diff --git a/.github/workflows/add_identifiers.yml b/.github/workflows/add_identifiers.yml
index e28cbd2ca..214d2cfa8 100644
--- a/.github/workflows/add_identifiers.yml
+++ b/.github/workflows/add_identifiers.yml
@@ -1,9 +1,15 @@
-name: Add Identifiers
+name: 2. Add Identifiers
+run-name: Add Identifiers
 on:
 workflow_dispatch:
 jobs:
+ secrets:
+ uses: ./.github/workflows/validate_secrets.yml
+ secrets: inherit
+
 identifiers:
+ needs: secrets
 runs-on: macos-12
 steps:
 # Uncomment to manually select latest Xcode if needed
diff --git a/.github/workflows/build_LoopFollow.yml b/.github/workflows/build_LoopFollow.yml
index ea5843bb9..e47b8f9d3 100644
--- a/.github/workflows/build_LoopFollow.yml
+++ b/.github/workflows/build_LoopFollow.yml
@@ -1,9 +1,23 @@
-name: Build Loop Follow
+name: 4. Build Loop Follow
+run-name: Build Loop Follow
 on:
 workflow_dispatch:
+ ## Remove the "#" sign from the beginning of the line below to get automated builds on push (code changes in your repository)
+ #push:
+
+ ## Remove the "#" sign from the beginning of the two lines below to get automated builds every two months
+ #schedule:
+ #- cron: '0 17 1 */2 *' # Runs at 17:00 UTC on the 1st in Jan, Mar, May, Jul, Sep and Nov.
+
+
 jobs:
+ secrets:
+ uses: ./.github/workflows/validate_secrets.yml
+ secrets: inherit
+
 build:
+ needs: secrets
 runs-on: macos-12
 steps:
 # Uncomment to manually select latest Xcode if needed
@@ -20,7 +34,7 @@ jobs:
 - name: Patch Match Tables
 run: find /usr/local/lib/ruby/gems -name table_printer.rb | xargs sed -i "" "/puts(Terminal::Table.new(params))/d"
- # Build signed FreeAPS X IPA file
+ # Build signed Loop Follow IPA file
 - name: Fastlane Build & Archive
 run: fastlane build_LoopFollow
 env:
diff --git a/.github/workflows/create_certs.yml b/.github/workflows/create_certs.yml
index 95a224c82..1ead0ff0e 100644
--- a/.github/workflows/create_certs.yml
+++ b/.github/workflows/create_certs.yml
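Review bot: The commented-out `push:` trigger in build_LoopFollow.yml carries no branch filter, so following the comment's instruction to uncomment it will launch a signing build on every push to every branch of the fork, each run with the repository secrets inherited by the `secrets` job; ship it as `#push:` followed by `#  branches: [ main ]` (matching whatever default branch the docs tell users to set) so only the release branch builds automatically. The `#schedule:` hint should also warn that GitHub suspends scheduled workflows in public repositories after 60 days without repository activity, which for a two-month cadence meant to beat TestFlight's 90-day expiry can silently leave the app unbuilt; a one-line comment above `#schedule:` such as `## GitHub disables scheduled runs after 60 days of repo inactivity - check the Actions tab occasionally` would cover it. The cron's trailing comment does match `*/2` on the month field (Jan, Mar, May, Jul, Sep, Nov), so that part is correct.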
@@ -1,9 +1,15 @@
-name: Create Certificates
+name: 3. Create Certificates
+run-name: Create Certificates
 on:
 workflow_dispatch:
 jobs:
+ secrets:
+ uses: ./.github/workflows/validate_secrets.yml
+ secrets: inherit
+
 certificates:
+ needs: secrets
 runs-on: macos-12
 steps:
 # Uncomment to manually select latest Xcode if needed
diff --git a/.github/workflows/validate_secrets.yml b/.github/workflows/validate_secrets.yml
new file mode 100644
index 000000000..6811efc79
--- /dev/null
+++ b/.github/workflows/validate_secrets.yml
@@ -0,0 +1,70 @@
+name: 1. Validate Secrets
+run-name: Validate Secrets
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+ validate:
+ runs-on: macos-12
+ steps:
+ # Checks-out the repo
+ - name: Checkout Repo
+ uses: actions/checkout@v3
+
+ # Validates the repo secrets
+ - name: Validate Secrets
+ run: |
+ # Validate Secrets
+ echo Validating Repository Secrets...
+
+ # Validate TEAMID
+ if [ -z "$TEAMID" ]; then
+ failed=true
+ echo "::error::TEAMID secret is unset or empty. Set it and try again."
+ elif [ ${#TEAMID} -ne 10 ]; then
+ failed=true
+ echo "::error::TEAMID secret is set but has wrong length. Verify that it is set correctly and try again."
+ fi
+
+ # Validate GH_PAT
+ if [ -z "$GH_PAT" ]; then
+ failed=true
+ echo "::error::GH_PAT secret is unset or empty. Set it and try again."
+ elif [ "$(gh api -H "Accept: application/vnd.github+json" /repos/${{ github.repository_owner }}/Match-Secrets | jq --raw-output '.permissions.push')" != "true" ]; then
+ failed=true
+ echo "::error::GH_PAT secret is set but invalid or lacking appropriate privileges on the ${{ github.repository_owner }}/Match-Secrets repository. Verify that it is set correctly and try again."
+ fi
+
+ # Validate FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY
+ if [ -z "$FASTLANE_ISSUER_ID" ] || [ -z "$FASTLANE_KEY_ID" ] || [ -z "$FASTLANE_KEY" ]; then
+ failed=true
+ [ -z "$FASTLANE_ISSUER_ID" ] && echo "::error::The FASTLANE_ISSUER_ID secret is unset or empty. Set it and try again."
+ [ -z "$FASTLANE_KEY_ID" ] && echo "::error::The FASTLANE_KEY_ID secret is unset or empty. Set it and try again."
+ [ -z "$FASTLANE_KEY" ] && echo "::error::The FASTLANE_KEY secret is unset or empty. Set it and try again."
+ elif ! echo "$FASTLANE_KEY" | openssl pkcs8 -nocrypt >/dev/null; then
+ failed=true
+ echo "::error::The FASTLANE_KEY secret is set but invalid. Verify that it is set correctly and try again."
+ elif ! 
fastlane validate_secrets; then
+ failed=true
+ echo "::error::Unable to create a valid authorization token for the App Store Connect API.\
+ Verify that the FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY secrets are set correctly and try again."
+ fi
+
+ # Validate MATCH_PASSWORD
+ if [ -z "$MATCH_PASSWORD" ]; then
+ failed=true
+ echo "::error::The MATCH_PASSWORD secret is unset or empty. Set it and try again."
+ fi
+
+ # Exit unsuccessfully if secret validation failed.
+ if [ $failed ]; then
+ exit 2
+ fi
+ shell: bash
+ env:
+ TEAMID: ${{ secrets.TEAMID }}
+ GH_PAT: ${{ secrets.GH_PAT }}
+ FASTLANE_ISSUER_ID: ${{ secrets.FASTLANE_ISSUER_ID }}
+ FASTLANE_KEY_ID: ${{ secrets.FASTLANE_KEY_ID }}
+ FASTLANE_KEY: ${{ secrets.FASTLANE_KEY }}
+ MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
+ GH_TOKEN: ${{ secrets.GH_PAT }}
\ No newline at end of file
diff --git a/fastlane/Fastfile b/fastlane/Fastfile
index 032f8b554..0c4d26a32 100644
--- a/fastlane/Fastfile
+++ b/fastlane/Fastfile
@@ -157,6 +157,24 @@ platform :ios do
 )
 end
+ desc "Validate Secrets"
+ lane :validate_secrets do
+ setup_ci if ENV['CI']
+ ENV["MATCH_READONLY"] = true.to_s
+
+ app_store_connect_api_key(
+ key_id: "#{FASTLANE_KEY_ID}",
+ issuer_id: "#{FASTLANE_ISSUER_ID}",
+ key_content: "#{FASTLANE_KEY}"
+ )
+
+ def find_bundle_id(identifier)
+ bundle_id = Spaceship::ConnectAPI::BundleId.find(identifier)
+ end
+
+ find_bundle_id("com.#{TEAMID}.loopkit.Loop")
+ end
+
 desc "Nuke Certs"
 lane :nuke_certs do
 setup_ci if ENV['CI']
diff --git a/fastlane/testflight.md b/fastlane/testflight.md
index 788c26ed4..c5e14ad72 100644
--- a/fastlane/testflight.md
+++ b/fastlane/testflight.md
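Review bot: The Checkout Repo step's `uses: actions/checkout@v3` pins a mutable tag, and this job runs with every repository secret inherited by the callers, so a retagged or compromised release would execute with TEAMID, GH_PAT, the App Store Connect key and MATCH_PASSWORD in its environment; pin it to a full commit SHA with the version in a trailing comment, `uses: actions/checkout@<full-sha> # v3`, and do the same in the sibling workflows. The run block interpolates `${{ github.repository_owner }}` directly into the shell text twice; the owner login is not attacker-controlled, but routing it through `env:` (`REPO_OWNER: ${{ github.repository_owner }}` and `/repos/$REPO_OWNER/Match-Secrets`) keeps the script free of expression interpolation the way the secrets already are. `if [ $failed ]; then` relies on word-splitting an unset variable and would abort under `set -u`; `if [ -n "${failed:-}" ]; then` states the intent. The probes correctly never echo secret values, only names, and the openssl check discards its stdout, so the log stays clean.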
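Review bot: `find_bundle_id("com.#{TEAMID}.loopkit.Loop")` looks up Loop's bundle identifier from a Fastfile that builds Loop Follow and discards the result, so the call evidently exists only to force one authenticated App Store Connect request; the lane needs a comment saying so, e.g. `# Any authenticated request exercises the key; we only care whether it raises`, and should presumably use the identifier this repository actually registers (not visible in the hunk) so a reader does not assume a Loop app must exist. The nested `def find_bundle_id` re-defines a method on every lane run and its `bundle_id =` local is never read; a single inline `Spaceship::ConnectAPI::BundleId.find("com.#{TEAMID}.loopkit.Loop")` does the same work. Whether a missing bundle id returns nil rather than raising is not visible here and should be confirmed before relying on this as a pass/fail probe. Setting `ENV["MATCH_READONLY"]` before any match call is the right guard for a validation-only lane.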
@@ -1,48 +1,77 @@ -# Using Github Actions + FastLane to deploy to TestFlight +# Using Github Actions + FastLane to deploy to TestFlight: the "Browser Build" method These instructions allow you to build Loop Follow without having access to a Mac. They also allow you to easily install Loop Follow on phones that are not connected to your computer. So you can send builds and updates to those you care for easily, or have an easy to access backup if you run Loop Follow for yourself. You do not need to worry about correct Xcode/Mac versions either. An app built using this method can easily be deployed to newer versions of iOS, as soon as they are available. -The setup steps are somewhat involved, but nearly all are one time steps. Subsequent builds are trivial. Note that TestFlight requires apple id accounts 13 years or older. Your app must be updated once every 90 days, but it's a simple click to make a new build and can be done from anywhere. -There are more detailed instructions in LoopDocs for building Loop with Github Actions + FastLane, including troubleshooting and build errors. Please refer to [LoopDocs](https://loopkit.github.io/loopdocs/gh-actions/gh-first-time/#build-loop-using-github-actions) for more details. +The setup steps are somewhat involved, but nearly all are one time steps. Subsequent builds are trivial. Your app must be updated once every 90 days, but it's a simple click to make a new build and can be done from anywhere. + +Note that TestFlight requires apple id accounts 13 years or older. This can be circumvented by logging into Media & Purchase on the child's phone with an adult's account. More details on this can be found in [LoopDocs](https://loopkit.github.io/loopdocs/gh-actions/gh-deploy/#install-testflight-loop-for-child). + +This method for building without a Mac was ported from Loop. 
If you have used this method for Loop or one of the other DIY apps (Loop, Loop Caregiver, xDrip4iOS, FreeAPS X), some of the steps can be re-used and the full set of instructions does not need to be repeated. This will be mentioned in relevant sections below. + +There are more detailed instructions in LoopDocs for doing Browser Builds of Loop and other apps, including troubleshooting and build errors. Please refer to [LoopDocs](https://loopkit.github.io/loopdocs/gh-actions/gh-other-apps/) for more details. ## Prerequisites * A [github account](https://github.com/signup). The free level comes with plenty of storage and free compute time to build Loop Follow, multiple times a day, if you wanted to. -* A paid [Apple Developer account](https://developer.apple.com). You may be able to use the free version, but that has not been tested. +* A paid [Apple Developer account](https://developer.apple.com). * Some time. Set aside a couple of hours to perform the setup. - +* Use the same GitHub account for all "Browser Builds" of the various DIY apps. +* You require 6 Secrets (alphanumeric items) - make sure you save them; and do not use a smart editor because these Secrets are case sensitive. ## Generate App Store Connect API Key +This step is common for all "Browser Builds", and should be done only once. Please save the API key with your Secrets. + 1. Sign in to the [Apple developer portal page](https://developer.apple.com/account/resources/certificates/list). 1. Copy the team id from the upper right of the screen. Record this as your `TEAMID`. -1. Go to the [App Store Connect](https://appstoreconnect.apple.com/access/api) interface, click the "Keys" tab, and create a new key with "Admin" access. Give it a name like "FastLane API Key". +1. Go to the [App Store Connect](https://appstoreconnect.apple.com/access/api) interface, click the "Keys" tab, and create a new key with "Admin" access. Give it the name "FastLane API Key". 1. 
Record the key id; this will be used for `FASTLANE_KEY_ID`. 1. Record the issuer id; this will be used for `FASTLANE_ISSUER_ID`. 1. Download the API key itself, and open it in a text editor. The contents of this file will be used for `FASTLANE_KEY`. Copy the full text, including the "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" lines. -## Setup Github +## Setup Github Match-Secrets repository + +The creation of the Match-Secrets repository is also a common step for all "browser builds", do this step only once. 1. Create a [new empty repository](https://github.com/new) titled `Match-Secrets`. It should be private. -1. Fork https://github.com/jonfawcett/LoopFollow into your account. If you already have a fork of Loop Follow in GitHub, you can't make another one. You can continue to work with your existing fork, or delete that from GitHub and then and fork https://github.com/jonfawcett/LoopFollow. + +## Setup Github LoopFollow repository + +1. Fork https://github.com/jonfawcett/LoopFollow into your account. If you already have a fork of LoopFollow in GitHub, you can't make another one. You can continue to work with your existing fork, or delete your existing fork from GitHub and then create a new fork from https://github.com/jonfawcett/LoopFollow. + +NOTE: if your default branch is not set to the Main branch for LoopFollow, you will NOT see the expected build actions. Follow these steps in [LoopDocs](https://loopkit.github.io/loopdocs/gh-actions/gh-update/#set-default-branch) to select Main as your default branch. + +The first time you build with the GitHub Browser Build method for any DIY app, you will generate a personal access token and make up a password (MATCH_PASSWORD) for the Match-Secrets repository. If you lose your MATCH_PASSWORD, you will need to delete the Match-Secrets repository, create a new one and make up a new password (used for all repositories for which you use the GitHub build method). 
+ +If you have previously built Loop or another app using the GitHub "browser build" method, you should re-use your previous personal access token (`GH_PAT`) and MATCH_PASSWORD and skip ahead to `step 2`. 1. Create a [new personal access token](https://github.com/settings/tokens/new): - * Enter a name for your token. Something like "FastLane Access Token". - * 30 days is fine, or you can select longer if you'd like. + * Enter a name for your token, use "FastLane Access Token". + * Select 90 days for this token. * Select the `repo` permission scope. * Click "Generate token". * Copy the token and record it. It will be used below as `GH_PAT`. -1. In the forked Loop Follow repo, go to Settings -> Secrets -> Actions. +1. In the forked LoopFollow repository, go to Settings -> Secrets -> Actions. 1. For each of the following secrets, tap on "New repository secret", then add the name of the secret, along with the value you recorded for it: * `TEAMID` * `FASTLANE_KEY_ID` * `FASTLANE_ISSUER_ID` * `FASTLANE_KEY` * `GH_PAT` - * `MATCH_PASSWORD` - just make up a password for this + * `MATCH_PASSWORD` + +## Validate repository secrets + +This step validates most of your six secrets and provides error messages if it detects an issue with one or more. + +1. Click on the "Actions" tab of your LoopFollow repository. +1. Select "1. Validate Secrets". +1. Click "Run Workflow", and tap the green button. +1. Wait, and within a minute or two you should see a green checkmark indicating the workflow succeeded. +1. The workflow will check if the required secrets are added and that they are correctly formatted. If errors are detected, please check the run log for details. ## Add Identifiers for Loop Follow App -1. Click on the "Actions" tab of your Loop Follow repository. -1. Select "Add Identifiers". +1. Click on the "Actions" tab of your LoopFollow repository. +1. Select "2. Add Identifiers". 1. Click "Run Workflow", and tap the green button. 1. 
Wait, and within a minute or two you should see a green checkmark indicating the workflow succeeded. @@ -64,15 +93,15 @@ You do not need to fill out the next form. That is for submitting to the app sto ## Create Building Certficates -1. Go back to the "Actions" tab of your Loop Follow repository in GitHub. -1. Select "Create Certificates". +1. Go back to the "Actions" tab of your LoopFollow repository in github. +1. Select "3. Create Certificates". 1. Click "Run Workflow", and tap the green button. 1. Wait, and within a minute or two you should see a green checkmark indicating the workflow succeeded. -## Build Loop Follow! +## Build Loop Follow -1. Click on the "Actions" tab of your Loop Follow repository. -1. Select "Build LoopFollow". _Are you working on a previuos fork of Loop Follow and not seeing any GitHub workflows in the Actions tab? You may have to change the default branch so that it contains the .github/workflows files, or merge these changes into your default branch (typically 'master' or 'main')._ +1. Click on the "Actions" tab of your LoopFollow repository. +1. Select "4. Build Loop Follow". 1. Click "Run Workflow", select your branch, and tap the green button. 1. You have some time now. Go enjoy a coffee. The build should take about 15 minutes. 1. Your app should eventually appear on [App Store Connect](https://appstoreconnect.apple.com/apps).