD:?APPSTORE_CERTIFICATES_PASSWORD secret is required}"
          : "${APPSTORE_PROVISIONING_PROFILE_BASE64:?APPSTORE_PROVISIONING_PROFILE_BASE64 secret is required}"

          keychain_password="$(uuidgen)"
          previous_default_keychain="$(security default-keychain -d user | sed 's/[ "]//g' || true)"
          if [[ "${previous_default_keychain}" == *"/${SIGNING_KEYCHAIN}"* || ! -e "${previous_default_keychain}" ]]; then
            previous_default_keychain=""
          fi
          developer_dir="$(xcode-select -p)"
          signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
          keychain_path="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain-db"
          certificate_path="${signing_dir}/appstore-signing.p12"
          wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
          profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
          profile_plist="${signing_dir}/profile.plist"
          old_profile_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
          xcode_profile_dir="${HOME}/Library/Developer/Xcode/UserData/Provisioning Profiles"
          mkdir -p "${HOME}/Library/Keychains" "${old_profile_dir}" "${xcode_profile_dir}"

          printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > "${certificate_path}"
          printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${profile_path}"
          curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o "${wwdr_certificate_path}"
          security cms -D -i "${profile_path}" > "${profile_plist}"
          profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print UUID' "${profile_plist}")"
          profile_name="$(/usr/libexec/PlistBuddy -c 'Print Name' "${profile_plist}")"
          old_profile_path="${old_profile_dir}/${profile_uuid}.mobileprovision"
          xcode_profile_path="${xcode_profile_dir}/${profile_uuid}.mobileprovision"
          old_named_profile_path="${old_profile_dir}/Sybil_AppStore_CI.mobileprovision"
          xcode_named_profile_path="${xcode_profile_dir}/Sybil_AppStore_CI.mobileprovision"
          cp "${profile_path}" "${old_profile_path}"
          cp "${profile_path}" "${xcode_profile_path}"
          cp "${profile_path}" "${old_named_profile_path}"
          cp "${profile_path}" "${xcode_named_profile_path}"

          base_keychains=()
          while IFS= read -r existing_keychain; do
            [[ -z "${existing_keychain}" ]] && continue
            [[ "${existing_keychain}" == *"/${SIGNING_KEYCHAIN}"* ]] && continue
            [[ ! -e "${existing_keychain}" ]] && continue
            base_keychains+=("${existing_keychain}")
          done < <(security list-keychains -d user | sed 's/[ "]//g')

          security delete-keychain "${keychain_path}" >/dev/null 2>&1 || true
          rm -f "${keychain_path}"
          security create-keychain -p "${keychain_password}" "${keychain_path}"
          security set-keychain-settings -lut 21600 "${keychain_path}"
          security unlock-keychain -p "${keychain_password}" "${keychain_path}"
          security import "${wwdr_certificate_path}" \
            -k "${keychain_path}" \
            -T /usr/bin/codesign \
            -T /usr/bin/security \
            -T /usr/bin/xcodebuild
          security import "${certificate_path}" \
            -k "${keychain_path}" \
            -P "${APPSTORE_CERTIFICATES_PASSWORD}" \
            -T /usr/bin/codesign \
            -T /usr/bin/security \
            -T /usr/bin/xcodebuild \
            -T "${developer_dir}/usr/bin/xcodebuild"
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
          security list-keychains -d user -s "${keychain_path}" "${base_keychains[@]}"
          security default-keychain -d user -s "${keychain_path}"
          security find-identity -v -p codesigning "${keychain_path}"
          security find-identity -v -p codesigning
          echo "Installed ${profile_name} (${profile_uuid}) provisioning profile"
          {
            echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
            echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
            echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
            echo "SYBIL_PROVISIONING_PROFILE_UUID=${profile_uuid}"
            echo "SYBIL_SIGNING_DIR=${signing_dir}"
            echo "SYBIL_OLD_PROFILE_PATH=${old_profile_path}"
            echo "SYBIL_XCODE_PROFILE_PATH=${xcode_profile_path}"
            echo "SYBIL_OLD_NAMED_PROFILE_PATH=${old_named_profile_path}"
            echo "SYBIL_XCODE_NAMED_PROFILE_PATH=${xcode_named_profile_path}"
          } >> "${GITHUB_ENV}"

      - name: Build and upload to TestFlight
        working-directory: ios
        env:
          APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
          APP_STORE_CONNECT_API_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_ISSUER_ID }}
          APP_STORE_CONNECT_API_KEY_CONTENT: ${{ secrets.APP_STORE_CONNECT_API_KEY_CONTENT }}
          APP_STORE_CONNECT_API_KEY_CONTENT_BASE64: "true"
          FASTLANE_DONT_STORE_PASSWORD: "1"
          FASTLANE_HIDE_CHANGELOG: "1"
          FASTLANE_SKIP_UPDATE_CHECK: "1"
          SYBIL_PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI
        run: |
          set -euo pipefail

          security unlock-keychain -p "${SYBIL_SIGNING_KEYCHAIN_PASSWORD}" "${SYBIL_SIGNING_KEYCHAIN_PATH}"
          security list-keychains -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains -d user | sed 's/[ "]//g')
          security default-keychain -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}"
          security find-identity -v -p codesigning "${SYBIL_SIGNING_KEYCHAIN_PATH}"
          security find-identity -v -p codesigning

          SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta

      - name: Locate IPA
        run: |
          set -euo pipefail

          ipa_path="$(find ios/build/fastlane -maxdepth 1 -type f -name '*.ipa' -print | sort | tail -n 1)"
          if [[ -z "${ipa_path}" ]]; then
            echo "No IPA found under ios/build/fastlane" >&2
            exit 1
          fi

          {
            echo "IPA_PATH=${ipa_path}"
            echo "IPA_NAME=$(basename "${ipa_path}")"
          } >> "${GITHUB_ENV}"

      - name: Publish Gitea release asset
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          RELEASE_API_URL: ${{ github.api_url }}
          RELEASE_REPOSITORY: ${{ github.repository }}
          RELEASE_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail

          : "${GITEA_TOKEN:?GITEA_TOKEN is required}"

          api_url="${RELEASE_API_URL:-https://code.buzzert.dev/api/v1}"
          repository="${RELEASE_REPOSITORY:-buzzert/Sybil-2}"
          sha="${RELEASE_SHA:-${GITHUB_SHA:-}}"
          release_name="Sybil v${RELEASE_VERSION}"
          release_body="Automated TestFlight release for ${TAG_NAME}."
          release_payload="$(jq -nc \
            --arg tag "${TAG_NAME}" \
            --arg name "${release_name}" \
            --arg body "${release_body}" \
            --arg target "${sha}" \
            '{tag_name: $tag, name: $name, body: $body, draft: false, prerelease: false} +
            (if $target == "" then {} else {target_commitish: $target} end)')"

          response_file="$(mktemp)"
          status="$(curl -sS -o "${response_file}" -w "%{http_code}" \
            -X POST "${api_url}/repos/${repository}/releases" \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -H "Content-Type: application/json" \
            --data "${release_payload}")"

          if [[ "${status}" == "201" ]]; then
            release_id="$(jq -r '.id' "${response_file}")"
          elif [[ "${status}" == "409" ]]; then
            release_id="$(curl -fsS \
              -H "Authorization: token ${GITEA_TOKEN}" \
              "${api_url}/repos/${repository}/releases?limit=100" |
              jq -r --arg tag "${TAG_NAME}" '.[] | select(.tag_name == $tag) | .id' |
              head -n 1)"
          else
            cat "${response_file}" >&2
            exit 1
          fi

          if [[ -z "${release_id}" || "${release_id}" == "null" ]]; then
            echo "Could not resolve Gitea release id for ${TAG_NAME}" >&2
            exit 1
          fi

          existing_asset_id="$(curl -fsS \
            -H "Authorization: token ${GITEA_TOKEN}" \
            "${api_url}/repos/${repository}/releases/${release_id}/assets" |
            jq -r --arg name "${IPA_NAME}" '.[] | select(.name == $name) | .id' |
            head -n 1)"

          if [[ -n "${existing_asset_id}" && "${existing_asset_id}" != "null" ]]; then
            curl -fsS -X DELETE \
              -H "Authorization: token ${GITEA_TOKEN}" \
              "${api_url}/repos/${repository}/releases/${release_id}/assets/${existing_asset_id}"
          fi

          asset_name="$(jq -rn --arg value "${IPA_NAME}" '$value | @uri')"
          curl -fsS -X POST \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -F "attachment=@${IPA_PATH}" \
            "${api_url}/repos/${repository}/releases/${release_id}/assets?name=${asset_name}" >/dev/null

          echo "Published ${IPA_NAME} to ${release_name}"

      - name: Clean up temporary keychain
        if: always()
        run: |
          if [[ -n "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN:-}" ]]; then
            security default-keychain -d user -s "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN}" || true
          fi
          rm -f \
            "${SYBIL_OLD_PROFILE_PATH:-}" \
            "${SYBIL_XCODE_PROFILE_PATH:-}" \
            "${SYBIL_OLD_NAMED_PROFILE_PATH:-}" \
            "${SYBIL_XCODE_NAMED_PROFILE_PATH:-}"
          security delete-keychain "${SYBIL_SIGNING_KEYCHAIN_PATH:-${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db}" || true
          rm -f "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-"*.keychain-db
          rm -rf "${SYBIL_SIGNING_DIR:-}"