ci: wire macOS profile from Vault
parent
2ab7aa684d
commit
de5ead0be4
9
.github/workflows/build-and-release.yml
vendored
9
.github/workflows/build-and-release.yml
vendored
@ -217,6 +217,7 @@ jobs:
|
|||||||
echo "APPLE_CERT_P12_BASE64=${{ steps.vault_apple.outputs.APPLE_CERT_P12_BASE64 }}"
|
echo "APPLE_CERT_P12_BASE64=${{ steps.vault_apple.outputs.APPLE_CERT_P12_BASE64 }}"
|
||||||
echo "APPLE_CERT_PASSWORD=${{ steps.vault_apple.outputs.APPLE_CERT_PASSWORD }}"
|
echo "APPLE_CERT_PASSWORD=${{ steps.vault_apple.outputs.APPLE_CERT_PASSWORD }}"
|
||||||
echo "APPLE_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_PROVISION_PROFILE_BASE64 }}"
|
echo "APPLE_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_PROVISION_PROFILE_BASE64 }}"
|
||||||
|
echo "APPLE_MAC_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_MAC_PROVISION_PROFILE_BASE64 }}"
|
||||||
echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault_apple.outputs.APPLE_KEYCHAIN_PASSWORD }}"
|
echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault_apple.outputs.APPLE_KEYCHAIN_PASSWORD }}"
|
||||||
echo "APPLE_EXPORT_METHOD=${{ steps.vault_apple.outputs.APPLE_EXPORT_METHOD }}"
|
echo "APPLE_EXPORT_METHOD=${{ steps.vault_apple.outputs.APPLE_EXPORT_METHOD }}"
|
||||||
echo "WINDOWS_PFX_BASE64=${{ steps.vault_windows.outputs.WINDOWS_PFX_BASE64 }}"
|
echo "WINDOWS_PFX_BASE64=${{ steps.vault_windows.outputs.WINDOWS_PFX_BASE64 }}"
|
||||||
@ -347,10 +348,6 @@ jobs:
|
|||||||
jwtGithubAudience: vault
|
jwtGithubAudience: vault
|
||||||
ignoreNotFound: true
|
ignoreNotFound: true
|
||||||
secrets: |
|
secrets: |
|
||||||
kv/data/github-actions/xworkmate-app APPLE_CERT_P12_BASE64 | APPLE_CERT_P12_BASE64 ;
|
|
||||||
kv/data/github-actions/xworkmate-app APPLE_CERT_PASSWORD | APPLE_CERT_PASSWORD ;
|
|
||||||
kv/data/github-actions/xworkmate-app APPLE_MAC_PROVISION_PROFILE_BASE64 | APPLE_MAC_PROVISION_PROFILE_BASE64 ;
|
|
||||||
kv/data/github-actions/xworkmate-app APPLE_KEYCHAIN_PASSWORD | APPLE_KEYCHAIN_PASSWORD ;
|
|
||||||
kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_ID | APP_STORE_CONNECT_API_KEY_ID ;
|
kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_ID | APP_STORE_CONNECT_API_KEY_ID ;
|
||||||
kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_ISSUER_ID | APP_STORE_CONNECT_ISSUER_ID ;
|
kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_ISSUER_ID | APP_STORE_CONNECT_ISSUER_ID ;
|
||||||
kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_P8_BASE64 | APP_STORE_CONNECT_API_KEY_P8_BASE64
|
kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_P8_BASE64 | APP_STORE_CONNECT_API_KEY_P8_BASE64
|
||||||
@ -359,10 +356,6 @@ jobs:
|
|||||||
if: ${{ matrix.target != 'github_release' }}
|
if: ${{ matrix.target != 'github_release' }}
|
||||||
run: |
|
run: |
|
||||||
{
|
{
|
||||||
echo "APPLE_CERT_P12_BASE64=${{ steps.vault.outputs.APPLE_CERT_P12_BASE64 }}"
|
|
||||||
echo "APPLE_CERT_PASSWORD=${{ steps.vault.outputs.APPLE_CERT_PASSWORD }}"
|
|
||||||
echo "APPLE_MAC_PROVISION_PROFILE_BASE64=${{ steps.vault.outputs.APPLE_MAC_PROVISION_PROFILE_BASE64 }}"
|
|
||||||
echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault.outputs.APPLE_KEYCHAIN_PASSWORD }}"
|
|
||||||
echo "APP_STORE_CONNECT_API_KEY_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_ID }}"
|
echo "APP_STORE_CONNECT_API_KEY_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_ID }}"
|
||||||
echo "APP_STORE_CONNECT_ISSUER_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_ISSUER_ID }}"
|
echo "APP_STORE_CONNECT_ISSUER_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_ISSUER_ID }}"
|
||||||
echo "APP_STORE_CONNECT_API_KEY_P8_BASE64=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_P8_BASE64 }}"
|
echo "APP_STORE_CONNECT_API_KEY_P8_BASE64=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_P8_BASE64 }}"
|
||||||
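Review bot: The added `echo "APPLE_MAC_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_MAC_PROVISION_PROFILE_BASE64 }}"` line, like its neighbours, has the Actions expression expanded into the script text before the shell runs, so a value containing a quote, `$(` or a newline would change the command or add extra `NAME=value` lines to the file the block is redirected to (the redirection is outside the hunk, presumably `$GITHUB_ENV`). Passing the output through the step's `env:` map and writing `echo "APPLE_MAC_PROVISION_PROFILE_BASE64=$APPLE_MAC_PROVISION_PROFILE_BASE64"` keeps the value out of the script source. If the target is the job environment, every later step in the job, including third-party actions, can read the profile and certificate material; handing it only to the signing step's `env:` would narrow that. The enclosing steps start and end outside the hunks.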
|
|||||||
@ -687,7 +687,7 @@
|
|||||||
338D0CEB231458BD00FA5F75 /* Profile */ = {
|
338D0CEB231458BD00FA5F75 /* Profile */ = {
|
||||||
isa = XCBuildConfiguration;
|
isa = XCBuildConfiguration;
|
||||||
buildSettings = {
|
buildSettings = {
|
||||||
CODE_SIGN_STYLE = Manual;
|
CODE_SIGN_STYLE = Automatic;
|
||||||
MACOSX_DEPLOYMENT_TARGET = 14.0;
|
MACOSX_DEPLOYMENT_TARGET = 14.0;
|
||||||
PRODUCT_NAME = "$(TARGET_NAME)";
|
PRODUCT_NAME = "$(TARGET_NAME)";
|
||||||
};
|
};
|
||||||
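Review bot: `CODE_SIGN_STYLE = Automatic;` is changed here only in the `Profile` build configuration, while the archive step on this page builds with `-configuration Release`, so it is not clear from the hunk that the setting reaches the release archive; the Release configuration is outside the visible lines. With automatic signing Xcode chooses the certificate and profile itself, so the Vault-supplied profile that the script validates for platform, bundle id and team is no longer necessarily the one the build is signed with. If the validated profile is meant to be authoritative, keeping `CODE_SIGN_STYLE = Manual;` and pointing the build at that profile by name would keep the check binding. The commit description would benefit from one sentence saying which configurations are expected to sign automatically.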
|
|||||||
@ -82,3 +82,47 @@ apple_install_provision_profile() {
|
|||||||
export APPLE_SIGNING_PROFILE_PATH="$profile_path"
|
export APPLE_SIGNING_PROFILE_PATH="$profile_path"
|
||||||
apple_register_cleanup "rm -f \"$profile_path\""
|
apple_register_cleanup "rm -f \"$profile_path\""
|
||||||
}
|
}
|
||||||
|
|
||||||
|
apple_install_base64_provision_profile() {
|
||||||
|
local source_var="${1:?base64 source variable is required}"
|
||||||
|
local expected_bundle_id="${2:-}"
|
||||||
|
|
||||||
|
apple_require_signing_vars "$source_var"
|
||||||
|
|
||||||
|
local tmp_dir
|
||||||
|
tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-profile.XXXXXX")"
|
||||||
|
local tmp_profile="$tmp_dir/profile.provisionprofile"
|
||||||
|
local profile_plist="$tmp_dir/profile.plist"
|
||||||
|
apple_register_cleanup "rm -rf \"$tmp_dir\""
|
||||||
|
|
||||||
|
printf '%s' "${!source_var}" | apple_decode_base64 > "$tmp_profile"
|
||||||
|
security cms -D -i "$tmp_profile" > "$profile_plist"
|
||||||
|
|
||||||
|
local profile_uuid profile_name profile_team profile_app_id profile_platform
|
||||||
|
profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print :UUID' "$profile_plist")"
|
||||||
|
profile_name="$(/usr/libexec/PlistBuddy -c 'Print :Name' "$profile_plist")"
|
||||||
|
profile_team="$(/usr/libexec/PlistBuddy -c 'Print :TeamIdentifier:0' "$profile_plist")"
|
||||||
|
profile_app_id="$(/usr/libexec/PlistBuddy -c 'Print :Entitlements:com.apple.application-identifier' "$profile_plist")"
|
||||||
|
profile_platform="$(/usr/libexec/PlistBuddy -c 'Print :Platform:0' "$profile_plist")"
|
||||||
|
|
||||||
|
if [[ "$profile_platform" != "OSX" ]]; then
|
||||||
|
echo "Provisioning profile '$profile_name' targets '$profile_platform', expected 'OSX'." >&2
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
if [[ -n "$expected_bundle_id" && "$profile_app_id" != "$profile_team.$expected_bundle_id" ]]; then
|
||||||
|
echo "Provisioning profile '$profile_name' has app identifier '$profile_app_id', expected '$profile_team.$expected_bundle_id'." >&2
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
local profile_dir="$HOME/Library/MobileDevice/Provisioning Profiles"
|
||||||
|
local profile_path="$profile_dir/$profile_uuid.provisionprofile"
|
||||||
|
mkdir -p "$profile_dir"
|
||||||
|
mv "$tmp_profile" "$profile_path"
|
||||||
|
|
||||||
|
export APPLE_SIGNING_PROFILE_PATH="$profile_path"
|
||||||
|
export APPLE_SIGNING_PROFILE_UUID="$profile_uuid"
|
||||||
|
export APPLE_SIGNING_PROFILE_NAME="$profile_name"
|
||||||
|
export APPLE_SIGNING_PROFILE_TEAM="$profile_team"
|
||||||
|
apple_register_cleanup "rm -f \"$profile_path\""
|
||||||
|
echo "Installed macOS provisioning profile: $profile_name ($profile_uuid)"
|
||||||
|
}
|
||||||
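Review bot: `profile_uuid` is read from the decoded profile and then used unchecked to build `profile_path` and the `rm -f \"$profile_path\"` string handed to `apple_register_cleanup`; an empty value (PlistBuddy failure) or one containing `/` or shell metacharacters would yield a wrong install path and, if the cleanup helper evaluates its argument as shell text (its body is not in the hunk), a re-parsed command. A guard right after the PlistBuddy calls, `[[ "$profile_uuid" =~ ^[0-9A-Fa-f-]{36}$ ]] || { echo "Unexpected provisioning profile UUID." >&2; return 1; }`, closes both cases. The decode pipeline and `security cms -D` also have no explicit status check, so unless the sourcing script runs with `set -euo pipefail` (not visible here) a truncated secret only surfaces as empty fields; `|| return 1` on those two lines would make the failure explicit. A header comment listing the two arguments and the four `APPLE_SIGNING_PROFILE_*` variables the function exports is also missing.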
|
|||||||
@ -40,25 +40,22 @@ app_build_commit="${GIT_BUILD_COMMIT:-${BUILD_ID_LINE:-unknown}}"
|
|||||||
|
|
||||||
tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-macos-app-store.XXXXXX")"
|
tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-macos-app-store.XXXXXX")"
|
||||||
cleanup() {
|
cleanup() {
|
||||||
|
local status=$?
|
||||||
rm -rf "$tmp_dir"
|
rm -rf "$tmp_dir"
|
||||||
|
apple_run_cleanup
|
||||||
|
return "$status"
|
||||||
}
|
}
|
||||||
trap cleanup EXIT
|
trap cleanup EXIT
|
||||||
|
|
||||||
apple_setup_signing_keychain
|
apple_setup_signing_keychain
|
||||||
|
apple_install_base64_provision_profile \
|
||||||
|
APPLE_MAC_PROVISION_PROFILE_BASE64 \
|
||||||
|
plus.svc.xworkmate
|
||||||
|
|
||||||
apple_decode_base64() {
|
if [[ "$APPLE_SIGNING_PROFILE_TEAM" != "N3G9T67W78" ]]; then
|
||||||
if base64 --help 2>&1 | grep -q -- '--decode'; then
|
echo "Provisioning profile team '$APPLE_SIGNING_PROFILE_TEAM' does not match expected team 'N3G9T67W78'." >&2
|
||||||
base64 --decode
|
exit 1
|
||||||
else
|
fi
|
||||||
base64 -D
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
profile_dir="$HOME/Library/MobileDevice/Provisioning Profiles"
|
|
||||||
profile_path="$profile_dir/xworkmate-macos.mobileprovision"
|
|
||||||
mkdir -p "$profile_dir"
|
|
||||||
printf '%s' "$APPLE_MAC_PROVISION_PROFILE_BASE64" | apple_decode_base64 > "$profile_path"
|
|
||||||
apple_register_cleanup "rm -f \"$profile_path\""
|
|
||||||
|
|
||||||
mkdir -p "$DIST_DIR"
|
mkdir -p "$DIST_DIR"
|
||||||
archive_path="$tmp_dir/$APP_NAME.xcarchive"
|
archive_path="$tmp_dir/$APP_NAME.xcarchive"
|
||||||
@ -80,12 +77,15 @@ xcodebuild archive \
|
|||||||
-scheme Runner \
|
-scheme Runner \
|
||||||
-configuration Release \
|
-configuration Release \
|
||||||
-archivePath "$archive_path" \
|
-archivePath "$archive_path" \
|
||||||
|
-allowProvisioningUpdates \
|
||||||
|
-allowProvisioningDeviceRegistration \
|
||||||
DEVELOPMENT_TEAM="N3G9T67W78"
|
DEVELOPMENT_TEAM="N3G9T67W78"
|
||||||
|
|
||||||
xcodebuild -exportArchive \
|
xcodebuild -exportArchive \
|
||||||
-archivePath "$archive_path" \
|
-archivePath "$archive_path" \
|
||||||
-exportPath "$DIST_DIR" \
|
-exportPath "$DIST_DIR" \
|
||||||
-exportOptionsPlist "$export_options_path"
|
-exportOptionsPlist "$export_options_path" \
|
||||||
|
-allowProvisioningUpdates
|
||||||
|
|
||||||
if ! compgen -G "$DIST_DIR/*.pkg" >/dev/null; then
|
if ! compgen -G "$DIST_DIR/*.pkg" >/dev/null; then
|
||||||
echo "No macOS TestFlight pkg was produced under $DIST_DIR" >&2
|
echo "No macOS TestFlight pkg was produced under $DIST_DIR" >&2
|
||||||
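Review bot: Both `xcodebuild` calls now pass `-allowProvisioningUpdates`, and the archive call also `-allowProvisioningDeviceRegistration`, which lets Xcode fetch or create signing assets from the developer account instead of being limited to the profile that `apple_install_base64_provision_profile` just validated; the `APPLE_SIGNING_PROFILE_TEAM` check then guards a profile the build may not use. Device registration is not needed for an App Store/TestFlight package, so I would drop `-allowProvisioningDeviceRegistration` and, if the Vault profile is meant to be the one used, pass `PROVISIONING_PROFILE_SPECIFIER="$APPLE_SIGNING_PROFILE_NAME"` with manual signing. The team id `N3G9T67W78` appears three times in the new lines; a single `readonly EXPECTED_TEAM_ID="N3G9T67W78"` would keep the check and `DEVELOPMENT_TEAM` in step.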
|
|||||||