From 4278696559c88e0c2724ea721f23c06b47954261 Mon Sep 17 00:00:00 2001 From: Deniz Cengiz <48965855+dnzxy@users.noreply.github.com> Date: Fri, 19 Jul 2024 16:49:07 +0200 Subject: [PATCH] Fix browser build sync and alive behavior (#164) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix browser build sync and alive behavior - Added logic to extend the alive check for the existence of either `alive-main` or `alive-dev` branches. - Resolved an issue where unexpected successes were occurring when failures were expected. - Implemented a check to determine the existence of the `alive-main` and `alive-dev` branches and create them if they do not exist. - Introduced a mechanism to identify the current branch being run (either `main` or `dev`). - Based on the current branch, the corresponding alive branch (`alive-main` or `alive-dev`) will be used to check for upstream changes. - Set a new variable `ABORT_SYNC` to `true` when the current branch is neither `dev` nor `main`. - The syncing attempt will proceed based on the `ABORT_SYNC` variable status. - Ensured proper branch synchronization to prevent build inconsistencies and failures - Addresses issue LoopKit/Loop#2192 - Updates app store connect link for validation error hints to new Apple URL scheme * 💚 Security Fix Co-Authored-By: ebouchut --------- Co-authored-by: ebouchut --- .github/workflows/add_identifiers.yml | 11 +- .github/workflows/build_loop.yml | 325 ++++++++++++++----------- .github/workflows/create_certs.yml | 11 +- .github/workflows/validate_secrets.yml | 40 +-- 4 files changed, 219 insertions(+), 168 deletions(-) diff --git a/.github/workflows/add_identifiers.yml b/.github/workflows/add_identifiers.yml index aab334ab6..8ff87a55f 100644 --- a/.github/workflows/add_identifiers.yml +++ b/.github/workflows/add_identifiers.yml @@ -24,8 +24,15 @@ jobs: # Patch Fastlane Match to not print tables - name: Patch Match Tables - run: find /usr/local/lib/ruby/gems -name table_printer.rb | xargs sed -i "" "/puts(Terminal::Table.new(params))/d" - + run: | + TABLE_PRINTER_PATH=$(ruby -e 'puts Gem::Specification.find_by_name("fastlane").gem_dir')/match/lib/match/table_printer.rb + if [ -f "$TABLE_PRINTER_PATH" ]; then + sed -i "" "/puts(Terminal::Table.new(params))/d" "$TABLE_PRINTER_PATH" + else + echo "table_printer.rb not found" + exit 1 + fi + # Install project dependencies - name: Install Project Dependencies run: bundle install diff --git a/.github/workflows/build_loop.yml b/.github/workflows/build_loop.yml index dc84dbee8..254c4015f 100644 --- a/.github/workflows/build_loop.yml +++ b/.github/workflows/build_loop.yml @@ -2,26 +2,27 @@ name: 4. Build Loop run-name: Build Loop (${{ github.ref_name }}) on: workflow_dispatch: - + ## Remove the "#" sign from the beginning of the line below to get automated builds on push (code changes in your repository) #push: - + schedule: - - cron: '0 8 * * 3' # Checks for updates at 08:00 UTC every Wednesday - - cron: '0 6 1 * *' # Builds the app on the 1st of every month at 06:00 UTC + - cron: "0 8 * * 3" # Checks for updates at 08:00 UTC every Wednesday + - cron: "0 6 1 * *" # Builds the app on the 1st of every month at 06:00 UTC env: UPSTREAM_REPO: LoopKit/LoopWorkspace UPSTREAM_BRANCH: ${{ github.ref_name }} # branch on upstream repository to sync from (replace with specific branch name if needed) TARGET_BRANCH: ${{ github.ref_name }} # target branch on fork to be kept in sync, and target branch on upstream to be kept alive (replace with specific branch name if needed) - ALIVE_BRANCH: alive + ALIVE_BRANCH_MAIN: alive-main + ALIVE_BRANCH_DEV: alive-dev jobs: validate: name: Validate uses: ./.github/workflows/validate_secrets.yml secrets: inherit - + # Checks if GH_PAT holds workflow permissions # Checks for existence of alive branch; if non-existent creates it check_alive_and_permissions: @@ -32,126 +33,155 @@ jobs: contents: write outputs: WORKFLOW_PERMISSION: ${{ steps.workflow-permission.outputs.has_permission }} - + steps: - - name: Check for workflow permissions - id: workflow-permission - env: - TOKEN_TO_CHECK: ${{ secrets.GH_PAT }} - run: | - PERMISSIONS=$(curl -sS -f -I -H "Authorization: token ${{ env.TOKEN_TO_CHECK }}" https://api.github.com | grep ^x-oauth-scopes: | cut -d' ' -f2-); - - if [[ $PERMISSIONS =~ "workflow" || $PERMISSIONS == "" ]]; then - echo "GH_PAT holds workflow permissions or is fine-grained PAT." - echo "has_permission=true" >> $GITHUB_OUTPUT # Set WORKFLOW_PERMISSION to false. - else - echo "GH_PAT lacks workflow permissions." - echo "Automated build features will be skipped!" - echo "has_permission=false" >> $GITHUB_OUTPUT # Set WORKFLOW_PERMISSION to false. - fi - - - name: Check for alive branch - if: steps.workflow-permission.outputs.has_permission == 'true' - env: - GITHUB_TOKEN: ${{ secrets.GH_PAT }} - run: | - if [[ "$(gh api -H "Accept: application/vnd.github+json" /repos/${{ github.repository_owner }}/LoopWorkspace/branches | jq --raw-output 'any(.name=="alive")')" == "true" ]]; then - echo "Branch 'alive' exists." - echo "ALIVE_BRANCH_EXISTS=true" >> $GITHUB_ENV # Set ALIVE_BRANCH_EXISTS to true - else - echo "Branch 'alive' does not exist." - echo "ALIVE_BRANCH_EXISTS=false" >> $GITHUB_ENV # Set ALIVE_BRANCH_EXISTS to false - fi - - - name: Create alive branch - if: env.ALIVE_BRANCH_EXISTS == 'false' - env: - GITHUB_TOKEN: ${{ secrets.GH_PAT }} - run: | - # Get ref for LoopKit/LoopWorkspace:dev - SHA=$(curl -sS https://api.github.com/repos/${{ env.UPSTREAM_REPO }}/git/refs \ - | jq '.[] | select(.ref == "refs/heads/dev" ) | .object.sha' \ - | tr -d '"' - ); - - # Create alive branch based on LoopKit/LoopWorkspace:dev - gh api \ - --method POST \ - -H "Authorization: token $GITHUB_TOKEN" \ - -H "Accept: application/vnd.github.v3+json" \ - /repos/${{ github.repository_owner }}/LoopWorkspace/git/refs \ - -f ref='refs/heads/alive' \ - -f sha=$SHA - + - name: Check for workflow permissions + id: workflow-permission + env: + TOKEN_TO_CHECK: ${{ secrets.GH_PAT }} + run: | + PERMISSIONS=$(curl -sS -f -I -H "Authorization: token ${{ env.TOKEN_TO_CHECK }}" https://api.github.com | grep ^x-oauth-scopes: | cut -d' ' -f2-); + + if [[ $PERMISSIONS =~ "workflow" || $PERMISSIONS == "" ]]; then + echo "GH_PAT holds workflow permissions or is fine-grained PAT." + echo "has_permission=true" >> $GITHUB_OUTPUT # Set WORKFLOW_PERMISSION to false. + else + echo "GH_PAT lacks workflow permissions." + echo "Automated build features will be skipped!" + echo "has_permission=false" >> $GITHUB_OUTPUT # Set WORKFLOW_PERMISSION to false. + fi + + - name: Check for alive branches + if: steps.workflow-permission.outputs.has_permission == 'true' + env: + GITHUB_TOKEN: ${{ secrets.GH_PAT }} + run: | + if [[ $(gh api -H "Accept: application/vnd.github+json" /repos/${{ github.repository_owner }}/LoopWorkspace/branches | jq --raw-output '[.[] | select(.name == "alive-main" or .name == "alive-dev")] | length > 0') == "true" ]]; then + echo "Branches 'alive-main' or 'alive-dev' exist." + echo "ALIVE_BRANCH_EXISTS=true" >> $GITHUB_ENV + else + echo "Branches 'alive-main' and 'alive-dev' do not exist." + echo "ALIVE_BRANCH_EXISTS=false" >> $GITHUB_ENV + fi + + - name: Create alive branches + if: env.ALIVE_BRANCH_EXISTS == 'false' + env: + GITHUB_TOKEN: ${{ secrets.GH_PAT }} + run: | + # Get ref for LoopKit/LoopWorkspace:main + SHA_MAIN=$(curl -sS -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/${{ env.UPSTREAM_REPO }}/git/refs/heads/main | jq -r '.object.sha') + + # Get ref for LoopKit/LoopWorkspace:dev + SHA_DEV=$(curl -sS -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/${{ env.UPSTREAM_REPO }}/git/refs/heads/dev | jq -r '.object.sha') + + # Create alive-main branch based on LoopKit/LoopWorkspace:main + gh api \ + --method POST \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "Accept: application/vnd.github.v3+json" \ + /repos/${{ github.repository_owner }}/LoopWorkspace/git/refs \ + -f ref='refs/heads/alive-main' \ + -f sha=$SHA_MAIN + + # Create alive-dev branch based on LoopKit/LoopWorkspace:dev + gh api \ + --method POST \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "Accept: application/vnd.github.v3+json" \ + /repos/${{ github.repository_owner }}/LoopWorkspace/git/refs \ + -f ref='refs/heads/alive-dev' \ + -f sha=$SHA_DEV + # Checks for changes in upstream repository; if changes exist prompts sync for build # Performs keepalive to avoid stale fork check_latest_from_upstream: needs: [validate, check_alive_and_permissions] runs-on: ubuntu-latest name: Check upstream and keep alive - outputs: + outputs: NEW_COMMITS: ${{ steps.sync.outputs.has_new_commits }} - + ABORT_SYNC: ${{ steps.check_branch.outputs.ABORT_SYNC }} + steps: - - name: Checkout target repo - if: | - needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && - (vars.SCHEDULED_BUILD != 'false' || vars.SCHEDULED_SYNC != 'false') - uses: actions/checkout@v4 - with: - token: ${{ secrets.GH_PAT }} - ref: alive - - - name: Sync upstream changes - if: | # do not run the upstream sync action on the upstream repository - needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && - vars.SCHEDULED_SYNC != 'false' && github.repository_owner != 'LoopKit' - id: sync - uses: aormsby/Fork-Sync-With-Upstream-action@v3.4.1 - with: - target_sync_branch: ${{ env.ALIVE_BRANCH }} - shallow_since: 6 months ago - target_repo_token: ${{ secrets.GH_PAT }} - upstream_sync_branch: ${{ env.UPSTREAM_BRANCH }} - upstream_sync_repo: ${{ env.UPSTREAM_REPO }} - - # Display a sample message based on the sync output var 'has_new_commits' - - name: New commits found - if: | - needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && - vars.SCHEDULED_SYNC != 'false' && steps.sync.outputs.has_new_commits == 'true' - run: echo "New commits were found to sync." - - - name: No new commits - if: | - needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && - vars.SCHEDULED_SYNC != 'false' && steps.sync.outputs.has_new_commits == 'false' - run: echo "There were no new commits." - - - name: Show value of 'has_new_commits' - if: needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && vars.SCHEDULED_SYNC != 'false' - run: | - echo ${{ steps.sync.outputs.has_new_commits }} - echo "NEW_COMMITS=${{ steps.sync.outputs.has_new_commits }}" >> $GITHUB_OUTPUT - - # Keep repository "alive": add empty commits to ALIVE_BRANCH after "time_elapsed" days of inactivity to avoid inactivation of scheduled workflows - - name: Keep alive - if: | - needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && - (vars.SCHEDULED_BUILD != 'false' || vars.SCHEDULED_SYNC != 'false') - uses: gautamkrishnar/keepalive-workflow@v1 # using the workflow with default settings - with: - time_elapsed: 20 # Time elapsed from the previous commit to trigger a new automated commit (in days) - - - name: Show scheduled build configuration message - if: needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION != 'true' - run: | - echo "### :calendar: Scheduled Sync and Build Disabled :mobile_phone_off:" >> $GITHUB_STEP_SUMMARY - echo "You have not yet configured the scheduled sync and build for Loop's browser build." >> $GITHUB_STEP_SUMMARY - echo "Synchronizing your fork of LoopWorkspace with the upstream repository LoopKit/LoopWorkspace will be skipped." >> $GITHUB_STEP_SUMMARY - echo "If you want to enable automatic builds and updates for your Loop, please follow the instructions \ - under the following path LoopWorkspace/fastlane/testflight.md." >> $GITHUB_STEP_SUMMARY - + - name: Check if running on main or dev branch + if: | + needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && + (vars.SCHEDULED_BUILD != 'false' || vars.SCHEDULED_SYNC != 'false') + id: check_branch + run: | + if [ "${GITHUB_REF##*/}" = "main" ]; then + echo "Running on main branch" + echo "ALIVE_BRANCH=${ALIVE_BRANCH_MAIN}" >> $GITHUB_OUTPUT + echo "ABORT_SYNC=false" >> $GITHUB_OUTPUT + elif [ "${GITHUB_REF##*/}" = "dev" ]; then + echo "Running on dev branch" + echo "ALIVE_BRANCH=${ALIVE_BRANCH_DEV}" >> $GITHUB_OUTPUT + echo "ABORT_SYNC=false" >> $GITHUB_OUTPUT + else + echo "Not running on main or dev branch" + echo "ABORT_SYNC=true" >> $GITHUB_OUTPUT + fi + + - name: Checkout target repo + if: | + needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && + (vars.SCHEDULED_BUILD != 'false' || vars.SCHEDULED_SYNC != 'false') + uses: actions/checkout@v4 + with: + token: ${{ secrets.GH_PAT }} + ref: ${{ steps.check_branch.outputs.ALIVE_BRANCH }} + + - name: Sync upstream changes + if: | # do not run the upstream sync action on the upstream repository + needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && + vars.SCHEDULED_SYNC != 'false' && github.repository_owner != 'LoopKit' && steps.check_branch.outputs.ABORT_SYNC == 'false' + id: sync + uses: aormsby/Fork-Sync-With-Upstream-action@v3.4.1 + with: + target_sync_branch: ${{ steps.check_branch.outputs.ALIVE_BRANCH }} + shallow_since: 6 months ago + target_repo_token: ${{ secrets.GH_PAT }} + upstream_sync_branch: ${{ env.UPSTREAM_BRANCH }} + upstream_sync_repo: ${{ env.UPSTREAM_REPO }} + + # Display a sample message based on the sync output var 'has_new_commits' + - name: New commits found + if: | + needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && + vars.SCHEDULED_SYNC != 'false' && steps.sync.outputs.has_new_commits == 'true' + run: echo "New commits were found to sync." + + - name: No new commits + if: | + needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && + vars.SCHEDULED_SYNC != 'false' && steps.sync.outputs.has_new_commits == 'false' + run: echo "There were no new commits." + + - name: Show value of 'has_new_commits' + if: needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && vars.SCHEDULED_SYNC != 'false' && steps.check_branch.outputs.ABORT_SYNC == 'false' + run: | + echo ${{ steps.sync.outputs.has_new_commits }} + echo "NEW_COMMITS=${{ steps.sync.outputs.has_new_commits }}" >> $GITHUB_OUTPUT + + # Keep repository "alive": add empty commits to ALIVE_BRANCH after "time_elapsed" days of inactivity to avoid inactivation of scheduled workflows + - name: Keep alive + if: | + needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && + (vars.SCHEDULED_BUILD != 'false' || vars.SCHEDULED_SYNC != 'false') + uses: gautamkrishnar/keepalive-workflow@v1 # using the workflow with default settings + with: + time_elapsed: 20 # Time elapsed from the previous commit to trigger a new automated commit (in days) + + - name: Show scheduled build configuration message + if: needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION != 'true' + run: | + echo "### :calendar: Scheduled Sync and Build Disabled :mobile_phone_off:" >> $GITHUB_STEP_SUMMARY + echo "You have not yet configured the scheduled sync and build for Loop's browser build." >> $GITHUB_STEP_SUMMARY + echo "Synchronizing your fork of LoopWorkspace with the upstream repository LoopKit/LoopWorkspace will be skipped." >> $GITHUB_STEP_SUMMARY + echo "If you want to enable automatic builds and updates for your Loop, please follow the instructions \ + under the following path LoopWorkspace/fastlane/testflight.md." >> $GITHUB_STEP_SUMMARY + # Builds Loop build: name: Build @@ -159,16 +189,17 @@ jobs: runs-on: macos-14 permissions: contents: write - if: | # runs if started manually, or if sync schedule is set and enabled and scheduled on the first Saturday each month, or if sync schedule is set and enabled and new commits were found - github.event_name == 'workflow_dispatch' || - (needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && - (vars.SCHEDULED_BUILD != 'false' && github.event.schedule == '0 6 1 * *') || - (vars.SCHEDULED_SYNC != 'false' && needs.check_latest_from_upstream.outputs.NEW_COMMITS == 'true' ) - ) + if: + | # runs if started manually, or if sync schedule is set and enabled and scheduled on the first Saturday each month, or if sync schedule is set and enabled and new commits were found + github.event_name == 'workflow_dispatch' || + (needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && + (vars.SCHEDULED_BUILD != 'false' && github.event.schedule == '0 6 1 * *') || + (vars.SCHEDULED_SYNC != 'false' && needs.check_latest_from_upstream.outputs.NEW_COMMITS == 'true' ) + ) steps: - name: Select Xcode version run: "sudo xcode-select --switch /Applications/Xcode_15.4.app/Contents/Developer" - + - name: Checkout Repo for syncing if: | needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && @@ -176,12 +207,12 @@ jobs: uses: actions/checkout@v4 with: token: ${{ secrets.GH_PAT }} - ref: ${{ env.TARGET_BRANCH }} - + ref: ${{ env.TARGET_BRANCH }} + - name: Sync upstream changes if: | # do not run the upstream sync action on the upstream repository needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && - vars.SCHEDULED_SYNC != 'false' && github.repository_owner != 'LoopKit' + vars.SCHEDULED_SYNC != 'false' && github.repository_owner != 'LoopKit' && needs.check_latest_from_upstream.outputs.ABORT_SYNC == 'false' id: sync uses: aormsby/Fork-Sync-With-Upstream-action@v3.4.1 with: @@ -190,24 +221,24 @@ jobs: target_repo_token: ${{ secrets.GH_PAT }} upstream_sync_branch: ${{ env.UPSTREAM_BRANCH }} upstream_sync_repo: ${{ env.UPSTREAM_REPO }} - + # Display a sample message based on the sync output var 'has_new_commits' - name: New commits found if: | needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && - vars.SCHEDULED_SYNC != 'false' && steps.sync.outputs.has_new_commits == 'true' + vars.SCHEDULED_SYNC != 'false' && steps.sync.outputs.has_new_commits == 'true' && needs.check_latest_from_upstream.outputs.ABORT_SYNC == 'false' run: echo "New commits were found to sync." - + - name: No new commits if: | needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' && - vars.SCHEDULED_SYNC != 'false' && steps.sync.outputs.has_new_commits == 'false' + vars.SCHEDULED_SYNC != 'false' && steps.sync.outputs.has_new_commits == 'false' && needs.check_latest_from_upstream.outputs.ABORT_SYNC == 'false' run: echo "There were no new commits." - + - name: Show value of 'has_new_commits' if: | needs.check_alive_and_permissions.outputs.WORKFLOW_PERMISSION == 'true' - && vars.SCHEDULED_SYNC != 'false' + && vars.SCHEDULED_SYNC != 'false' && needs.check_latest_from_upstream.outputs.ABORT_SYNC == 'false' run: | echo ${{ steps.sync.outputs.has_new_commits }} echo "NEW_COMMITS=${{ steps.sync.outputs.has_new_commits }}" >> $GITHUB_OUTPUT @@ -218,7 +249,7 @@ jobs: token: ${{ secrets.GH_PAT }} submodules: recursive ref: ${{ env.TARGET_BRANCH }} - + # Customize Loop: Download and apply patches - name: Customize Loop run: | @@ -233,24 +264,30 @@ jobs: # Template for customizing submodule Loop (changes Loop app name to "CustomLoop") # Remove the "#" sign from the beginning of the line below to activate: #curl https://github.com/loopnlearn/Loop/commit/d206432b024279ef710df462b20bd464cd9682d4.patch | git apply --directory=Loop -v --whitespace=fix - + # Submodule LoopKit patches: # General template for customizing submodule LoopKit # Copy url from a GitHub commit or pull request and insert below, and remove the "#" sign from the beginning of the line to activate: #curl url_to_github_commit.patch | git apply --directory=LoopKit -v --whitespace=fix - + # Submodule xxxxx patches: # Add patches for customization of additional submodules by following the templates above, # and make sure to specify the submodule by setting "--directory=(submodule_name)". # Several patches may be added per submodule. # Adding comments (#) may be useful to easily tell the individual patches apart. - - + # Patch Fastlane Match to not print tables - name: Patch Match Tables - run: find /usr/local/lib/ruby/gems -name table_printer.rb | xargs sed -i "" "/puts(Terminal::Table.new(params))/d" - + run: | + TABLE_PRINTER_PATH=$(ruby -e 'puts Gem::Specification.find_by_name("fastlane").gem_dir')/match/lib/match/table_printer.rb + if [ -f "$TABLE_PRINTER_PATH" ]; then + sed -i "" "/puts(Terminal::Table.new(params))/d" "$TABLE_PRINTER_PATH" + else + echo "table_printer.rb not found" + exit 1 + fi + # Install project dependencies - name: Install Project Dependencies run: bundle install @@ -258,10 +295,10 @@ jobs: # Sync the GitHub runner clock with the Windows time server (workaround as suggested in https://github.com/actions/runner/issues/2996) - name: Sync clock run: sudo sntp -sS time.windows.com - + # Build signed Loop IPA file - name: Fastlane Build & Archive - run: bundle exec fastlane build_loop + run: bundle exec fastlane build_loop env: TEAMID: ${{ secrets.TEAMID }} GH_PAT: ${{ secrets.GH_PAT }} @@ -269,7 +306,7 @@ jobs: FASTLANE_ISSUER_ID: ${{ secrets.FASTLANE_ISSUER_ID }} FASTLANE_KEY: ${{ secrets.FASTLANE_KEY }} MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }} - + # Upload to TestFlight - name: Fastlane upload to TestFlight run: bundle exec fastlane release @@ -289,4 +326,4 @@ jobs: name: build-artifacts path: | artifacts - buildlog + buildlog \ No newline at end of file diff --git a/.github/workflows/create_certs.yml b/.github/workflows/create_certs.yml index 90bb4f75b..9c4b51722 100644 --- a/.github/workflows/create_certs.yml +++ b/.github/workflows/create_certs.yml @@ -24,8 +24,15 @@ jobs: # Patch Fastlane Match to not print tables - name: Patch Match Tables - run: find /usr/local/lib/ruby/gems -name table_printer.rb | xargs sed -i "" "/puts(Terminal::Table.new(params))/d" - + run: | + TABLE_PRINTER_PATH=$(ruby -e 'puts Gem::Specification.find_by_name("fastlane").gem_dir')/match/lib/match/table_printer.rb + if [ -f "$TABLE_PRINTER_PATH" ]; then + sed -i "" "/puts(Terminal::Table.new(params))/d" "$TABLE_PRINTER_PATH" + else + echo "table_printer.rb not found" + exit 1 + fi + # Install project dependencies - name: Install Project Dependencies run: bundle install diff --git a/.github/workflows/validate_secrets.yml b/.github/workflows/validate_secrets.yml index 5ad976a01..15562a740 100644 --- a/.github/workflows/validate_secrets.yml +++ b/.github/workflows/validate_secrets.yml @@ -16,14 +16,14 @@ jobs: id: access-token run: | # Validate Access Token - + # Ensure that gh exit codes are handled when output is piped. set -o pipefail - + # Define patterns to validate the access token (GH_PAT) and distinguish between classic and fine-grained tokens. GH_PAT_CLASSIC_PATTERN='^ghp_[a-zA-Z0-9]{36}$' GH_PAT_FINE_GRAINED_PATTERN='^github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}$' - + # Validate Access Token (GH_PAT) if [ -z "$GH_PAT" ]; then failed=true @@ -65,12 +65,12 @@ jobs: echo "has_workflow_permission=true" >> $GITHUB_OUTPUT fi fi - + # Exit unsuccessfully if secret validation failed. if [ $failed ]; then exit 2 fi - + validate-match-secrets: name: Match-Secrets needs: validate-access-token @@ -81,10 +81,10 @@ jobs: - name: Validate Match-Secrets run: | # Validate Match-Secrets - + # Ensure that gh exit codes are handled when output is piped. set -o pipefail - + # If a Match-Secrets repository does not exist, attempt to create one. if ! visibility=$(gh repo view ${{ github.repository_owner }}/Match-Secrets --json visibility | jq --raw-output '.visibility | ascii_downcase'); then echo "A '${{ github.repository_owner }}/Match-Secrets' repository could not be found using the GH_PAT secret. Attempting to create one..." @@ -103,12 +103,12 @@ jobs: else echo "Found a private '${{ github.repository_owner }}/Match-Secrets' repository to use." fi - + # Exit unsuccessfully if secret validation failed. if [ $failed ]; then exit 2 fi - + validate-fastlane-secrets: name: Fastlane needs: [validate-access-token, validate-match-secrets] @@ -124,18 +124,18 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 - + - name: Install Project Dependencies run: bundle install # Sync the GitHub runner clock with the Windows time server (workaround as suggested in https://github.com/actions/runner/issues/2996) - name: Sync clock run: sudo sntp -sS time.windows.com - + - name: Validate Fastlane Secrets run: | # Validate Fastlane Secrets - + # Validate TEAMID if [ -z "$TEAMID" ]; then failed=true @@ -147,20 +147,20 @@ jobs: failed=true echo "::error::The TEAMID secret is set but invalid. Verify that it is set correctly (only uppercase letters and numbers) and try again." fi - + # Validate MATCH_PASSWORD if [ -z "$MATCH_PASSWORD" ]; then failed=true echo "::error::The MATCH_PASSWORD secret is unset or empty. Set it and try again." fi - + # Ensure that fastlane exit codes are handled when output is piped. set -o pipefail - + # Validate FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY FASTLANE_KEY_ID_PATTERN='^[A-Z0-9]+$' FASTLANE_ISSUER_ID_PATTERN='^\{?[A-F0-9a-f]{8}-[A-F0-9a-f]{4}-[A-F0-9a-f]{4}-[A-F0-9a-f]{4}-[A-F0-9a-f]{12}\}?$' - + if [ -z "$FASTLANE_ISSUER_ID" ] || [ -z "$FASTLANE_KEY_ID" ] || [ -z "$FASTLANE_KEY" ]; then failed=true [ -z "$FASTLANE_ISSUER_ID" ] && echo "::error::The FASTLANE_ISSUER_ID secret is unset or empty. Set it and try again." @@ -168,13 +168,13 @@ jobs: [ -z "$FASTLANE_KEY" ] && echo "::error::The FASTLANE_KEY secret is unset or empty. Set it and try again." elif [ ${#FASTLANE_KEY_ID} -ne 10 ]; then failed=true - echo "::error::The FASTLANE_KEY_ID secret is set but has wrong length. Verify that you copied it correctly from the 'Keys' tab at https://appstoreconnect.apple.com/access/api and try again." + echo "::error::The FASTLANE_KEY_ID secret is set but has wrong length. Verify that you copied it correctly from the 'Keys' tab at https://appstoreconnect.apple.com/access/integrations/api and try again." elif ! [[ $FASTLANE_KEY_ID =~ $FASTLANE_KEY_ID_PATTERN ]]; then failed=true - echo "::error::The FASTLANE_KEY_ID secret is set but invalid. Verify that you copied it correctly from the 'Keys' tab at https://appstoreconnect.apple.com/access/api and try again." + echo "::error::The FASTLANE_KEY_ID secret is set but invalid. Verify that you copied it correctly from the 'Keys' tab at https://appstoreconnect.apple.com/access/integrations/api and try again." elif ! [[ $FASTLANE_ISSUER_ID =~ $FASTLANE_ISSUER_ID_PATTERN ]]; then failed=true - echo "::error::The FASTLANE_ISSUER_ID secret is set but invalid. Verify that you copied it correctly from the 'Keys' tab at https://appstoreconnect.apple.com/access/api and try again." + echo "::error::The FASTLANE_ISSUER_ID secret is set but invalid. Verify that you copied it correctly from the 'Keys' tab at https://appstoreconnect.apple.com/access/integrations/api and try again." elif ! echo "$FASTLANE_KEY" | openssl pkcs8 -nocrypt >/dev/null; then failed=true echo "::error::The FASTLANE_KEY secret is set but invalid. Verify that you copied it correctly from the API Key file (*.p8) you downloaded and try again." @@ -190,7 +190,7 @@ jobs: echo "::error::Unable to create a valid authorization token for the App Store Connect API. Verify that the FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY secrets are set correctly and try again." fi fi - + # Exit unsuccessfully if secret validation failed. if [ $failed ]; then exit 2