chore(deploy): persist iOS auth via .env.deploy.local + ASC API-Key

- deploy.sh auto-sources apps/rebreak-native/.env.deploy.local (gitignored) and ~/.config/rebreak/deploy.env as fallback - new helper xcodebuild_auth_args() injects -allowProvisioningUpdates + -authenticationKeyPath/ID/IssuerID into archive + both exportArchive calls - ASC API-Key (free, .p8 from appstoreconnect.apple.com) is now the required path for exportArchive — app-specific-password no longer works for export since Xcode 14 (still used as altool-upload fallback) - .env.deploy.local.example template added with one-time setup steps - .gitignore: add *.p8 (.env*.local already covered)
2026-05-30 09:39:46 +02:00 · 2026-05-30 09:39:46 +02:00 · b029c00413
commit b029c00413
parent b31066a04c
3 changed files with 74 additions and 6 deletions
--- a/apps/rebreak-native/.env.deploy.local.example
+++ b/apps/rebreak-native/.env.deploy.local.example
@ -0,0 +1,35 @@
+# Rebreak Deploy Secrets — Copy to .env.deploy.local (gitignored!)
+#
+# Source-Reihenfolge (deploy.sh lädt erstes vorhandenes File):
+#   1. apps/rebreak-native/.env.deploy.local
+#   2. ~/.config/rebreak/deploy.env
+#
+# ──────────────────────────────────────────────────────────────────────────
+# iOS — App Store Connect API Key (GRATIS, einmal generieren)
+# ──────────────────────────────────────────────────────────────────────────
+# 1) Gehe zu https://appstoreconnect.apple.com/access/integrations/api
+# 2) "Generate API Key" (Role: Admin oder App Manager)
+# 3) Download AuthKey_XXXXXXXXXX.p8 — kann nur EINMAL heruntergeladen werden!
+# 4) Speichere unter ~/.appstoreconnect/private_keys/AuthKey_<KEY_ID>.p8
+#    (altool sucht dort automatisch — Standort ist Pflicht)
+#    mkdir -p ~/.appstoreconnect/private_keys
+#    mv ~/Downloads/AuthKey_*.p8 ~/.appstoreconnect/private_keys/
+#    chmod 600 ~/.appstoreconnect/private_keys/AuthKey_*.p8
+#
+# Issuer-ID findest du auf derselben Seite ganz oben.
+
+export ASC_API_KEY_ID="ABCDE12345"
+export ASC_API_KEY_ISSUER="69a6de70-XXXX-XXXX-XXXX-5bc36a4XXXXX"
+export ASC_API_KEY_PATH="$HOME/.appstoreconnect/private_keys/AuthKey_${ASC_API_KEY_ID}.p8"
+
+# ──────────────────────────────────────────────────────────────────────────
+# iOS — Fallback: App-Specific-Password (NUR für altool-Upload, NICHT für exportArchive)
+# ──────────────────────────────────────────────────────────────────────────
+# Generieren: https://appleid.apple.com → Sign-In and Security → App-Specific Passwords
+# export APPLE_ID_EMAIL="chahinebrini@gmail.com"
+# export APPLE_APP_SPECIFIC_PASSWORD="xxxx-xxxx-xxxx-xxxx"
+
+# ──────────────────────────────────────────────────────────────────────────
+# Android — Play Console Service Account
+# ──────────────────────────────────────────────────────────────────────────
+# export PLAY_SERVICE_ACCOUNT_JSON="$HOME/.config/rebreak/play-service-account.json"
--- a/apps/rebreak-native/.gitignore
+++ b/apps/rebreak-native/.gitignore
@ -20,6 +20,7 @@ modules/*/ios/build/
 modules/*/ios/Pods/
 *.jks
 *.p12
+*.p8
 *.key
 *.mobileprovision

--- a/apps/rebreak-native/deploy.sh
+++ b/apps/rebreak-native/deploy.sh
@ -35,9 +35,13 @@
 #   ./deploy.sh all --dry-run
 #
 # CREDENTIALS:
-#   iOS TestFlight:
-#     - APPLE_APP_SPECIFIC_PASSWORD (oder)
-#     - ASC_API_KEY_PATH + ASC_API_KEY_ID + ASC_API_KEY_ISSUER
+#   Persistenz (empfohlen): siehe .env.deploy.local.example
+#     cp .env.deploy.local.example .env.deploy.local   # gitignored
+#     # einmalig editieren — deploy.sh source'd das automatisch
+#
+#   iOS TestFlight / Ad-Hoc (ein Weg reicht):
+#     - ASC_API_KEY_PATH + ASC_API_KEY_ID + ASC_API_KEY_ISSUER  (Pflicht für exportArchive)
+#     - APPLE_APP_SPECIFIC_PASSWORD                              (nur Fallback für altool-Upload)
 #   iOS MDM:
 #     - SSH-Access zu rebreak-mdm Server
 #   Android:
@ -205,6 +209,21 @@ while [[ $# -gt 0 ]]; do
  esac
 done

+# ═══════════════════════════════════════════════════════════════════════════
+# Secrets-File auto-loading (NICHT committen — siehe .env.deploy.local.example)
+# ═══════════════════════════════════════════════════════════════════════════
+# Lädt automatisch:
+#   apps/rebreak-native/.env.deploy.local      (lokal, gitignored)
+#   ~/.config/rebreak/deploy.env                (global fallback, optional)
+for secrets_file in "$SCRIPT_DIR/.env.deploy.local" "$HOME/.config/rebreak/deploy.env"; do
+  if [[ -f "$secrets_file" ]]; then
+    # shellcheck disable=SC1090
+    set -a; source "$secrets_file"; set +a
+    log "Secrets geladen aus: $secrets_file"
+    break
+  fi
+done
+
 # ═══════════════════════════════════════════════════════════════════════════
 # ENV & Paths
 # ═══════════════════════════════════════════════════════════════════════════
@ -233,6 +252,13 @@ ASC_API_KEY_PATH="${ASC_API_KEY_PATH:-}"
 ASC_API_KEY_ID="${ASC_API_KEY_ID:-}"
 ASC_API_KEY_ISSUER="${ASC_API_KEY_ISSUER:-}"

+# Build xcodebuild auth-args (ASC API-Key enables automatic cert/profile download)
+xcodebuild_auth_args() {
+  if [[ -n "$ASC_API_KEY_PATH" && -n "$ASC_API_KEY_ID" && -n "$ASC_API_KEY_ISSUER" ]]; then
+    echo "-allowProvisioningUpdates -authenticationKeyPath $ASC_API_KEY_PATH -authenticationKeyID $ASC_API_KEY_ID -authenticationKeyIssuerID $ASC_API_KEY_ISSUER"
+  fi
+}
+
 PLAY_SERVICE_ACCOUNT_JSON="${PLAY_SERVICE_ACCOUNT_JSON:-$HOME/secrets/rebreak-play-service-account.json}"

 mkdir -p "$LOG_DIR" 2>/dev/null || true
@ -456,6 +482,7 @@ deploy_mdm() {
  
  # Archive
  rm -rf "$ARCHIVE_PATH"
+  # shellcheck disable=SC2046
  run_quiet "Building xcarchive" "$LOG_DIR/mdm-archive-$TIMESTAMP.log" \
    xcodebuild archive \
    -workspace "$WORKSPACE" \
@ -463,17 +490,20 @@ deploy_mdm() {
    -configuration Release \
    -archivePath "$ARCHIVE_PATH" \
    -destination 'generic/platform=iOS' \
-    DEVELOPMENT_TEAM="$REBREAK_TEAM_ID"
+    DEVELOPMENT_TEAM="$REBREAK_TEAM_ID" \
+    $(xcodebuild_auth_args)
  
  ok "xcarchive fertig: $ARCHIVE_PATH"
  
  # Export IPA
  rm -rf "$ADHOC_EXPORT_DIR"
+  # shellcheck disable=SC2046
  run_quiet "Exporting Ad-Hoc IPA" "$LOG_DIR/mdm-export-$TIMESTAMP.log" \
    xcodebuild -exportArchive \
    -archivePath "$ARCHIVE_PATH" \
    -exportPath "$ADHOC_EXPORT_DIR" \
-    -exportOptionsPlist "$ADHOC_EXPORT_OPTIONS"
+    -exportOptionsPlist "$ADHOC_EXPORT_OPTIONS" \
+    $(xcodebuild_auth_args)
  
  [[ -f "$ADHOC_IPA" ]] || die "IPA nicht erzeugt: $ADHOC_IPA"
  ok "IPA exportiert: $ADHOC_IPA"
@ -546,11 +576,13 @@ Entweder:
  
  # Export IPA
  rm -rf "$TF_EXPORT_DIR"
+  # shellcheck disable=SC2046
  run_quiet "Exporting App-Store IPA" "$LOG_DIR/tf-export-$TIMESTAMP.log" \
    xcodebuild -exportArchive \
    -archivePath "$USED_ARCHIVE" \
    -exportPath "$TF_EXPORT_DIR" \
-    -exportOptionsPlist "$TF_EXPORT_OPTIONS"
+    -exportOptionsPlist "$TF_EXPORT_OPTIONS" \
+    $(xcodebuild_auth_args)
  
  [[ -f "$TF_IPA" ]] || die "IPA nicht erzeugt: $TF_IPA"
  ok "IPA exportiert: $TF_IPA"