* chore(security): add gitleaks config allowlisting vendored/test fixtures
Suppress false positives so `gitleaks detect` is clean:
- third_party/* (cargokit ships a public binary-verification key)
- workspace_management_unit_test.dart (obfuscated "token" fixture)
- gatewayruntime/runtime_test.go (hardcoded "device-1" test key pair)
Real leaked secrets are purged from history, not allowlisted.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* chore(security): remove historical secret fixtures
* chore(release): bump build metadata for 1.1.5+2
* chore(release): bump version to 1.1.5+2
* chore(release): bump build metadata for 1.1.5+2
---------
Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>
* ci(release): add TestFlight release matrix
* chore(release): bump version to 1.1.5+2
* chore(release): bump build metadata for 1.1.5+2
* ci(release): add TestFlight release matrix
---------
Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>
* ci(release): load Vault secrets per-platform in build matrix
The build matrix loaded all 17 signing secrets in one shared block for
every platform. vault-action's ignoreNotFound only suppresses path-level
404s, not field-level "No match data" errors, so a single missing field
(e.g. APPLE_MAC_PROVISION_PROFILE_BASE64) failed every leg — including
linux/windows/android that need no Apple secrets.
Split the load into per-OS-family steps gated by matrix.platform:
- Apple (macos/ios): Apple cert + provisioning + keychain + export method
- Windows: WINDOWS_PFX_* + codesign subject
- Android: ANDROID_KEYSTORE_* + key alias/password
Linux requests nothing.
Also drop APP_STORE_CONNECT_* from the build matrix: only
testflight_upload.sh consumes them and it runs in the release job, which
loads them itself. The build matrix no longer depends on them.
Add shell: bash to the Export step (its `{ … } >> $GITHUB_ENV` brace
syntax is bash-only and would fail under the default pwsh on windows).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Co-authored-by: Haitao Pan <haitao.pan@xworkmate.ai>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>
#!/usr/bin/env bash
# Upload a TestFlight artifact with `xcrun altool`.
#
# Usage: testflight_upload.sh <platform> <artifact_root>
#   platform       ios (uploads a .ipa) or macos (uploads a .pkg)
#   artifact_root  directory searched for the artifact
#
# Required environment (App Store Connect API key):
#   APP_STORE_CONNECT_API_KEY_ID
#   APP_STORE_CONNECT_ISSUER_ID
#   APP_STORE_CONNECT_API_KEY_P8_BASE64
#
# Every precondition failure is reported on stderr and exits with status 1.
set -euo pipefail

platform="${1:?platform is required}"
artifact_root="${2:?artifact root is required}"

required_vars=(
  APP_STORE_CONNECT_API_KEY_ID
  APP_STORE_CONNECT_ISSUER_ID
  APP_STORE_CONNECT_API_KEY_P8_BASE64
)

# Collect every missing secret before failing so one CI run reports them all.
missing=()
for required in "${required_vars[@]}"; do
  # ${!name:-} is an indirect expansion that stays quiet under set -u.
  [[ -n "${!required:-}" ]] || missing+=("$required")
done
if (( ${#missing[@]} > 0 )); then
  printf '%s\n' "Missing App Store Connect secrets: ${missing[*]}" >&2
  exit 1
fi

# altool ships with Xcode's command-line tools; without xcrun nothing below can run.
if ! command -v xcrun >/dev/null 2>&1; then
  printf '%s\n' "xcrun is required to upload TestFlight artifacts." >&2
  exit 1
fi
#######################################
# Decode base64 from stdin to stdout.
# base64 builds that advertise --decode in their help text get that flag;
# anything else (older macOS) falls back to -D. The probe reads the help
# text instead of guessing from the OS name.
# Returns: the exit status of the base64 decode.
#######################################
apple_decode_base64() {
  local help_text
  # `--help` may itself exit non-zero on some builds; only the text matters.
  help_text="$(base64 --help 2>&1 || true)"
  case "$help_text" in
    *--decode*) base64 --decode ;;
    *) base64 -D ;;
  esac
}
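# All key material lives under a fresh mktemp directory that is removed on
# every exit path, so the decoded .p8 never outlives this step.
tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-testflight.XXXXXX")"
cleanup() {
  # ${tmp_dir:?} refuses to run rm -rf against an empty path.
  rm -rf -- "${tmp_dir:?}"
}
trap cleanup EXIT

# The key ID becomes part of a filename; refuse values that could escape
# private_keys_dir or break the AuthKey_<id>.p8 name the upload relies on.
if [[ "$APP_STORE_CONNECT_API_KEY_ID" == */* || "$APP_STORE_CONNECT_API_KEY_ID" == *[[:space:]]* ]]; then
  echo "APP_STORE_CONNECT_API_KEY_ID contains an invalid character" >&2
  exit 1
fi

private_keys_dir="$tmp_dir/private_keys"
p8_path="$private_keys_dir/AuthKey_${APP_STORE_CONNECT_API_KEY_ID}.p8"

# umask 077 in a subshell: directory and decoded key are created owner-only
# without leaking the umask change into the rest of the script. A decode
# failure still aborts the script because the subshell inherits set -e/pipefail.
(
  umask 077
  mkdir -p "$private_keys_dir"
  printf '%s' "$APP_STORE_CONNECT_API_KEY_P8_BASE64" | apple_decode_base64 > "$p8_path"
)

# An empty/garbled secret would otherwise surface later as an opaque altool error.
if [[ ! -s "$p8_path" ]]; then
  echo "Decoded App Store Connect API key is empty; check APP_STORE_CONNECT_API_KEY_P8_BASE64" >&2
  exit 1
fi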
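# Map the platform to the artifact type it uploads; everything after this
# is platform-agnostic apart from the altool upload mode.
case "$platform" in
  ios) artifact_glob='*.ipa' ;;
  macos) artifact_glob='*.pkg' ;;
  *)
    echo "Unsupported TestFlight platform: $platform" >&2
    exit 1
    ;;
esac

# Take the first match (same choice as before) but keep counting, so an
# ambiguous artifact tree is reported instead of silently uploading whichever
# file find listed first. NUL-delimited read over a process substitution
# replaces `find | head -n 1`: with `set -o pipefail`, head closing the pipe
# early can turn a SIGPIPE'd find into a silent non-zero exit of the script.
artifact_file=""
artifact_count=0
while IFS= read -r -d '' candidate; do
  artifact_count=$((artifact_count + 1))
  if [[ -z "$artifact_file" ]]; then
    artifact_file="$candidate"
  fi
done < <(find "$artifact_root" -type f -name "$artifact_glob" -print0)

if [[ -z "$artifact_file" ]]; then
  echo "No ipa/pkg artifact found under $artifact_root" >&2
  exit 1
fi
if (( artifact_count > 1 )); then
  echo "warning: $artifact_count $artifact_glob artifacts under $artifact_root; uploading $artifact_file" >&2
fi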
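# The decoded AuthKey_<id>.p8 is found through this directory; the key
# itself is never passed on the command line, so it does not show up in
# `ps` output or step logs (key ID and issuer ID are identifiers, not secrets).
export API_PRIVATE_KEYS_DIR="$private_keys_dir"

# Build the altool invocation as an array: only the upload mode differs
# between ios (.ipa via --upload-app -f) and macos (.pkg via --upload-package),
# so the shared authentication flags are written once.
altool_args=()
if [[ "$platform" == "ios" ]]; then
  altool_args+=(--upload-app -f "$artifact_file")
else
  altool_args+=(--upload-package "$artifact_file")
fi
altool_args+=(
  --api-key "$APP_STORE_CONNECT_API_KEY_ID"
  --api-issuer "$APP_STORE_CONNECT_ISSUER_ID"
  --show-progress
)

# set -e turns a failed upload into a failed step; cleanup still runs via the EXIT trap.
xcrun altool "${altool_args[@]}"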