ci: migrate iOS workflows to SSH-based Match, add Firebase and TestFlight publishing support (#31)

Author: HekmatullahAmin

.github/workflows/multi-platform-build-and-publish.yaml

@@ -109,22 +109,53 @@ on:
         type: string
         required: true
 
-      build_ios:
+      # Toggle for building and uploading iOS app to Firebase App Distribution
+      distribute_ios_firebase:
         type: boolean
         default: false
-        description: Build iOS App
+        description: Distribute iOS App via Firebase App Distribution
 
-      # Toggle for iOS App Store publishing
-      publish_ios:
+      # Toggle for uploading iOS app to TestFlight (App Store Connect)
+      distribute_ios_testflight:
         type: boolean
         default: false
-        description: Publish iOS App On App Store
+        description: Distribute iOS App via TestFlight (App Store Connect)
 
       tester_groups:
         type: string
         description: 'Firebase Tester Group'
         required: true
 
+      app_identifier:
+        type: string
+        description: 'The unique bundle identifier for the iOS application'
+        required: true
+
+      git_url:
+        type: string
+        description: 'Git URL to the private repository containing certificates and provisioning profiles for code signing (used by Fastlane Match)'
+        required: true
+
+      git_branch:
+        type: string
+        description: 'Branch name inside the certificates repository that Fastlane Match should use to fetch signing assets'
+        required: true
+
+      match_type:
+        type: string
+        description: 'Type of provisioning profile to fetch using Match (e.g., adhoc, appstore, development)'
+        required: true
+
+      provisioning_profile_name:
+        type: string
+        description: 'Name of the provisioning profile to use for code signing (e.g., match AdHoc com.example.app or match AppStore com.example.app)'
+        required: true
+
+      firebase_app_id:
+        type: string
+        description: 'Firebase App ID'
+        required: true
+
     secrets:
       # Android-related secrets
       original_keystore_file:
@@ -177,6 +208,21 @@ on:
       notarization_team_id:
         description: 'Apple developer team ID'
         required: false
+      appstore_key_id:
+        description: 'Key ID from App Store Connect API Key'
+        required: true
+      appstore_issuer_id:
+        description: 'Issuer ID from App Store Connect API Key'
+        required: true
+      appstore_auth_key:
+        description: 'Base64-encoded contents of the .p8 auth key file'
+        required: true
+      match_password:
+        description: 'Password used to encrypt/decrypt the certificates repository used by match'
+        required: true
+      match_ssh_private_key:
+        description: 'SSH private key for accessing the certificates repository'
+        required: true
 
       # Desktop signing secrets
       windows_signing_key:
@@ -266,37 +312,64 @@ jobs:
   # Firebase Distribution Job for iOS
   publish_ios_app_to_firebase:
     name: Publish iOS App On Firebase
-    runs-on: macos-latest
+    if: inputs.distribute_ios_firebase
+    runs-on: macos-14
     permissions:
       contents: write
     steps:
+      - name: Set Xcode version 16.2
+        uses: maxim-lobanov/setup-xcode@v1
+        with:
+          xcode-version: '16.2'
+
       - name: Checkout Repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Deploy iOS App to Firebase
-        if: inputs.build_ios
         uses: openMF/[email protected]
         continue-on-error: true
         with:
+          app_identifier: ${{ inputs.app_identifier }}
+          git_url: ${{ inputs.git_url }}
+          git_branch: ${{ inputs.git_branch }}
+          match_type: ${{ inputs.match_type }}
+          provisioning_profile_name: ${{ inputs.provisioning_profile_name }}
+          match_password: ${{ secrets.match_password }}
+          match_ssh_private_key: ${{ secrets.match_ssh_private_key }}
           ios_package_name: ${{ inputs.ios_package_name }}
+          firebase_app_id: ${{ inputs.firebase_app_id }}
           firebase_creds: ${{ secrets.firebase_creds }}
           tester_groups: ${{ inputs.tester_groups }}
 
-  # App Store Publishing Job
-  publish_ios_app_to_app_center:
+  # Testflight Publishing Job
+  publish_ios_app_to_testflight:
     name: Publish iOS App On App Center
-    if: inputs.publish_ios
-    runs-on: macos-latest
+    if: inputs.distribute_ios_testflight
+    runs-on: macos-14
     steps:
+      - name: Set Xcode version 16.2
+        uses: maxim-lobanov/setup-xcode@v1
+        with:
+          xcode-version: '16.2'
+
       - name: Checkout Repository
         uses: actions/checkout@v4
 
-      - name: Git Status
-        run: git status
-
-      # TODO: Implement App Store publishing
+      - name: Deploy iOS app to TestFlight
+        uses: openMF/mifos-x-actionhub-publish-ios-on-appstore-production@main
+        with:
+          app_identifier: ${{ inputs.app_identifier }}
+          git_url: ${{ inputs.git_url }}
+          git_branch: ${{ inputs.git_branch }}
+          match_type: ${{ inputs.match_type }}
+          provisioning_profile_name: ${{ inputs.provisioning_profile_name }}
+          appstore_key_id: ${{ secrets.appstore_key_id }}
+          appstore_issuer_id: ${{ secrets.appstore_issuer_id }}
+          appstore_auth_key: ${{ secrets.appstore_auth_key }}
+          match_password: ${{ secrets.match_password }}
+          match_ssh_private_key: ${{ secrets.match_ssh_private_key }}
 
   # Desktop Publishing Job
   publish_desktop:

.github/workflows/pr-check.yaml

@@ -115,23 +115,23 @@ on:
         required: false  
         default: true
 
-      keychain_name:
-        description: 'Name of the keychain to use for signing'
+      git_url:
+        description: 'Git URL to the private repository containing certificates and provisioning profiles for code signing (used by Fastlane Match)'
         type: string
         required: false
-        default: 'ci-signing.keychain'
+        default: '[email protected]:openMF/ios-provisioning-profile.git'
 
-      match_type:
-        description: 'Specifies the type of provisioning profile to use for code signing (e.g., adhoc, appstore, development)'
+      git_branch:
+        description: 'Branch name inside the certificates repository that Fastlane Match should use to fetch signing assets'
         type: string
         required: false
-        default: 'adhoc'
+        default: 'master'
 
-      export_method:
-        description: 'Defines how the app should be packaged for distribution (e.g., ad-hoc, app-store, development)'
+      match_type:
+        description: 'Specifies the type of provisioning profile to use for code signing (e.g., adhoc, appstore, development)'
         type: string
         required: false
-        default: 'ad-hoc'
+        default: 'adhoc'
 
       app_identifier:
         description: 'The bundle identifier used to uniquely identify your iOS application'
@@ -146,18 +146,14 @@ on:
         default: 'match AdHoc org.mifos.kmp.template'
 
     secrets:
-      MATCH_GIT_BASIC_AUTHORIZATION:
-        description: 'Base64-encoded GitHub token used by Fastlane Match to authenticate and clone the certificates/profiles repository securely'
+      match_ssh_private_key:
+        description: 'SSH private key for accessing the certificates repository'
         required: true
 
-      MATCH_PASSWORD:
+      match_password:
         description: 'Encryption passphrase used by Fastlane Match to decrypt the signing certificates and provisioning profiles stored in the remote repository'
         required: true
 
-      KEYCHAIN_PASSWORD:
-        description: 'Password used to create and unlock a temporary keychain during the CI build, allowing codesigning without user interaction'
-        required: true
-
 # Concurrency settings to prevent multiple simultaneous workflow runs
 concurrency:
   group: build-${{ github.ref }}
@@ -229,13 +225,12 @@ jobs:
 
       - name: Build iOS App
         if: ${{ inputs.build_ios }}
-        uses: openMF/mifos-x-actionhub-build-ios-app@v1.0.1
+        uses: openMF/mifos-x-actionhub-build-ios-app@main
         with:
-          match_git_basic_authorization: ${{ secrets.MATCH_GIT_BASIC_AUTHORIZATION }}
-          match_password: ${{ secrets.MATCH_PASSWORD }}
-          keychain_name: ${{ inputs.keychain_name }}
-          keychain_password: ${{ secrets.KEYCHAIN_PASSWORD }}
+          match_ssh_private_key: ${{ secrets.match_ssh_private_key}}
+          match_password: ${{ secrets.match_password }}
+          git_url: ${{ inputs.git_url }}
+          git_branch: ${{ inputs.git_branch }}
           match_type: ${{ inputs.match_type }}
-          export_method: ${{ inputs.export_method }}
           app_identifier: ${{ inputs.app_identifier }}
           provisioning_profile_name: ${{ inputs.provisioning_profile_name }}