
Automate handling of Distribution certificates and profiles #453

Open: bjornoleh wants to merge 3 commits into base: dev

Conversation

bjornoleh
Contributor

@bjornoleh bjornoleh commented Jan 15, 2025

Summary:

This pull request introduces automation for handling Distribution certificates and provisioning profiles within GitHub Actions workflows. It simplifies certificate management by detecting invalid or expired certificates and automatically creating or renewing them when needed. Additionally, it ensures a seamless process for annual certificate renewals by integrating these steps into the build process.

Key Changes:

  1. Workflow Updates:
    • Added check_certs job to .github/workflows/build_trio.yml for verifying the validity of Distribution certificates.
    • Introduced a conditional nuke_certs job to recreate certificates if they are expired or missing.
    • Enhanced .github/workflows/create_certs.yml to handle certificate validation, renewal, and recreation automatically.
  2. Fastfile Enhancements:
    • Updated Fastfile to include a new check_and_renew_certificates lane for checking and renewing certificates programmatically.
    • Added detailed logging and output management for certificate renewal processes.
  3. Validation Workflow Improvements:
    • Modified .github/workflows/validate_secrets.yml to continue on errors in fastlane validate_secrets, avoiding workflow interruptions for invalid certificates.
    • Improved error messages and annotations for better clarity and guidance during validation.
  4. Documentation Updates:
    • Updated testflight.md with new instructions for certificate handling:
    • Explained the automation of annual certificate renewal.
    • Simplified guidance for users managing multiple GitHub usernames or organizations.
    • Removed outdated manual certificate creation steps.

Benefits:

  • Automation: Eliminates manual intervention for certificate renewal and reduces build disruptions caused by expired certificates.
  • Reliability: Ensures workflows continue to operate even when certificates are invalid, providing actionable feedback to users.
  • Scalability: Simplifies managing certificates across multiple repositories or organizations with minimal configuration.
  • Ease of Use: Documentation updates provide clear instructions for users, reducing onboarding complexity for certificate management.

Notes:

  • The variable ENABLE_NUKE_CERTS must be set to true in the repository or organization settings for automatic certificate recreation.
  • The optional variable FORCE_NUKE_CERTS can be used to override default behavior and force certificate nuking when necessary.

‼️Follow-Up Actions‼️

  • Users are encouraged to update their repository secrets and variables to align with the new workflows.
  • For those using multiple GitHub usernames, refer to the updated instructions in testflight.md for certificate handling.

This PR significantly improves the browser build experience by automating critical parts of the build and certificate management process.
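As an added example (not code from this PR or the Trio repository), here is the decision the check_certs / nuke_certs jobs described above have to make, written in Ruby because fastlane lanes are Ruby: it scans fastlane output for the two certificate messages quoted later in this thread and applies the ENABLE_NUKE_CERTS and FORCE_NUKE_CERTS variables. The function names, the sample log and the certificate name ABCDEF1234.cer are constructed for the example.

```ruby
# Added example, not code from the Trio PR: decide whether the conditional
# nuke_certs job should run, from fastlane output plus the two repository
# variables the PR description introduces.

# Messages modelled on the fastlane match output quoted in this thread.
CERT_PROBLEM_PATTERNS = {
  expired: /Your certificate '(?<cert>[^']+)' is not valid/,
  missing: /Certificate '(?<cert>[^']+)' \(stored in your storage\) is not available on the Developer Portal/
}.freeze

# GitHub Actions variables arrive as strings; only a literal "true" (any case) enables a feature.
def truthy_var?(value)
  value.to_s.strip.casecmp("true").zero?
end

# One entry per problem line: { cert: "X.cer", reason: :expired }.
def certificate_problems(log)
  log.each_line.filter_map do |line|
    reason, re = CERT_PROBLEM_PATTERNS.find { |_, regex| line.match?(regex) }
    next unless reason
    { cert: line.match(re)[:cert], reason: reason }
  end
end

# Mirrors the PR's rules:
#   FORCE_NUKE_CERTS=true          -> always nuke (the two-account case discussed below)
#   problems and ENABLE_NUKE_CERTS -> nuke and recreate
#   problems, not enabled          -> stop with a clear status instead of a failed build
#   no problems                    -> leave the certificates alone
def nuke_decision(problems, enable_nuke_certs:, force_nuke_certs:)
  return :nuke if truthy_var?(force_nuke_certs)
  return :keep if problems.empty?
  truthy_var?(enable_nuke_certs) ? :nuke : :needs_enable_nuke_certs
end

# Constructed sample of a validate_secrets run against an expired certificate.
SAMPLE_LOG = <<~LOG
  [13:49:02]: Called from Fastfile at line 250
  [13:49:02]: Your certificate 'ABCDEF1234.cer' is not valid, please check end date and renew it if necessary
LOG

problems = certificate_problems(SAMPLE_LOG)
puts "problems: #{problems.inspect}"
puts "decision: #{nuke_decision(problems, enable_nuke_certs: ENV['ENABLE_NUKE_CERTS'], force_nuke_certs: ENV['FORCE_NUKE_CERTS'])}"
```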

@marionbarker
Contributor

Test:

Test with a GitHub organization account

Test with a personal GitHub account

Test when using two GitHub accounts

Move this to a separate comment because it is a special case and somewhat confusing.

@bjornoleh
Contributor Author

It would be interesting to know what happens when nuke_certs is run when you have more than one distribution certificate. You can test this with the FORCE_NUKE_CERTS variable.

@marionbarker
Contributor

Test when using two GitHub accounts

NOTE- this is a special case. Most users will only build from one account (each account needs a separate Distribution Certificate). This situation is why there is a FORCE_NUKE_CERTS environment setting. Most people will not need to use that.

Previous test of build was successful for marionbarker; so switch to loopdocs-tester account.

Test another build that does not have the updated files

Use loopdocs-tester/LoopFollow_Second with main branch as default branch.

  • As expected build fails
  • The create certs step fails too, though, with: Certificate 'W4ZQ664Y86' (stored in your storage) is not available on the Developer Portal for the user

Use FORCE_NUKE_CERTS

Return to loopdocs-tester Trio and set FORCE_NUKE_CERTS = true as an organization environment variable.

  • Success: run Create Certificates
    • this nuked and created new
  • immediately restore FORCE_NUKE_CERTS = false

Builds now work with both usernames

Return to loopdocs-tester/LoopFollow_Second with main branch as default branch.

Return to marionbarker Trio and test the build

Return to loopdocs-tester Trio and test the build

marionbarker
marionbarker previously approved these changes Jan 15, 2025
Contributor

@marionbarker marionbarker left a comment


The changes that are here are reviewed, tested and approved.
However, the fastlane/testflight.md file also needs to be modified.

I am marking this approved, in case you want the testflight.md file to be a separate PR. If you update that file for this PR, I will review again.

Will avoid halting the workflow on invalid certs during validate_secrets.yml, as this is handled in create_certs.yml

Add grep for "Your certificate .* is not valid", but exit without error

Remove unnecessary annotation output for 'Unable to create a valid authorization token for the App Store Connect API.'

Remove misleading grep "No code signing identity found" -e "Could not install WWDR certificate" and error "No code signing identity found" or "Could not install WWDR certificate"
@bjornoleh
Contributor Author

We got to test the workflow with an actually expired certificate before the last commit. This caused the
"Validate Fastlane Secrets" step in validate_secrets.yml to exit fastlane validate_secrets with an error and stop the workflow:

[13:49:02]: Called from Fastfile at line 250
[13:49:02]: ```
[13:49:02]:     248:	    find_bundle_id("#{BUNDLE_ID}")
[13:49:02]:     249:	
[13:49:02]:  => 250:	    match(
[13:49:02]:     251:	      type: "appstore",
[13:49:02]:     252:	      git_basic_authorization: Base64.strict_encode64("#{GITHUB_REPOSITORY_OWNER}:#{GH_PAT}"),
[13:49:02]: ```

 Your certificate 'X59XX98686.cer' is not valid, please check end date and renew it if necessary

005339f attempts to fix this.

The workflow did already and does still work in the case of manually revoking the Distribution certificate, now we need a confirmation that the latest changes also work with an actually expired certificate.

I believe @MikePlante1 is a candidate for testing this soon. Please first make an attempt to build with an expired certificate using Trio dev, so that we can check the logs and confirm that the certificate is expired. Then push the certs_trio branch to your repository and run 4. Build Trio from the certs_trio branch. This will automatically include a run of validate_secrets.yml and create_certificates.yml before the build is started. Hopefully no further action is needed.

Check for success by confirming

@bjornoleh
Contributor Author

To see the incoming changes to docs, please refer to https://github.com/bjornoleh/Trio/pull/27/files, which is not yet included in the PR (but will be when everything is confirmed to be working).

@MikePlante1
Contributor

My cert expired 2 days ago, so I took the opportunity to test this PR, which worked successfully:

❌ My default branch was set to the latest dev, and I ran 4. Build Trio, which failed as expected

❌ I duplicated my dev branch, called it cert-test, merged this PR into it, set it as my default branch, ran 4. Build Trio, which failed

✅ In my Trio repo, I went to ⚙️ > Secrets and variables > Actions > Variables > New repository variable, and created a new variable with name ENABLE_NUKE_CERTS and value true. I then re-ran 4. Build Trio, which built successfully.

@bjornoleh
Contributor Author

Thank you @MikePlante1 for testing! This looks perfect to me!

I have pushed the update to testflight.md (readme changes only, no impact on code).

@marionbarker , hopefully this will be the final review! :-)

MikePlante1
MikePlante1 previously approved these changes Jan 20, 2025
Contributor

@MikePlante1 MikePlante1 left a comment


Approving, as my test with expired certificates was successful.

Contributor

@marionbarker marionbarker left a comment


Sorry - my PR had a typo for testflight.md.
I will approve after this minor fix.

fastlane/testflight.md (outdated, resolved)
Contributor

@MikePlante1 MikePlante1 left a comment


Reapproving after typo fix.

Contributor

@marionbarker marionbarker left a comment


Minor changes - can be ignored. I would not have commented except the "Certficate" has been fixed in other repos so the diff caught my eye.

fi
fi


Contributor


Added white space can be removed.

@@ -207,10 +212,9 @@ You do not need to fill out the next form. That is for submitting to the app sto

## Create Building Certficates
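Review bot: the heading "## Create Building Certficates" on the context line should read "Create Building Certificates"; since the hunk header shows this section of fastlane/testflight.md is already being edited in this change, correct the spelling here rather than leaving it for a follow-up.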
Contributor


Can we fix this typo please: Certificates not Certficates
