|
| 1 | +name: 'Configure Keystore' |
| 2 | +description: 'Assume an AWS role and fetch a secret into environment variables' |
| 3 | + |
| 4 | +inputs: |
| 5 | + aws-role-to-assume: |
| 6 | + description: 'The AWS IAM role to assume' |
| 7 | + required: true |
| 8 | + aws-region: |
| 9 | + description: 'The AWS region where the secret is stored' |
| 10 | + required: true |
| 11 | + platform: |
| 12 | + description: 'The platform for which the keystore is being configured (e.g., ios, android)' |
| 13 | + required: true |
| 14 | + target: |
| 15 | + description: 'The target for which the keystore is being configured (e.g., qa, flask, main)' |
| 16 | + required: true |
| 17 | + |
| 18 | +runs: |
| 19 | + using: 'composite' |
| 20 | + steps: |
| 21 | + - name: Determine signing secret name |
| 22 | + shell: bash |
| 23 | + run: | |
| 24 | + case "${{ inputs.target }}" in |
| 25 | + qa) |
| 26 | + SECRET_NAME="metamask-mobile-qa-signing-certificates" |
| 27 | + ;; |
| 28 | + flask) |
| 29 | + SECRET_NAME="metamask-mobile-flask-signing-certificates" |
| 30 | + ;; |
| 31 | + main) |
| 32 | + SECRET_NAME="metamask-mobile-main-signing-certificates" |
| 33 | + ;; |
| 34 | + *) |
| 35 | + echo "❌ Unknown target: ${{ inputs.target }}" |
| 36 | + exit 1 |
| 37 | + ;; |
| 38 | + esac |
| 39 | + echo "AWS_SIGNING_CERT_SECRET_NAME=$SECRET_NAME" >> "$GITHUB_ENV" |
| 40 | +
|
| 41 | + - name: Configure AWS credentials |
| 42 | + uses: aws-actions/configure-aws-credentials@v4 |
| 43 | + with: |
| 44 | + role-to-assume: ${{ inputs.aws-role-to-assume }} |
| 45 | + aws-region: ${{ inputs.aws-region }} |
| 46 | + |
| 47 | + - name: Fetch secret and export as environment variables |
| 48 | + shell: bash |
| 49 | + run: | |
| 50 | + echo "🔐 Fetching secret from Secrets Manager..." |
| 51 | + secret_json=$(aws secretsmanager get-secret-value \ |
| 52 | + --region "${{ inputs.aws-region }}" \ |
| 53 | + --secret-id "${AWS_SIGNING_CERT_SECRET_NAME}" \ |
| 54 | + --query SecretString \ |
| 55 | + --output text) |
| 56 | +
|
| 57 | + keys=$(echo "$secret_json" | jq -r 'keys[]') |
| 58 | + for key in $keys; do |
| 59 | + value=$(echo "$secret_json" | jq -r --arg k "$key" '.[$k]') |
| 60 | + echo "::add-mask::$value" |
| 61 | + echo "$key=$(printf '%s' "$value")" >> "$GITHUB_ENV" |
| 62 | + echo "✅ Set secret for key: $key" |
| 63 | + done |
| 64 | +
|
| 65 | + - name: Configure Android Signing Certificates |
| 66 | + if: inputs.platform == 'android' |
| 67 | + shell: bash |
| 68 | + run: | |
| 69 | + echo "📦 Configuring Android keystore..." |
| 70 | + if [[ -z "$ANDROID_KEYSTORE" ]]; then |
| 71 | + echo "⚠️ ANDROID_KEYSTORE is not set. Skipping keystore decoding." |
| 72 | + exit 1 |
| 73 | + fi |
| 74 | +
|
| 75 | + # Use provided path if set, fallback to default |
| 76 | + KEYSTORE_PATH="${ANDROID_KEYSTORE_PATH:-/tmp/android.keystore}" |
| 77 | + echo "$ANDROID_KEYSTORE" | base64 --decode > "$KEYSTORE_PATH" |
| 78 | + echo "✅ Android keystore written to $KEYSTORE_PATH" |
| 79 | +
|
| 80 | + - name: Configure iOS Signing Certificates |
| 81 | + if: inputs.platform == 'ios' |
| 82 | + shell: bash |
| 83 | + run: | |
| 84 | + echo "📦 Configuring iOS code signing..." |
| 85 | +
|
| 86 | + # Create paths |
| 87 | + CERT_PATH="$RUNNER_TEMP/build_certificate.p12" |
| 88 | + PROFILE_PATH="$RUNNER_TEMP/build_pp.mobileprovision" |
| 89 | + KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db" |
| 90 | + CERT_PW="${IOS_SIGNING_KEYSTORE_PASSWORD}" |
| 91 | +
|
| 92 | + # Decode base64 files |
| 93 | + echo "$IOS_SIGNING_KEYSTORE" | base64 --decode > "$CERT_PATH" |
| 94 | + echo "$IOS_SIGNING_PROFILE" | base64 --decode > "$PROFILE_PATH" |
| 95 | + echo "✅ Decoded .p12 and provisioning profile" |
| 96 | +
|
| 97 | + # Create and unlock keychain |
| 98 | + security create-keychain -p "$CERT_PW" "$KEYCHAIN_PATH" |
| 99 | + security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" |
| 100 | + security unlock-keychain -p "$CERT_PW" "$KEYCHAIN_PATH" |
| 101 | +
|
| 102 | + # Import cert |
| 103 | + echo "🔐 Importing certificate..." |
| 104 | + if ! security import "$CERT_PATH" -P "$CERT_PW" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"; then |
| 105 | + echo "❌ Failed to import certificate. Check if the password is correct or the .p12 is valid." |
| 106 | + exit 1 |
| 107 | + fi |
| 108 | + echo "✅ Certificate imported" |
| 109 | +
|
| 110 | + # Set key partition list |
| 111 | + echo "🔑 Setting key partition list..." |
| 112 | + if ! security set-key-partition-list -S apple-tool:,apple: -k "$CERT_PW" "$KEYCHAIN_PATH" 2>/dev/null; then |
| 113 | + echo "❌ Failed to set key partition list. Codesigning tools may not have access." |
| 114 | + exit 1 |
| 115 | + fi |
| 116 | + echo "✅ Key partition list set" |
| 117 | +
|
| 118 | +
|
| 119 | + # Verify signing identities |
| 120 | + echo "🔍 Verifying code signing identities in keychain..." |
| 121 | + IDENTITIES=$(security find-identity -p codesigning "$KEYCHAIN_PATH") |
| 122 | +
|
| 123 | + if ! echo "$IDENTITIES" | grep -q "Valid identities"; then |
| 124 | + echo "❌ No valid code signing identities found in keychain." |
| 125 | + echo "$IDENTITIES" |
| 126 | + exit 1 |
| 127 | + fi |
| 128 | +
|
| 129 | + # Extract and print alias (first CN string) |
| 130 | + CERT_ALIAS=$(echo "$IDENTITIES" | awk -F '"' '/"Apple/ {print $2; exit}') |
| 131 | + if [[ -n "$CERT_ALIAS" ]]; then |
| 132 | + echo "✅ Code signing identity available: $CERT_ALIAS" |
| 133 | + else |
| 134 | + echo "✅ Code signing identity is available (alias not parsed)" |
| 135 | + fi |
| 136 | +
|
| 137 | + # Install provisioning profile |
| 138 | + mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles |
| 139 | + cp "$PROFILE_PATH" ~/Library/MobileDevice/Provisioning\ Profiles/ |
| 140 | + echo "✅ Installed provisioning profile" |
| 141 | +
|
| 142 | + echo "Configuring default keychain" |
| 143 | + security default-keychain -s "$KEYCHAIN_PATH" |
| 144 | + echo "✅ default keychain set" |
0 commit comments