From 3617009453daebdcb30df142ad4561fcadf19830 Mon Sep 17 00:00:00 2001 From: AJ Mabry <81774843+aj-bw@users.noreply.github.com> Date: Tue, 5 May 2026 14:57:33 -0400 Subject: [PATCH 1/9] test script fix to attempt to unblock builds --- Scripts/generate-mocks.sh | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/Scripts/generate-mocks.sh b/Scripts/generate-mocks.sh index c2eecf8961..f8056c530f 100755 --- a/Scripts/generate-mocks.sh +++ b/Scripts/generate-mocks.sh @@ -5,18 +5,18 @@ # # Usage: ./Scripts/generate-mocks.sh [BitwardenShared|AuthenticatorShared|BitwardenKit|AuthenticatorBridgeKit] # -# Intended to be run as an Xcode build phase script, where $BUILD_DIR and $TARGET_NAME +# Intended to be run as an Xcode build phase script, where $BUILD_ROOT and $TARGET_NAME # are already set in the environment by Xcode. When no framework argument is given, # TARGET_NAME is used to determine which framework's config to run. # -# To run standalone, supply BUILD_DIR manually: -# BUILD_DIR=$(xcodebuild -showBuildSettings \ +# To run standalone, supply BUILD_ROOT manually: +# BUILD_ROOT=$(xcodebuild -showBuildSettings \ # -workspace Bitwarden.xcworkspace -scheme Bitwarden \ # -disableAutomaticPackageResolution 2>/dev/null \ -# | awk -F ' = ' '/^ *BUILD_DIR = / { sub(/[[:space:]]+$/, "", $2); print $2; exit }') \ +# | awk -F ' = ' '/^ *BUILD_ROOT = / { sub(/[[:space:]]+$/, "", $2); print $2; exit }') \ # ./Scripts/generate-mocks.sh # -# BUILD_DIR = .../DerivedData/Bitwarden-/Build/Products +# BUILD_ROOT = .../DerivedData/Bitwarden-/Build # BITWARDEN_SDK_PATH = .../DerivedData/Bitwarden-/SourcePackages/checkouts/sdk-swift set -euo pipefail 
@@ -33,15 +33,18 @@ if [ ! -f "$CONFIG" ]; then exit 1 fi -if [ -z "${BUILD_DIR:-}" ]; then - echo "⚠️ BUILD_DIR is not set." - echo " Run this script from an Xcode build phase, or supply BUILD_DIR manually." +# BUILD_ROOT is always /Build regardless of build type. BUILD_DIR changes +# structure during `xcodebuild archive` (deeper into ArchiveIntermediates), so deriving +# the DerivedData root from BUILD_DIR produces the wrong path for archive builds. +if [ -z "${BUILD_ROOT:-}" ]; then + echo "⚠️ BUILD_ROOT is not set." + echo " Run this script from an Xcode build phase, or supply BUILD_ROOT manually." echo " See the script header for instructions." exit 1 fi export BITWARDEN_SDK_PATH -BITWARDEN_SDK_PATH="$(dirname "$(dirname "$BUILD_DIR")")/SourcePackages/checkouts/sdk-swift" +BITWARDEN_SDK_PATH="$(dirname "$BUILD_ROOT")/SourcePackages/checkouts/sdk-swift" echo "BITWARDEN_SDK_PATH: $BITWARDEN_SDK_PATH" mint run sourcery --config "$CONFIG" From 9cb281c5f40fb3e4ab1eeadd65c5c9b883890c60 Mon Sep 17 00:00:00 2001 From: AJ Mabry <81774843+aj-bw@users.noreply.github.com> Date: Tue, 5 May 2026 20:55:06 -0400 Subject: [PATCH 2/9] second pass at script fix --- Scripts/generate-mocks.sh | 37 +++++++++++++++++++++++++------------ 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/Scripts/generate-mocks.sh b/Scripts/generate-mocks.sh index f8056c530f..5f246f0d9d 100755 --- a/Scripts/generate-mocks.sh +++ b/Scripts/generate-mocks.sh 
@@ -5,18 +5,19 @@ # # Usage: ./Scripts/generate-mocks.sh [BitwardenShared|AuthenticatorShared|BitwardenKit|AuthenticatorBridgeKit] # -# Intended to be run as an Xcode build phase script, where $BUILD_ROOT and $TARGET_NAME +# Intended to be run as an Xcode build phase script, where $BUILD_DIR and $TARGET_NAME # are already set in the environment by Xcode. When no framework argument is given, # TARGET_NAME is used to determine which framework's config to run. # -# To run standalone, supply BUILD_ROOT manually: -# BUILD_ROOT=$(xcodebuild -showBuildSettings \ +# To run standalone, supply BUILD_DIR manually: +# BUILD_DIR=$(xcodebuild -showBuildSettings \ # -workspace Bitwarden.xcworkspace -scheme Bitwarden \ # -disableAutomaticPackageResolution 2>/dev/null \ -# | awk -F ' = ' '/^ *BUILD_ROOT = / { sub(/[[:space:]]+$/, "", $2); print $2; exit }') \ +# | awk -F ' = ' '/^ *BUILD_DIR = / { sub(/[[:space:]]+$/, "", $2); print $2; exit }') \ # ./Scripts/generate-mocks.sh # -# BUILD_ROOT = .../DerivedData/Bitwarden-/Build +# BUILD_DIR = .../DerivedData/Bitwarden-/Build/Products (regular) +# = .../DerivedData/Bitwarden-/Build/Intermediates.noindex/ArchiveIntermediates/... (archive) # BITWARDEN_SDK_PATH = .../DerivedData/Bitwarden-/SourcePackages/checkouts/sdk-swift set -euo pipefail 
@@ -33,18 +34,30 @@ if [ ! -f "$CONFIG" ]; then exit 1 fi -# BUILD_ROOT is always /Build regardless of build type. BUILD_DIR changes -# structure during `xcodebuild archive` (deeper into ArchiveIntermediates), so deriving -# the DerivedData root from BUILD_DIR produces the wrong path for archive builds. -if [ -z "${BUILD_ROOT:-}" ]; then - echo "⚠️ BUILD_ROOT is not set." - echo " Run this script from an Xcode build phase, or supply BUILD_ROOT manually." +if [ -z "${BUILD_DIR:-}" ]; then + echo "⚠️ BUILD_DIR is not set." + echo " Run this script from an Xcode build phase, or supply BUILD_DIR manually." echo " See the script header for instructions." exit 1 fi +# BUILD_DIR nests at different depths for regular builds vs xcodebuild archive, so +# walk up the directory tree until we find the DerivedData root (contains SourcePackages/). export BITWARDEN_SDK_PATH -BITWARDEN_SDK_PATH="$(dirname "$BUILD_ROOT")/SourcePackages/checkouts/sdk-swift" +_search_dir="$BUILD_DIR" +BITWARDEN_SDK_PATH="" +while [ "$_search_dir" != "/" ]; do + if [ -d "$_search_dir/SourcePackages/checkouts/sdk-swift" ]; then + BITWARDEN_SDK_PATH="$_search_dir/SourcePackages/checkouts/sdk-swift" + break + fi + _search_dir="$(dirname "$_search_dir")" +done + +if [ -z "$BITWARDEN_SDK_PATH" ]; then + echo "error: Could not locate sdk-swift checkout under SourcePackages/ — ensure SPM packages are resolved before running Sourcery." + exit 1 +fi echo "BITWARDEN_SDK_PATH: $BITWARDEN_SDK_PATH" mint run sourcery --config "$CONFIG" From 67d34214e923e9c6dc0fd064e7873d8329be0466 Mon Sep 17 00:00:00 2001 From: AJ Mabry <81774843+aj-bw@users.noreply.github.com> Date: Fri, 8 May 2026 14:05:24 -0400 Subject: [PATCH 3/9] swap out fastlane calls for xcrun, abstract out changelog job to another repo --- .github/workflows/_build-any.yml | 87 ++++++++++++++++++++++++++------ .github/workflows/ci-bwpm.yml | 4 +- 2 files changed, 73 insertions(+), 18 deletions(-) 
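Review bot: The walk-up loop added in the second hunk of PATCH 2/9 never terminates when BUILD_DIR is a relative path, because `dirname` bottoms out at `.` (and `dirname .` is `.`), so `[ "$_search_dir" != "/" ]` stays true forever. Xcode supplies an absolute path, but the script header documents a standalone invocation where the caller sets BUILD_DIR by hand, so I would stop on both roots: `while [ "$_search_dir" != "/" ] && [ "$_search_dir" != "." ]; do`. The loop also accepts the first ancestor that happens to contain `SourcePackages/checkouts/sdk-swift`, and that path is exported to Sourcery; a comment saying the search is expected to stay inside DerivedData would help the next reader. The new `error:` message goes to stdout, and `>&2` would keep it out of captured output.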
diff --git a/.github/workflows/_build-any.yml b/.github/workflows/_build-any.yml index c7b2c1f344..ef5e792c1c 100644 --- a/.github/workflows/_build-any.yml +++ b/.github/workflows/_build-any.yml @@ -103,7 +103,7 @@ jobs: uses: bitwarden/gh-actions/get-keyvault-secrets@main with: keyvault: gh-ios - secrets: "APP-STORE-CONNECT-AUTH-KEY,APP-STORE-CONNECT-TEAM-ISSUER" + secrets: "APP-STORE-CONNECT-AUTH-ID,APP-STORE-CONNECT-AUTH-KEY,APP-STORE-CONNECT-TEAM-ISSUER" - name: Setup secrets if: env._BUILD_MODE == 'Device' @@ -142,9 +142,6 @@ jobs: plutil -replace BUNDLE_ID -string '$BUNDLE_ID.watchkitapp' BitwardenWatchApp/GoogleService-Info.plist fi - echo "⌛️ Downloading fastlane credentials..." - az_download mobile appstoreconnect-fastlane.json "$HOME/secrets/appstoreconnect-fastlane.json" - echo "⌛️ Downloading distribution certificate..." mkdir -p "$HOME/certificates" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/ios-distribution | 
@@ -252,24 +249,26 @@ jobs: - name: Set up private auth key if: env._BUILD_MODE == 'Device' env: + _KEY_ID: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-ID }} _APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} run: | - mkdir ~/private_keys - cat << EOF > ~/private_keys/AuthKey_R758JZPC6K.p8 - ${_APP_STORE_CONNECT_AUTH_KEY} - EOF + mkdir -p ~/private_keys + chmod 700 ~/private_keys + printf '%s\n' "$_APP_STORE_CONNECT_AUTH_KEY" > ~/private_keys/AuthKey_${_KEY_ID:?missing APP-STORE-CONNECT-AUTH-ID}.p8 + chmod 600 ~/private_keys/AuthKey_${_KEY_ID}.p8 - name: Validate app with App Store Connect if: env._BUILD_MODE == 'Device' && false # Set to true to debug failing submissions env: _EXPORT_FILEPATH: ${{ steps.get_file_paths.outputs.export_filepath }} + _KEY_ID: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-ID }} _ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} run: | xcrun altool --validate-app \ --type ios \ --file "$_EXPORT_FILEPATH" \ - --apiKey "R758JZPC6K" \ - --apiIssuer "${_ISSUER}" + --apiKey "$_KEY_ID" \ + --apiIssuer "$_ISSUER" - name: Upload dSYM files to Crashlytics if: ${{ env._BUILD_MODE == 'Device' }} 
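Review bot: In the "Set up private auth key" step the `.p8` file is created under the runner's default umask and only tightened by the `chmod 600` afterwards, and the `${_KEY_ID}` expansion in both paths is unquoted. The 0700 directory limits the exposure, but putting `umask 077` before the `printf` and quoting the path, `key_file="$HOME/private_keys/AuthKey_${_KEY_ID:?missing APP-STORE-CONNECT-AUTH-ID}.p8"`, closes the window and keeps an unexpected character in the secret from splitting or globbing the filename. Since the key ID now comes from Key Vault instead of a literal, a one-line check that it contains only letters and digits before it is used in a path would be cheap.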
@@ -280,19 +279,75 @@ jobs: -gsp "$_CRASHLYTICS_PATH" \ -p ios -- {} + - - name: Upload app to TestFlight with Fastlane + - name: Upload app to TestFlight if: ${{ inputs.distribute && env._BUILD_MODE == 'Device' }} env: _EXPORT_FILEPATH: ${{ steps.get_file_paths.outputs.export_filepath }} + _KEY_ID: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-ID }} + _ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} run: | + declare -A APPLE_ID_MAP=( + ["com.8bit.bitwarden"]="1137397744" + ["com.8bit.bitwarden.beta"]="6477551146" + ["com.bitwarden.authenticator"]="6497335175" + ) + APPLE_ID="${APPLE_ID_MAP[$_BUNDLE_ID]:-}" + if [ -z "$APPLE_ID" ]; then + echo "::error::No Apple ID mapping for bundle ID: $_BUNDLE_ID" + exit 1 + fi + + xcrun altool --upload-app \ + --type ios \ + --file "$_EXPORT_FILEPATH" \ + --apiKey "$_KEY_ID" \ + --apiIssuer "$_ISSUER" \ + --apple-id "$APPLE_ID" + + - name: Build TestFlight trigger data + id: build-trigger-data + if: ${{ inputs.distribute && env._BUILD_MODE == 'Device' }} + run: | + declare -A APPLE_ID_MAP=( + ["com.8bit.bitwarden"]="1137397744" + ["com.8bit.bitwarden.beta"]="6477551146" + ["com.bitwarden.authenticator"]="6497335175" + ) + APPLE_ID="${APPLE_ID_MAP[$_BUNDLE_ID]:-}" + CHANGELOG="$(git show -s --format=%s) $GITHUB_REPOSITORY/$GITHUB_REF_NAME @ $GITHUB_SHA Xcode $_XCODE_VERSION Compiler Flags: $_COMPILER_FLAGS $_GITHUB_ACTION_RUN_URL" - bundle exec fastlane upload_build \ - --env "$_BW_ENV" \ - api_key_path:"$HOME/secrets/appstoreconnect-fastlane.json" \ - changelog:"$CHANGELOG" \ - ipa_path:"$_EXPORT_FILEPATH" + CHANGELOG_B64=$(printf '%s' "$CHANGELOG" | base64 | tr -d '\n') + + TRIGGER_DATA=$(jq -nc \ + --arg bundle_id "$_BUNDLE_ID" \ + --arg version_number "$_VERSION_NUMBER" \ + --arg version_name "$_VERSION_NAME" \ + --arg apple_id "$APPLE_ID" \ + --arg changelog_b64 "$CHANGELOG_B64" \ + '{bundle_id: $bundle_id, version_number: $version_number, version_name: $version_name, apple_id: $apple_id, 
changelog_b64: $changelog_b64}') + + DELIM="EOF_$(openssl rand -hex 16)" + { + echo "trigger-data<<$DELIM" + echo "$TRIGGER_DATA" + echo "$DELIM" + } >> "$GITHUB_OUTPUT" + + - name: Trigger TestFlight changelog update + if: ${{ inputs.distribute && env._BUILD_MODE == 'Device' }} + uses: bitwarden/gh-actions/trigger-actions@main + with: + azure_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }} + azure_client_id: ${{ secrets.AZURE_CLIENT_ID }} + task: ios-testflight-changelog + data: ${{ steps.build-trigger-data.outputs.trigger-data }} + + - name: Clean up auth key + if: ${{ always() && env._BUILD_MODE == 'Device' }} + run: rm -f ~/private_keys/AuthKey_*.p8 diff --git a/.github/workflows/ci-bwpm.yml b/.github/workflows/ci-bwpm.yml index 0c678133ff..00d79e31f1 100644 --- a/.github/workflows/ci-bwpm.yml +++ b/.github/workflows/ci-bwpm.yml @@ -69,7 +69,7 @@ jobs: contents: read id-token: write if: ${{ github.event_name == 'workflow_dispatch' && inputs.build-mode != 'CI' }} - uses: bitwarden/ios/.github/workflows/_build-any.yml@main + uses: ./.github/workflows/_build-any.yml with: bw-env: ${{ (inputs.build-variant == 'Production') && 'bwpm_prod' || 'bwpm_beta' }} build-mode: ${{ inputs.build-mode }} @@ -87,7 +87,7 @@ jobs: contents: read id-token: write if: ${{ github.event_name == 'push' || inputs.build-mode == 'CI' }} - uses: bitwarden/ios/.github/workflows/_build-any.yml@main + uses: ./.github/workflows/_build-any.yml strategy: matrix: include: From abadabb0bc450dfa5d740223b798b981c350ef44 Mon Sep 17 00:00:00 2001 From: AJ Mabry <81774843+aj-bw@users.noreply.github.com> Date: Fri, 8 May 2026 14:40:18 -0400 Subject: [PATCH 4/9] address local review feedback --- .github/workflows/_build-any.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/_build-any.yml b/.github/workflows/_build-any.yml index c41c4a6f49..7e78b7b128 100644 --- a/.github/workflows/_build-any.yml 
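Review bot: The new "Trigger TestFlight changelog update" step references `bitwarden/gh-actions/trigger-actions@main`, a mutable branch, and passes it the Azure subscription, tenant and client IDs. Pinning it to a full commit SHA, `uses: bitwarden/gh-actions/trigger-actions@<full-commit-sha> # main`, means a later push to that branch cannot change what runs in a job whose callers grant `id-token: write`. The existing `get-keyvault-secrets@main` reference outside this hunk follows the same pattern, so this looks like a repo-wide convention to revisit and not a one-off.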
+++ b/.github/workflows/_build-any.yml @@ -26,7 +26,7 @@ on: type: boolean env: _BW_ENV: ${{ inputs.bw-env || 'bwpm-prod' }} - _BUILD_VARIANT: ${{ inputs.bw-env == 'bwpm-prod' && 'Production' || 'Beta' }} + _BUILD_VARIANT: ${{ inputs.bw-env == 'bwpm_prod' && 'Production' || 'Beta' }} _BUILD_MODE: ${{ inputs.build-mode || 'Device' }} _XCODE_VERSION: ${{ inputs.xcode-version }} _VERSION_NAME: ${{ inputs.version-name }} @@ -314,11 +314,12 @@ jobs: ) APPLE_ID="${APPLE_ID_MAP[$_BUNDLE_ID]:-}" - CHANGELOG="$(git show -s --format=%s) + CHANGELOG="$_GITHUB_ACTION_RUN_URL + $(git show -s --format=%s) $GITHUB_REPOSITORY/$GITHUB_REF_NAME @ $GITHUB_SHA - Xcode $_XCODE_VERSION - Compiler Flags: $_COMPILER_FLAGS - $_GITHUB_ACTION_RUN_URL" + Xcode $_XCODE_VERSION" + [[ -n "$_COMPILER_FLAGS" ]] && CHANGELOG="$CHANGELOG + Compiler Flags: $_COMPILER_FLAGS" CHANGELOG_B64=$(printf '%s' "$CHANGELOG" | base64 | tr -d '\n') From c7ecca5f7380ed2da8148b7e5768460e1872a0f0 Mon Sep 17 00:00:00 2001 From: AJ Mabry <81774843+aj-bw@users.noreply.github.com> Date: Fri, 8 May 2026 14:59:34 -0400 Subject: [PATCH 5/9] update uses build workflow call --- .github/workflows/ci-bwa.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-bwa.yml b/.github/workflows/ci-bwa.yml index 303e1306f1..f719671e04 100644 --- a/.github/workflows/ci-bwa.yml +++ b/.github/workflows/ci-bwa.yml @@ -67,7 +67,7 @@ jobs: contents: read id-token: write if: ${{ github.event_name == 'workflow_dispatch' && inputs.build-mode != 'CI' }} - uses: bitwarden/ios/.github/workflows/_build-any.yml@main + uses: ./.github/workflows/_build-any.yml with: bw-env: bwa_prod build-mode: ${{ inputs.build-mode }} @@ -85,7 +85,7 @@ jobs: contents: read id-token: write if: ${{ github.event_name == 'push' || inputs.build-mode == 'CI' }} - uses: bitwarden/ios/.github/workflows/_build-any.yml@main + uses: ./.github/workflows/_build-any.yml strategy: matrix: include: 
From e94578d14e646b056c91351772ca7031edc1a795 Mon Sep 17 00:00:00 2001 From: AJ Mabry <81774843+aj-bw@users.noreply.github.com> Date: Fri, 8 May 2026 15:15:10 -0400 Subject: [PATCH 6/9] syntax fix --- .github/workflows/_build-any.yml | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/.github/workflows/_build-any.yml b/.github/workflows/_build-any.yml index 7e78b7b128..56c2e082d3 100644 --- a/.github/workflows/_build-any.yml +++ b/.github/workflows/_build-any.yml @@ -285,16 +285,15 @@ jobs: _KEY_ID: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-ID }} _ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} run: | - declare -A APPLE_ID_MAP=( - ["com.8bit.bitwarden"]="1137397744" - ["com.8bit.bitwarden.beta"]="6477551146" - ["com.bitwarden.authenticator"]="6497335175" - ) - APPLE_ID="${APPLE_ID_MAP[$_BUNDLE_ID]:-}" - if [ -z "$APPLE_ID" ]; then - echo "::error::No Apple ID mapping for bundle ID: $_BUNDLE_ID" - exit 1 - fi + case "$_BUNDLE_ID" in + "com.8bit.bitwarden") APPLE_ID="1137397744" ;; + "com.8bit.bitwarden.beta") APPLE_ID="6477551146" ;; + "com.bitwarden.authenticator") APPLE_ID="6497335175" ;; + *) + echo "::error::No Apple ID mapping for bundle ID: $_BUNDLE_ID" + exit 1 + ;; + esac xcrun altool --upload-app \ --type ios \ @@ -307,12 +306,12 @@ jobs: id: build-trigger-data if: ${{ inputs.distribute && env._BUILD_MODE == 'Device' }} run: | - declare -A APPLE_ID_MAP=( - ["com.8bit.bitwarden"]="1137397744" - ["com.8bit.bitwarden.beta"]="6477551146" - ["com.bitwarden.authenticator"]="6497335175" - ) - APPLE_ID="${APPLE_ID_MAP[$_BUNDLE_ID]:-}" + case "$_BUNDLE_ID" in + "com.8bit.bitwarden") APPLE_ID="1137397744" ;; + "com.8bit.bitwarden.beta") APPLE_ID="6477551146" ;; + "com.bitwarden.authenticator") APPLE_ID="6497335175" ;; + *) APPLE_ID="" ;; + esac CHANGELOG="$_GITHUB_ACTION_RUN_URL $(git show -s --format=%s) From e511a08963f70cbc5e88d9eab9fc41805c65a7cc Mon Sep 17 00:00:00 2001 
From: AJ Mabry <81774843+aj-bw@users.noreply.github.com> Date: Fri, 8 May 2026 16:01:19 -0400 Subject: [PATCH 7/9] previous run failed, reworked to not produce silent failures --- .github/workflows/_build-any.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/_build-any.yml b/.github/workflows/_build-any.yml index 56c2e082d3..10d0a29446 100644 --- a/.github/workflows/_build-any.yml +++ b/.github/workflows/_build-any.yml @@ -295,12 +295,17 @@ jobs: ;; esac - xcrun altool --upload-app \ + ALTOOL_OUTPUT=$(xcrun altool --upload-app \ --type ios \ --file "$_EXPORT_FILEPATH" \ --apiKey "$_KEY_ID" \ --apiIssuer "$_ISSUER" \ - --apple-id "$APPLE_ID" + --apple-id "$APPLE_ID" 2>&1) + echo "$ALTOOL_OUTPUT" + if echo "$ALTOOL_OUTPUT" | grep -q "ERROR:"; then + echo "::error::xcrun altool reported errors — upload failed" + exit 1 + fi - name: Build TestFlight trigger data id: build-trigger-data From bed15f3d081df9ab5b80688967c3913b5c9f85b7 Mon Sep 17 00:00:00 2001 From: AJ Mabry <81774843+aj-bw@users.noreply.github.com> Date: Mon, 11 May 2026 09:17:27 -0400 Subject: [PATCH 8/9] address PR feedback, resolve Apple ID as a step and reuse versus code duplication --- .github/workflows/_build-any.yml | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/.github/workflows/_build-any.yml b/.github/workflows/_build-any.yml index 10d0a29446..35a05517a5 100644 --- a/.github/workflows/_build-any.yml +++ b/.github/workflows/_build-any.yml @@ -25,7 +25,7 @@ on: description: "Distribute to TestFlight" type: boolean env: - _BW_ENV: ${{ inputs.bw-env || 'bwpm-prod' }} + _BW_ENV: ${{ inputs.bw-env || 'bwpm_prod' }} _BUILD_VARIANT: ${{ inputs.bw-env == 'bwpm_prod' && 'Production' || 'Beta' }} _BUILD_MODE: ${{ inputs.build-mode || 'Device' }} _XCODE_VERSION: ${{ inputs.xcode-version }} 
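Review bot: If `xcrun altool` exits non-zero, the `ALTOOL_OUTPUT=$(…)` assignment fails and, assuming the step runs under the Actions default `bash -e`, the script stops before `echo "$ALTOOL_OUTPUT"`, so the failing run prints nothing from altool. Capturing the status keeps the log: `ALTOOL_OUTPUT=$(xcrun altool … 2>&1) || ALTOOL_STATUS=$?`, with the check becoming `if [ "${ALTOOL_STATUS:-0}" -ne 0 ] || grep -q "ERROR:" <<<"$ALTOOL_OUTPUT"; then`. A short comment saying why the output is grepped (presumably altool can report errors while still exiting 0) would justify the string match to later readers.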
@@ -278,12 +278,8 @@ jobs: -gsp "$_CRASHLYTICS_PATH" \ -p ios -- {} + - - name: Upload app to TestFlight + - name: Resolve Apple ID if: ${{ inputs.distribute && env._BUILD_MODE == 'Device' }} - env: - _EXPORT_FILEPATH: ${{ steps.get_file_paths.outputs.export_filepath }} - _KEY_ID: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-ID }} - _ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} run: | case "$_BUNDLE_ID" in "com.8bit.bitwarden") APPLE_ID="1137397744" ;; @@ -294,7 +290,15 @@ jobs: exit 1 ;; esac + echo "APPLE_ID=$APPLE_ID" >> "$GITHUB_ENV" + - name: Upload app to TestFlight + if: ${{ inputs.distribute && env._BUILD_MODE == 'Device' }} + env: + _EXPORT_FILEPATH: ${{ steps.get_file_paths.outputs.export_filepath }} + _KEY_ID: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-ID }} + _ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} + run: | ALTOOL_OUTPUT=$(xcrun altool --upload-app \ --type ios \ --file "$_EXPORT_FILEPATH" \ @@ -311,13 +315,6 @@ jobs: id: build-trigger-data if: ${{ inputs.distribute && env._BUILD_MODE == 'Device' }} run: | - case "$_BUNDLE_ID" in - "com.8bit.bitwarden") APPLE_ID="1137397744" ;; - "com.8bit.bitwarden.beta") APPLE_ID="6477551146" ;; - "com.bitwarden.authenticator") APPLE_ID="6497335175" ;; - *) APPLE_ID="" ;; - esac - CHANGELOG="$_GITHUB_ACTION_RUN_URL $(git show -s --format=%s) $GITHUB_REPOSITORY/$GITHUB_REF_NAME @ $GITHUB_SHA @@ -354,4 +351,4 @@ jobs: - name: Clean up auth key if: ${{ always() && env._BUILD_MODE == 'Device' }} - run: rm -f ~/private_keys/AuthKey_*.p8 + run: rm -rf ~/private_keys From fe7997e22a47f6bb74889110330a9c2674e40f4d Mon Sep 17 00:00:00 2001 From: AJ Mabry <81774843+aj-bw@users.noreply.github.com> Date: Mon, 11 May 2026 11:04:12 -0400 Subject: [PATCH 9/9] repin to main for workflows --- .github/workflows/ci-bwa.yml | 4 ++-- .github/workflows/ci-bwpm.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
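Review bot: Writing `APPLE_ID` to `$GITHUB_ENV` in the new "Resolve Apple ID" step is safe only because every value comes from a literal arm of the `case`, and nothing in the step says so. I would add a comment above the `echo`, `# Values are fixed literals; never write $_BUNDLE_ID or other input-derived text to GITHUB_ENV`, so a later edit does not turn this line into an environment-injection point for the steps that follow. A step output (`id:` plus `$GITHUB_OUTPUT`) would also scope the value to the steps that read it instead of the whole job.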
diff --git a/.github/workflows/ci-bwa.yml b/.github/workflows/ci-bwa.yml index f719671e04..303e1306f1 100644 --- a/.github/workflows/ci-bwa.yml +++ b/.github/workflows/ci-bwa.yml @@ -67,7 +67,7 @@ jobs: contents: read id-token: write if: ${{ github.event_name == 'workflow_dispatch' && inputs.build-mode != 'CI' }} - uses: ./.github/workflows/_build-any.yml + uses: bitwarden/ios/.github/workflows/_build-any.yml@main with: bw-env: bwa_prod build-mode: ${{ inputs.build-mode }} @@ -85,7 +85,7 @@ jobs: contents: read id-token: write if: ${{ github.event_name == 'push' || inputs.build-mode == 'CI' }} - uses: ./.github/workflows/_build-any.yml + uses: bitwarden/ios/.github/workflows/_build-any.yml@main strategy: matrix: include: diff --git a/.github/workflows/ci-bwpm.yml b/.github/workflows/ci-bwpm.yml index 00d79e31f1..0c678133ff 100644 --- a/.github/workflows/ci-bwpm.yml +++ b/.github/workflows/ci-bwpm.yml @@ -69,7 +69,7 @@ jobs: contents: read id-token: write if: ${{ github.event_name == 'workflow_dispatch' && inputs.build-mode != 'CI' }} - uses: ./.github/workflows/_build-any.yml + uses: bitwarden/ios/.github/workflows/_build-any.yml@main with: bw-env: ${{ (inputs.build-variant == 'Production') && 'bwpm_prod' || 'bwpm_beta' }} build-mode: ${{ inputs.build-mode }} @@ -87,7 +87,7 @@ jobs: contents: read id-token: write if: ${{ github.event_name == 'push' || inputs.build-mode == 'CI' }} - uses: ./.github/workflows/_build-any.yml + uses: bitwarden/ios/.github/workflows/_build-any.yml@main strategy: matrix: include: