Create Certificates (check_and_renew_certs_v2) #22
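# Create or renew the Apple distribution certificate and TestFlight profiles
# with Fastlane. Callable from other workflows (workflow_call) or started by
# hand (workflow_dispatch). A renewal that revokes the existing certificates
# only runs when the repository variable ENABLE_NUKE_CERTS is 'true' (or when
# FORCE_NUKE_CERTS is 'true'); see the nuke_certs job below.
name: "3. Create Certificates"
run-name: Create Certificates (${{ github.ref_name }})

on: [workflow_call, workflow_dispatch]  # yamllint disable-line rule:truthy

# GitHub/git work in this workflow is done with the GH_PAT secret (exported as
# GH_TOKEN below), so the automatic GITHUB_TOKEN only needs to read the repo.
permissions:
  contents: read

# Exported to every step of check_certs and nuke_certs. Workflow-level env is
# not handed to the reusable workflow called by the validate job; that job
# receives the secrets through `secrets: inherit` instead.
env:
  TEAMID: ${{ secrets.TEAMID }}
  GH_PAT: ${{ secrets.GH_PAT }}
  GH_TOKEN: ${{ secrets.GH_PAT }}
  MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
  FASTLANE_KEY_ID: ${{ secrets.FASTLANE_KEY_ID }}
  FASTLANE_ISSUER_ID: ${{ secrets.FASTLANE_ISSUER_ID }}
  FASTLANE_KEY: ${{ secrets.FASTLANE_KEY }}

jobs:
  # Fail fast when a required secret is missing (reusable workflow).
  validate:
    name: Validate
    uses: ./.github/workflows/validate_secrets.yml
    secrets: inherit

  # Inspect the current certificate/profile state and decide whether a
  # destructive renewal is required. Publishes new_certificate_needed
  # ('true'/'false') for the nuke_certs job.
  check_certs:
    needs: validate
    runs-on: macos-14
    outputs:
      new_certificate_needed: ${{ steps.set_output.outputs.new_certificate_needed }}
    steps:
      # Uncomment to manually select latest Xcode if needed
      # - name: Select Latest Xcode
      #   run: "sudo xcode-select --switch /Applications/Xcode_13.0.app/Contents/Developer"

      # Checks-out the repo
      - name: Checkout Repo
        uses: actions/checkout@v4

      # Patch Fastlane Match to not print tables.
      # NOTE: this edits the installed gem in place on the runner, so it is
      # tied to the gem path and source line as shipped with that image.
      - name: Patch Match Tables
        run: find /usr/local/lib/ruby/gems -name table_printer.rb | xargs sed -i "" "/puts(Terminal::Table.new(params))/d"

      # Install project dependencies
      - name: Install Project Dependencies
        run: bundle install

      # Create or update provisioning profiles
      - name: Check certificate and profiles
        run: |
          echo "Running Fastlane certs lane..."
          bundle exec fastlane certs || true # ignore and continue on errors without annotating an exit code

      - name: Check Distribution Certificate and create or renew if needed
        run: bundle exec fastlane check_and_renew_certificates
        id: check_certs

      # The lane above is expected to write fastlane/new_certificate_needed.txt
      # containing 'true' or 'false' (missing file is treated as 'false').
      # Repository variables are passed in through the step env rather than
      # expanded inline into the script, so their values are only ever read as
      # data by the shell and the script stays byte-identical across runs.
      - name: Set output based on Fastlane result
        id: set_output
        env:
          CERT_STATUS_FILE: ${{ github.workspace }}/fastlane/new_certificate_needed.txt
          ENABLE_NUKE_CERTS: ${{ vars.ENABLE_NUKE_CERTS }}
          FORCE_NUKE_CERTS: ${{ vars.FORCE_NUKE_CERTS }}
        run: |
          if [ -f "$CERT_STATUS_FILE" ]; then
            CERT_STATUS=$(tr -d '\r\n' < "$CERT_STATUS_FILE") # Read file content and strip newlines
            echo "new_certificate_needed: $CERT_STATUS"
          else
            echo "Certificate status file not found. Defaulting to false."
            CERT_STATUS=false
          fi
          echo "new_certificate_needed=$CERT_STATUS" >> "$GITHUB_OUTPUT"
          # Forced nuking overrides every other check; warn loudly so the
          # revocation does not come as a surprise in the run log.
          # (The original compared the literal text 'vars.FORCE_NUKE_CERTS',
          # so this warning could never fire.)
          if [ "$FORCE_NUKE_CERTS" = "true" ]; then
            echo "::warning::‼️ Nuking of certificates was forced because the repository variable FORCE_NUKE_CERTS is set to 'true'."
          fi
          # Certs are valid but automated renewal is disabled: informational only
          if [ "$CERT_STATUS" != "true" ] && [ "$ENABLE_NUKE_CERTS" != "true" ]; then
            echo "::notice::🔔 Automated renewal of certificates is disabled because the repository variable ENABLE_NUKE_CERTS is not set to 'true'."
          fi
          # Certs are invalid and automated renewal is disabled: fail the job.
          # Skipped when FORCE_NUKE_CERTS is 'true', because a failed job here
          # would prevent nuke_certs from running even though the force flag
          # is meant to always nuke.
          if [ "$CERT_STATUS" = "true" ] && [ "$ENABLE_NUKE_CERTS" != "true" ] && [ "$FORCE_NUKE_CERTS" != "true" ]; then
            echo "::error::❌ No valid distribution certificate found. Automated renewal of certificates was skipped because the repository variable ENABLE_NUKE_CERTS is not set to 'true'."
            exit 1
          fi

  # Revoke and recreate certificates and profiles. Runs when check_certs
  # reported that a new certificate is needed and ENABLE_NUKE_CERTS is 'true',
  # or unconditionally when FORCE_NUKE_CERTS is 'true'.
  nuke_certs:
    needs: [validate, check_certs]
    runs-on: macos-14
    if: ${{ (needs.check_certs.outputs.new_certificate_needed == 'true' && vars.ENABLE_NUKE_CERTS == 'true') || vars.FORCE_NUKE_CERTS == 'true' }}
    steps:
      # Log the decision input; passed via env so the job output is never
      # spliced into shell syntax.
      - name: Output from Check_certs
        env:
          NEW_CERTIFICATE_NEEDED: ${{ needs.check_certs.outputs.new_certificate_needed }}
        run: echo "new_certificate_needed=$NEW_CERTIFICATE_NEEDED"

      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install dependencies
        run: bundle install

      # Destructive: revokes the existing distribution certificates/profiles.
      - name: Run Fastlane nuke_certs
        run: |
          set -e
          bundle exec fastlane nuke_certs

      - name: Recreate Distribution certificate after nuking
        run: |
          set -e
          bundle exec fastlane certs

      - name: Add success annotations for nuke and certificate recreation
        if: ${{ success() }}
        run: |
          echo "::warning::⚠️ All Distribution certificates and TestFlight profiles have been revoked and recreated."
          echo "::warning::❗️ If you have other apps being distributed by GitHub Actions / Fastlane / TestFlight that does not renew certificates automatically, please run the '3. Create Certificates' workflow for each of these apps to allow these apps to be built."
          echo "::warning::✅ But don't worry about your existing TestFlight builds, they will keep working!"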