Refactor workflow and Fastlane scripts to replace revoked certificate…

…s check with expired certificates handling, update output mechanism to use GITHUB_ENV, and streamline notification process for expired certificates.
bjornoleh · Jan 8, 2025 · b995d57 · b995d57
1 parent ff17798
commit b995d57
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 22 deletions.
diff --git a/.github/workflows/check_certs.yml b/.github/workflows/check_certs.yml
@@ -12,7 +12,7 @@ jobs:
       FASTLANE_KEY_ID: ${{ secrets.FASTLANE_KEY_ID }}
       FASTLANE_KEY: ${{ secrets.FASTLANE_KEY }}
     outputs:
-      cert_revoked: ${{ steps.set_output.outputs.cert_revoked }} # Job-level output
+      cert_expired: ${{ steps.set_output.outputs.cert_expired }} # Job-level output for expired certificates
 
     steps:
       - name: Checkout repository
@@ -26,18 +26,23 @@ jobs:
       - name: Install dependencies
         run: bundle install
 
-      - name: Check and Revoke Certificates
+      - name: Check Certificates
         env:
           FASTLANE_USER: ${{ secrets.APPLE_ID }}
           FASTLANE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
-        run: bundle exec fastlane check_and_revoke_certificates
+        run: bundle exec fastlane check_and_notify_certificates
         id: check_certs
 
       - name: Set output based on Fastlane result
         id: set_output
-        run: echo "::set-output name=cert_revoked::$(cat cert_revoked.txt)" # Output from Fastlane saved to a file
+        run: |
+          if [ -f cert_expired.txt ]; then
+            echo "cert_expired=$(cat cert_expired.txt)" >> $GITHUB_ENV
+          else
+            echo "cert_expired=false" >> $GITHUB_ENV
+          fi
 
   trigger_create_certs:
     needs: check_certs
-    if: ${{ needs.check_certs.outputs.cert_revoked == 'true' }}
+    if: ${{ needs.check_certs.outputs.cert_expired == 'true' }}
     uses: ./.github/workflows/create_certs.yml
diff --git a/fastlane/Fastfile b/fastlane/Fastfile
@@ -278,8 +278,8 @@ platform :ios do
     )
   end
 
-  desc "Check Certificates"
-  lane :check_and_revoke_certificates do
+  desc "Check Certificates and Trigger Workflow for Expired Certificates"
+  lane :check_and_notify_certificates do
     setup_ci if ENV['CI']
     ENV["MATCH_READONLY"] = false.to_s
 
@@ -290,34 +290,41 @@ platform :ios do
       key_content: ENV["FASTLANE_KEY"] # Ensure valid key content
     )
 
-    revoked = false
+    # Initialize flag to track if any certificates are expired
+    expired_certificate_found = false
 
-    # Fetch all certificates using the authenticated session
-    certificates = Spaceship::ConnectAPI::Certificate.all # No need to pass api_key explicitly
+    # Fetch all certificates
+    certificates = Spaceship::ConnectAPI::Certificate.all
 
-    # Filter for Production/Distribution certificates
+    # Filter for Distribution Certificates
     distribution_certs = certificates.select { |cert| cert.certificate_type == "DISTRIBUTION" }
 
     # Check for expiration
     distribution_certs.each do |cert|
-      expiration_date_str = cert.expiration_date
-      expiration_date = Time.parse(expiration_date_str) # Convert the string to Time
+      expiration_date = Time.parse(cert.expiration_date)
 
       puts "Checking Distribution Certificate: #{cert.id}, Expiration: #{expiration_date}"
 
-      if expiration_date < Time.now + 30 * 24 * 60 * 60 # Less than 30 days to expiry
-        puts "Certificate #{cert.id} is expiring soon or already expired. Revoking..."
-        cert.delete! # Use `delete!` for API-based revocation
-        revoked = true
+      if expiration_date < Time.now
+        puts "❌ Certificate #{cert.id} is already expired!"
+        expired_certificate_found = true
+      elsif expiration_date < Time.now + 30 * 24 * 60 * 60
+        puts "⚠️ Certificate #{cert.id} is expiring soon!"
+      else
+        puts "✅ Certificate #{cert.id} is valid."
       end
     end
 
-    if revoked
-      puts "Certificates were revoked. Triggering workflow to recreate them."
-      File.write('cert_revoked.txt', 'true')
+    # Write result to cert_expired.txt
+    File.write('cert_expired.txt', expired_certificate_found ? 'true' : 'false')
+
+    # Handle output for triggering workflow
+    if expired_certificate_found
+      puts "❌ At least one certificate is expired. Creating flag file to trigger workflow."
+      File.write('cert_expired.txt', 'true')
     else
-      puts "All certificates are valid. No action required."
-      File.write('cert_revoked.txt', 'false')
+      puts "✅ No certificates are expired. No action required."
+      File.write('cert_expired.txt', 'false')
     end
   end
 end