Automate handling of Distribution certificates and profiles #453
Test:
Test with a GitHub organization account
Test with a personal GitHub account
Test when using two GitHub accounts
Move this to a separate comment because it is a special case and somewhat confusing.
It would be interesting to know what happens when nuke_certs is run when you have more than one distribution certificate. You can test this with the FORCE_NUKE_CERTS variable.
Test when using two GitHub accounts
NOTE - this is a special case. Most users will only build from one account (each account needs a separate Distribution Certificate). This situation is why there is a Previous test of build was successful for marionbarker; so switch to loopdocs-tester account.
Test another build that does not have the updated files
Use loopdocs-tester/LoopFollow_Second with
Use FORCE_NUKE_CERTS
Return to loopdocs-tester Trio and add set FORCE_NUKE_CERTS = true as organization environment variable.
Builds now work with both usernames
Return to loopdocs-tester/LoopFollow_Second with
Return to marionbarker Trio and test the build
Return to loopdocs-tester Trio and test the build
The changes that are here are reviewed, tested and approved.
However, the fastlane/testflight.md file also needs to be modified.
I am marking this approved, in case you want the testflight.md file to be a separate PR. If you update that file for this PR, I will review again.
Will avoid halting the workflow on invalid certs during validate_secrets.yml, as this is handled in crate_certs.yml
Add grep for "Your certificate .* is not valid", but exit without error
Remove unnecessary annotation output for 'Unable to create a valid authorization token for the App Store Connect API.'
Remove misleading grep "No code signing identity found" -e "Could not install WWDR certificate" and error "No code signing identity found" or "Could not install WWDR certificate"
We got to test the workflow with an actually expired certificate before the last commit. This caused the
005339f attempts to fix this. The workflow did already and does still work in the case of manually revoking the Distribution certificate, now we need a confirmation that the latest changes also work with an actually expired certificate. I believe @MikePlante1 is a candidate for testing this soon. Please first make an attempt to build with an expired certificate using Trio dev, so that we can check the logs and confirm that the certificate is expired. Then push the Check for success by confirming
To see the incoming changes to docs, please refer to https://github.com/bjornoleh/Trio/pull/27/files, which is not yet included in the PR (but will be when everything is confirmed to be working).
My cert expired 2 days ago, so I took the opportunity to test this PR, which worked successfully: ❌ My default branch was set to the latest ❌ I duplicated by ✅ In my Trio repo, I went to ⚙️ >
Thank you @MikePlante1 for testing! This looks perfect to me! I have pushed the update to testflight.md (readme changes only, no impact on code). @marionbarker, hopefully this will be the final review! :-)
Approving, as my test with expired certificates was successful.
Sorry - my PR had a typo for testflight.md.
I will approve after this minor fix.
Reapproving after typo fix.
Minor changes - can be ignored. I would not have commented except the "Certficate" has been fixed in other repos so the diff caught my eye.
fi | ||
fi | ||
|
||
|
added white space can be removed.
@@ -207,10 +212,9 @@ You do not need to fill out the next form. That is for submitting to the app sto | |||
|
|||
## Create Building Certficates |
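Review bot: The heading `## Create Building Certficates` in this hunk misspells "Certificates". When correcting it, note that the Markdown anchor generated from the heading text changes as well, so any link pointing to `#create-building-certficates` needs updating in the same commit.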
Can we fix this typo please: Certificates not Certficates
Summary:
This pull request introduces automation for handling Distribution certificates and provisioning profiles within GitHub Actions workflows. It simplifies certificate management by detecting invalid or expired certificates and automatically creating or renewing them when needed. Additionally, it ensures a seamless process for annual certificate renewals by integrating these steps into the build process.
Key Changes:
nuke_certs job to recreate certificates if they are expired or missing.
check_and_renew_certificates lane for checking and renewing certificates programmatically.
validate_secrets, avoiding workflow interruptions for invalid certificates.
Benefits:
Notes:
ENABLE_NUKE_CERTS must be set to true in the repository or organization settings for automatic certificate recreation.
FORCE_NUKE_CERTS can be used to override default behavior and force certificate nuking when necessary.
This PR significantly improves the browser build experience by automating critical parts of the build and certificate management process.
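The gating described in the summary and in the commit message above, sketched as an added example that is not part of this PR or of the Trio workflows: a validation step that greps a build log for the invalid-certificate message, never fails on it, and only signals certificate recreation when the opt-in variable allows it. The function names, the sample log lines and the exact precedence between `ENABLE_NUKE_CERTS` and `FORCE_NUKE_CERTS` are assumptions.

```shell
#!/bin/sh
# Added example, not the Trio workflow's own code.
# Assumption: FORCE_NUKE_CERTS wins outright; otherwise an invalid
# certificate leads to recreation only if ENABLE_NUKE_CERTS is "true".

# Exit status 0 when the build log reports an invalid certificate.
cert_is_invalid() {
    grep -q 'Your certificate .* is not valid' "$1"
}

# Print the decision for one log file: nuke, needs-opt-in or ok.
# Always returns 0, so an invalid certificate is reported without
# failing the validation step.
cert_action() {
    if [ "${FORCE_NUKE_CERTS:-false}" = "true" ]; then
        echo "nuke"
    elif cert_is_invalid "$1"; then
        if [ "${ENABLE_NUKE_CERTS:-false}" = "true" ]; then
            echo "nuke"
        else
            echo "needs-opt-in"
        fi
    else
        echo "ok"
    fi
    return 0
}

# Write two constructed sample logs and print their directory.
make_sample_logs() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        "[12:00:01]: Cloning remote git repo..." \
        "[12:00:05]: Your certificate 'EXAMPLE123.cer' is not valid" \
        > "$dir/expired.log"
    printf '%s\n' \
        "[12:00:01]: Cloning remote git repo..." \
        "[12:00:05]: All required keys, certificates and profiles are installed" \
        > "$dir/valid.log"
    echo "$dir"
}

logs=$(make_sample_logs)
echo "expired certificate: $(cert_action "$logs/expired.log")"
echo "valid certificate:   $(cert_action "$logs/valid.log")"
rm -rf "$logs"
```

Keeping the destructive step behind an explicit opt-in means a log line alone can never revoke a signing certificate; the `needs-opt-in` result is the case to surface to the repository owner.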