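# Manually dispatched release workflow: checks out the requested ref, builds a
# signed IPA with fastlane/match, and uploads it to TestFlight using Apple-ID
# (app-specific password) authentication instead of an App Store Connect key.
name: iOS Apple-ID Release (ASC JWT fallback)

on:
  workflow_dispatch:
    inputs:
      ref:
        description: 'Git ref to build (branch/tag/SHA)'
        required: true
        default: 'release/v1.3.25'

# The job's GITHUB_TOKEN is limited to reading repository contents. All other
# access comes from the repository secrets passed to individual steps below.
permissions:
  contents: read

# One run per ref at a time; a queued run waits instead of cancelling a
# release that is already in progress.
concurrency:
  group: ios-apple-id-release-${{ inputs.ref }}
  cancel-in-progress: false

jobs:
  testflight-upload:
    name: iOS TestFlight (Apple-ID auth)
    runs-on: macos-26
    # NOTE(review): the scripts and fastlane lanes that run below come from
    # whatever ref the dispatcher enters, and they run with the signing and
    # Apple-ID secrets in scope. Consider gating this job behind a protected
    # `environment:` with required reviewers.
    steps:
      # NOTE(review): pinned by tag, while setup-ruby below is pinned by full
      # commit SHA; consider pinning this action the same way. checkout also
      # leaves the job token in the local git config by default; set
      # `persist-credentials: false` if no later step needs it (confirm
      # against scripts/shell/preflight-release.sh).
      - uses: actions/checkout@v6.0.2
        with:
          ref: ${{ inputs.ref }}

      # Optional secret: the plist is written only when the secret is set.
      - name: Write GoogleService-Info.plist from secret
        env:
          GOOGLE_SERVICE_INFO_PLIST: ${{ secrets.GOOGLE_SERVICE_INFO_PLIST }}
        working-directory: native-ios
        run: |
          set -euo pipefail
          if [ -n "${GOOGLE_SERVICE_INFO_PLIST:-}" ]; then
            printf '%s' "$GOOGLE_SERVICE_INFO_PLIST" > RandomTimer/GoogleService-Info.plist
            echo "Wrote GoogleService-Info.plist"
          fi

      # Stops the run before any build work if a required secret is empty.
      # Only the secret's name is printed, never its value.
      # NOTE(review): FASTLANE_PASSWORD is required here but no later step in
      # this file consumes it; drop it from this list if it is truly unused.
      - name: Fail fast on required Apple-ID secrets
        env:
          MATCH_GIT_URL: ${{ secrets.MATCH_GIT_URL }}
          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
          MATCH_GIT_BASIC_AUTHORIZATION: ${{ secrets.MATCH_GIT_BASIC_AUTHORIZATION }}
          FASTLANE_USER: ${{ secrets.FASTLANE_USER }}
          FASTLANE_PASSWORD: ${{ secrets.FASTLANE_PASSWORD }}
          FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD: ${{ secrets.FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD }}
          ADMIN_TOKEN: ${{ secrets.ADMIN_TOKEN }}
        run: |
          set -euo pipefail
          for name in MATCH_GIT_URL MATCH_PASSWORD MATCH_GIT_BASIC_AUTHORIZATION FASTLANE_USER FASTLANE_PASSWORD FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD ADMIN_TOKEN; do
            if [ -z "${!name:-}" ]; then
              echo "::error::Missing required secret: $name"
              exit 1
            fi
          done

      - name: Preflight release checks (iOS)
        run: bash scripts/shell/preflight-release.sh --platform ios --layer 1

      - name: Setup Ruby
        uses: ruby/setup-ruby@e65c17d16e57e481586a6a5a0282698790062f92 # v1.300.0
        with:
          ruby-version: "3.3"
          bundler-cache: true
          working-directory: native-ios

      # NOTE(review): this installs whichever fastlane version is current at
      # run time, outside the bundle that bundler-cache just installed. If the
      # Gemfile in native-ios lists fastlane, prefer `bundle exec fastlane` so
      # the locked version is the one that handles the signing secrets.
      - name: Install Fastlane
        working-directory: native-ios
        run: gem install fastlane

      # Rewrites every https://github.com/ URL to carry ADMIN_TOKEN so match
      # can clone its certificates repository.
      # NOTE(review): the token is stored in plaintext in the global git
      # config and stays readable by every later step, including the build.
      # MATCH_GIT_BASIC_AUTHORIZATION is already passed to the match steps;
      # confirm whether this rewrite is still needed.
      - name: Configure git credentials for match
        env:
          GIT_AUTH_TOKEN: ${{ secrets.ADMIN_TOKEN }}
        run: |
          set -euo pipefail
          git config --global url."https://x-access-token:${GIT_AUTH_TOKEN}@github.com/".insteadOf "https://github.com/"

      - name: Setup signing assets (match readonly, no ASC JWT)
        working-directory: native-ios
        env:
          CI: "true"
          MATCH_GIT_URL: ${{ secrets.MATCH_GIT_URL }}
          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
          MATCH_GIT_BASIC_AUTHORIZATION: ${{ secrets.MATCH_GIT_BASIC_AUTHORIZATION }}
        run: fastlane setup

      # Build number is the current UTC epoch second, exposed as a step output.
      - name: Compute build number (timestamp)
        id: bn
        run: |
          set -euo pipefail
          echo "build_number=$(date -u +%s)" >> "$GITHUB_OUTPUT"

      - name: Build signed IPA (no upload)
        working-directory: native-ios
        env:
          CI: "true"
          FASTLANE_XCODEBUILD_SETTINGS_TIMEOUT: "120"
          FASTLANE_XCODEBUILD_SETTINGS_RETRIES: "6"
          FASTLANE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          MATCH_GIT_URL: ${{ secrets.MATCH_GIT_URL }}
          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
          MATCH_GIT_BASIC_AUTHORIZATION: ${{ secrets.MATCH_GIT_BASIC_AUTHORIZATION }}
          POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
          # Passed through the environment rather than expanded into the
          # script text, so the shell never parses a templated value.
          BUILD_NUMBER: ${{ steps.bn.outputs.build_number }}
        run: fastlane build_ipa build_number:"$BUILD_NUMBER"

      - name: Upload IPA to TestFlight via altool (app-specific password)
        working-directory: native-ios
        env:
          ALTOOL_USER: ${{ secrets.FASTLANE_USER }}
          ALTOOL_PASSWORD: ${{ secrets.FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD }}
        run: |
          set -euo pipefail
          if [ ! -f RandomTimer.ipa ]; then
            echo "::error::RandomTimer.ipa not found after build"
            ls -la
            exit 1
          fi
          echo "IPA size: $(du -h RandomTimer.ipa | cut -f1)"
          # "@env:NAME" makes altool read the password from the environment,
          # keeping the secret out of the process argument list.
          xcrun altool --upload-app \
            --file RandomTimer.ipa \
            --type ios \
            --username "$ALTOOL_USER" \
            --password "@env:ALTOOL_PASSWORD" \
            --verbose

      # Runs even after a failed step; the signed IPA is kept for one day and
      # a missing file only produces a warning.
      # NOTE(review): pinned by tag; consider a full commit SHA as with
      # setup-ruby above.
      - name: Upload IPA artifact
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: ios-ipa-apple-id
          path: native-ios/RandomTimer.ipa
          if-no-files-found: warn
          retention-days: 1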