Add check_certs.yml and associated Fastfile changes to check and re…

…voke certificates if less than 30 days to expiry. Launch `create_certs.yml`if certs are revoked. Commenting out cert.revoke! for testing.
bjornoleh · Jan 7, 2025 · f33c006 · f33c006
1 parent 28c190b
commit f33c006
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 2 deletions.
diff --git a/.github/workflows/check_certs.yml b/.github/workflows/check_certs.yml
@@ -0,0 +1,31 @@
+name: Check Certificates
+run-name: Check Certificates (${{ github.ref_name }})
+
+on:
+  workflow_dispatch:
+
+jobs:
+  check_certs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.1'
+
+      - name: Install dependencies
+        run: bundle install
+
+      - name: Check and Revoke Certificates
+        env:
+          FASTLANE_USER: ${{ secrets.APPLE_ID }}
+          FASTLANE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+        run: fastlane check_and_revoke_certificates
+
+  trigger_create_certs:
+    needs: check_certs
+    if: env.cert_revoked == 'true'
+    uses: ./.github/workflows/create_certs.yml
diff --git a/.github/workflows/create_certs.yml b/.github/workflows/create_certs.yml
@@ -1,7 +1,6 @@
 name: 3. Create Certificates
 run-name: Create Certificates (${{ github.ref_name }})
-on:
-  workflow_dispatch:
+on: [workflow_call, workflow_dispatch]
 
 jobs:
   validate:

diff --git a/fastlane/Fastfile b/fastlane/Fastfile
@@ -323,4 +323,38 @@ platform :ios do
       UI.success("Certificates renewed successfully.")
     end
   end
+
+  lane :check_and_revoke_certificates do
+    require 'spaceship'
+
+    Spaceship::Portal.login(ENV['FASTLANE_USER'], ENV['FASTLANE_PASSWORD'])
+
+    revoked = false
+
+    # Fetch all certificates
+    certificates = Spaceship::Portal.certificate.all
+
+    # Filter for Production/Distribution certificates
+    distribution_certs = certificates.select { |cert| cert.kind_of?(Spaceship::Portal::Certificate::Production) }
+
+    # Check for expiration
+    distribution_certs.each do |cert|
+      expiration_date = cert.expires
+      puts "Checking Distribution Certificate: #{cert.id}, Expiration: #{expiration_date}"
+
+      if expiration_date < Time.now + 30 * 24 * 60 * 60 # Less than 30 days to expiry
+        puts "Certificate #{cert.id} is expiring soon or already expired. Revoking..."
+        #cert.revoke!
+        revoked = true
+      end
+    end
+
+    if revoked
+      puts "Certificates were revoked. Triggering workflow to recreate them."
+      Actions.sh("echo 'cert_revoked=true' >> $GITHUB_ENV") # Set GitHub Actions environment variable
+    else
+      puts "All certificates are valid. No action required."
+      Actions.sh("echo 'cert_revoked=false' >> $GITHUB_ENV") # Set GitHub Actions environment variable
+    end
+  end
 end