build: migrate release.yml to ushr + fastlane match #11
paddo wants to merge 1 commit into
Replaces the persistent self-hosted runner with ushr's ephemeral macOS
VMs (runs-on: [self-hosted, macOS, ARM64]). The Developer ID Application
certificate is no longer pre-installed on the runner — instead it lives
encrypted in paddo-tech/fastlane-match and is installed into a fresh
temporary keychain per build.
Adds:
- Gemfile pulling in fastlane
- fastlane/Appfile (apple_id + team_id from env)
- fastlane/Fastfile with two lanes:
    sync_developer_id - create temp keychain, fetch cert via match
    cleanup_keychain - delete the temp keychain
Pattern mirrors trivialis but scoped to a single Developer ID cert.
Workflow changes:
- bundle install + sync_developer_id steps before existing build/sign/notarize
- MATCH_GIT_URL overridden inline to use HTTPS+token form. Org-level
MATCH_GIT_URL is SSH (works on home-server which has the key); ushr
ephemeral VMs don't, so we need a token-bearing URL. Requires a new
repo or org secret FASTLANE_MATCH_TOKEN (PAT with Contents:Read on
paddo-tech/fastlane-match).
- Always-run cleanup step destroys the temp keychain + API key file.
Prerequisites before this can run successfully:
1. fastlane match developer_id has been run once locally to populate
certs/developer_id/ in the match repo (Apple will create a new
Developer ID cert if the existing one's private key isn't available).
2. FASTLANE_MATCH_TOKEN secret is set on tether-cli (or paddo-tech org).
The other org-level secrets (APPLE_ID, APPLE_TEAM_ID, APPLE_APP_PASSWORD,
APP_STORE_CONNECT_API_KEY_CONTENT, MATCH_PASSWORD, KEYCHAIN_PASSWORD)
are already present and inherited from paddo-tech.
Why
Migrates the release pipeline off the legacy persistent self-hosted runner (which had the Developer ID cert pre-installed in its login keychain) onto ushr's ephemeral macOS VMs.

What
- Gemfile, fastlane/Appfile, fastlane/Fastfile with sync_developer_id and cleanup_keychain lanes
- release.yml switches to runs-on: [self-hosted, macOS, ARM64], adds bundle-install + match steps before the existing codesign/notarize/release/Homebrew flow, always cleans up afterwards
- MATCH_GIT_URL is overridden inline to an HTTPS+token URL because the org-level value is SSH (works on home-server, doesn't work on a fresh ephemeral VM with no SSH key)

Required before this can run
1. fastlane match developer_id has been run once locally so the cert lands in paddo-tech/fastlane-match/certs/developer_id/. Apple may issue a new Developer ID cert if the existing private key isn't on the local Mac — old binaries shipped with the previous cert remain valid until expiry.
2. FASTLANE_MATCH_TOKEN secret is set on tether-cli or paddo-tech org (a PAT with Contents:Read on paddo-tech/fastlane-match).

Test plan
- fastlane match developer_id locally to populate the match repo
- FASTLANE_MATCH_TOKEN secret
- workflow_dispatch with dry_run: true — verifies cert install + build + sign + notarize without creating a release

Already in place
Org-level secrets already inherited: APPLE_ID, APPLE_TEAM_ID, APPLE_APP_PASSWORD, APP_STORE_CONNECT_API_KEY_CONTENT, MATCH_PASSWORD, KEYCHAIN_PASSWORD.
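An added illustration of the workflow shape described above (not the PR's actual release.yml): ephemeral runner labels, the match lane with MATCH_GIT_URL overridden to a token-bearing HTTPS URL fed from a secret, and an always-run cleanup step. The step names, job skeleton, x-access-token URL form and the bare lane invocation are assumptions; the secret and lane names come from the PR.

```yaml
# Added illustration of the release.yml described in this PR, not the project's
# own file. Step names, job skeleton and the token URL form are assumed.
name: release
on:
  workflow_dispatch:
    inputs:
      dry_run:
        description: Build, sign and notarize without creating a release
        type: boolean
        default: false

jobs:
  release:
    # ushr hands out a fresh macOS VM per job, so nothing persists between runs
    runs-on: [self-hosted, macOS, ARM64]
    env:
      APPLE_ID: ${{ secrets.APPLE_ID }}
      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
      MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
      KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
    steps:
      - uses: actions/checkout@v4

      - name: Install fastlane
        run: bundle install

      - name: Install Developer ID cert into a temp keychain
        env:
          # Org-level MATCH_GIT_URL is SSH and the ephemeral VM has no key, so
          # override it with an HTTPS URL carrying the PAT. Sourcing the token
          # from a secret keeps Actions masking it in logs. URL form assumed.
          MATCH_GIT_URL: https://x-access-token:${{ secrets.FASTLANE_MATCH_TOKEN }}@github.com/paddo-tech/fastlane-match.git
        # assumes the lanes are not nested under a platform block
        run: bundle exec fastlane sync_developer_id

      # existing build / codesign / notarize / release / Homebrew steps go here,
      # with the release step gated on "!inputs.dry_run"

      - name: Destroy temp keychain and API key file
        # if: always() runs even when an earlier step failed, so the decrypted
        # cert and API key never outlive the job
        if: always()
        run: bundle exec fastlane cleanup_keychain
```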