Merge pull request #75 from mxcl/api

Author: chris-araman

.github/workflows/checks.yml

@@ -110,6 +110,38 @@ jobs:
           echo >&2 "error: expected action to fail, but it succeeded"
           exit 1
 
+  missing-api-key-id-fails:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./
+        id: xcodebuild
+        with:
+          authentication-key-base64: 'Cg=='
+          authentication-key-issuer-id: '14sb3dw0-r3t1-83u1-g381-4k9sg1t3w8r2'
+          working-directory: fixtures/debug
+        continue-on-error: true
+      - if: steps.xcodebuild.outcome == 'success'
+        run: |
+          echo >&2 "error: expected action to fail, but it succeeded"
+          exit 1
+
+  missing-api-key-issuer-id-fails:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./
+        id: xcodebuild
+        with:
+          authentication-key-base64: 'Cg=='
+          authentication-key-id: 'JW271KX2u3'
+          working-directory: fixtures/debug
+        continue-on-error: true
+      - if: steps.xcodebuild.outcome == 'success'
+        run: |
+          echo >&2 "error: expected action to fail, but it succeeded"
+          exit 1
+
   null-none-action:
     runs-on: macos-latest
     strategy:

README.md

@@ -142,7 +142,8 @@ if you think we could have figured it out but didn’t please open a ticket.
 
 GitHub’s images have a **limited selection** of Xcodes.
 
-- GitHub list what is available for the current 10.15 image [here][gha-xcode-list].
+- GitHub list what is available for the current [10.15][gha-xcode-list-catalina]
+  and [11][gha-xcode-list-big-sur] images.
 - We run a scheduled workflow to determine what is available [here][automated-list].
 
 To install other versions first use [sinoru/actions-setup-xcode], then
@@ -174,31 +175,105 @@ This behavior cannot currently be disabled, PR welcome.
 
 ## Code Signing
 
+> This feature requires macOS.
+
+Code signing can be enabled with either an App Store Connect API key, or with a
+certificate.
+
+### Using an App Store Connect API Key
+
+> This feature requires Xcode 13 or later.
+
+[Create][create-api-key-instructions] an API key on
+[App Store Connect][create-api-key]. Download your key and Base64-encode it:
+
+```bash
+base64 AuthKey_9XXXX9XXXX.p8
+```
+
+Create [GitHub Secrets][secrets] for your base64-encoded key, the key ID, and
+the key's issuer ID. The IDs are displayed on App Store Connect.
+
 ```yaml
 jobs:
   build:
     runs-on: macos-latest
     steps:
       - use: mxcl/xcodebuild@v1
         with:
-          code-sign-certificate: ${{ secrets.CERTIFICATE_BASE64 }}
-          code-sign-certificate-passphrase: ${{ secrets.CERTIFICATE_PASSPHRASE}}
+          authentication-key-base64: ${{ secrets.APP_STORE_CONNECT_KEY_BASE64 }}
+          authentication-key-id: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
+          authentication-key-issuer-id: ${{ secrets.APP_STORE_CONNECT_KEY_ISSER_ID }}
 ```
 
-> This feature requires macOS.
+Certificates and provisioning profiles will be created automatically using the
+App Store Connect API. Certificates will appear in your
+[list of certificates](cert-list) as `Created via API`.
+
+Devices will be registered automatically. GitHub-hosted runners will appear in
+in your [list of devices](device-list) as `mac-NUMBER.local`.
+
+> :warning: This may cause undesired behavior when using GitHub-hosted runners.
+> For best results, use App Store Connect API keys only on self-hosted runners.
+
+For more information on this method of code signing, please review the
+["Distribute apps in Xcode with cloud signing"][cloud-signing] talk from WWDC21.
+
+### Using a Specific Certificate
 
-A code signing certificate can be installed to the macOS Keychain. It is
-automatically removed from the Keychain in a post action.
+If you are not able to use an App Store Connect API key, and you have a specific
+code signing certificate you'd like to use, it can be installed to the macOS
+Keychain. It is automatically removed from the Keychain in a post action.
+
+```yaml
+jobs:
+  build:
+    runs-on: macos-latest
+    steps:
+      - use: mxcl/xcodebuild@v1
+        with:
+          code-sign-certificate: ${{ secrets.CERTIFICATE_BASE64 }}
+          code-sign-certificate-passphrase: ${{ secrets.CERTIFICATE_PASSPHRASE}}
+```
 
 To export your certificate from Xcode and Base64 encode it, follow
 [these instructions][export]. Store any secrets, including certificates and
 passphrases, in GitHub as [Encrypted Secrets][secrets].
 
+### Specifying an Identity
+
 You may specify a `code-sign-identity` to override any `CODE_SIGN_IDENTITY`
 specified by your project.
 
+### Disabling Code Signing
+
 To disable code signing, you can specify `code-sign-identity: '-'`.
 
+### Provisioning Profiles
+
+If you are not able to use an App Store Connect API key, and you have specific
+provisioning profiles you'd like to use, you can specify profiles for Mac
+`provisioning-profiles-base64`, or for iOS or other devices using
+`mobile-provisioning-profiles-base64`.
+
+To export your provisioning profiles from Xcode and Base64 encode these, follow
+[these instructions][export]. Store any secrets, including provisioning
+profiles, in GitHub as [Encrypted Secrets][secrets].
+
+```yaml
+jobs:
+  build:
+    runs-on: macos-latest
+    steps:
+      - use: mxcl/xcodebuild@v1
+        with:
+          mobile-provisioning-profiles-base64: |
+            ${{ secrets.IPHONE_PROVISIONING_PROFILE_BASE64 }}
+            ${{ secrets.IPAD_PROVISIONING_PROFILE_BASE64 }}
+          provisioning-profiles-base64: |
+            ${{ secrets.MAC_PROVISIONING_PROFILE_BASE64 }}
+```
+
 ## Caveats
 
 - The selected Xcode remains the default Xcode for the image for the duration of
@@ -265,7 +340,13 @@ This action does not support Windows.
 1. Create a [Pull Request](https://github.com/mxcl/xcodebuild/compare)
 
 [automated-list]: https://flatgithub.com/mxcl/.github/?filename=versions.json
-[gha-xcode-list]: https://github.com/actions/virtual-environments/blob/main/images/macos/macos-10.15-Readme.md#xcode
+[cloud-signing]: https://developer.apple.com/videos/play/wwdc2021/10204/
+[create-api-key]: https://appstoreconnect.apple.com/access/api
+[create-api-key-instructions]: https://developer.apple.com/documentation/appstoreconnectapi/creating_api_keys_for_app_store_connect_api
+[cert-list]: https://developer.apple.com/account/resources/certificates/list
+[device-list]: https://developer.apple.com/account/resources/devices/list
+[gha-xcode-list-catalina]: https://github.com/actions/virtual-environments/blob/main/images/macos/macos-10.15-Readme.md#xcode
+[gha-xcode-list-big-sur]: https://github.com/actions/virtual-environments/blob/main/images/macos/macos-11-Readme.md#xcode
 [sinoru/actions-setup-xcode]: https://github.com/sinoru/actions-setup-xcode
 [img]: https://raw.githubusercontent.com/mxcl/xcodebuild/gh-pages/XCResult.png
 [secrets]: https://docs.github.com/en/actions/reference/encrypted-secrets

action.yml

@@ -32,6 +32,33 @@ inputs:
     description: Enables code coverage
     required: false
     default: 'false'
+  authentication-key-base64:
+    description: |
+      A Base64-encoded authentication key issued by App Store Connect. If
+      specified, `xcodebuild`` will authenticate with the Apple Developer
+      website using this credential. The `authentication-key-id` and
+      `authentication-key-issuer-id` parameters are required. Using this key,
+      `xcodebuild` will register the GitHub Actions runner device and manage
+      code signing certificates for it. Please note that this may cause
+      undesired behavior when using GitHub-hosted runners. For best results, use
+      App Store Connect API keys only on self-hosted runners.
+    required: false
+  authentication-key-id:
+    description: |
+      The key identifier associated with the App Store Conect authentication key
+      specified in `authentication-key-base64`. This string can be located in
+      the users and access details for your provider at
+      "https://appstoreconnect.apple.com". For best results, use App Store
+      Connect API keys only on self-hosted runners.
+    required: false
+  authentication-key-issuer-id:
+    description: |
+      The App Store Connect issuer identifier associated with the authentication
+      key specified in `authentication-key-base64`. This string can be located
+      in the users and access details for your provider at
+      "https://appstoreconnect.apple.com". For best results, use App Store
+      Connect API keys only on self-hosted runners.
+    required: false
   code-sign-certificate:
     description: |
       A Base64-encoded certificate to be installed to the macOS Keychain for
@@ -51,6 +78,14 @@ inputs:
       Identity to be used for code signing. If your project specifies a
       `CODE_SIGN_IDENTITY`, this will override it.
     required: false
+  mobile-provisioning-profiles-base64:
+    description: |
+      A multiline list of Base64-encoded mobile provisioning profiles.
+    required: false
+  provisioning-profiles-base64:
+    description: |
+      A multiline list of Base64-encoded Mac provisioning profiles.
+    required: false
   working-directory:
     description: '…'
     required: false