diff --git a/README.md b/README.md
index 041c702..66ef58c 100644
--- a/README.md
+++ b/README.md
@@ -38,8 +38,8 @@ jobs:
 # For device builds, add these (for certificate and provisioning profile - either file OR base64):
 # certificate-file: './certs/distribution.p12'
 # certificate-base64: ${{ secrets.CERTIFICATE_BASE64 }}
- # certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }}
- # keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }}
+ # certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }} # Optional - only needed if P12 has a password
+ # keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }} # Optional - defaults to auto-generated password
 # re-sign: true
 # ad-hoc: true
 # For apps that require provisioning profiles:
@@ -73,12 +73,12 @@ jobs:
 | `ad-hoc` | Upload the IPA for ad-hoc distribution to easily install on provisioned devices | No | `false` |
 | `certificate-base64` | Base64 encoded P12 file for device builds | No | - |
 | `certificate-file` | P12 file for device builds | No | - |
-| `certificate-password` | Password for the P12 file | No | - |
+| `certificate-password` | Password for the P12 file (optional - only needed if certificate has a password) | No | - |
 | `provisioning-profile-base64` | Base64 encoded provisioning profile | No | - |
 | `provisioning-profile-file` | Provisioning profile file | No | - |
 | `provisioning-profile-name` | Name of the provisioning profile | No | - |
 | `provisioning-profiles` | JSON array of provisioning profiles. Supports passing PP as both file and base64 string. Supported keys: `name`, `file`, `base64` | No | - |
-| `keychain-password` | Password for temporary keychain | No | - |
+| `keychain-password` | Password for temporary keychain (optional - defaults to auto-generated password) | No | - |
 | `rock-build-extra-params` | Extra parameters for rock build:ios | No | - |
 | `comment-bot` | Whether to comment PR with build link | No | `true` |
diff --git a/action.yml b/action.yml
index 66b525e..75043c3 100644
--- a/action.yml +++ b/action.yml @@ -91,17 +91,13 @@ runs: exit 1 fi - if [ -n "${{ inputs.certificate-file }}" ]; then + if [ -n "${{ inputs.certificate-file }}" ]; then if [ ! -f "${{ inputs.certificate-file }}" ]; then echo "Certificate file not found: '${{ inputs.certificate-file }}'" exit 1 fi fi - if [ -z "${{ inputs.certificate-password }}" ]; then - echo "Input 'certificate-password' is required for device builds." - exit 1 - fi # Legacy provisioning profile validation (only when not using provisioning-profiles) if [ -z "${{ inputs.provisioning-profiles }}" ]; then @@ -134,10 +130,6 @@ runs: exit 1 fi - if [ -z "${{ inputs.keychain-password }}" ]; then - echo "Input 'keychain-password' is required for device builds." - exit 1 - fi # Validate provisioning profiles if provided if [ -n "${{ inputs.provisioning-profiles }}" ]; then @@ -241,9 +233,15 @@ runs: # Create temporary keychain KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db - security create-keychain -p "${{ inputs.keychain-password }}" $KEYCHAIN_PATH + KEYCHAIN_PASSWORD="${{ inputs.keychain-password }}" + if [ -z "$KEYCHAIN_PASSWORD" ]; then + KEYCHAIN_PASSWORD=$(openssl rand -base64 32) + fi + + + security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security set-keychain-settings -lut 21600 $KEYCHAIN_PATH - security unlock-keychain -p "${{ inputs.keychain-password }}" $KEYCHAIN_PATH + security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH # Import certificate to keychain CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12 
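Review bot: The new line `KEYCHAIN_PASSWORD="${{ inputs.keychain-password }}"` in the keychain-creation hunk pastes the input into the script text before bash parses it, so a password containing `"`, `$` or a backtick alters the script instead of being treated as data. Passing it through the step's environment keeps it as data: add `env: KEYCHAIN_PASSWORD_INPUT: ${{ inputs.keychain-password }}` to the step (the variable name is illustrative) and read it with `KEYCHAIN_PASSWORD="$KEYCHAIN_PASSWORD_INPUT"`; the step header lies outside the hunk. The same applies to `-P "${{ inputs.certificate-password }}"` in the following hunk. Because the auto-generated value is not a registered secret, it would also be worth masking it right after generation with `echo "::add-mask::$KEYCHAIN_PASSWORD"`.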
@@ -255,8 +253,18 @@ runs: # Decode base64 certificate echo -n "${{ inputs.certificate-base64 }}" | base64 --decode -o $CERTIFICATE_PATH fi - security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH - security set-key-partition-list -S apple-tool:,apple: -k "${{ inputs.keychain-password }}" $KEYCHAIN_PATH + if [ -n "${{ inputs.certificate-password }}" ]; then + security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH + else + SECURITY_IMPORT_ERROR=$(security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH 2>&1) + if [ $? -ne 0 ]; then + echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input." + echo "Error output from 'security import':" + echo "$SECURITY_IMPORT_ERROR" + exit 1 + fi + fi + security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security list-keychain -d user -s $KEYCHAIN_PATH # Infer certificate identity
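Review bot: The `if [ $? -ne 0 ]` check after `SECURITY_IMPORT_ERROR=$(security import ... 2>&1)` in the password-less branch is probably never reached on failure. If this step runs with GitHub's default `bash -e` (the `shell:` line is outside the hunk), a failing command substitution in a plain assignment aborts the script at that line, so the hint about `certificate-password` and the captured error output are never printed. Folding the command into the condition keeps the diagnostic path reachable under `-e`: `if ! SECURITY_IMPORT_ERROR=$(security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH 2>&1); then`. Quoting `"$CERTIFICATE_PATH"` and `"$KEYCHAIN_PATH"` on the new lines would also guard against a runner temp path that contains spaces.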