Trio/.github/workflows/create_certs.yml

name: 3. Create Certificates
run-name: Create Certificates (${{ github.ref_name }})

on: [workflow_call, workflow_dispatch]

env:
  TEAMID: ${{ secrets.TEAMID }}
  GH_PAT: ${{ secrets.GH_PAT }}
  GH_TOKEN: ${{ secrets.GH_PAT }}
  MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
  FASTLANE_KEY_ID: ${{ secrets.FASTLANE_KEY_ID }}
  FASTLANE_ISSUER_ID: ${{ secrets.FASTLANE_ISSUER_ID }}
  FASTLANE_KEY: ${{ secrets.FASTLANE_KEY }}

jobs:
  validate:
    name: Validate
    uses: ./.github/workflows/validate_secrets.yml
    secrets: inherit

  create_certs:
    name: Certificates
    needs: validate
    runs-on: macos-14
    outputs:
      new_certificate_needed: ${{ steps.set_output.outputs.new_certificate_needed }}

    steps:
      # Uncomment to manually select latest Xcode if needed
      #- name: Select Latest Xcode
      #  run: "sudo xcode-select --switch /Applications/Xcode_13.0.app/Contents/Developer"
      
      # Checks-out the repo
      - name: Checkout Repo
        uses: actions/checkout@v4
      
      # Patch Fastlane Match to not print tables
      - name: Patch Match Tables
        run: |
          TABLE_PRINTER_PATH=$(ruby -e 'puts Gem::Specification.find_by_name("fastlane").gem_dir')/match/lib/match/table_printer.rb
          if [ -f "$TABLE_PRINTER_PATH" ]; then
            sed -i "" "/puts(Terminal::Table.new(params))/d" "$TABLE_PRINTER_PATH"
          else
            echo "table_printer.rb not found"
            exit 1
          fi

      # Install project dependencies
      - name: Install Project Dependencies
        run: bundle install

      # Create or update Distribution certificate and provisioning profiles
      - name: Check and create or update Distribution certificate and profiles if needed
        run: |
          echo "Running Fastlane certs lane..."
          bundle exec fastlane certs || true # ignore and continue on errors without annotating an exit code

      - name: Check Distribution certificate and launch Nuke certificates if needed
        run: bundle exec fastlane check_and_renew_certificates
        id: check_certs

      - name: Set output and annotations based on Fastlane result
        id: set_output
        run: |
          CERT_STATUS_FILE="${{ github.workspace }}/fastlane/new_certificate_needed.txt"
          ENABLE_NUKE_CERTS=${{ vars.ENABLE_NUKE_CERTS }}
          
          if [ -f "$CERT_STATUS_FILE" ]; then
            CERT_STATUS=$(cat "$CERT_STATUS_FILE" | tr -d '\n' | tr -d '\r') # Read file content and strip newlines
            echo "new_certificate_needed: $CERT_STATUS"
            echo "new_certificate_needed=$CERT_STATUS" >> $GITHUB_OUTPUT
          else
            echo "Certificate status file not found. Defaulting to false."
            echo "new_certificate_needed=false" >> $GITHUB_OUTPUT
          fi

          # Check if ENABLE_NUKE_CERTS is not set to true when certs are valid
          if [ "$CERT_STATUS" != "true" ] && [ "$ENABLE_NUKE_CERTS" != "true" ]; then
            echo "::notice::🔔 Automated renewal of certificates is disabled because the repository variable ENABLE_NUKE_CERTS is not set to 'true'."
          fi

          # Check if ENABLE_NUKE_CERTS is not set to true when certs are not valid
          if [ "$CERT_STATUS" = "true" ] && [ "$ENABLE_NUKE_CERTS" != "true" ]; then
            echo "::error::❌ No valid distribution certificate found. Automated renewal of certificates was skipped because the repository variable ENABLE_NUKE_CERTS is not set to 'true'."
            exit 1
          fi

          # Check if vars.FORCE_NUKE_CERTS is not set to true
          if [ vars.FORCE_NUKE_CERTS = "true" ]; then
            echo "::warning::‼️ Nuking of certificates was forced because the repository variable FORCE_NUKE_CERTS is set to 'true'."
          fi

  # Nuke Certs if needed, and if the repository variable ENABLE_NUKE_CERTS is set to 'true', or if FORCE_NUKE_CERTS is set to 'true', which will always force certs to be nuked
  nuke_certs:
      name: Nuke certificates
      needs: [validate, create_certs]
      runs-on: macos-14
      if: ${{ (needs.create_certs.outputs.new_certificate_needed == 'true' && vars.ENABLE_NUKE_CERTS == 'true') || vars.FORCE_NUKE_CERTS == 'true' }}
      steps:
        - name: Output from step id 'check_certs'
          run: echo "new_certificate_needed=${{ needs.create_certs.outputs.new_certificate_needed }}"

        - name: Checkout repository
          uses: actions/checkout@v4

        - name: Install dependencies
          run: bundle install

        - name: Run Fastlane nuke_certs
          run: |
            set -e # Set error immediately after this step if error occurs
            bundle exec fastlane nuke_certs

        - name: Recreate Distribution certificate after nuking
          run: |
            set -e # Set error immediately after this step if error occurs
            bundle exec fastlane certs

        - name: Add success annotations for nuke and certificate recreation
          if: ${{ success() }}
          run: |
            echo "::warning::⚠️ All Distribution certificates and TestFlight profiles have been revoked and recreated."
            echo "::warning::❗️ If you have other apps being distributed by GitHub Actions / Fastlane / TestFlight that does not renew certificates automatically, please run the '3. Create Certificates' workflow for each of these apps to allow these apps to be built."
            echo "::warning::✅ But don't worry about your existing TestFlight builds, they will keep working!"