E2e env actions #85
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,114 @@ | ||
| name: 'Configure Keystore' | ||
| description: 'Assume an AWS role and fetch a secret into environment variables' | ||
|
|
||
| inputs: | ||
| aws-role-to-assume: | ||
| description: 'The AWS IAM role to assume' | ||
| required: true | ||
| aws-region: | ||
| description: 'The AWS region where the secret is stored' | ||
| required: true | ||
| secret-name: | ||
| description: 'The name of the secret in AWS Secrets Manager' | ||
| required: true | ||
|
There was a problem hiding this comment. Bug: Unused Required Input Causes Misleading BehaviorThe Locations (1)
There was a problem hiding this comment. Bug: Unused Required InputThe Locations (1)
There was a problem hiding this comment. Bug: Unused Required Input Causes Workflow FailuresThe Locations (1)
There was a problem hiding this comment. Bug: Required Input Ignored in ActionThe Locations (1)
There was a problem hiding this comment. Bug: Unused Required Input Causes Misleading ConfigurationThe
|
||
| platform: | ||
|
There was a problem hiding this comment. Bug: Redundant Secret Name InputThe Locations (1)
|
||
| description: 'The platform for which the keystore is being configured (e.g., ios, android)' | ||
| required: true | ||
| target: | ||
| description: 'The target for which the keystore is being configured (e.g., qa, flask, main)' | ||
| required: true | ||
|
|
||
| runs: | ||
| using: 'composite' | ||
| steps: | ||
| - name: Determine signing secret name | ||
| shell: bash | ||
| run: | | ||
| case "${{ inputs.target }}" in | ||
| qa) | ||
| SECRET_NAME="metamask-mobile-qa-signing-certificates" | ||
| ;; | ||
| flask) | ||
| SECRET_NAME="metamask-mobile-flask-signing-certificates" | ||
| ;; | ||
| main) | ||
| SECRET_NAME="metamask-mobile-main-signing-certificates" | ||
| ;; | ||
| *) | ||
| echo "β Unknown environment: ${{ inputs.environment }}" | ||
|
There was a problem hiding this comment. Bug: Incorrect Error Message for Unknown TargetsThe error message for unknown targets incorrectly references
There was a problem hiding this comment. Bug: Incorrect Error Message Variable ReferenceThe
There was a problem hiding this comment. Bug: Invalid Target Error Message BugThe error message for unknown targets incorrectly references
There was a problem hiding this comment. Bug: Incorrect Target Reference in Error MessageThe error message for an unknown target in the
|
||
| exit 1 | ||
| ;; | ||
| esac | ||
| echo "AWS_SIGNING_CERT_SECRET_NAME=$SECRET_NAME" >> "$GITHUB_ENV" | ||
cursor[bot] marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v4 | ||
| with: | ||
| role-to-assume: ${{ inputs.aws-role-to-assume }} | ||
| aws-region: ${{ inputs.aws-region }} | ||
|
|
||
| - name: Fetch secret and export as environment variables | ||
| shell: bash | ||
| run: | | ||
| echo "π Fetching secret from Secrets Manager..." | ||
| secret_json=$(aws secretsmanager get-secret-value \ | ||
| --region "${{ inputs.aws-region }}" \ | ||
| --secret-id "${AWS_SIGNING_CERT_SECRET_NAME}" \ | ||
| --query SecretString \ | ||
| --output text) | ||
|
|
||
| keys=$(echo "$secret_json" | jq -r 'keys[]') | ||
| for key in $keys; do | ||
| value=$(echo "$secret_json" | jq -r --arg k "$key" '.[$k]') | ||
| echo "::add-mask::$value" | ||
| echo "$key=$(printf '%s' "$value")" >> "$GITHUB_ENV" | ||
| echo "β Set secret for key: $key" | ||
| done | ||
|
|
||
| - name: Configure Android Signing Certificates | ||
| if: inputs.platform == 'android' | ||
| shell: bash | ||
| run: | | ||
| echo "π¦ Configuring Android keystore..." | ||
| if [[ -z "$ANDROID_KEYSTORE" ]]; then | ||
| echo "β οΈ ANDROID_KEYSTORE is not set. Skipping keystore decoding." | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Use provided path if set, fallback to default | ||
| KEYSTORE_PATH="${ANDROID_KEYSTORE_PATH:-/tmp/android.keystore}" | ||
| echo "$ANDROID_KEYSTORE" | base64 --decode > "$KEYSTORE_PATH" | ||
| echo "β Android keystore written to $KEYSTORE_PATH" | ||
|
|
||
| - name: Configure iOS Signing Certificates | ||
| if: inputs.platform == 'ios' | ||
| shell: bash | ||
| run: | | ||
| echo "π¦ Configuring iOS code signing..." | ||
|
|
||
| # Create paths | ||
| CERT_PATH="$RUNNER_TEMP/build_certificate.p12" | ||
| PROFILE_PATH="$RUNNER_TEMP/build_pp.mobileprovision" | ||
| KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db" | ||
| CERT_PW="${IOS_SIGNING_KEYSTORE_PASSWORD}" | ||
|
|
||
| # Decode base64 files | ||
| echo "$IOS_SIGNING_KEYSTORE" | base64 --decode > "$CERT_PATH" | ||
| echo "$IOS_SIGNING_PROFILE" | base64 --decode > "$PROFILE_PATH" | ||
| echo "β Decoded .p12 and provisioning profile" | ||
|
|
||
| # Create and unlock keychain | ||
| security create-keychain -p "$CERT_PW" "$KEYCHAIN_PATH" | ||
| security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" | ||
| security unlock-keychain -p "$CERT_PW" "$KEYCHAIN_PATH" | ||
|
|
||
| # Import cert | ||
| security import "$CERT_PATH" -P "$CERT_PW" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" > /dev/null | ||
| security set-key-partition-list -S apple-tool:,apple: -k "$CERT_PW" "$KEYCHAIN_PATH" > /dev/null | ||
| security find-identity -p codesigning "$KEYCHAIN_PATH" | ||
|
|
||
|
|
||
| # Install provisioning profile | ||
| mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles | ||
| cp "$PROFILE_PATH" ~/Library/MobileDevice/Provisioning\ Profiles/ | ||
| echo "β Installed provisioning profile" | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Bug: Redundant Secret Input Causes Confusion
The
secret-nameinput is defined as required but is never used by the action. Instead, the secret name is dynamically determined from theenvironmentinput, renderingsecret-nameredundant and confusing.Locations (1)
.github/actions/configure-keystore/action.yml#L10-L13