From 9d8b473037f5cad2359bb894a3b32b63b9040a0c Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz
Date: Fri, 3 Oct 2025 12:02:31 +0200
Subject: [PATCH 1/6] feat: make certificate-pass and keychain-pass optional
---
 action.yml | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/action.yml b/action.yml
index 66b525e..f651caf 100644
--- a/action.yml
+++ b/action.yml
@@ -98,10 +98,6 @@ runs:
 fi
 fi
- if [ -z "${{ inputs.certificate-password }}" ]; then
- echo "Input 'certificate-password' is required for device builds."
- exit 1
- fi
 # Legacy provisioning profile validation (only when not using provisioning-profiles)
 if [ -z "${{ inputs.provisioning-profiles }}" ]; then
@@ -134,10 +130,6 @@ runs:
 exit 1
 fi
- if [ -z "${{ inputs.keychain-password }}" ]; then
- echo "Input 'keychain-password' is required for device builds."
- exit 1
- fi
 # Validate provisioning profiles if provided
 if [ -n "${{ inputs.provisioning-profiles }}" ]; then
@@ -241,9 +233,14 @@ runs:
 # Create temporary keychain
 KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
- security create-keychain -p "${{ inputs.keychain-password }}" $KEYCHAIN_PATH
+ KEYCHAIN_PASSWORD="${{ inputs.keychain-password }}"
+ if [ -z "$KEYCHAIN_PASSWORD" ]; then
+ KEYCHAIN_PASSWORD="default-keychain-password"
+ fi
+
+ security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
- security unlock-keychain -p "${{ inputs.keychain-password }}" $KEYCHAIN_PATH
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 # Import certificate to keychain
 CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12
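Review bot: The new `KEYCHAIN_PASSWORD="${{ inputs.keychain-password }}"` line splices the input into the script text before bash parses it, so a value containing `"`, `$(` or a backtick alters the script instead of being handled as data; the `-P "${{ inputs.certificate-password }}"` arguments in the next hunk and in PATCH 3/6 have the same shape. The usual mitigation is to map the inputs in the step's `env:` block (outside this hunk), e.g. `KEYCHAIN_PASSWORD_INPUT: ${{ inputs.keychain-password }}`, and then assign `KEYCHAIN_PASSWORD="$KEYCHAIN_PASSWORD_INPUT"`, which also keeps the value out of the rendered script file. The `default-keychain-password` literal introduced here is replaced by a generated value in PATCH 3/6, so it is not raised separately.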
@@ -255,8 +252,12 @@ runs:
 # Decode base64 certificate
 echo -n "${{ inputs.certificate-base64 }}" | base64 --decode -o $CERTIFICATE_PATH
 fi
- security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
- security set-key-partition-list -S apple-tool:,apple: -k "${{ inputs.keychain-password }}" $KEYCHAIN_PATH
+ if [ -n "${{ inputs.certificate-password }}" ]; then
+ security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+ else
+ security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+ fi
+ security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 security list-keychain -d user -s $KEYCHAIN_PATH
 # Infer certificate identity
From 1d48600efa76dde5378fd00c244e7b172bbe4734 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz
Date: Fri, 3 Oct 2025 12:03:06 +0200
Subject: [PATCH 2/6] docs: info about optional certificate-pass
---
 README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 041c702..66ef58c 100644
--- a/README.md
+++ b/README.md
@@ -38,8 +38,8 @@ jobs:
 # For device builds, add these (for certificate and provisioning profile - either file OR base64):
 # certificate-file: './certs/distribution.p12'
 # certificate-base64: ${{ secrets.CERTIFICATE_BASE64 }}
- # certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }}
- # keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }}
+ # certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }} # Optional - only needed if P12 has a password
+ # keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }} # Optional - defaults to auto-generated password
 # re-sign: true
 # ad-hoc: true
 # For apps that require provisioning profiles:
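Review bot: Both `security import` lines added here keep `-A`, which makes the imported private key accessible to any application without a prompt; the tool's own help text flags that option as insecure, and the narrower `-T /usr/bin/codesign -T /usr/bin/security` is the usual substitute when the key only needs to serve `set-key-partition-list` and code signing. The flag is inherited from the removed line, so this is a hardening opportunity the rewrite makes cheap rather than a regression. The two branches also differ only in the `-P` argument, which is why PATCH 3/6 later ends up guarding one branch and not the other; a single `security import` call with an optional `-P` pair would keep the failure handling in one place.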
@@ -73,12 +73,12 @@ jobs:
 | `ad-hoc` | Upload the IPA for ad-hoc distribution to easily install on provisioned devices | No | `false` |
 | `certificate-base64` | Base64 encoded P12 file for device builds | No | - |
 | `certificate-file` | P12 file for device builds | No | - |
-| `certificate-password` | Password for the P12 file | No | - |
+| `certificate-password` | Password for the P12 file (optional - only needed if certificate has a password) | No | - |
 | `provisioning-profile-base64` | Base64 encoded provisioning profile | No | - |
 | `provisioning-profile-file` | Provisioning profile file | No | - |
 | `provisioning-profile-name` | Name of the provisioning profile | No | - |
 | `provisioning-profiles` | JSON array of provisioning profiles. Supports passing PP as both file and base64 string. Supported keys: `name`, `file`, `base64` | No | - |
-| `keychain-password` | Password for temporary keychain | No | - |
+| `keychain-password` | Password for temporary keychain (optional - defaults to auto-generated password) | No | - |
 | `rock-build-extra-params` | Extra parameters for rock build:ios | No | - |
 | `comment-bot` | Whether to comment PR with build link | No | `true` |
From 5c67d609fcabec0cf0d2ef595ed46ae9033e4198 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz
Date: Fri, 3 Oct 2025 12:10:25 +0200
Subject: [PATCH 3/6] feat: fix hardcoded keychange pass
---
 action.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/action.yml b/action.yml
index f651caf..b349735 100644
--- a/action.yml
+++ b/action.yml
@@ -91,7 +91,7 @@ runs:
 exit 1
 fi
- if [ -n "${{ inputs.certificate-file }}" ]; then
+ if [ -n "${{ inputs.certificate-file }}" ]; then
 if [ ! -f "${{ inputs.certificate-file }}" ]; then
 echo "Certificate file not found: '${{ inputs.certificate-file }}'"
 exit 1
@@ -235,7 +235,7 @@ runs:
 KEYCHAIN_PASSWORD="${{ inputs.keychain-password }}"
 if [ -z "$KEYCHAIN_PASSWORD" ]; then
- KEYCHAIN_PASSWORD="default-keychain-password"
+ KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
 fi
 security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
@@ -255,7 +255,10 @@ runs:
 if [ -n "${{ inputs.certificate-password }}" ]; then
 security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
 else
- security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+ if ! security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH; then
+ echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input."
+ exit 1
+ fi
 fi
 security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 security list-keychain -d user -s $KEYCHAIN_PATH
From 614670f84990046c32e78312c0e04a381eaadad2 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz
Date: Fri, 3 Oct 2025 14:34:35 +0200
Subject: [PATCH 4/6] chore: add more descriptive error logs
---
 action.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/action.yml b/action.yml
index b349735..ee7bcea 100644
--- a/action.yml
+++ b/action.yml
@@ -238,6 +238,9 @@ runs:
 KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
 fi
+ # Mask the keychain password to prevent accidental logging
+ echo "::add-mask::$KEYCHAIN_PASSWORD"
+
 security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
 security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
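Review bot: The failure check added around the password-less `security import` does not cover the `-P "${{ inputs.certificate-password }}"` call two lines above it, so a wrong certificate password is either reported with no hint (if the step runs with bash `-e`, which `shell: bash` implies on GitHub runners; the step's `shell:` line is outside this hunk) or silently ignored and only surfaces at signing time. Guard that branch the same way: `if ! security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH; then echo "Certificate import failed. Check the certificate-password input."; exit 1; fi`. PATCH 5/6 restructures the `else` branch but leaves this branch unguarded as well.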
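Review bot: The `echo "::add-mask::$KEYCHAIN_PASSWORD"` added here is deleted again in PATCH 6/6 under the title 'remove redundand logging', but the line does not log anything: it registers the generated password with the runner so that any later occurrence of it in the job log is redacted. A `keychain-password` supplied from a repository secret is masked automatically, while a value produced by `openssl rand` is not, so without this line the password appears in clear if a later command traces or echoes its arguments. Keeping these two lines (or restoring them after PATCH 6/6) costs nothing and closes that gap.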
@@ -257,6 +260,12 @@ runs:
 else
 if ! security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH; then
 echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input."
+ SECURITY_IMPORT_ERROR=$(security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input."
+ echo "Error output from 'security import':"
+ echo "$SECURITY_IMPORT_ERROR"
+ fi
 exit 1
 fi
 fi
From 77492eae8dbfdc5eb559232712fa71867210d18f Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz
Date: Fri, 3 Oct 2025 14:41:17 +0200
Subject: [PATCH 5/6] chore: adjust error handling
---
 action.yml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/action.yml b/action.yml
index ee7bcea..49b90e5 100644
--- a/action.yml
+++ b/action.yml
@@ -258,14 +258,11 @@ runs:
 if [ -n "${{ inputs.certificate-password }}" ]; then
 security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
 else
- if ! security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH; then
+ SECURITY_IMPORT_ERROR=$(security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH 2>&1)
+ if [ $? -ne 0 ]; then
 echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input."
- SECURITY_IMPORT_ERROR=$(security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH 2>&1)
- if [ $? -ne 0 ]; then
- echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input."
- echo "Error output from 'security import':"
- echo "$SECURITY_IMPORT_ERROR"
- fi
+ echo "Error output from 'security import':"
+ echo "$SECURITY_IMPORT_ERROR"
 exit 1
 fi
 fi
From 94c981670fa15a37769b444a7f9a83bf54bb62ab Mon Sep 17 00:00:00 2001
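Review bot: `if [ $? -ne 0 ]` after `SECURITY_IMPORT_ERROR=$(security import ... 2>&1)` only reaches the diagnostic when the shell is not running with `-e`; under `shell: bash` GitHub starts the step with `-eo pipefail`, and a failing command substitution in a plain assignment aborts the step before the `if`, so the captured stderr is never printed and the user sees nothing but an exit code (the step's `shell:` line is outside this hunk, so this is inferred). Folding the assignment into the test avoids both outcomes: `if ! SECURITY_IMPORT_ERROR=$(security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH 2>&1); then`. The `-P` branch above it still runs with no check at all.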
From: Tomasz Lesniakiewicz
Date: Tue, 7 Oct 2025 12:06:57 +0200
Subject: [PATCH 6/6] remove redundand logging
---
 action.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/action.yml b/action.yml
index 49b90e5..75043c3 100644
--- a/action.yml
+++ b/action.yml
@@ -238,8 +238,6 @@ runs:
 KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
 fi
- # Mask the keychain password to prevent accidental logging
- echo "::add-mask::$KEYCHAIN_PASSWORD"
 security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 security set-keychain-settings -lut 21600 $KEYCHAIN_PATH