Automate handling of Distribution certificates and profiles#453
Conversation
Test:Test with a GitHub organization account
Test with a personal GitHub account
Test when using two GitHub accountsMove this to a separate comment because it is a special case and somewhat confusing. |
|
It would be interesting to know what happens when nuke_certs is run when you have more than one distribution certificate. You can test this with the FORCE_NUKE_CERTS variable. |
Test when using two GitHub accountsNOTE- this is a special case. Most users will only build from one account (each account needs a separate Distribution Certificate). This situation is why there is a Previous test of build was successful for marionbarker; so switch to loopdocs-tester account.
Test another build that does not have the updated filesUse loopdocs-tester/LoopFollow_Second with
Use FORCE_NUKE_CERTSReturn to loopdocs-tester Trio and add set FORCE_NUKE_CERTS = true as organization environment variable.
Builds now work with both usernamesReturn to loopdocs-tester/LoopFollow_Second with
Return to marionbarker Trio and test the build
Return to loopdocs-tester Trio and test the build
|
marionbarker
left a comment
There was a problem hiding this comment.
The changes that are here are reviewed, tested and approved.
However, the fastlane/testflight.md file also needs to be modified.
I am marking this approved, in case you want the testflight.md file to be a separate PR. If you update that file for this PR, I will review again.
Will avoid halting the workflow on invalid certs during validate_secrets.yml, as this is handled in crate_certs.yml Add grep for "Your certificate .* is not valid"', but exit without error Remove unnecessary annotation output for 'Unable to create a valid authorization token for the App Store Connect API.' Remove misleading grep "No code signing identity found" -e "Could not install WWDR certificate" and error "No code signing identity found" or "Could not install WWDR certificate"
|
We got to test the workflow with an actually expired certificate before the last commit. This caused the 005339f attempts to fix this. The workflow did already and does still work in the case of manually revoking the Distribution certificate, now we need a confirmation that the latest changes also work with an actually expired certificate. I believe @MikePlante1 is a candidate for testing this soon. Please first make an attempt to build with an expired certificate using Trio dev, so that we can check the logs and confirm that the certificate is expires. Then push the Check for success by confirming
|
|
To see the incoming changes to docs, please refer to https://github.com/bjornoleh/Trio/pull/27/files, which is not yet included in the PR (but will be when everything is confirmed to be working). |
|
My cert expired 2 days ago, so I took the opportunity to test this PR, which worked successfully: ❌ My default branch was set to the latest ❌ I duplicated by ✅ In my Trio repo, I went to ⚙️ > |
|
Thank you @MikePlante1 for testing! This looks perfect to me! I have pushed the update to testflight.md (readme changes only, no impact on code). @marionbarker , hopefully this will be the final review! :-) |
marionbarker
left a comment
There was a problem hiding this comment.
Sorry - my PR had a typo for testflight.md.
I will approve after this minor fix.
MikePlante1
left a comment
There was a problem hiding this comment.
Reapproving after typo fix.
marionbarker
left a comment
There was a problem hiding this comment.
Minor changes - can be ignored. I would not have commented except the "Certficate" has been fixed in other repos so the diff caught my eye.
- fix typo in "Certificates" - remove a whitespace in validate_secrets.yml
cc43497
|
Please give another approval after fixing the typo and whitespace as mentioned above by @marionbarker Tagging @MikePlante1 too :-) |
Summary:
This pull request introduces automation for handling Distribution certificates and provisioning profiles within GitHub Actions workflows. It simplifies certificate management by detecting invalid or expired certificates and automatically creating or renewing them when needed. Additionally, it ensures a seamless process for annual certificate renewals by integrating these steps into the build process.
Key Changes:
nuke_certsjob to recreate certificates if they are expired or missing.check_and_renew_certificateslane for checking and renewing certificates programmatically.validate_secrets, avoiding workflow interruptions for invalid certificates.Benefits:
Notes:
ENABLE_NUKE_CERTSmust be set to true in the repository or organization settings for automatic certificate recreation.FORCE_NUKE_CERTScan be used to override default behavior and force certificate nuking when necessary.This PR significantly improves the browser build experience by automating critical parts of the build and certificate management process.