chahine/rebreak-monorepo
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

chore(deploy): persist iOS auth via .env.deploy.local + ASC API-Key

Browse Source 
- deploy.sh auto-sources apps/rebreak-native/.env.deploy.local (gitignored)
  and ~/.config/rebreak/deploy.env as fallback
- new helper xcodebuild_auth_args() injects -allowProvisioningUpdates +
  -authenticationKeyPath/ID/IssuerID into archive + both exportArchive calls
- ASC API-Key (free, .p8 from appstoreconnect.apple.com) is now the
  required path for exportArchive — app-specific-password no longer works
  for export since Xcode 14 (still used as altool-upload fallback)
- .env.deploy.local.example template added with one-time setup steps
- .gitignore: add *.p8 (.env*.local already covered)
This commit is contained in:
chahinebrini 2026-05-30 09:39:46 +02:00
parent b31066a04c
commit b029c00413
3 changed files with 74 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
apps/rebreak-native/.env.deploy.local.example Normal file
View File

@ -0,0 +1,35 @@
# Rebreak Deploy Secrets — Copy to .env.deploy.local (gitignored!)
#
# Source-Reihenfolge (deploy.sh lädt erstes vorhandenes File):
# 1. apps/rebreak-native/.env.deploy.local
# 2. ~/.config/rebreak/deploy.env
#
# ──────────────────────────────────────────────────────────────────────────
# iOS — App Store Connect API Key (GRATIS, einmal generieren)
# ──────────────────────────────────────────────────────────────────────────
# 1) Gehe zu https://appstoreconnect.apple.com/access/integrations/api
# 2) "Generate API Key" (Role: Admin oder App Manager)
# 3) Download AuthKey_XXXXXXXXXX.p8 — kann nur EINMAL heruntergeladen werden!
# 4) Speichere unter ~/.appstoreconnect/private_keys/AuthKey_<KEY_ID>.p8
# (altool sucht dort automatisch — Standort ist Pflicht)
# mkdir -p ~/.appstoreconnect/private_keys
# mv ~/Downloads/AuthKey_*.p8 ~/.appstoreconnect/private_keys/
# chmod 600 ~/.appstoreconnect/private_keys/AuthKey_*.p8
#
# Issuer-ID findest du auf derselben Seite ganz oben.
export ASC_API_KEY_ID="ABCDE12345"
export ASC_API_KEY_ISSUER="69a6de70-XXXX-XXXX-XXXX-5bc36a4XXXXX"
export ASC_API_KEY_PATH="$HOME/.appstoreconnect/private_keys/AuthKey_${ASC_API_KEY_ID}.p8"
# ──────────────────────────────────────────────────────────────────────────
# iOS — Fallback: App-Specific-Password (NUR für altool-Upload, NICHT für exportArchive)
# ──────────────────────────────────────────────────────────────────────────
# Generieren: https://appleid.apple.com → Sign-In and Security → App-Specific Passwords
# export APPLE_ID_EMAIL="chahinebrini@gmail.com"
# export APPLE_APP_SPECIFIC_PASSWORD="xxxx-xxxx-xxxx-xxxx"
# ──────────────────────────────────────────────────────────────────────────
# Android — Play Console Service Account
# ──────────────────────────────────────────────────────────────────────────
# export PLAY_SERVICE_ACCOUNT_JSON="$HOME/.config/rebreak/play-service-account.json"

1
apps/rebreak-native/.gitignore vendored
View File

@ -20,6 +20,7 @@ modules/*/ios/build/
modules/*/ios/Pods/ modules/*/ios/Pods/
*.jks *.jks
*.p12 *.p12
*.p8
*.key *.key
*.mobileprovision *.mobileprovision

44
apps/rebreak-native/deploy.sh
View File

@ -35,9 +35,13 @@
# ./deploy.sh all --dry-run # ./deploy.sh all --dry-run
# #
# CREDENTIALS: # CREDENTIALS:
# iOS TestFlight: # Persistenz (empfohlen): siehe .env.deploy.local.example
# - APPLE_APP_SPECIFIC_PASSWORD (oder) # cp .env.deploy.local.example .env.deploy.local # gitignored
# - ASC_API_KEY_PATH + ASC_API_KEY_ID + ASC_API_KEY_ISSUER # # einmalig editieren — deploy.sh source'd das automatisch
#
# iOS TestFlight / Ad-Hoc (ein Weg reicht):
# - ASC_API_KEY_PATH + ASC_API_KEY_ID + ASC_API_KEY_ISSUER (Pflicht für exportArchive)
# - APPLE_APP_SPECIFIC_PASSWORD (nur Fallback für altool-Upload)
# iOS MDM: # iOS MDM:
# - SSH-Access zu rebreak-mdm Server # - SSH-Access zu rebreak-mdm Server
# Android: # Android:
@ -205,6 +209,21 @@ while [[ $# -gt 0 ]]; do
esac esac
done done
# ═══════════════════════════════════════════════════════════════════════════
# Secrets-File auto-loading (NICHT committen — siehe .env.deploy.local.example)
# ═══════════════════════════════════════════════════════════════════════════
# Lädt automatisch:
# apps/rebreak-native/.env.deploy.local (lokal, gitignored)
# ~/.config/rebreak/deploy.env (global fallback, optional)
for secrets_file in "$SCRIPT_DIR/.env.deploy.local" "$HOME/.config/rebreak/deploy.env"; do
if [[ -f "$secrets_file" ]]; then
# shellcheck disable=SC1090
set -a; source "$secrets_file"; set +a
log "Secrets geladen aus: $secrets_file"
break
fi
done
# ═══════════════════════════════════════════════════════════════════════════ # ═══════════════════════════════════════════════════════════════════════════
# ENV & Paths # ENV & Paths
# ═══════════════════════════════════════════════════════════════════════════ # ═══════════════════════════════════════════════════════════════════════════
@ -233,6 +252,13 @@ ASC_API_KEY_PATH="${ASC_API_KEY_PATH:-}"
ASC_API_KEY_ID="${ASC_API_KEY_ID:-}" ASC_API_KEY_ID="${ASC_API_KEY_ID:-}"
ASC_API_KEY_ISSUER="${ASC_API_KEY_ISSUER:-}" ASC_API_KEY_ISSUER="${ASC_API_KEY_ISSUER:-}"
# Build xcodebuild auth-args (ASC API-Key enables automatic cert/profile download)
xcodebuild_auth_args() {
if [[ -n "$ASC_API_KEY_PATH" && -n "$ASC_API_KEY_ID" && -n "$ASC_API_KEY_ISSUER" ]]; then
echo "-allowProvisioningUpdates -authenticationKeyPath $ASC_API_KEY_PATH -authenticationKeyID $ASC_API_KEY_ID -authenticationKeyIssuerID $ASC_API_KEY_ISSUER"
fi
}
PLAY_SERVICE_ACCOUNT_JSON="${PLAY_SERVICE_ACCOUNT_JSON:-$HOME/secrets/rebreak-play-service-account.json}" PLAY_SERVICE_ACCOUNT_JSON="${PLAY_SERVICE_ACCOUNT_JSON:-$HOME/secrets/rebreak-play-service-account.json}"
mkdir -p "$LOG_DIR" 2>/dev/null || true mkdir -p "$LOG_DIR" 2>/dev/null || true
@ -456,6 +482,7 @@ deploy_mdm() {
# Archive # Archive
rm -rf "$ARCHIVE_PATH" rm -rf "$ARCHIVE_PATH"
# shellcheck disable=SC2046
run_quiet "Building xcarchive" "$LOG_DIR/mdm-archive-$TIMESTAMP.log" \ run_quiet "Building xcarchive" "$LOG_DIR/mdm-archive-$TIMESTAMP.log" \
xcodebuild archive \ xcodebuild archive \
-workspace "$WORKSPACE" \ -workspace "$WORKSPACE" \
@ -463,17 +490,20 @@ deploy_mdm() {
-configuration Release \ -configuration Release \
-archivePath "$ARCHIVE_PATH" \ -archivePath "$ARCHIVE_PATH" \
-destination 'generic/platform=iOS' \ -destination 'generic/platform=iOS' \
DEVELOPMENT_TEAM="$REBREAK_TEAM_ID" DEVELOPMENT_TEAM="$REBREAK_TEAM_ID" \
$(xcodebuild_auth_args)
ok "xcarchive fertig: $ARCHIVE_PATH" ok "xcarchive fertig: $ARCHIVE_PATH"
# Export IPA # Export IPA
rm -rf "$ADHOC_EXPORT_DIR" rm -rf "$ADHOC_EXPORT_DIR"
# shellcheck disable=SC2046
run_quiet "Exporting Ad-Hoc IPA" "$LOG_DIR/mdm-export-$TIMESTAMP.log" \ run_quiet "Exporting Ad-Hoc IPA" "$LOG_DIR/mdm-export-$TIMESTAMP.log" \
xcodebuild -exportArchive \ xcodebuild -exportArchive \
-archivePath "$ARCHIVE_PATH" \ -archivePath "$ARCHIVE_PATH" \
-exportPath "$ADHOC_EXPORT_DIR" \ -exportPath "$ADHOC_EXPORT_DIR" \
-exportOptionsPlist "$ADHOC_EXPORT_OPTIONS" -exportOptionsPlist "$ADHOC_EXPORT_OPTIONS" \
$(xcodebuild_auth_args)
[[ -f "$ADHOC_IPA" ]] || die "IPA nicht erzeugt: $ADHOC_IPA" [[ -f "$ADHOC_IPA" ]] || die "IPA nicht erzeugt: $ADHOC_IPA"
ok "IPA exportiert: $ADHOC_IPA" ok "IPA exportiert: $ADHOC_IPA"
@ -546,11 +576,13 @@ Entweder:
# Export IPA # Export IPA
rm -rf "$TF_EXPORT_DIR" rm -rf "$TF_EXPORT_DIR"
# shellcheck disable=SC2046
run_quiet "Exporting App-Store IPA" "$LOG_DIR/tf-export-$TIMESTAMP.log" \ run_quiet "Exporting App-Store IPA" "$LOG_DIR/tf-export-$TIMESTAMP.log" \
xcodebuild -exportArchive \ xcodebuild -exportArchive \
-archivePath "$USED_ARCHIVE" \ -archivePath "$USED_ARCHIVE" \
-exportPath "$TF_EXPORT_DIR" \ -exportPath "$TF_EXPORT_DIR" \
-exportOptionsPlist "$TF_EXPORT_OPTIONS" -exportOptionsPlist "$TF_EXPORT_OPTIONS" \
$(xcodebuild_auth_args)
[[ -f "$TF_IPA" ]] || die "IPA nicht erzeugt: $TF_IPA" [[ -f "$TF_IPA" ]] || die "IPA nicht erzeugt: $TF_IPA"
ok "IPA exportiert: $TF_IPA" ok "IPA exportiert: $TF_IPA"