iOS code signing maintenance #7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow's job is to delete code signing files for all of the iOS apps we have in the company. | |
| # There are some scenarios when you might need to delete all code signing files and start over: | |
| # 1. Code signing certificate is expired or about to expire. For certificates, you need to delete *all* code signing files and re-create all new files for all apps. | |
| # 2. Your company's Apple developer account is messy and has many un-used code signing files in it. By deleting all code signing files and re-creating them, it's a clean start. | |
| name: iOS code signing maintenance | |
| on: | |
| workflow_dispatch: # allow running this manually if you encounter major code signing files and it's easiest to just start over. | |
| schedule: # automatically run this workflow periodically to delete code signing files before they expire. Allows us to prepare for expiration. | |
| - cron: '0 0 1 */6 *' # Run at midnight on Jan 1st and July 1st - https://cron.help/#0_0_1_*/6_* | |
| # Secrets required on github repository to run this workflow. | |
| # View CI_SETUP.md doc on how to find the values for these secrets. | |
| env: | |
| GOOGLE_CLOUD_MATCH_WRITE_SERVICE_ACCOUNT_B64: ${{ secrets.GOOGLE_CLOUD_MATCH_WRITE_SERVICE_ACCOUNT_B64 }} | |
| APP_STORE_CONNECT_API_KEY_CONTENT_B64: ${{ secrets.APP_STORE_CONNECT_API_KEY_CONTENT_B64 }} | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFY_WEBHOOK_URL }} | |
| jobs: | |
| delete_code_signing_certificates: | |
| name: Delete iOS code signing certificates to prepare for them expiring soon | |
| runs-on: macos-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Fastlane (via ruby and Bundler) used for managing code signing files | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: '3.0' | |
| bundler-cache: true # runs 'bundle install' and caches installed gems automatically | |
| - name: Delete code signing files for all iOS apps | |
| run: bundle exec fastlane delete_all_code_signing_files | |
| - name: Create code signing files for all iOS apps since they got deleted | |
| run: bundle exec fastlane create_all_code_signing_files | |
| # Note: In future, we can send a request to each of the mobile SDKs in the org to have them all re-create code signing files for each iOS app in the SDK code base. This fully automated the re-creating of code signing files for us. | |
| # Creating of code signing files via CI server on SDK code bases is not yet done. Once it is, we can add that feature. | |
| - name: Notify team about schedule maintenance | |
| uses: slackapi/[email protected] | |
| with: | |
| # Use block kit for format of the JSON payloads: https://app.slack.com/block-kit-builder | |
| payload: | | |
| { | |
| "text": "Maintenance success notice", | |
| "username": "Code signing maintenance bot", | |
| "icon_url": "https://emojiguide.org/images/emoji/1/8z8e40kucdd1.png", | |
| "channel": "#squad-mobile", | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "🟩 Attention: 🟩\n\nAs part of scheduled iOS code signing maintenance, all of the code signing certificates for all of the iOS apps in the company have been deleted and re-created. Code signing certificates expire and periodically need to be re-created.\n\nYou will need to download the new code signing files to your computer if you want to compile an iOS app on your development machine. Read documentation to learn more about development code signing: https://github.com/customerio/apple-code-signing" | |
| } | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
| - name: Notify team deleting certificates failed. Fix issue so we can get certificates deleted before expiring. | |
| uses: slackapi/[email protected] | |
| if: ${{ failure() }} # only run this if any previous step failed | |
| with: | |
| # Use block kit for format of the JSON payloads: https://app.slack.com/block-kit-builder | |
| payload: | | |
| { | |
| "text": "Maintenance error notice", | |
| "username": "Code signing maintenance bot", | |
| "icon_url": "https://emojiguide.org/images/emoji/1/8z8e40kucdd1.png", | |
| "channel": "#squad-mobile", | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "🟥 Attention 🟥:\n\nAs part of iOS code signing maintenance, *I attempted but failed* to re-create the code signing certificates for all of the iOS apps in the company. This was planned as code signing certificates expire and periodically need to be deleted.\n\nIt's suggested you fix this failure before the code signing certificates expire and iOS app builds fail. View CI server logs and documentation in the code signing project to learn more: https://github.com/customerio/apple-code-signing" | |
| } | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |