Validate repository secrets #36
Adds support for validation of repository secrets.
fc11578 to 4e8852d
I will happily update docs. I think adding numbers is a great improvement.

Don't merge this just yet. I need to update the workflow to validate the FASTLANE_KEY as an unencrypted pkcs8 in the morning, and I intend to add step numbers to the workflow names.
You can use the 'run-name: ' without the number. So what you see on the left is different than on the right. https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#name

> The name for workflow runs generated from the workflow. GitHub displays the workflow run name in the list of workflow runs on your repository's "Actions" tab. If run-name is omitted or is only whitespace, then the run name is set to event-specific information for the workflow run. For example, for a workflow triggered by a push or pull_request event, it is set as the commit message. This value can include expressions and can reference the github and inputs contexts.
Brilliant, @mkellerman! As far as I'm concerned this is good to go now.
If you want more help with GAs, ping me on Zulip. I have some suggestions, but don't want to overstep.
In the interest of getting this right, by all means share any suggestions you have (here or on Zulip).
One of the suggestions is whether we can keep the certificates as build artifacts, instead of a separate repo? Removing as many steps as possible from the setup process. Or, if it can't be done, then have the GA create the repo for us if it doesn't exist. But I would suggest renaming it, and making it dynamic.
@mkellerman That change sounds like it could help make setup easier for people. If you are able, please submit it as a separate PR. Thanks!

Thanks @billybooth!
Copied from LoopKit/LoopWorkspace#36
Validate repository secrets (JohanDegraeve#36)
* Validate repository secrets
  Adds support for validation of repository secrets.
* Validate $FASTLANE_KEY as unencrypted PKCS#8
* Number workflows to guide sequential execution
Copied from FreeAPS-X, not yet adapted to Xdrip4iOS.
Originally based on FastLane and GitHub Actions from LoopKit/LoopWorkspace

Adapt Fastfile and workflow file, rename workflow file to build_xdrip.yml

Adapt instructions to Xdrip4iOS

Fastfile: fix scheme (xdrip)

xDrip.xcconfig: MAIN_APP_BUNDLE_IDENTIFIER = com.$(DEVELOPMENT_TEAM).xdripswift

Add CURRENT_PROJECT_VERSION = $(CURRENT_PROJECT_VERSION) to xDrip and xdrip4iOS Widget targets

testflight.md instructions: Add NFC Tag Reading to xdripswift App ID
-and some adjustments to identifier names

Validate repository secrets
Copied from LoopKit/LoopWorkspace#36
Validate repository secrets (JohanDegraeve#36)
* Validate repository secrets
  Adds support for validation of repository secrets.
* Validate $FASTLANE_KEY as unencrypted PKCS#8
* Number workflows to guide sequential execution

Add commented-out template for automated builds on push and on schedule (every two months)
Users must uncomment (remove "#") from the start of the lines indicated in the workflow to enable automated builds.

testflight.md: Add Validate Secrets instructions, and add numbered workflows.

testflight.md: Add info about TestFlight on a child’s phone

testflight.md: add info about steps to re-use for "Browser Builds" of other apps

Add NFC tag reading capability to TestFlight app from Fastfile
Remove step for manual setup of NFC tag reading capability from testflight.md

Always upload artifacts

build_xdrip.yml: remove "secrets" job
No need to validate secrets for every build. This can be done by running Validate secrets manually.
- remove "with: submodules: recursive" from Checkout action

build_xdrip.yml: Add branch name to run-name

testflight.md: update instructions

Build on macos-13 and Xcode 14.3
macos-13 is still in beta as GitHub Actions runner, but works well.
Available Xcode versions are listed here, Xcode 14.2 is currently the default: https://github.com/actions/runner-images/blob/main/images/macos/macos-13-Readme.md#xcode

Sync changes from upstream, and keep repository "alive"
The keep alive action allows scheduled runs beyond the 60 day repo inactivity limit for scheduled GitHub Actions
Copied from FreeAPS-X, not yet adapted to Xdrip4iOS.
Originally based on FastLane and GitHub Actions from LoopKit/LoopWorkspace

Adapt Fastfile and workflow file, rename workflow file to build_xdrip.yml

Adapt instructions to Xdrip4iOS

Fastfile: fix scheme (xdrip)

xDrip.xcconfig: MAIN_APP_BUNDLE_IDENTIFIER = com.$(DEVELOPMENT_TEAM).xdripswift

Add CURRENT_PROJECT_VERSION = $(CURRENT_PROJECT_VERSION) to xDrip and xdrip4iOS Widget targets

testflight.md instructions: Add NFC Tag Reading to xdripswift App ID
-and some adjustments to identifier names

Validate repository secrets
Copied from LoopKit/LoopWorkspace#36
Validate repository secrets (JohanDegraeve#36)
* Validate repository secrets
  Adds support for validation of repository secrets.
* Validate $FASTLANE_KEY as unencrypted PKCS#8
* Number workflows to guide sequential execution

Add commented-out template for automated builds on push and on schedule (every two months)
Users must uncomment (remove "#") from the start of the lines indicated in the workflow to enable automated builds.

testflight.md: Add Validate Secrets instructions, and add numbered workflows.

testflight.md: Add info about TestFlight on a child’s phone

testflight.md: add info about steps to re-use for "Browser Builds" of other apps

Add NFC tag reading capability to TestFlight app from Fastfile
Remove step for manual setup of NFC tag reading capability from testflight.md

Always upload artifacts

build_xdrip.yml: remove "secrets" job
No need to validate secrets for every build. This can be done by running Validate secrets manually.
- remove "with: submodules: recursive" from Checkout action

build_xdrip.yml: Add branch name to run-name

testflight.md: update instructions

Build on macos-13 and Xcode 14.3
macos-13 is still in beta as GitHub Actions runner, but works well.
Available Xcode versions are listed here, Xcode 14.2 is currently the default: https://github.com/actions/runner-images/blob/main/images/macos/macos-13-Readme.md#xcode

Sync changes from upstream, and keep repository "alive"
The keep alive action allows scheduled runs beyond the 60 day repo inactivity limit for scheduled GitHub Actions

Remove $(SRCROOT)/ from INFOPLIST_FILE due to build error with Fastlane
INFOPLIST_FILE = "$(SRCROOT)/xdrip/Supporting Files/Info.plist"
Fastlane error:
-Cannot set build number with plist path containing $(SRCROOT)
-Please remove $(SRCROOT) in your Xcode target build settings
More info: fastlane/fastlane#329

build_xdrip.yml: correct app name (xDrip4iOS) in workflow name

Sync changes from upstream, and keep repository "alive"
The keep alive action allows scheduled runs beyond the 60 day repo inactivity limit for scheduled GitHub Actions

build_xdrip: SYNC_UPSTREAM: 'true' / 'false'
…TestFlight distributions (#419)

* Copy FastLane and GitHub Actions for Mac-free install
  Copied from FreeAPS-X, not yet adapted to Xdrip4iOS.
  Originally based on FastLane and GitHub Actions from LoopKit/LoopWorkspace
* Adapt Fastfile and workflow file, rename workflow file to build_xdrip.yml
* Adapt instructions to Xdrip4iOS
* Fastfile: fix scheme (xdrip)
* xDrip.xcconfig: MAIN_APP_BUNDLE_IDENTIFIER = com.$(DEVELOPMENT_TEAM).xdripswift
* Add CURRENT_PROJECT_VERSION = $(CURRENT_PROJECT_VERSION) to xDrip and xdrip4iOS Widget targets
* testflight.md instructions: Add NFC Tag Reading to xdripswift App ID
  -and some adjustments to identifier names
* Validate repository secrets
  Copied from LoopKit/LoopWorkspace#36
  Validate repository secrets (#36)
  * Validate repository secrets
    Adds support for validation of repository secrets.
  * Validate $FASTLANE_KEY as unencrypted PKCS#8
  * Number workflows to guide sequential execution
* Add commented-out template for automated builds on push and on schedule (every two months)
  Users must uncomment (remove "#") from the start of the lines indicated in the workflow to enable automated builds.
* testflight.md: Add Validate Secrets instructions, and add numbered workflows.
* testflight.md: Add info about TestFlight on a child’s phone
* testflight.md: add info about steps to re-use for "Browser Builds" of other apps
* Add NFC tag reading capability to TestFlight app from Fastfile
  Remove step for manual setup of NFC tag reading capability from testflight.md
* Always upload artifacts
* build_xdrip.yml: remove "secrets" job
  No need to validate secrets for every build. This can be done by running Validate secrets manually.
  - remove "with: submodules: recursive" from Checkout action
* build_xdrip.yml: Add branch name to run-name
* testflight.md: update instructions
* Build on macos-13 and Xcode 14.3
  macos-13 is still in beta as GitHub Actions runner, but works well.
  Available Xcode versions are listed here, Xcode 14.2 is currently the default: https://github.com/actions/runner-images/blob/main/images/macos/macos-13-Readme.md#xcode
* Remove $(SRCROOT)/ from INFOPLIST_FILE due to build error with Fastlane
  INFOPLIST_FILE = "$(SRCROOT)/xdrip/Supporting Files/Info.plist"
  Fastlane error:
  -Cannot set build number with plist path containing $(SRCROOT)
  -Please remove $(SRCROOT) in your Xcode target build settings
  More info: fastlane/fastlane#329
* build_xdrip.yml: correct app name (xDrip4iOS) in workflow name
* Sync changes from upstream, and keep repository "alive"
  The keep alive action allows scheduled runs beyond the 60 day repo inactivity limit for scheduled GitHub Actions
* build_xdrip: SYNC_UPSTREAM: 'true' / 'false'
Adds rudimentary support for validation of repository secrets used in GitHub Actions + Fastlane build workflows.

A shared `validate_secrets.yml` has been added as a dependency of the other workflows to validate secrets prior to adding identifiers, creating certificates, or building Loop. It can also be run independently via standard workflow dispatch.

The workflow should be pretty self-explanatory, but each required repository secret is checked to verify that it is set and non-empty, then secondary validation is done upon the `GH_PAT` (via the GitHub CLI client) to ensure write permissions on the Match-Secrets repository and the `FASTLANE_` secrets (via a new validate_secrets lane) to ensure that an App Store Connect API authorization with the repository secrets is successful.

I'd considered numbering the workflows, since they should be run sequentially, but I didn't want to force @marionbarker to update all of her existing screenshots in the docs, i.e.:

Here is an example where Validate Secrets is run as a dependency of Add Identifiers and causes it to fail:
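As an added example, and not the `validate_secrets.yml` workflow from this PR or the LoopWorkspace project, the checks described in the PR description written as shell functions that a validate-secrets job could call from a `run:` step. The function names (`require_secret`, `classify_private_key`, `validate_fastlane_key`, `check_match_secrets_push`), the `DEMO_*` variables and the sample key are all constructed for illustration; the sample key is a placeholder, not a real key. The `FASTLANE_KEY` check goes a little beyond the PR text in that it distinguishes an encrypted PKCS#8 key and a legacy PKCS#1/SEC1 key, the two shapes most likely to be pasted by mistake in place of Apple's unencrypted `.p8` file.

```shell
#!/usr/bin/env bash
# Added example: secret validation as a workflow step would run it.
# Failures are reported with GitHub's ::error:: annotation syntax and
# never echo the secret value itself, so the job log stays safe to share.

# Return 0 if the shell variable named $1 is set and non-empty, 1 if empty,
# 2 if the name is not a plain identifier (guards the eval below).
require_secret() {
  name=$1
  case $name in ""|*[!A-Za-z0-9_]*) echo "::error::bad secret name" >&2; return 2 ;; esac
  eval "val=\${$name:-}"
  if [ -z "$val" ]; then
    echo "::error::$name is not set or is empty" >&2
    return 1
  fi
  return 0
}

# Classify a PEM private key by its header. Prints one of:
#   pkcs8-unencrypted | pkcs8-encrypted | legacy-pkcs1-or-sec1 | not-pem
classify_private_key() {
  case "$1" in
    *"-----BEGIN PRIVATE KEY-----"*)           echo pkcs8-unencrypted ;;
    *"-----BEGIN ENCRYPTED PRIVATE KEY-----"*) echo pkcs8-encrypted ;;
    *"-----BEGIN RSA PRIVATE KEY-----"*|*"-----BEGIN EC PRIVATE KEY-----"*)
                                               echo legacy-pkcs1-or-sec1 ;;
    *)                                         echo not-pem ;;
  esac
}

# Return 0 only for an unencrypted PKCS#8 key (the App Store Connect .p8).
# When openssl is installed the key is also parsed, so a truncated or
# corrupted paste with the right header is still rejected.
validate_fastlane_key() {
  kind=$(classify_private_key "$1")
  if [ "$kind" != pkcs8-unencrypted ]; then
    echo "::error::FASTLANE_KEY is $kind; expected an unencrypted PKCS#8 key" >&2
    return 1
  fi
  if command -v openssl >/dev/null 2>&1; then
    if ! printf '%s\n' "$1" | openssl pkey -noout >/dev/null 2>&1; then
      echo "::error::FASTLANE_KEY has a PKCS#8 header but openssl cannot parse it" >&2
      return 1
    fi
  fi
  return 0
}

# Check that a token ($2) has push permission on repository $1 using the
# GitHub CLI (`gh api` with --jq; the repos API exposes permissions.push).
# Returns 2 when gh is unavailable so the caller can decide how to treat it.
check_match_secrets_push() {
  repo=$1
  command -v gh >/dev/null 2>&1 || { echo "gh is not installed" >&2; return 2; }
  push=$(GH_TOKEN=$2 gh api "repos/$repo" --jq '.permissions.push' 2>/dev/null) || {
    echo "::error::GH_PAT cannot read $repo" >&2; return 1; }
  [ "$push" = true ] || { echo "::error::GH_PAT lacks push permission on $repo" >&2; return 1; }
  return 0
}

# Demonstration on constructed values only (no real secrets involved).
DEMO_TEAM_ID="ABCDE12345"
DEMO_FASTLANE_KEY="-----BEGIN EC PRIVATE KEY-----
cGxhY2Vob2xkZXIgbm90IGEgcmVhbCBrZXk=
-----END EC PRIVATE KEY-----"
require_secret DEMO_TEAM_ID && echo "DEMO_TEAM_ID ok"
validate_fastlane_key "$DEMO_FASTLANE_KEY" || echo "DEMO_FASTLANE_KEY rejected (SEC1, not PKCS#8)"
```

In a workflow, the secrets would be mapped to variables with an `env:` block on the step and `require_secret` called once per name before any Fastlane lane runs, which is the ordering the PR description gives: presence first, then the token and API-key checks.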
