super-productivity/.github/workflows/build-ios.yml
dependabot[bot] 1b8616ca89
chore(deps)(deps): bump the github-actions-minor group across 1 directory with 8 updates (#7289)
Bumps the github-actions-minor group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.17.0` | `2.19.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | `6.3.0` | `6.4.0` |
| [actions/cache](https://github.com/actions/cache) | `5.0.4` | `5.0.5` |
| [KSXGitHub/github-actions-deploy-aur](https://github.com/ksxgithub/github-actions-deploy-aur) | `4.1.2` | `4.1.3` |
| [signpath/github-action-submit-signing-request](https://github.com/signpath/github-action-submit-signing-request) | `2.1` | `2.2` |
| [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) | `1.0.93` | `1.0.101` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.35.2` |
| [cloudflare/wrangler-action](https://github.com/cloudflare/wrangler-action) | `3.14.1` | `3.15.0` |



Updates `step-security/harden-runner` from 2.17.0 to 2.19.0
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](f808768d15...8d3c67de8e)

Updates `actions/setup-node` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](53b83947a5...48b55a011b)

Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](668228422a...27d5ce7f10)

Updates `KSXGitHub/github-actions-deploy-aur` from 4.1.2 to 4.1.3
- [Release notes](https://github.com/ksxgithub/github-actions-deploy-aur/releases)
- [Commits](abe8ac26b5...da03e16036)

Updates `signpath/github-action-submit-signing-request` from 2.1 to 2.2
- [Release notes](https://github.com/signpath/github-action-submit-signing-request/releases)
- [Commits](bc66d86b01...b9d91eadd3)

Updates `anthropics/claude-code-action` from 1.0.93 to 1.0.101
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](b47fd721da...38ec876110)

Updates `github/codeql-action` from 4.35.1 to 4.35.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c10b8064de...95e58e9a2c)

Updates `cloudflare/wrangler-action` from 3.14.1 to 3.15.0
- [Release notes](https://github.com/cloudflare/wrangler-action/releases)
- [Changelog](https://github.com/cloudflare/wrangler-action/blob/main/CHANGELOG.md)
- [Commits](da0e0dfe58...9acf94ace1)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-minor
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-minor
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-minor
- dependency-name: KSXGitHub/github-actions-deploy-aur
  dependency-version: 4.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-minor
- dependency-name: signpath/github-action-submit-signing-request
  dependency-version: '2.2'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-minor
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.101
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-minor
- dependency-name: github/codeql-action
  dependency-version: 4.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-minor
- dependency-name: cloudflare/wrangler-action
  dependency-version: 3.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-20 13:41:16 +02:00

226 lines
9.2 KiB
YAML

name: iOS App Store Release on Release
on:
push:
tags:
- v*
workflow_dispatch:
inputs: {}
jobs:
ios-app-store-release:
runs-on: macos-15
env:
UNSPLASH_KEY: ${{ secrets.UNSPLASH_KEY }}
UNSPLASH_CLIENT_ID: ${{ secrets.UNSPLASH_CLIENT_ID }}
steps:
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: 22
- name: Check out Git repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Verify Xcode and SDK version
run: |
echo "=== Xcode Version ==="
xcodebuild -version
echo ""
echo "=== SDK Information ==="
xcrun --show-sdk-version
xcodebuild -showsdks | grep -E "(iOS|iphoneos)"
# work around for npm installs from git+https://github.com/johannesjo/J2M.git
- name: Reconfigure git to use HTTP authentication
run: >
git config --global url."https://github.com/".insteadOf
ssh://git@github.com/
- name: Install Apple WWDR intermediate certificate
run: |
curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer -o /tmp/AppleWWDRCAG4.cer
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/AppleWWDRCAG4.cer
- name: Configure signing keychain
env:
# Reuse mac_certs - "Apple Distribution" certificate works for both macOS and iOS
MAC_CERTS: ${{ secrets.mac_certs }}
MAC_CERTS_PASSWORD: ${{ secrets.mac_certs_password }}
run: |
CERT_PATH="$RUNNER_TEMP/dist-cert.p12"
KEYCHAIN_NAME="build.keychain"
KEYCHAIN_PATH="$HOME/Library/Keychains/${KEYCHAIN_NAME}-db"
echo "$MAC_CERTS" | base64 --decode > "$CERT_PATH"
echo "=== DIAGNOSTIC: Decoded .p12 SHA256 ==="
shasum -a 256 "$CERT_PATH"
echo "========================================"
security create-keychain -p "" "$KEYCHAIN_NAME"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "" "$KEYCHAIN_PATH"
curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer -o "$RUNNER_TEMP/AppleWWDRCAG4.cer"
security import "$RUNNER_TEMP/AppleWWDRCAG4.cer" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$MAC_CERTS_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
security list-keychains -s "$KEYCHAIN_PATH" "$HOME/Library/Keychains/login.keychain-db"
security default-keychain -s "$KEYCHAIN_PATH"
security set-key-partition-list -S apple-tool:,apple: -k "" "$KEYCHAIN_PATH"
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
- name: List available signing identities
run: security find-identity -v -p codesigning
- name: Install provisioning profile
env:
IOS_PROVISION_PROFILE: ${{ secrets.IOS_PROVISION_PROFILE }}
run: |
PROFILE_PATH="$RUNNER_TEMP/ios-provisioning.mobileprovision"
echo "$IOS_PROVISION_PROFILE" | base64 --decode > "$PROFILE_PATH"
# Get the UUID from the provisioning profile
PROFILE_UUID=$(/usr/libexec/PlistBuddy -c "Print UUID" /dev/stdin <<< $(security cms -D -i "$PROFILE_PATH"))
echo "Profile UUID: $PROFILE_UUID"
# Create the provisioning profiles directory if it doesn't exist
mkdir -p "$HOME/Library/MobileDevice/Provisioning Profiles"
# Copy the profile with its UUID as the filename
cp "$PROFILE_PATH" "$HOME/Library/MobileDevice/Provisioning Profiles/${PROFILE_UUID}.mobileprovision"
echo "PROVISIONING_PROFILE_UUID=$PROFILE_UUID" >> "$GITHUB_ENV"
- name: Verify provisioning profile
run: |
security cms -D -i "$HOME/Library/MobileDevice/Provisioning Profiles/${PROVISIONING_PROFILE_UUID}.mobileprovision" > /tmp/profile.plist
echo "=== PROVISIONING PROFILE INFO ==="
echo "Name: $(/usr/libexec/PlistBuddy -c "Print Name" /tmp/profile.plist)"
echo "Team: $(/usr/libexec/PlistBuddy -c "Print TeamIdentifier:0" /tmp/profile.plist)"
PROFILE_APP_ID=$(/usr/libexec/PlistBuddy -c "Print Entitlements:application-identifier" /tmp/profile.plist | sed 's/^[A-Z0-9]*\.//')
echo "App ID: $PROFILE_APP_ID"
echo "=================================="
# Verify bundle ID matches
EXPECTED_BUNDLE_ID="com.super-productivity.app"
if [ "$PROFILE_APP_ID" != "$EXPECTED_BUNDLE_ID" ]; then
echo "ERROR: Provisioning profile app ID ($PROFILE_APP_ID) does not match expected bundle ID ($EXPECTED_BUNDLE_ID)"
echo "Please create a new provisioning profile with the correct bundle ID"
exit 1
fi
echo "Bundle ID verification passed!"
- name: Get npm cache directory
id: npm-cache-dir
run: |
echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
id: npm-cache
with:
path: ${{ steps.npm-cache-dir.outputs.dir }}
key: ${{ runner.os }}-node22-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node22-
- name: Install npm Packages
run: npm i
- name: Generate environment
run: npm run env
- name: Set iOS version from package.json
run: |
FULL_VERSION=$(node -p "require('./package.json').version")
# Strip pre-release suffix (e.g., "17.0.0-RC.3" -> "17.0.0")
# App Store requires X.Y.Z format; build number differentiates uploads
VERSION=$(echo "$FULL_VERSION" | sed 's/-.*//')
BUILD_NUMBER=$(date +%Y%m%d%H%M)
echo "Setting iOS version to $VERSION (build $BUILD_NUMBER) [from $FULL_VERSION]"
cd ios/App
if ! xcrun agvtool new-marketing-version "$VERSION"; then
echo "Error: Failed to set marketing version to $VERSION"
exit 1
fi
if ! xcrun agvtool new-version -all "$BUILD_NUMBER"; then
echo "Error: Failed to set build number to $BUILD_NUMBER"
exit 1
fi
- name: Build Angular frontend
run: npm run buildFrontend:prodWeb
- name: Sync Capacitor iOS
run: npm run sync:ios
- name: Install CocoaPods
run: |
cd ios/App
pod install
- name: Archive iOS app
run: |
cd ios/App
# Archive without code signing - signing is handled during export
# This avoids conflicts with CocoaPods frameworks
xcodebuild archive \
-workspace App.xcworkspace \
-scheme App \
-configuration Release \
-archivePath "$RUNNER_TEMP/App.xcarchive" \
-destination 'generic/platform=iOS' \
CODE_SIGNING_REQUIRED=NO \
CODE_SIGNING_ALLOWED=NO
- name: Create ExportOptions.plist
run: |
cat > "$RUNNER_TEMP/ExportOptions.plist" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>method</key>
<string>app-store-connect</string>
<key>teamID</key>
<string>${{ secrets.APPLE_TEAM_ID }}</string>
<key>uploadSymbols</key>
<true/>
<key>signingStyle</key>
<string>manual</string>
<key>provisioningProfiles</key>
<dict>
<key>com.super-productivity.app</key>
<string>${{ env.PROVISIONING_PROFILE_UUID }}</string>
</dict>
</dict>
</plist>
EOF
- name: Export IPA
run: |
xcodebuild -exportArchive \
-archivePath "$RUNNER_TEMP/App.xcarchive" \
-exportPath "$RUNNER_TEMP/ipa-output" \
-exportOptionsPlist "$RUNNER_TEMP/ExportOptions.plist"
- name: List exported files
run: ls -la "$RUNNER_TEMP/ipa-output"
- name: Upload IPA artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: sup-ios-release
path: ${{ runner.temp }}/ipa-output/*.ipa
- name: Validate App
run: |
xcrun altool --type ios --validate-app \
-f "$RUNNER_TEMP/ipa-output/"*.ipa \
-u "${{ secrets.APPLE_ID }}" \
-p "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}"
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
- name: Upload to App Store Connect
run: |
xcrun altool --type ios --upload-app \
-f "$RUNNER_TEMP/ipa-output/"*.ipa \
-u "${{ secrets.APPLE_ID }}" \
-p "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}"
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}