From b029c004139693964d5cc2ac2f1e178044cbfad5 Mon Sep 17 00:00:00 2001
From: chahinebrini
Date: Sat, 30 May 2026 09:39:46 +0200
Subject: [PATCH] chore(deploy): persist iOS auth via .env.deploy.local + ASC API-Key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- deploy.sh auto-sources apps/rebreak-native/.env.deploy.local (gitignored) and ~/.config/rebreak/deploy.env as fallback
- new helper xcodebuild_auth_args() injects -allowProvisioningUpdates + -authenticationKeyPath/ID/IssuerID into archive + both exportArchive calls
- ASC API-Key (free, .p8 from appstoreconnect.apple.com) is now the required path for exportArchive — app-specific-password no longer works for export since Xcode 14 (still used as altool-upload fallback)
- .env.deploy.local.example template added with one-time setup steps
- .gitignore: add *.p8 (.env*.local already covered)
---
apps/rebreak-native/.env.deploy.local.example | 35 +++++++++++++++
apps/rebreak-native/.gitignore | 1 +
apps/rebreak-native/deploy.sh | 44 ++++++++++++++++---
3 files changed, 74 insertions(+), 6 deletions(-)
create mode 100644 apps/rebreak-native/.env.deploy.local.example

diff --git a/apps/rebreak-native/.env.deploy.local.example b/apps/rebreak-native/.env.deploy.local.example
new file mode 100644
index 0000000..29be1a3
--- /dev/null
+++ b/apps/rebreak-native/.env.deploy.local.example
@@ -0,0 +1,35 @@
+# Rebreak Deploy Secrets — Copy to .env.deploy.local (gitignored!)
+#
+# Source-Reihenfolge (deploy.sh lädt erstes vorhandenes File):
+# 1. apps/rebreak-native/.env.deploy.local
+# 2. ~/.config/rebreak/deploy.env
+#
+# ──────────────────────────────────────────────────────────────────────────
+# iOS — App Store Connect API Key (GRATIS, einmal generieren)
+# ──────────────────────────────────────────────────────────────────────────
+# 1) Gehe zu https://appstoreconnect.apple.com/access/integrations/api
+# 2) "Generate API Key" (Role: Admin oder App Manager)
+# 3) Download AuthKey_XXXXXXXXXX.p8 — kann nur EINMAL heruntergeladen werden!
+# 4) Speichere unter ~/.appstoreconnect/private_keys/AuthKey_.p8
+# (altool sucht dort automatisch — Standort ist Pflicht)
+# mkdir -p ~/.appstoreconnect/private_keys
+# mv ~/Downloads/AuthKey_*.p8 ~/.appstoreconnect/private_keys/
+# chmod 600 ~/.appstoreconnect/private_keys/AuthKey_*.p8
+#
+# Issuer-ID findest du auf derselben Seite ganz oben.
+
+export ASC_API_KEY_ID="ABCDE12345"
+export ASC_API_KEY_ISSUER="69a6de70-XXXX-XXXX-XXXX-5bc36a4XXXXX"
+export ASC_API_KEY_PATH="$HOME/.appstoreconnect/private_keys/AuthKey_${ASC_API_KEY_ID}.p8"
+
+# ──────────────────────────────────────────────────────────────────────────
+# iOS — Fallback: App-Specific-Password (NUR für altool-Upload, NICHT für exportArchive)
+# ──────────────────────────────────────────────────────────────────────────
+# Generieren: https://appleid.apple.com → Sign-In and Security → App-Specific Passwords
+# export APPLE_ID_EMAIL="chahinebrini@gmail.com"
+# export APPLE_APP_SPECIFIC_PASSWORD="xxxx-xxxx-xxxx-xxxx"
+
+# ──────────────────────────────────────────────────────────────────────────
+# Android — Play Console Service Account
+# ──────────────────────────────────────────────────────────────────────────
+# export PLAY_SERVICE_ACCOUNT_JSON="$HOME/.config/rebreak/play-service-account.json"
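Review bot: The committed template carries values that look real rather than synthetic: the commented `APPLE_ID_EMAIL` line holds a personal address and the `ASC_API_KEY_ISSUER` sample is a partly masked UUID, and both end up in every clone of the repository. Constructed placeholders such as `# export APPLE_ID_EMAIL="you@example.com"` and `export ASC_API_KEY_ISSUER="00000000-0000-0000-0000-000000000000"` avoid that. The setup steps restrict the .p8 with `chmod 600` but say nothing about the copied .env.deploy.local, which may later hold `APPLE_APP_SPECIFIC_PASSWORD`; a line `# chmod 600 .env.deploy.local` belongs in the header next to the copy instruction. Step 2 offers `Admin oder App Manager`; naming the lowest role that still lets the export succeed would limit what a leaked key can do.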
diff --git a/apps/rebreak-native/.gitignore b/apps/rebreak-native/.gitignore index 6a15af4..1c4b717 100644 --- a/apps/rebreak-native/.gitignore +++ b/apps/rebreak-native/.gitignore @@ -20,6 +20,7 @@ modules/*/ios/build/ modules/*/ios/Pods/ *.jks *.p12 +*.p8 *.key *.mobileprovision diff --git a/apps/rebreak-native/deploy.sh b/apps/rebreak-native/deploy.sh index ac7a53b..b2b8ecb 100755 --- a/apps/rebreak-native/deploy.sh +++ b/apps/rebreak-native/deploy.sh @@ -35,9 +35,13 @@ # ./deploy.sh all --dry-run # # CREDENTIALS: -# iOS TestFlight: -# - APPLE_APP_SPECIFIC_PASSWORD (oder) -# - ASC_API_KEY_PATH + ASC_API_KEY_ID + ASC_API_KEY_ISSUER +# Persistenz (empfohlen): siehe .env.deploy.local.example +# cp .env.deploy.local.example .env.deploy.local # gitignored +# # einmalig editieren — deploy.sh source'd das automatisch +# +# iOS TestFlight / Ad-Hoc (ein Weg reicht): +# - ASC_API_KEY_PATH + ASC_API_KEY_ID + ASC_API_KEY_ISSUER (Pflicht für exportArchive) +# - APPLE_APP_SPECIFIC_PASSWORD (nur Fallback für altool-Upload) # iOS MDM: # - SSH-Access zu rebreak-mdm Server # Android: @@ -205,6 +209,21 @@ while [[ $# -gt 0 ]]; do esac done +# ═══════════════════════════════════════════════════════════════════════════ +# Secrets-File auto-loading (NICHT committen — siehe .env.deploy.local.example) +# ═══════════════════════════════════════════════════════════════════════════ +# Lädt automatisch: +# apps/rebreak-native/.env.deploy.local (lokal, gitignored) +# ~/.config/rebreak/deploy.env (global fallback, optional) +for secrets_file in "$SCRIPT_DIR/.env.deploy.local" "$HOME/.config/rebreak/deploy.env"; do + if [[ -f "$secrets_file" ]]; then + # shellcheck disable=SC1090 + set -a; source "$secrets_file"; set +a + log "Secrets geladen aus: $secrets_file" + break + fi +done + # ═══════════════════════════════════════════════════════════════════════════ # ENV & Paths # ═══════════════════════════════════════════════════════════════════════════ 
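Review bot: The new loader in the `for secrets_file` loop runs `source "$secrets_file"` on the first file that exists without checking who owns it or who can read and write it, so its contents execute with the deploy user's privileges and the credentials may be readable by other local accounts. A guard before the `set -a` line, for example `[[ -O "$secrets_file" ]] || die "Secrets-File gehört nicht dem aktuellen User: $secrets_file"` plus a refusal of group- or world-accessible modes, would close that (assuming `die` is already defined at this point, as `log` is). `set -a` also exports every assignment in the file to all child processes the script starts later; the template already marks the needed values with `export`, so a plain `source "$secrets_file"` would narrow that exposure. Because the loader sits after the option-parsing loop, a variable in the file presumably overrides values taken from the command line or the CI environment, which deserves a comment stating the intended precedence.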
@@ -233,6 +252,13 @@ ASC_API_KEY_PATH="${ASC_API_KEY_PATH:-}" ASC_API_KEY_ID="${ASC_API_KEY_ID:-}" ASC_API_KEY_ISSUER="${ASC_API_KEY_ISSUER:-}" +# Build xcodebuild auth-args (ASC API-Key enables automatic cert/profile download) +xcodebuild_auth_args() { + if [[ -n "$ASC_API_KEY_PATH" && -n "$ASC_API_KEY_ID" && -n "$ASC_API_KEY_ISSUER" ]]; then + echo "-allowProvisioningUpdates -authenticationKeyPath $ASC_API_KEY_PATH -authenticationKeyID $ASC_API_KEY_ID -authenticationKeyIssuerID $ASC_API_KEY_ISSUER" + fi +} + PLAY_SERVICE_ACCOUNT_JSON="${PLAY_SERVICE_ACCOUNT_JSON:-$HOME/secrets/rebreak-play-service-account.json}" mkdir -p "$LOG_DIR" 2>/dev/null || true @@ -456,6 +482,7 @@ deploy_mdm() { # Archive rm -rf "$ARCHIVE_PATH" + # shellcheck disable=SC2046 run_quiet "Building xcarchive" "$LOG_DIR/mdm-archive-$TIMESTAMP.log" \ xcodebuild archive \ -workspace "$WORKSPACE" \ @@ -463,17 +490,20 @@ deploy_mdm() { -configuration Release \ -archivePath "$ARCHIVE_PATH" \ -destination 'generic/platform=iOS' \ - DEVELOPMENT_TEAM="$REBREAK_TEAM_ID" + DEVELOPMENT_TEAM="$REBREAK_TEAM_ID" \ + $(xcodebuild_auth_args) ok "xcarchive fertig: $ARCHIVE_PATH" # Export IPA rm -rf "$ADHOC_EXPORT_DIR" + # shellcheck disable=SC2046 run_quiet "Exporting Ad-Hoc IPA" "$LOG_DIR/mdm-export-$TIMESTAMP.log" \ xcodebuild -exportArchive \ -archivePath "$ARCHIVE_PATH" \ -exportPath "$ADHOC_EXPORT_DIR" \ - -exportOptionsPlist "$ADHOC_EXPORT_OPTIONS" + -exportOptionsPlist "$ADHOC_EXPORT_OPTIONS" \ + $(xcodebuild_auth_args) [[ -f "$ADHOC_IPA" ]] || die "IPA nicht erzeugt: $ADHOC_IPA" ok "IPA exportiert: $ADHOC_IPA" 
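Review bot: `xcodebuild_auth_args` returns its flags as one echoed string that the call sites expand unquoted via `$(xcodebuild_auth_args)`, so a key path containing whitespace or glob characters (for example a `$HOME` with a space in it) is split or expanded into the wrong xcodebuild arguments, and the `# shellcheck disable=SC2046` lines suppress exactly that warning. Building the flags as a bash array and expanding it quoted keeps each value a single argument and makes the suppressions unnecessary; the same applies to the archive and Ad-Hoc export calls in the following hunks and to the App-Store export in the last hunk. The helper also prints nothing when only some of the three ASC_* values are set, so a half-filled secrets file silently leads to an unauthenticated export; a log line for that case would make the later failure easier to diagnose. If the script runs with `set -u` under the bash 3.2 that macOS ships, an empty array needs the guarded expansion shown at the call site below.

```shell
# Filled once after the ASC_* defaults; stays empty when no API key is configured.
XCODEBUILD_AUTH_ARGS=()
if [[ -n "$ASC_API_KEY_PATH" && -n "$ASC_API_KEY_ID" && -n "$ASC_API_KEY_ISSUER" ]]; then
  XCODEBUILD_AUTH_ARGS=(
    -allowProvisioningUpdates
    -authenticationKeyPath "$ASC_API_KEY_PATH"
    -authenticationKeyID "$ASC_API_KEY_ID"
    -authenticationKeyIssuerID "$ASC_API_KEY_ISSUER"
  )
elif [[ -n "$ASC_API_KEY_PATH$ASC_API_KEY_ID$ASC_API_KEY_ISSUER" ]]; then
  log "ASC API-Key unvollständig (PATH + ID + ISSUER nötig) — xcodebuild läuft ohne API-Key"
fi

# … unchanged: run_quiet / xcodebuild -exportArchive options …
    -exportOptionsPlist "$ADHOC_EXPORT_OPTIONS" \
    ${XCODEBUILD_AUTH_ARGS[@]+"${XCODEBUILD_AUTH_ARGS[@]}"}
```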
@@ -546,11 +576,13 @@ Entweder: # Export IPA rm -rf "$TF_EXPORT_DIR" + # shellcheck disable=SC2046 run_quiet "Exporting App-Store IPA" "$LOG_DIR/tf-export-$TIMESTAMP.log" \ xcodebuild -exportArchive \ -archivePath "$USED_ARCHIVE" \ -exportPath "$TF_EXPORT_DIR" \ - -exportOptionsPlist "$TF_EXPORT_OPTIONS" + -exportOptionsPlist "$TF_EXPORT_OPTIONS" \ + $(xcodebuild_auth_args) [[ -f "$TF_IPA" ]] || die "IPA nicht erzeugt: $TF_IPA" ok "IPA exportiert: $TF_IPA"