These setup instructions should only need to be done 1 time for this project to work. These docs exist as a reference in case there is something wrong with the CI server.
These instructions will allow GitHub Actions for this repository (apple-code-signing) to have read and write access to the Google Cloud Storage Bucket that stores all iOS code signing files for all iOS apps. This GitHub repository's GitHub Actions should be the only GitHub repository with write access to the Google Cloud Storage bucket. All other GitHub repositories (such as iOS SDK, React Native SDK, etc) will only have read-only access. View create read-only access section for how to set that up.
-
First, let's find the Google Cloud Project (GCP) that is used for the iOS apps in the company. Go to the Firebase Console > Select the Firebase project that the company uses to store the iOS sample apps. Next, navigate to the Firebase project settings > Service accounts page. Click the button for "All service accounts" and it should navigate you away from Firebase and to the website
https://console.cloud.google.com. When this webpage opens, you will notice aproject=Xvalue in the URL in your browser. ThatXis the project id for your GCP. Make sure that for all of the following instructions, you perform all steps for this GCP project ID and not another project. -
Create a Google Cloud Storage Bucket if it doesn't exist already. A bucket name such as
ios_code_signing_filesis recommended. -
Create a new Google Cloud Service Account if it doesn't exist already. A name
fastlane-matchis recommended. -
After you create the service account, copy the email address for the service account (probably looks like
[email protected]). You will need to use it in steps below. -
For the Service Account, select the "Keys" tab > Add key > Create new key > JSON > Create. This will download a
.jsonfile to your computer. Do not send this file to anyone, upload to cloud storage, upload to 1Password, or keep it on your computer. You will save the value in a future step and then you will delete all copies of this file. -
Open the GCP Storage Bucket created > Permissions tab. Select Grant Access > put the Service Account email address in "New principals" > Assign roles add Storage Bucket Owner and Storage Object Owner > Save.
This gives the Service Account read and write access to the Storage Bucket.
- Remember that
.jsonfile that got saved to your computer in a previous step? Let's say that you saved this.jsonfile to/tmp/service-account-file.jsonon your computer. You will use this file in the next steps.
Create a secret for GitHub Actions in this GitHub repository. The apple-code-signing GitHub project is the only project with write access to the GCP Storage Bucket and therefore, only set the GitHub Actions secret for this apple-code-signing GitHub repository.
The key for the secret is GOOGLE_CLOUD_MATCH_WRITE_SERVICE_ACCOUNT_B64.
Get the value for the secret from running this command: cat /tmp/service-account-file.json | base64
- Done! All of the files in this project will use the secret you just saved in order to have write access to the GCP Storage Bucket. Remember to now delete the file
/tmp/service-account-file.jsonfrom your computer and make sure it's not saved anywhere else such as cloud hosting or 1Password. If anyone in the future needs the contents of this file, they will be instructed to instead generate a new Service Account key file and upload the new value to GitHub Actions secrets.
The GitHub repository for this project (apple-code-signing) is the only GitHub repository that has write access to iOS code signing files. What about all of the other GitHub repositories in the company such as the iOS SDK or React Native SDK? Those GitHub repositories need to compile iOS apps and sign those apps. This section talks about how to setup all iOS GitHub repositories in the company to be able to build and sign iOS apps.
The instructions in this setting are almost identical to the section that sets up write access in a GitHub repository. Therefore, you are encourage to follow all of those steps in that section with the following modifications to the matching step:
-
Create a Service Account if it does not exist already with the recommended name
fastlane-match-readonly. -
Grant Access to the GCP Storage Bucket for the
fastlane-match-readonlyService Account you created. Assign the roles Storage Bucket Reader and Storage Object Reader. This is important - make sure the roles are Reader and not Owner. -
You will create a GitHub Actions secret but the secret key is
GOOGLE_CLOUD_MATCH_READONLY_SERVICE_ACCOUNT_B64.
It's recommended that you go ahead and enter this secret value in all GitHub repositories that might build an iOS app in the future. This is because you will be deleting the Service Account .json file, you might as well save this value to all GitHub repositories before you delete the file from your computer.
These instructions will allow GitHub Actions for this repository (apple-code-signing) to have write access to the company Apple Developer account to be able to create and delete iOS code signing files. This repository will use the App Store Connect API to communicate with Apple to perform these actions.
- Follow these docs for instructions on how to create this API key. For permissions, use App Manager.
When you create these new credentials, the Apple website will prompt you to save a .p8 file to your computer. Do not send this file to anyone, upload to cloud storage, upload to 1Password, or keep it on your computer. You will save the value in a future step and then you will delete all copies of this file.
Also on this screen, notice that there is a App id and Issuer id. You will reference both of these files in future steps.
- On your computer, you will be creating a
.jsonfile that looks similar to this:
{
"key_id": "D383SF739",
"issuer_id": "6053b7fe-68a8-4acb-89be-165aa6465141",
"key": "MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHknlhdlYdLu",
"in_house": false
}Using your favorite text editor on your computer, create a new file and save the blank file on your computer. Let's say that you saved this .json file to /tmp/apple_api_credentials.json on your computer. In your text editor, copy and paste the above .json sample.
Time to modify each of the values in this .json file.
in_houseistrueif you have an Enterprise Apple Developer Account. Otherwise, set tofalse.key_idandissuer_idare the values that you found when you created the API key on the Apple Developer account website.- For
key, you need the.p8file downloaded to your computer that Apple gave you when you created the API key. Runcat /tmp/apple_api_credentials.p8 | base64to get a base64 encoded string of the.p8file contents. This string that gets printed in your terminal is the value ofkeyin the.jsonfile.
- Now that you have populated all of the fields of the
.jsonfile, there is one last step.
Create a secret for GitHub Actions in this GitHub repository. The apple-code-signing GitHub project is the only project with write access to the Apple Developer account and therefore, only set the GitHub Actions secret for this apple-code-signing GitHub repository.
The key for the secret is APP_STORE_CONNECT_API_KEY_CONTENT_B64.
Get the value for the secret from running this command: cat /tmp/apple_api_credentials.json | base64
- Done! All of the files in this project will use the secret you just saved in order to have write access to the Apple Developer account. Remember to now delete the file
/tmp/apple_api_credentials.jsonfrom your computer and make sure it's not saved anywhere else such as cloud hosting or 1Password. If anyone in the future needs the contents of this file, they will be instructed to instead generate a new API key file and upload the new value to GitHub Actions secrets.
Create a secret for GitHub Actions in the GitHub repository.
The key for the secret is SLACK_NOTIFY_WEBHOOK_URL.
Get the value from 1Password "Mobile squad Slack incoming webhook URL".