
Commit a7bfe11

authored
Make certificate-password and keychain-password optional
* feat: make certificate-pass and keychain-pass optional * docs: info about optional certificate-pass * feat: fix hardcoded keychain pass * chore: add more descriptive error logs * chore: adjust error handling
1 parent 0b4a5a6 commit a7bfe11

2 files changed

Lines changed: 25 additions & 17 deletions


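--- a/README.md
+++ b/README.md
@@ -38,8 +38,8 @@ jobs:
 # For device builds, add these (for certificate and provisioning profile - either file OR base64):
 # certificate-file: './certs/distribution.p12'
 # certificate-base64: ${{ secrets.CERTIFICATE_BASE64 }}
-# certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }}
-# keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }}
+# certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }} # Optional - only needed if P12 has a password
+# keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }} # Optional - defaults to auto-generated password
 # re-sign: true
 # ad-hoc: true
 # For apps that require provisioning profiles:
@@ -73,12 +73,12 @@ jobs:
 | `ad-hoc` | Upload the IPA for ad-hoc distribution to easily install on provisioned devices | No | `false` |
 | `certificate-base64` | Base64 encoded P12 file for device builds | No | - |
 | `certificate-file` | P12 file for device builds | No | - |
-| `certificate-password` | Password for the P12 file | No | - |
+| `certificate-password` | Password for the P12 file (optional - only needed if certificate has a password) | No | - |
 | `provisioning-profile-base64` | Base64 encoded provisioning profile | No | - |
 | `provisioning-profile-file` | Provisioning profile file | No | - |
 | `provisioning-profile-name` | Name of the provisioning profile | No | - |
 | `provisioning-profiles` | JSON array of provisioning profiles. Supports passing PP as both file and base64 string. Supported keys: `name`, `file`, `base64` | No | - |
-| `keychain-password` | Password for temporary keychain | No | - |
+| `keychain-password` | Password for temporary keychain (optional - defaults to auto-generated password) | No | - |
 | `rock-build-extra-params` | Extra parameters for rock build:ios | No | - |
 | `comment-bot` | Whether to comment PR with build link | No | `true` |
 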

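--- a/action.yml
+++ b/action.yml
@@ -91,17 +91,13 @@ runs:
 exit 1
 fi
 
-if [ -n "${{ inputs.certificate-file }}" ]; then
+if [ -n "${{ inputs.certificate-file }}" ]; then
 if [ ! -f "${{ inputs.certificate-file }}" ]; then
 echo "Certificate file not found: '${{ inputs.certificate-file }}'"
 exit 1
 fi
 fi
 
-if [ -z "${{ inputs.certificate-password }}" ]; then
-echo "Input 'certificate-password' is required for device builds."
-exit 1
-fi
 
 # Legacy provisioning profile validation (only when not using provisioning-profiles)
 if [ -z "${{ inputs.provisioning-profiles }}" ]; then
@@ -134,10 +130,6 @@ runs:
 exit 1
 fi
 
-if [ -z "${{ inputs.keychain-password }}" ]; then
-echo "Input 'keychain-password' is required for device builds."
-exit 1
-fi
 
 # Validate provisioning profiles if provided
 if [ -n "${{ inputs.provisioning-profiles }}" ]; then
@@ -241,9 +233,15 @@ runs:
 # Create temporary keychain
 KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
 
-security create-keychain -p "${{ inputs.keychain-password }}" $KEYCHAIN_PATH
+KEYCHAIN_PASSWORD="${{ inputs.keychain-password }}"
+if [ -z "$KEYCHAIN_PASSWORD" ]; then
+KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+fi
+
+
+security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
-security unlock-keychain -p "${{ inputs.keychain-password }}" $KEYCHAIN_PATH
+security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 
 # Import certificate to keychain
 CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12
@@ -255,8 +253,18 @@ runs:
 # Decode base64 certificate
 echo -n "${{ inputs.certificate-base64 }}" | base64 --decode -o $CERTIFICATE_PATH
 fi
-security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
-security set-key-partition-list -S apple-tool:,apple: -k "${{ inputs.keychain-password }}" $KEYCHAIN_PATH
+if [ -n "${{ inputs.certificate-password }}" ]; then
+security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+else
+SECURITY_IMPORT_ERROR=$(security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH 2>&1)
+if [ $? -ne 0 ]; then
+echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input."
+echo "Error output from 'security import':"
+echo "$SECURITY_IMPORT_ERROR"
+exit 1
+fi
+fi
+security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 security list-keychain -d user -s $KEYCHAIN_PATH
 
 # Infer certificate identity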
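Review bot: The new `if [ -n "${{ inputs.certificate-password }}" ]` test and the `-P "${{ inputs.certificate-password }}"` argument, like `KEYCHAIN_PASSWORD="${{ inputs.keychain-password }}"`, have the input pasted into the script text before bash parses it, so a password containing `"`, `$` or a backtick alters the script instead of being handled as data. Map both inputs in the step's `env:` and reference only shell variables, e.g. `-P "$CERTIFICATE_PASSWORD"`. In the passwordless branch, `if [ $? -ne 0 ]` is probably unreachable: if the step runs under the usual `bash -e` (the `shell:` line is outside these hunks), a failing `SECURITY_IMPORT_ERROR=$(security import …)` ends the script before the hint is printed, whereas `if ! SECURITY_IMPORT_ERROR=$(security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH 2>&1); then` keeps the message. The generated password could also be registered with `echo "::add-mask::$KEYCHAIN_PASSWORD"` so it is redacted if a later command echoes it.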
