From 4e8852d9dde428aa2a73449a2655a85a783c3288 Mon Sep 17 00:00:00 2001 From: Billy Booth Date: Mon, 6 Feb 2023 16:26:00 -0600 Subject: [PATCH 1/3] Validate repository secrets Adds support for validation of repository secrets. --- .github/workflows/add_identifiers.yml | 5 ++ .github/workflows/build_loop.yml | 5 ++ .github/workflows/create_certs.yml | 5 ++ .github/workflows/validate_secrets.yml | 69 ++++++++++++++++++++++++++ fastlane/Fastfile | 18 +++++++ 5 files changed, 102 insertions(+) create mode 100644 .github/workflows/validate_secrets.yml diff --git a/.github/workflows/add_identifiers.yml b/.github/workflows/add_identifiers.yml index e28cbd2cac..acf98d0b36 100644 --- a/.github/workflows/add_identifiers.yml +++ b/.github/workflows/add_identifiers.yml @@ -3,7 +3,12 @@ on: workflow_dispatch: jobs: + secrets: + uses: ./.github/workflows/validate_secrets.yml + secrets: inherit + identifiers: + needs: secrets runs-on: macos-12 steps: # Uncomment to manually select latest Xcode if needed diff --git a/.github/workflows/build_loop.yml b/.github/workflows/build_loop.yml index 7cf9921471..af1c428d85 100644 --- a/.github/workflows/build_loop.yml +++ b/.github/workflows/build_loop.yml @@ -3,7 +3,12 @@ on: workflow_dispatch: jobs: + secrets: + uses: ./.github/workflows/validate_secrets.yml + secrets: inherit + build: + needs: secrets runs-on: macos-12 steps: # Uncomment to manually select latest Xcode if needed diff --git a/.github/workflows/create_certs.yml b/.github/workflows/create_certs.yml index 95a224c82b..c9f710c35a 100644 --- a/.github/workflows/create_certs.yml +++ b/.github/workflows/create_certs.yml @@ -3,7 +3,12 @@ on: workflow_dispatch: jobs: + secrets: + uses: ./.github/workflows/validate_secrets.yml + secrets: inherit + certificates: + needs: secrets runs-on: macos-12 steps: # Uncomment to manually select latest Xcode if needed 
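Review bot: In the added `secrets:` job the job id is the same word as the `secrets: inherit` key directly beneath it, which reads as a nested `secrets` mapping at a glance; a name like `validate_secrets:` with `needs: validate_secrets` on the following job keeps the id and the keyword apart, and the same applies to the identical jobs added in build_loop.yml and create_certs.yml. `secrets: inherit` is the right choice here because the called workflow is in the same repository and declares no `secrets:` inputs, but it forwards every repository and organization secret to the callee, so it should be narrowed to an explicit list if the `uses:` target is ever moved to another repository. A short comment above the job would record that, e.g. `# inherit is fine for a same-repo reusable workflow; list secrets explicitly if this ever points elsewhere`.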
diff --git a/.github/workflows/validate_secrets.yml b/.github/workflows/validate_secrets.yml
new file mode 100644
index 0000000000..0b248631c2
--- /dev/null
+++ b/.github/workflows/validate_secrets.yml
@@ -0,0 +1,69 @@ +name: Validate Secrets +on: [workflow_call, workflow_dispatch] + +jobs: + validate: + runs-on: macos-12 + steps: + # Checks-out the repo + - name: Checkout Repo + uses: actions/checkout@v3 + + # Validates the repo secrets + - name: Validate Secrets + run: | + # Validate Secrets + echo Validating Repository Secrets... + + # Validate TEAMID + if [ -z "$TEAMID" ]; then + failed=true + echo "::error::TEAMID secret is unset or empty. Set it and try again." + elif [ ${#TEAMID} -ne 10 ]; then + failed=true + echo "::error::TEAMID secret is set but has wrong length. Verify that it is set correctly and try again." + fi + + # Validate GH_PAT + if [ -z "$GH_PAT" ]; then + failed=true + echo "::error::GH_PAT secret is unset or empty. Set it and try again." + elif [ "$(gh api -H "Accept: application/vnd.github+json" /repos/${{ github.repository_owner }}/Match-Secrets | jq --raw-output '.permissions.push')" != "true" ]; then + failed=true + echo "::error::GH_PAT secret is set but invalid or lacking appropriate privileges on the ${{ github.repository_owner }}/Match-Secrets repository. Verify that it is set correctly and try again." + fi + + # Validate FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY + if [ -z "$FASTLANE_ISSUER_ID" ] || [ -z "$FASTLANE_KEY_ID" ] || [ -z "$FASTLANE_KEY" ]; then + failed=true + [ -z "$FASTLANE_ISSUER_ID" ] && echo "::error::The FASTLANE_ISSUER_ID secret is unset or empty. Set it and try again." + [ -z "$FASTLANE_KEY_ID" ] && echo "::error::The FASTLANE_KEY_ID secret is unset or empty. Set it and try again." + [ -z "$FASTLANE_KEY" ] && echo "::error::The FASTLANE_KEY secret is unset or empty. Set it and try again." + elif ! echo "$FASTLANE_KEY" | openssl ec -noout >/dev/null 2>&1; then + failed=true + echo "::error::The FASTLANE_KEY secret is set but invalid. Verify that it is set correctly and try again." + elif ! 
fastlane validate_secrets; then + failed=true + echo "::error::Unable to create a valid authorization token for the App Store Connect API.\ + Verify that the FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY secrets are set correctly and try again." + fi + + # Validate MATCH_PASSWORD + if [ -z "$MATCH_PASSWORD" ]; then + failed=true + echo "::error::The MATCH_PASSWORD secret is unset or empty. Set it and try again." + fi + + # Exit unsuccessfully if secret validation failed. + if [ $failed ]; then + exit 2 + fi + shell: bash + env: + TEAMID: ${{ secrets.TEAMID }} + GH_PAT: ${{ secrets.GH_PAT }} + FASTLANE_ISSUER_ID: ${{ secrets.FASTLANE_ISSUER_ID }} + FASTLANE_KEY_ID: ${{ secrets.FASTLANE_KEY_ID }} + FASTLANE_KEY: ${{ secrets.FASTLANE_KEY }} + MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }} + GH_TOKEN: ${{ secrets.GH_PAT }} diff --git a/fastlane/Fastfile b/fastlane/Fastfile index 61542919a0..70ef2ba575 100644 --- a/fastlane/Fastfile +++ b/fastlane/Fastfile @@ -231,6 +231,24 @@ platform :ios do ) end + desc "Validate Secrets" + lane :validate_secrets do + setup_ci if ENV['CI'] + ENV["MATCH_READONLY"] = true.to_s + + app_store_connect_api_key( + key_id: "#{FASTLANE_KEY_ID}", + issuer_id: "#{FASTLANE_ISSUER_ID}", + key_content: "#{FASTLANE_KEY}" + ) + + def find_bundle_id(identifier) + bundle_id = Spaceship::ConnectAPI::BundleId.find(identifier) + end + + find_bundle_id("com.#{TEAMID}.loopkit.Loop") + end + desc "Nuke Certs" lane :nuke_certs do setup_ci if ENV['CI'] From 4ea45938986a821cf0b169063c83b153a0e89da5 Mon Sep 17 00:00:00 2001 From: Billy Booth Date: Tue, 7 Feb 2023 09:47:00 -0600 Subject: [PATCH 2/3] Validate $FASTLANE_KEY as unencrypted PKCS#8 --- .github/workflows/validate_secrets.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/validate_secrets.yml b/.github/workflows/validate_secrets.yml index 0b248631c2..c5e8383e45 100644 --- a/.github/workflows/validate_secrets.yml +++ b/.github/workflows/validate_secrets.yml 
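Review bot: The new workflow declares no `permissions:` block, so the job's GITHUB_TOKEN inherits the repository's default token permissions, which may include write, although the only thing that token is used for is `actions/checkout`; the `gh api` call authenticates with `GH_TOKEN: ${{ secrets.GH_PAT }}` instead. Adding `permissions:` / `  contents: read` at the top level below `on:` keeps the token read-only on the one job that has every deployment secret in its environment. Two smaller points in the script: `${{ github.repository_owner }}` is expanded into the shell source twice while every secret is routed through `env:` — passing it the same way (`OWNER: ${{ github.repository_owner }}` under `env:`, `$OWNER` in the script) keeps the `run:` block free of expression expansion, which matters more if a less constrained context is ever substituted. The final `if [ $failed ]; then` works only because an unset variable collapses to an empty test; `if [ "${failed:-}" = true ]; then` states the intent.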
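Review bot: `find_bundle_id` is declared with `def` inside the lane body and its single statement assigns `bundle_id` that is never read, so the helper is just `Spaceship::ConnectAPI::BundleId.find(identifier)` under another name plus a method definition that leaks onto the Fastfile's object; call it directly: `Spaceship::ConnectAPI::BundleId.find("com.#{TEAMID}.loopkit.Loop")`. The lane's value as a key check rests on that call raising when the API key is rejected while, presumably, returning nil rather than raising when the bundle ID is not registered yet (which is the expected state before the add-identifiers workflow has run); that deserves a comment such as `# Only authentication matters here; a nil result (identifier not registered yet) is acceptable.` `FASTLANE_KEY_ID`, `FASTLANE_ISSUER_ID`, `FASTLANE_KEY` and `TEAMID` are referenced as bare constants defined outside this hunk, and if they are already strings the `"#{…}"` wrapping only turns a nil into an empty string, which hides a missing value from `app_store_connect_api_key`. The enclosing `platform :ios do` block starts and ends outside the hunk.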
@@ -39,7 +39,7 @@ jobs: [ -z "$FASTLANE_ISSUER_ID" ] && echo "::error::The FASTLANE_ISSUER_ID secret is unset or empty. Set it and try again." [ -z "$FASTLANE_KEY_ID" ] && echo "::error::The FASTLANE_KEY_ID secret is unset or empty. Set it and try again." [ -z "$FASTLANE_KEY" ] && echo "::error::The FASTLANE_KEY secret is unset or empty. Set it and try again." - elif ! echo "$FASTLANE_KEY" | openssl ec -noout >/dev/null 2>&1; then + elif ! echo "$FASTLANE_KEY" | openssl pkcs8 -nocrypt >/dev/null; then failed=true echo "::error::The FASTLANE_KEY secret is set but invalid. Verify that it is set correctly and try again." elif ! fastlane validate_secrets; then From 662959ac2a11c260cdf45c31e870266d6eea6b19 Mon Sep 17 00:00:00 2001 From: Billy Booth Date: Tue, 7 Feb 2023 09:51:29 -0600 Subject: [PATCH 3/3] Number workflows to guide sequential exection --- .github/workflows/add_identifiers.yml | 3 ++- .github/workflows/build_loop.yml | 3 ++- .github/workflows/create_certs.yml | 3 ++- .github/workflows/validate_secrets.yml | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/add_identifiers.yml b/.github/workflows/add_identifiers.yml index acf98d0b36..62a2b543f5 100644 --- a/.github/workflows/add_identifiers.yml +++ b/.github/workflows/add_identifiers.yml @@ -1,4 +1,5 @@ -name: Add Identifiers +name: 2. Add Identifiers +run-name: Add Identifiers on: workflow_dispatch: diff --git a/.github/workflows/build_loop.yml b/.github/workflows/build_loop.yml index af1c428d85..1094350dac 100644 --- a/.github/workflows/build_loop.yml +++ b/.github/workflows/build_loop.yml @@ -1,4 +1,5 @@ -name: Build Loop +name: 4. Build Loop +run-name: Build Loop on: workflow_dispatch: diff --git a/.github/workflows/create_certs.yml b/.github/workflows/create_certs.yml index c9f710c35a..82961983c0 100644 --- a/.github/workflows/create_certs.yml +++ b/.github/workflows/create_certs.yml 
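Review bot: Keep the `>/dev/null` on the new `openssl pkcs8 -nocrypt` check: unlike the previous `openssl ec -noout`, `pkcs8` has no `-noout` and, with no `-out`, writes the parsed private key to stdout in traditional PEM form, so the redirect is the only thing keeping `$FASTLANE_KEY` out of the job log, and secret masking would not help because it matches the literal secret value rather than a re-encoded one. Dropping `2>&1` is fine since openssl's parse errors do not echo the input, but a comment on the line would stop a later edit from removing the redirect: `# stdout must stay redirected: pkcs8 re-emits the decoded private key`. The `-nocrypt` form also means an encrypted PKCS#8 key now fails immediately instead of waiting for a passphrase on a non-interactive runner; the error message on the next line could say that the value must be the unencrypted `.p8` key as downloaded from App Store Connect.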
@@ -1,4 +1,5 @@ -name: Create Certificates +name: 3. Create Certificates +run-name: Create Certificates on: workflow_dispatch: diff --git a/.github/workflows/validate_secrets.yml b/.github/workflows/validate_secrets.yml index c5e8383e45..70401888c6 100644 --- a/.github/workflows/validate_secrets.yml +++ b/.github/workflows/validate_secrets.yml @@ -1,4 +1,5 @@ -name: Validate Secrets +name: 1. Validate Secrets +run-name: Validate Secrets on: [workflow_call, workflow_dispatch] jobs: