Skip to content

iOS code signing maintenance #5

iOS code signing maintenance

iOS code signing maintenance #5

# This workflow's job is to delete code signing files for all of the iOS apps we have in the company.
# There are some scenarios when you might need to delete all code signing files and start over:
# 1. Code signing certificate is expired or about to expire. For certificates, you need to delete *all* code signing files and re-create all new files for all apps.
# 2. Your company's Apple developer account is messy and has many un-used code signing files in it. By deleting all code signing files and re-creating them, it's a clean start.
name: iOS code signing maintenance
on:
workflow_dispatch: # allow running this manually if you encounter major code signing files and it's easiest to just start over.
schedule: # automatically run this workflow periodically to delete code signing files before they expire. Allows us to prepare for expiration.
- cron: '0 0 1 */6 *' # Run at midnight on Jan 1st and July 1st - https://cron.help/#0_0_1_*/6_*
# Secrets required on github repository to run this workflow.
# View CI_SETUP.md doc on how to find the values for these secrets.
env:
GOOGLE_CLOUD_MATCH_WRITE_SERVICE_ACCOUNT_B64: ${{ secrets.GOOGLE_CLOUD_MATCH_WRITE_SERVICE_ACCOUNT_B64 }}
APP_STORE_CONNECT_API_KEY_CONTENT_B64: ${{ secrets.APP_STORE_CONNECT_API_KEY_CONTENT_B64 }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFY_WEBHOOK_URL }}
jobs:
delete_code_signing_certificates:
name: Delete iOS code signing certificates to prepare for them expiring soon
runs-on: macos-latest
steps:
- uses: actions/checkout@v4
- name: Install Fastlane (via ruby and Bundler) used for managing code signing files
uses: ruby/setup-ruby@v1
with:
ruby-version: '3.0'
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
- name: Delete code signing files for all iOS apps
run: bundle exec fastlane delete_all_code_signing_files
- name: Create code signing files for all iOS apps since they got deleted
run: bundle exec fastlane create_all_code_signing_files
# Note: In future, we can send a request to each of the mobile SDKs in the org to have them all re-create code signing files for each iOS app in the SDK code base. This fully automated the re-creating of code signing files for us.
# Creating of code signing files via CI server on SDK code bases is not yet done. Once it is, we can add that feature.
- name: Notify team about schedule maintenance
uses: slackapi/[email protected]
with:
# Use block kit for format of the JSON payloads: https://app.slack.com/block-kit-builder
payload: |
{
"text": "Maintenance success notice",
"username": "Code signing maintenance bot",
"icon_url": "https://emojiguide.org/images/emoji/1/8z8e40kucdd1.png",
"channel": "#squad-mobile",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "🟩 Attention: 🟩\n\nAs part of scheduled iOS code signing maintenance, all of the code signing certificates for all of the iOS apps in the company have been deleted and re-created. Code signing certificates expire and periodically need to be re-created.\n\nYou will need to download the new code signing files to your computer if you want to compile an iOS app on your development machine. Read documentation to learn more about development code signing: https://github.com/customerio/apple-code-signing"
}
}
]
}
env:
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
- name: Notify team deleting certificates failed. Fix issue so we can get certificates deleted before expiring.
uses: slackapi/[email protected]
if: ${{ failure() }} # only run this if any previous step failed
with:
# Use block kit for format of the JSON payloads: https://app.slack.com/block-kit-builder
payload: |
{
"text": "Maintenance error notice",
"username": "Code signing maintenance bot",
"icon_url": "https://emojiguide.org/images/emoji/1/8z8e40kucdd1.png",
"channel": "#squad-mobile",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "🟥 Attention 🟥:\n\nAs part of iOS code signing maintenance, *I attempted but failed* to re-create the code signing certificates for all of the iOS apps in the company. This was planned as code signing certificates expire and periodically need to be deleted.\n\nIt's suggested you fix this failure before the code signing certificates expire and iOS app builds fail. View CI server logs and documentation in the code signing project to learn more: https://github.com/customerio/apple-code-signing"
}
}
]
}
env:
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK