Update Github Actions - Fastlane - TestFlight Browser builds (#596)

based on https://github.com/LoopKit/LoopWorkspace/commit/319b611b3349f4e7aba8d6556623e3bb8ef4e2a4
* Validate repository secrets

Adds support for validation of repository secrets.

* Validate $FASTLANE_KEY as unencrypted PKCS#8

* Number workflows to guide sequential exection

Also included:
* Template for automated builds on push and on schedule (uncomment to activate):

on:  
  #push:
  #schedule:
    #- cron: '0 17 1 */2 *' # Runs at 17:00 UTC on the 1st in Jan, Mar, May, Jul, Sep and Nov.

* Update instructions in testflight.md

.github/workflows/add_identifiers.yml

@@ -1,9 +1,15 @@
-name: Add Identifiers
+name: 2. Add Identifiers
+run-name: Add Identifiers
 on:
   workflow_dispatch:
 
 jobs:
+  secrets:
+    uses: ./.github/workflows/validate_secrets.yml
+    secrets: inherit
+build_FAX.yml
   identifiers:
+    needs: secrets
     runs-on: macos-12
     steps:
       # Uncomment to manually select latest Xcode if needed

.github/workflows/build_FAX.yml

@@ -1,9 +1,23 @@
-name: Build FAX
+name: 4. Build FAX
+run-name: Build FAX
 on:
   workflow_dispatch:
+  
+  ## Remove the "#" sign from the beginning of the line below to get automated builds on push (code changes in your repository)
+  #push:
+  
+  ## Remove the "#" sign from the beginning of the two lines below to get automated builds every two months
+  #schedule:
+    #- cron: '0 17 1 */2 *' # Runs at 17:00 UTC on the 1st in Jan, Mar, May, Jul, Sep and Nov.
+
 
 jobs:
+  secrets:
+    uses: ./.github/workflows/validate_secrets.yml
+    secrets: inherit
+
   build:
+    needs: secrets
     runs-on: macos-12
     steps:
       # Uncomment to manually select latest Xcode if needed
@@ -49,4 +63,4 @@ jobs:
           name: build-artifacts
           path: |
             artifacts
-            buildlog
+            buildlog

.github/workflows/create_certs.yml

@@ -1,9 +1,15 @@
-name: Create Certificates
+name: 3. Create Certificates
+run-name: Create Certificates
 on:
   workflow_dispatch:
 
 jobs:
+  secrets:
+    uses: ./.github/workflows/validate_secrets.yml
+    secrets: inherit
+
   certificates:
+    needs: secrets
     runs-on: macos-12
     steps:
       # Uncomment to manually select latest Xcode if needed

.github/workflows/validate_secrets.yml

@@ -0,0 +1,70 @@
+name: 1. Validate Secrets
+run-name: Validate Secrets
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+  validate:
+    runs-on: macos-12
+    steps:
+      # Checks-out the repo
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+
+      # Validates the repo secrets
+      - name: Validate Secrets
+        run: |
+          # Validate Secrets
+          echo Validating Repository Secrets...
+
+          # Validate TEAMID
+          if [ -z "$TEAMID" ]; then
+            failed=true
+            echo "::error::TEAMID secret is unset or empty. Set it and try again."
+          elif [ ${#TEAMID} -ne 10 ]; then
+            failed=true
+            echo "::error::TEAMID secret is set but has wrong length. Verify that it is set correctly and try again."
+          fi
+
+          # Validate GH_PAT
+          if [ -z "$GH_PAT" ]; then
+            failed=true
+            echo "::error::GH_PAT secret is unset or empty. Set it and try again."
+          elif [ "$(gh api -H "Accept: application/vnd.github+json" /repos/${{ github.repository_owner }}/Match-Secrets | jq --raw-output '.permissions.push')" != "true" ]; then
+            failed=true
+            echo "::error::GH_PAT secret is set but invalid or lacking appropriate privileges on the ${{ github.repository_owner }}/Match-Secrets repository. Verify that it is set correctly and try again."
+          fi
+
+          # Validate FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY
+          if [ -z "$FASTLANE_ISSUER_ID" ] || [ -z "$FASTLANE_KEY_ID" ] || [ -z "$FASTLANE_KEY" ]; then
+            failed=true
+            [ -z "$FASTLANE_ISSUER_ID" ] && echo "::error::The FASTLANE_ISSUER_ID secret is unset or empty. Set it and try again."
+            [ -z "$FASTLANE_KEY_ID"    ] && echo "::error::The FASTLANE_KEY_ID secret is unset or empty. Set it and try again."
+            [ -z "$FASTLANE_KEY"       ] && echo "::error::The FASTLANE_KEY secret is unset or empty. Set it and try again."
+          elif ! echo "$FASTLANE_KEY" | openssl pkcs8 -nocrypt >/dev/null; then
+            failed=true
+            echo "::error::The FASTLANE_KEY secret is set but invalid. Verify that it is set correctly and try again."
+          elif ! fastlane validate_secrets; then
+            failed=true
+            echo "::error::Unable to create a valid authorization token for the App Store Connect API.\
+            Verify that the FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY secrets are set correctly and try again."
+          fi
+
+          # Validate MATCH_PASSWORD
+          if [ -z "$MATCH_PASSWORD" ]; then
+            failed=true
+            echo "::error::The MATCH_PASSWORD secret is unset or empty. Set it and try again."
+          fi
+
+          # Exit unsuccessfully if secret validation failed.
+          if [ $failed ]; then
+            exit 2
+          fi
+        shell: bash
+        env:
+          TEAMID: ${{ secrets.TEAMID }}
+          GH_PAT: ${{ secrets.GH_PAT }}
+          FASTLANE_ISSUER_ID: ${{ secrets.FASTLANE_ISSUER_ID }}
+          FASTLANE_KEY_ID: ${{ secrets.FASTLANE_KEY_ID }}
+          FASTLANE_KEY: ${{ secrets.FASTLANE_KEY }}
+          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}

fastlane/Fastfile

@@ -186,6 +186,24 @@ platform :ios do
     )
   end
 
+  desc "Validate Secrets"
+  lane :validate_secrets do
+    setup_ci if ENV['CI']
+    ENV["MATCH_READONLY"] = true.to_s
+
+    app_store_connect_api_key(
+      key_id: "#{FASTLANE_KEY_ID}",
+      issuer_id: "#{FASTLANE_ISSUER_ID}",
+      key_content: "#{FASTLANE_KEY}"
+    )
+
+    def find_bundle_id(identifier)
+      bundle_id = Spaceship::ConnectAPI::BundleId.find(identifier)
+    end
+
+    find_bundle_id("com.#{TEAMID}.loopkit.Loop")
+  end
+
   desc "Nuke Certs"
   lane :nuke_certs do
     setup_ci if ENV['CI']

fastlane/testflight.md

@@ -1,18 +1,27 @@
-# Using Github Actions + FastLane to deploy to TestFlight
+# Using Github Actions + FastLane to deploy to TestFlight: the "Browser Build" method
 
 These instructions allow you to build FreeAPS X without having access to a Mac. They also allow you to easily install FreeAPS X on phones that are not connected to your computer. So you can send builds and updates to those you care for easily, or have an easy to access backup if you run FreeAPS X for yourself. You do not need to worry about correct Xcode/Mac versions either. An app built using this method can easily be deployed to newer versions of iOS, as soon as they are available.
 
-The setup steps are somewhat involved, but nearly all are one time steps. Subsequent builds are trivial.  Note that TestFlight requires apple id accounts 13 years or older. Your app must be updated once every 90 days, but it's a simple click to make a new build and can be done from anywhere.
+The setup steps are somewhat involved, but nearly all are one time steps. Subsequent builds are trivial. Your app must be updated once every 90 days, but it's a simple click to make a new build and can be done from anywhere.
+
+Note that TestFlight requires apple id accounts 13 years or older. This can be circumvented by logging into Media & Purchase on the child's phone with an adult's account. More details on this can be found in [LoopDocs](https://loopkit.github.io/loopdocs/gh-actions/gh-deploy/#install-testflight-loop-for-child).
+
+This method for building without a Mac was ported from Loop. If you have used this method for Loop or one of the other DIY apps (Loop, Loop Caregiver, Loop Follow, Xdrip4iOS), some of the steps can be re-used and the full set of instructions does not need to be repeated. This will be mentioned in relevant sections below.
+
+There are more detailed instructions in LoopDocs for doing Browser Builds of Loop and other apps, including troubleshooting and build errors. Please refer to [LoopDocs](https://loopkit.github.io/loopdocs/gh-actions/gh-other-apps/) for more details.
 
 ## Prerequisites
 
 * A [github account](https://github.com/signup). The free level comes with plenty of storage and free compute time to build FreeAPS X, multiple times a day, if you wanted to.
 * A paid [Apple Developer account](https://developer.apple.com). You may be able to use the free version, but that has not been tested.
-* Some time. Set aside a couple of hours to perform the setup.
+* Some time. Set aside a couple of hours to perform the setup. 
+* Use the same GitHub account for all "Browser Builds" of the various DIY apps.
 
 
 ## Generate App Store Connect API Key
 
+This step is common for all "Browser Builds", and should be done ony once. Please save the API key somewhere safe, so it can be re-used for other builds, or if needing to start from scratch.
+
 1. Sign in to the [Apple developer portal page](https://developer.apple.com/account/resources/certificates/list).
 1. Copy the team id from the upper right of the screen. Record this as your `TEAMID`.
 1. Go to the [App Store Connect](https://appstoreconnect.apple.com/access/api) interface, click the "Keys" tab, and create a new key with "Admin" access. Give it a name like "FastLane API Key".
@@ -20,9 +29,15 @@ The setup steps are somewhat involved, but nearly all are one time steps. Subseq
 1. Record the issuer id; this will be used for `FASTLANE_ISSUER_ID`.
 1. Download the API key itself, and open it in a text editor. The contents of this file will be used for `FASTLANE_KEY`. Copy the full text, including the "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" lines.
 
-## Setup Github
+## Setup Github Match-Secrets repository
+
+This is also a common step for all "browser builds", do this step only once
 1. Create a [new empty repository](https://github.com/new) titled `Match-Secrets`. It should be private.
+
+## Setup Github FreeAPS X repository
 1. Fork https://github.com/Jon-b-m/freeaps into your account. If you already have a fork of FreeAPS X in GitHub, you can't make another one. You can continue to work with your existing fork, or delete that from GitHub and then and fork https://github.com/Jon-b-m/freeaps.
+
+If you have previously built Loop or another app using the "browser build" method, you can can re-use your previous personal access token (`GH_PAT`) and skip ahead to `step 2`.
 1. Create a [new personal access token](https://github.com/settings/tokens/new):
     * Enter a name for your token. Something like "FastLane Access Token".
     * 30 days is fine, or you can select longer if you'd like.
@@ -38,10 +53,18 @@ The setup steps are somewhat involved, but nearly all are one time steps. Subseq
     * `GH_PAT`
     * `MATCH_PASSWORD` - just make up a password for this
 
+## Validate repository secrets
+
+1. Click on the "Actions" tab of your FreeAPS X repository.
+1. Select "1. Validate Secrets".
+1. Click "Run Workflow", and tap the green button.
+1. Wait, and within a minute or two you should see a green checkmark indicating the workflow succeeded.
+1. The workflow will check if the required secrets are added and that they are correctly formatted. If errors are detected, please check the run log for details. 
+
 ## Add Identifiers for FreeAPS X App
 
 1. Click on the "Actions" tab of your FreeAPS X repository.
-1. Select "Add Identifiers".
+1. Select "2. Add Identifiers".
 1. Click "Run Workflow", and tap the green button.
 1. Wait, and within a minute or two you should see a green checkmark indicating the workflow succeeded.
 
@@ -96,17 +119,17 @@ You do not need to fill out the next form. That is for submitting to the app sto
 ## Create Building Certficates
 
 1. Go back to the "Actions" tab of your FreeAPS X repository in github.
-1. Select "Create Certificates".
+1. Select "3. Create Certificates".
 1. Click "Run Workflow", and tap the green button.
 1. Wait, and within a minute or two you should see a green checkmark indicating the workflow succeeded.
 
 ## Build FreeAPS X!
 
 1. Click on the "Actions" tab of your FreeAPS X repository.
-1. Select "Build FAX". _Are you working on a previuos fork of FreeAPS X and not seeing any GitHub workflows in the Actions tab? You may have to change the default branch so that it contains the .github/workflows files, or merge these changes into your default branch (typically `master`)._
+1. Select "4. Build FAX". _Are you working on a previuos fork of FreeAPS X and not seeing any GitHub workflows in the Actions tab? You may have to change the default branch so that it contains the .github/workflows files, or merge these changes into your default branch (typically `master`)._
 1. Click "Run Workflow", select your branch, and tap the green button.
 1. You have some time now. Go enjoy a coffee. The build should take about 15 minutes.
 1. Your app should eventually appear on [App Store Connect](https://appstoreconnect.apple.com/apps).
 1. For each phone/person you would like to support FreeAPS X on:
     * Add them in [Users and Access](https://appstoreconnect.apple.com/access/users) on App Store Connect.
-    * Add them to your TestFlight Internal Testing group.
+    * Add them to your TestFlight Internal Testing group.