Check Certificates (force_false) #106

Workflow file for this run

.github/workflows/check_certs.yml at 3eb5fe1

	name: Check Certificates
	run-name: Check Certificates (${{ github.ref_name }})

	on: [workflow_call, workflow_dispatch]

	env:
	TEAMID: ${{ secrets.TEAMID }}
	GH_PAT: ${{ secrets.GH_PAT }}
	GH_TOKEN: ${{ secrets.GH_PAT }}
	MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
	FASTLANE_KEY_ID: ${{ secrets.FASTLANE_KEY_ID }}
	FASTLANE_ISSUER_ID: ${{ secrets.FASTLANE_ISSUER_ID }}
	FASTLANE_KEY: ${{ secrets.FASTLANE_KEY }}

	jobs:
	validate:
	name: Validate
	uses: ./.github/workflows/validate_secrets.yml
	secrets: inherit

	check_certs:
	needs: validate
	runs-on: macos-14
	outputs:
	new_certificate_needed: ${{ steps.set_output.outputs.new_certificate_needed }}

	steps:
	# Uncomment to manually select latest Xcode if needed
	#- name: Select Latest Xcode
	# run: "sudo xcode-select --switch /Applications/Xcode_13.0.app/Contents/Developer"

	# Checks-out the repo
	- name: Checkout Repo
	uses: actions/checkout@v4

	# Patch Fastlane Match to not print tables
	- name: Patch Match Tables
	run: find /usr/local/lib/ruby/gems -name table_printer.rb \| xargs sed -i "" "/puts(Terminal::Table.new(params))/d"

	# Install project dependencies
	- name: Install Project Dependencies
	run: bundle install

	# Create or update provisioning profiles
	- name: Check certificate and profiles
	run: \|
	echo "Running Fastlane certs lane..."
	bundle exec fastlane certs --verbose 2>&1 \| tee output.log

	# Check Fastlane output for Certificate
	if grep -q -E "Your certificate .* is valid" output.log; then
	echo "::notice title=Distribution Certificate::Your Distribution certificate is valid"

	elif grep -q "Couldn't find a valid code signing identity for distribution... creating one for you now" output.log; then
	echo "::notice title=Distribution Certificate::Couldn't find a valid Distribution certificate, creating one for you now."
	fi

	# Check Fastlane output for Profiles
	if grep -q "No existing profiles found, that match the certificates you have installed locally! Creating a new provisioning profile for you" output.log; then
	echo "::notice title=Provisioning Profiles::No existing profiles found, creating new provisioning profiles for you."

	elif grep -q "Updated appstore and platform ios" output.log; then
	echo "::notice title=Provisioning Profiles::Profiles have been successfully updated."

	elif grep -q "(stored in your storage) is not available on the Developer Portal" output.log; then
	echo "::notice title=Provisioning Profiles::The certificate in your Match-Secrets repository is not available on the Developer Portal"
	fi


	- name: Check Distribution Certificate and create or renew if needed
	run: bundle exec fastlane check_and_renew_certificates
	id: check_certs

	- name: Set output based on Fastlane result
	id: set_output
	run: \|
	CERT_STATUS_FILE="${{ github.workspace }}/fastlane/new_certificate_needed.txt"
	ENABLE_NUKE_CERTS=${{ vars.ENABLE_NUKE_CERTS }}

	if [ -f "$CERT_STATUS_FILE" ]; then
	CERT_STATUS=$(cat "$CERT_STATUS_FILE" \| tr -d '\n' \| tr -d '\r') # Read file content and strip newlines
	echo "new_certificate_needed: $CERT_STATUS"
	echo "new_certificate_needed=$CERT_STATUS" >> $GITHUB_OUTPUT
	else
	echo "Certificate status file not found. Defaulting to false."
	echo "new_certificate_needed=false" >> $GITHUB_OUTPUT
	fi

	# Check if ENABLE_NUKE_CERTS is not set to true when certs are valid
	if [ "$CERT_STATUS" != "true" ] && [ "$ENABLE_NUKE_CERTS" != "true" ]; then
	echo "::notice::🔔 Automated renewal of certificates is disabled because the repository variable ENABLE_NUKE_CERTS is not set to 'true'."
	fi

	# Check if ENABLE_NUKE_CERTS is not set to true when certs are not valid
	if [ "$CERT_STATUS" = "true" ] && [ "$ENABLE_NUKE_CERTS" != "true" ]; then
	echo "::error::❌ No valid distribution certificate found. Automated renewal of certificates was skipped because the repository variable ENABLE_NUKE_CERTS is not set to 'true'."
	exit 1
	fi

	# Check if vars.FORCE_NUKE_CERTS is not set to true
	if [ vars.FORCE_NUKE_CERTS = "true" ]; then
	echo "::warning::‼️ Nuking of certificates was forced because the repository variable FORCE_NUKE_CERTS is set to 'true'."
	fi

	# Nuke Certs if needed, and if the repository variable ENABLE_NUKE_CERTS is set to 'true', or if FORCE_NUKE_CERTS is set to 'true', which will always force certs to be nuked
	nuke_certs:
	needs: [validate, check_certs]
	runs-on: macos-14
	if: ${{ (needs.check_certs.outputs.new_certificate_needed == 'true' && vars.ENABLE_NUKE_CERTS == 'true') \|\| vars.FORCE_NUKE_CERTS == 'true' }}
	steps:
	- name: Output from Check_certs
	run: echo "new_certificate_needed=${{ needs.check_certs.outputs.new_certificate_needed }}"

	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Install dependencies
	run: bundle install

	- name: Run Fastlane nuke_certs
	run: \|
	set -e
	bundle exec fastlane nuke_certs

	- name: Add warning annotations for nuke_certs
	if: ${{ success() }}
	run: \|
	echo "::warning::⚠️⚠️⚠️ All Distribution certificates and TestFlight profiles have been revoked."

	- name: Recreate Distribution certificate after nuking
	run: \|
	set -e
	bundle exec fastlane certs

	- name: Add success annotations for certificate recreation
	if: ${{ success() }}
	run: \|
	echo "::warning::⚠️⚠️⚠️ Certificates have been recreated successfully."
	echo "::warning::❗️❗️❗️ If you have other apps being distributed by GitHub Actions / Fastlane / TestFlight that does not renew certificates automatically, please run the '3. Create Certificates' workflow for each of these apps to allow these apps to be built."
	echo "::warning::✅✅✅ But don't worry about your existing TestFlight builds, they will keep working!"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Check Certificates (force_false) #106

Workflow file

Check Certificates (force_false) #106

Jobs

Run details

Workflow file for this run