The release preflight used to set should_build_platform=false whenever any
Apple signing secret was unset, which silently skipped the entire macos dmg
and ios ipa lanes (build + upload gated on that flag). Result: releases only
shipped linux, windows and android artifacts even when the iOS/macOS lanes
were otherwise healthy.
Make the preflight always release the lane, but emit a ::warning:: and
annotate the skip_reason when a secret is missing. The iOS branch in
build_matrix_artifacts.sh now picks the signed vs unsigned build path based
on actual secret availability instead of should_release alone, so it falls
back to flutter build ios --no-codesign + zip Runner.app whenever a secret
is absent. package-flutter-mac-app.sh already handled the no-secret case
locally (ad-hoc codesign --sign -) and needs no change.
Behavior matrix:
  macos: secret present -> signed DMG; secret missing -> unsigned DMG
  ios:   secret present + release     -> signed IPA
         secret present + non-release -> unsigned zip
         secret missing (any)         -> unsigned zip
#!/usr/bin/env bash
# Release preflight: reports, per platform lane, whether the lane should build
# and why it might be degraded or skipped.
#
# Positional arguments:
#   $1  platform        required; the script aborts when it is absent
#   $2  should_release  optional; defaults to "false"
set -euo pipefail

# ${1:?...} makes bash print the message and exit when no platform is given.
platform=${1:?platform is required}

# NOTE(review): should_release and repo_root are assigned here but are not read
# again in the part of the script visible to this review — confirm whether they
# are still needed.
should_release=${2:-false}

# Absolute path two directory levels above the directory holding this script.
repo_root=$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)
#######################################
# Publish one key=value pair as a step output.
# Globals:   GITHUB_OUTPUT (read) - path of the output file; may be unset/empty
# Arguments: $1 - output name
#            $2 - output value
# Outputs:   appends "key=value" to $GITHUB_OUTPUT when it is non-empty,
#            otherwise prints the same line to stdout
#######################################
emit_output() {
  local key="$1" value="$2"
  local line
  printf -v line '%s=%s' "$key" "$value"

  # NOTE(review): the pair is written as a single line with no escaping, so a
  # value containing a newline would begin a new line in the output file.
  # Callers must keep values single-line.
  if [[ -z "${GITHUB_OUTPUT:-}" ]]; then
    # No output file configured (e.g. a local run): show the pair on stdout.
    printf '%s\n' "$line"
    return
  fi

  printf '%s\n' "$line" >> "$GITHUB_OUTPUT"
}
#######################################
# Record the preflight decision for the current platform and log a summary.
# Globals:   platform (read)
# Arguments: $1 - "true" when the lane should build, anything else to skip it
#            $2 - reason text; empty when there is nothing to report
# Outputs:   emits the should_build_platform and skip_reason outputs through
#            emit_output, then writes one summary line to stdout
#######################################
set_build_state() {
  local should_build="$1"
  local reason="$2"
  local summary

  emit_output "should_build_platform" "$should_build"
  emit_output "skip_reason" "$reason"

  # skip_reason is emitted even when the lane builds; in that case a non-empty
  # reason is reported as a warning rather than as a skip.
  if [[ "$should_build" != "true" ]]; then
    summary="Skipping $platform lane: $reason"
  elif [[ -z "$reason" ]]; then
    summary="Preflight passed for $platform."
  else
    summary="Preflight passed for $platform with warning: $reason"
  fi

  echo "$summary"
}
#######################################
# Emit a GitHub Actions warning annotation saying the lane will build without
# Apple signing secrets.
# Globals:   platform (read)
# Arguments: $1 - space-separated names of the unset secret variables
# Outputs:   one "::warning::" workflow-command line on stdout
#######################################
warn_unsigned_build() {
  local missing="$1"
  # Only the variable names are passed in and printed; secret values are never
  # part of the message.
  local headline="::warning::$platform build will run without Apple signing secrets (missing: $missing)."
  local advice="Output artifacts will be unsigned/ad-hoc. Configure the Apple signing secrets to enable signed packaging."

  echo "$headline $advice"
}
# Per-platform preflight. Every supported lane is released for building; the
# Apple lanes additionally report which signing secrets are unset.
case "$platform" in
  linux | windows | android)
    # No prerequisites are checked for these lanes.
    set_build_state "true" ""
    ;;

  macos | ios)
    # Names of the environment variables that must be non-empty for signing.
    # The iOS lane needs a provisioning profile on top of the macOS set.
    required_vars=(APPLE_CERT_P12_BASE64 APPLE_CERT_PASSWORD)
    if [[ "$platform" == "ios" ]]; then
      required_vars+=(APPLE_PROVISION_PROFILE_BASE64)
    fi
    required_vars+=(APPLE_KEYCHAIN_PASSWORD)

    # Collect names only; ${!var_name:-} reads each variable indirectly and
    # treats unset the same as empty. The values themselves are never logged.
    missing=()
    for var_name in "${required_vars[@]}"; do
      [[ -n "${!var_name:-}" ]] || missing+=("$var_name")
    done

    if (( ${#missing[@]} == 0 )); then
      set_build_state "true" ""
    else
      # NOTE(review): a missing secret degrades the lane to unsigned output
      # instead of stopping it, and should_release is not consulted here. The
      # check is presence-only: a non-empty value is not verified to be a
      # usable certificate or profile. Confirm that the downstream build and
      # upload steps label or gate unsigned artifacts as intended.
      warn_unsigned_build "${missing[*]}"
      if [[ "$platform" == "macos" ]]; then
        set_build_state "true" "missing macOS signing secrets: ${missing[*]}; will produce unsigned DMG"
      else
        set_build_state "true" "missing iOS signing secrets: ${missing[*]}; will produce unsigned app bundle"
      fi
      exit 0
    fi
    ;;

  *)
    # Unknown lane names are a hard failure rather than a silent skip.
    echo "Unsupported platform: $platform" >&2
    exit 1
    ;;
esac