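---
# Checks the App Store distribution certificate and provisioning profiles
# with Fastlane Match and, only when the repository variables allow it,
# revokes and recreates them. Runs as a reusable workflow (workflow_call)
# or by hand (workflow_dispatch).
name: Check Certificates
run-name: Check Certificates (${{ github.ref_name }})
on: [workflow_call, workflow_dispatch]

# The built-in GITHUB_TOKEN is only needed for the read-only checkout; the
# Fastlane steps authenticate with the PAT exported as GH_TOKEN below.
permissions:
  contents: read

# Credentials consumed by Fastlane Match and the App Store Connect API.
# They are exported to every step of every job in this workflow.
env:
  TEAMID: ${{ secrets.TEAMID }}
  GH_PAT: ${{ secrets.GH_PAT }}
  GH_TOKEN: ${{ secrets.GH_PAT }}
  MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
  FASTLANE_KEY_ID: ${{ secrets.FASTLANE_KEY_ID }}
  FASTLANE_ISSUER_ID: ${{ secrets.FASTLANE_ISSUER_ID }}
  FASTLANE_KEY: ${{ secrets.FASTLANE_KEY }}

jobs:
  # Fails fast when a required secret is missing; the remaining jobs
  # depend on it.
  validate:
    name: Validate
    uses: ./.github/workflows/validate_secrets.yml
    secrets: inherit

  check_certs:
    needs: validate
    runs-on: macos-14
    outputs:
      # "true" when the Fastlane lane reports that a new distribution
      # certificate is required; gates the nuke_certs job below.
      new_certificate_needed: ${{ steps.set_output.outputs.new_certificate_needed }}
    steps:
      # Uncomment to manually select latest Xcode if needed
      # - name: Select Latest Xcode
      #   run: "sudo xcode-select --switch /Applications/Xcode_13.0.app/Contents/Developer"

      # Checks-out the repo. Pinning the action to a full commit SHA instead
      # of a tag is the usual supply-chain hardening if project policy allows.
      - name: Checkout Repo
        uses: actions/checkout@v4

      # Patch Fastlane Match to not print tables
      - name: Patch Match Tables
        run: find /usr/local/lib/ruby/gems -name table_printer.rb | xargs sed -i "" "/puts(Terminal::Table.new(params))/d"

      # Install project dependencies
      - name: Install Project Dependencies
        run: bundle install

      # Create or update provisioning profiles
      - name: Check certificate and profiles
        run: |
          echo "Running Fastlane certs lane..."
          # The pipe into tee hides the lane's exit status (the default run
          # shell does not set pipefail), so a failing lane does not stop this
          # step; the greps below surface the outcomes as annotations instead
          # and the next step does the authoritative check.
          bundle exec fastlane certs --verbose 2>&1 | tee output.log
          # Check Fastlane output for Certificate
          if grep -q -E "Your certificate .* is valid" output.log; then
            echo "::notice title=Distribution Certificate::Your Distribution certificate is valid"
          elif grep -q "Couldn't find a valid code signing identity for distribution... creating one for you now" output.log; then
            echo "::notice title=Distribution Certificate::Couldn't find a valid Distribution certificate, creating one for you now."
          fi
          # Check Fastlane output for Profiles
          if grep -q "No existing profiles found, that match the certificates you have installed locally! Creating a new provisioning profile for you" output.log; then
            echo "::notice title=Provisioning Profiles::No existing profiles found, creating new provisioning profiles for you."
          elif grep -q "Updated appstore and platform ios" output.log; then
            echo "::notice title=Provisioning Profiles::Profiles have been successfully updated."
          elif grep -q "(stored in your storage) is not available on the Developer Portal" output.log; then
            echo "::notice title=Provisioning Profiles::The certificate in your Match-Secrets repository is not available on the Developer Portal"
          fi

      # The lane is expected to write fastlane/new_certificate_needed.txt,
      # which the next step reads.
      - name: Check Distribution Certificate and create or renew if needed
        id: check_certs
        run: bundle exec fastlane check_and_renew_certificates

      - name: Set output based on Fastlane result
        id: set_output
        # Repository variables are passed through env rather than interpolated
        # into the script text, so they reach bash as data, not as shell source.
        env:
          ENABLE_NUKE_CERTS: ${{ vars.ENABLE_NUKE_CERTS }}
          FORCE_NUKE_CERTS: ${{ vars.FORCE_NUKE_CERTS }}
        run: |
          CERT_STATUS_FILE="$GITHUB_WORKSPACE/fastlane/new_certificate_needed.txt"
          if [ -f "$CERT_STATUS_FILE" ]; then
            # Read file content and strip CR/LF so the comparisons below are exact.
            CERT_STATUS=$(tr -d '\r\n' < "$CERT_STATUS_FILE")
            echo "new_certificate_needed: $CERT_STATUS"
          else
            echo "Certificate status file not found. Defaulting to false."
            CERT_STATUS=false
          fi
          echo "new_certificate_needed=$CERT_STATUS" >> "$GITHUB_OUTPUT"
          # Check if ENABLE_NUKE_CERTS is not set to true when certs are valid
          if [ "$CERT_STATUS" != "true" ] && [ "$ENABLE_NUKE_CERTS" != "true" ]; then
            echo "::notice::🔔 Automated renewal of certificates is disabled because the repository variable ENABLE_NUKE_CERTS is not set to 'true'."
          fi
          # Check if ENABLE_NUKE_CERTS is not set to true when certs are not valid
          if [ "$CERT_STATUS" = "true" ] && [ "$ENABLE_NUKE_CERTS" != "true" ]; then
            echo "::error::❌ No valid distribution certificate found. Automated renewal of certificates was skipped because the repository variable ENABLE_NUKE_CERTS is not set to 'true'."
            exit 1
          fi
          # Warn when FORCE_NUKE_CERTS is set to true. This used to compare the
          # literal text "vars.FORCE_NUKE_CERTS" and therefore never fired.
          if [ "$FORCE_NUKE_CERTS" = "true" ]; then
            echo "::warning::‼️ Nuking of certificates was forced because the repository variable FORCE_NUKE_CERTS is set to 'true'."
          fi

  # Nuke Certs if needed, and if the repository variable ENABLE_NUKE_CERTS is
  # set to 'true', or if FORCE_NUKE_CERTS is set to 'true', which will always
  # force certs to be nuked.
  nuke_certs:
    needs: [validate, check_certs]
    runs-on: macos-14
    if: ${{ (needs.check_certs.outputs.new_certificate_needed == 'true' && vars.ENABLE_NUKE_CERTS == 'true') || vars.FORCE_NUKE_CERTS == 'true' }}
    steps:
      - name: Output from Check_certs
        run: echo "new_certificate_needed=${{ needs.check_certs.outputs.new_certificate_needed }}"

      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install dependencies
        run: bundle install

      # Revokes the existing distribution certificates and profiles; this is
      # destructive and is only reached through the job-level condition above.
      - name: Run Fastlane nuke_certs
        run: |
          set -e
          bundle exec fastlane nuke_certs

      - name: Add warning annotations for nuke_certs
        if: ${{ success() }}
        run: |
          echo "::warning::⚠️⚠️⚠️ All Distribution certificates and TestFlight profiles have been revoked."

      - name: Recreate Distribution certificate after nuking
        run: |
          set -e
          bundle exec fastlane certs

      - name: Add success annotations for certificate recreation
        if: ${{ success() }}
        run: |
          echo "::warning::⚠️⚠️⚠️ Certificates have been recreated successfully."
          echo "::warning::❗️❗️❗️ If you have other apps being distributed by GitHub Actions / Fastlane / TestFlight that does not renew certificates automatically, please run the '3. Create Certificates' workflow for each of these apps to allow these apps to be built."
          echo "::warning::✅✅✅ But don't worry about your existing TestFlight builds, they will keep working!"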