Merged
8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -38,8 +38,8 @@ jobs:
# For device builds, add these (for certificate and provisioning profile - either file OR base64):
# certificate-file: './certs/distribution.p12'
# certificate-base64: ${{ secrets.CERTIFICATE_BASE64 }}
# certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }}
# keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }}
# certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }} # Optional - only needed if P12 has a password
# keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }} # Optional - defaults to auto-generated password
# re-sign: true
# ad-hoc: true
# For apps that require provisioning profiles:
Expand Down Expand Up @@ -73,12 +73,12 @@ jobs:
| `ad-hoc` | Upload the IPA for ad-hoc distribution to easily install on provisioned devices | No | `false` |
| `certificate-base64` | Base64 encoded P12 file for device builds | No | - |
| `certificate-file` | P12 file for device builds | No | - |
| `certificate-password` | Password for the P12 file | No | - |
| `certificate-password` | Password for the P12 file (optional - only needed if certificate has a password) | No | - |
| `provisioning-profile-base64` | Base64 encoded provisioning profile | No | - |
| `provisioning-profile-file` | Provisioning profile file | No | - |
| `provisioning-profile-name` | Name of the provisioning profile | No | - |
| `provisioning-profiles` | JSON array of provisioning profiles. Supports passing PP as both file and base64 string. Supported keys: `name`, `file`, `base64` | No | - |
| `keychain-password` | Password for temporary keychain | No | - |
| `keychain-password` | Password for temporary keychain (optional - defaults to auto-generated password) | No | - |
| `rock-build-extra-params` | Extra parameters for rock build:ios | No | - |
| `comment-bot` | Whether to comment PR with build link | No | `true` |

34 changes: 21 additions & 13 deletions action.yml
Expand Up @@ -91,17 +91,13 @@ runs:
exit 1
fi

if [ -n "${{ inputs.certificate-file }}" ]; then
if [ -n "${{ inputs.certificate-file }}" ]; then
if [ ! -f "${{ inputs.certificate-file }}" ]; then
echo "Certificate file not found: '${{ inputs.certificate-file }}'"
exit 1
fi
fi

if [ -z "${{ inputs.certificate-password }}" ]; then
echo "Input 'certificate-password' is required for device builds."
exit 1
fi

# Legacy provisioning profile validation (only when not using provisioning-profiles)
if [ -z "${{ inputs.provisioning-profiles }}" ]; then
Expand Down Expand Up @@ -134,10 +130,6 @@ runs:
exit 1
fi

if [ -z "${{ inputs.keychain-password }}" ]; then
echo "Input 'keychain-password' is required for device builds."
exit 1
fi

# Validate provisioning profiles if provided
if [ -n "${{ inputs.provisioning-profiles }}" ]; then
Expand Down Expand Up @@ -241,9 +233,15 @@ runs:
# Create temporary keychain
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

security create-keychain -p "${{ inputs.keychain-password }}" $KEYCHAIN_PATH
KEYCHAIN_PASSWORD="${{ inputs.keychain-password }}"
if [ -z "$KEYCHAIN_PASSWORD" ]; then
KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
fi


security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "${{ inputs.keychain-password }}" $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

# Import certificate to keychain
CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12
Expand All @@ -255,8 +253,18 @@ runs:
# Decode base64 certificate
echo -n "${{ inputs.certificate-base64 }}" | base64 --decode -o $CERTIFICATE_PATH
fi
security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "${{ inputs.keychain-password }}" $KEYCHAIN_PATH
if [ -n "${{ inputs.certificate-password }}" ]; then
security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
else
SECURITY_IMPORT_ERROR=$(security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH 2>&1)
if [ $? -ne 0 ]; then
echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input."
echo "Error output from 'security import':"
echo "$SECURITY_IMPORT_ERROR"
exit 1
fi
fi
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH

# Infer certificate identity
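Review bot: The new `KEYCHAIN_PASSWORD="${{ inputs.keychain-password }}"` assignment and the `-P "${{ inputs.certificate-password }}"` branch still paste the secret into the script text before bash parses it, so a password containing `"`, `$` or a backtick either breaks the step or is evaluated as shell. Passing the inputs through the step's `env:` block (outside the visible hunks), for example `KEYCHAIN_PASSWORD_INPUT: ${{ inputs.keychain-password }}` followed by `KEYCHAIN_PASSWORD="$KEYCHAIN_PASSWORD_INPUT"`, keeps the value as data; the same applies to the certificate password. Separately, if this step runs under `shell: bash` (which GitHub invokes with `-e`; the `shell:` line is not in the hunk), a failing `SECURITY_IMPORT_ERROR=$(security import ...)` exits the script before `if [ $? -ne 0 ]` is reached, so the password hint is never printed. Writing it as `if ! SECURITY_IMPORT_ERROR=$(security import "$CERTIFICATE_PATH" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" 2>&1); then` keeps the message reachable.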