feat(ci/release): wire iOS App Store signing via an Apple Distribution secret
ci / web (push) Successful in 27s
ci / docs-site (push) Successful in 31s
apple / swift (push) Successful in 1m16s
ci / rust (push) Successful in 1m25s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 6s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 4s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 5s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 5s
release / apple (push) Successful in 3m7s
deb / build-publish (push) Successful in 3m18s
docker / deploy-docs (push) Successful in 19s
rpm / build-publish (push) Successful in 4m43s
ci / web (push) Successful in 27s
ci / docs-site (push) Successful in 31s
apple / swift (push) Successful in 1m16s
ci / rust (push) Successful in 1m25s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 6s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 4s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 5s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 5s
release / apple (push) Successful in 3m7s
deb / build-publish (push) Successful in 3m18s
docker / deploy-docs (push) Successful in 19s
rpm / build-publish (push) Successful in 4m43s
Prepares the iOS/TestFlight path. The runner has the iOS 26.5 SDK but no signing identities, so import an Apple Distribution cert+key from IOS_DIST_CERT_P12_B64 / IOS_DIST_CERT_PASSWORD into the same throwaway keychain (the WWDR intermediates already fetched chain it). The iOS archive uses automatic signing (-allowProvisioningUpdates + the ASC key creates/downloads the App Store profile against the present cert, so no keychain-write that would hit the macOS -61). Re-assert the keychain on the search list like the macOS sign step. Until the secret is set the step self-skips with a warning, so it stays green. Still needs an App Store Connect app record for io.unom.punktfunk to upload. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -80,10 +80,12 @@ jobs:
|
|||||||
- name: Build PunktfunkCore.xcframework (mac + iOS)
|
- name: Build PunktfunkCore.xcframework (mac + iOS)
|
||||||
run: BUILD_IOS=1 bash scripts/build-xcframework.sh
|
run: BUILD_IOS=1 bash scripts/build-xcframework.sh
|
||||||
|
|
||||||
- name: Import Developer ID certificate (throwaway keychain)
|
- name: Import signing certificates (throwaway keychain)
|
||||||
env:
|
env:
|
||||||
P12_B64: ${{ secrets.DEVID_CERT_P12_B64 }}
|
P12_B64: ${{ secrets.DEVID_CERT_P12_B64 }}
|
||||||
P12_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
|
P12_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
|
||||||
|
IOS_P12_B64: ${{ secrets.IOS_DIST_CERT_P12_B64 }}
|
||||||
|
IOS_P12_PASSWORD: ${{ secrets.IOS_DIST_CERT_PASSWORD }}
|
||||||
run: |
|
run: |
|
||||||
KEYCHAIN="$RUNNER_TEMP/punktfunk-ci.keychain-db"
|
KEYCHAIN="$RUNNER_TEMP/punktfunk-ci.keychain-db"
|
||||||
KEYCHAIN_PASS="$(uuidgen)"
|
KEYCHAIN_PASS="$(uuidgen)"
|
||||||
@@ -108,6 +110,15 @@ jobs:
|
|||||||
security import "$RUNNER_TEMP/devid.p12" -k "$KEYCHAIN" -P "$P12_PASSWORD" \
|
security import "$RUNNER_TEMP/devid.p12" -k "$KEYCHAIN" -P "$P12_PASSWORD" \
|
||||||
-T /usr/bin/codesign -T /usr/bin/security
|
-T /usr/bin/codesign -T /usr/bin/security
|
||||||
rm -f "$RUNNER_TEMP/devid.p12"
|
rm -f "$RUNNER_TEMP/devid.p12"
|
||||||
|
# iOS App Store distribution identity (optional — imported only when the secret is
|
||||||
|
# set; the iOS/TestFlight job stays best-effort until it is). The WWDR intermediates
|
||||||
|
# fetched above also chain this Apple Distribution cert.
|
||||||
|
if [ -n "$IOS_P12_B64" ]; then
|
||||||
|
printf '%s' "$IOS_P12_B64" | base64 -d > "$RUNNER_TEMP/ios-dist.p12"
|
||||||
|
security import "$RUNNER_TEMP/ios-dist.p12" -k "$KEYCHAIN" -P "$IOS_P12_PASSWORD" \
|
||||||
|
-T /usr/bin/codesign -T /usr/bin/security
|
||||||
|
rm -f "$RUNNER_TEMP/ios-dist.p12"
|
||||||
|
fi
|
||||||
security set-key-partition-list -S apple-tool:,apple:,codesign: \
|
security set-key-partition-list -S apple-tool:,apple:,codesign: \
|
||||||
-s -k "$KEYCHAIN_PASS" "$KEYCHAIN" >/dev/null
|
-s -k "$KEYCHAIN_PASS" "$KEYCHAIN" >/dev/null
|
||||||
security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
|
security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
|
||||||
@@ -226,6 +237,16 @@ jobs:
|
|||||||
echo "::warning::iOS platform SDK not installed on this runner — skipping iOS/TestFlight."
|
echo "::warning::iOS platform SDK not installed on this runner — skipping iOS/TestFlight."
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
# App Store signing uses the Apple Distribution identity imported above from
|
||||||
|
# IOS_DIST_CERT_P12_B64. Skip cleanly until that secret exists; re-assert the
|
||||||
|
# throwaway keychain on the search list + as default so automatic signing finds it
|
||||||
|
# (the search list doesn't reliably carry across steps on this runner).
|
||||||
|
if ! security find-identity -v -p codesigning "$KEYCHAIN" | grep -q "Apple Distribution"; then
|
||||||
|
echo "::warning::no Apple Distribution identity present — set IOS_DIST_CERT_P12_B64. Skipping iOS/TestFlight."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
|
||||||
|
security default-keychain -d user -s "$KEYCHAIN"
|
||||||
DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \
|
DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \
|
||||||
-project "$PROJECT" -scheme Punktfunk-iOS \
|
-project "$PROJECT" -scheme Punktfunk-iOS \
|
||||||
-destination 'generic/platform=iOS' \
|
-destination 'generic/platform=iOS' \
|
||||||
|
|||||||
Reference in New Issue
Block a user