kiwix-apple-custom/.github/workflows/cd.yml

name: Publish Custom App

on:
  release:
    types: [published]
    branches:
      - main

# taken from: kiwix/kiwix-apple .github/workflows/cd.yml
env:
  KEYCHAIN: /Users/runner/build.keychain-db
  KEYCHAIN_PASSWORD: mysecretpassword
  KEYCHAIN_PROFILE: build-profile
  SSH_KEY: /tmp/id_rsa
  APPLE_STORE_AUTH_KEY_PATH: /tmp/authkey.p8

jobs:
  generate_build_deploy:
    strategy:
      fail-fast: false
      matrix:
        destination:
          - platform: macOS
          - platform: iOS
            xcode_extra: -sdk iphoneos
    runs-on: macos-13
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          path: custom

      - name: Set tag variable as an output
        id: vars
        run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT

      - name: Validate tag
        run:
          |
          cd custom
          python src/tag_validator.py ${{ steps.vars.outputs.tag }}
          cd ..

      - name: Check-out kiwix/kiwix-apple
        uses: actions/checkout@v4
        with:
          repository: kiwix/kiwix-apple
          path: apple

      - name: Install Python dependencies for custom project generation
        run: python -m pip install pyyaml

      - name: Install Kiwix dependencies
        run: | # remove pre-commit, it's not needed for CI
          cd apple
          cat Brewfile | grep -v -e pre-commit > Brewfile_CI
          brew bundle --force --file Brewfile_CI
          cd ..

      - name: Generate project based on tag
        env:
          DWDS_HTTP_BASIC_ACCESS_AUTHENTICATION: ${{ secrets.DWDS_HTTP_BASIC_ACCESS_AUTHENTICATION }}
        run:
          |
          # move the custom files under the same folder as the kiwix repo
          mv custom/ apple/
          cd apple/custom

          # make a custom copy of the Info.plist file
          cp ../Support/Info.plist Custom.plist

          python src/tag_validator.py ${{ steps.vars.outputs.tag }}
          python src/generate_and_download.py

          # move the custom project file to the main folder
          mv custom_project.yml ../
          cd ..

          # run xcodegen on our custom project
          xcodegen -s custom_project.yml

          ls -la


      - name: Set up scheme, version, build_number from files
        run: |
          # move the checked out github actions to root folder:
          mv apple/.github/ .

          BRAND=$(<./apple/custom/.brand_name)
          echo "BRAND=$BRAND" >> $GITHUB_ENV

          VERSION=$(<./apple/custom/.version_number)
          echo "VERSION=$VERSION" >> $GITHUB_ENV

      # taken from: kiwix/kiwix-apple .github/workflows/cd.yml
      - name: Set up variables for build
        env:
          PLATFORM: ${{ matrix.destination.platform }}
          EXTRA_XCODEBUILD: ${{ matrix.destination.xcode_extra }}
          APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }}
          APPLE_STORE_AUTH_KEY_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ID }}
          APPLE_STORE_AUTH_KEY_ISSUER_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ISSUER_ID }}
        shell: python
        run: |
          import os

          extra_xcode = os.getenv("EXTRA_XCODEBUILD", "")
          if os.getenv("PLATFORM") == "iOS":
            extra_xcode += f" -authenticationKeyPath {os.getenv('APPLE_STORE_AUTH_KEY_PATH')}"
            extra_xcode += f" -authenticationKeyID {os.getenv('APPLE_STORE_AUTH_KEY_ID')}"
            extra_xcode += f" -authenticationKeyIssuerID {os.getenv('APPLE_STORE_AUTH_KEY_ISSUER_ID')}"

          with open(os.getenv("GITHUB_ENV"), "a") as fh:
            fh.write(f"EXPORT_METHOD={'app-store'}\n")
            fh.write(f"EXTRA_XCODEBUILD={extra_xcode}\n")

      - name: Prepare use of Apple Distribution Certificate
        shell: bash
        env:
          APPLE_DISTRIBUTION_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DISTRIBUTION_SIGNING_CERTIFICATE }}
          APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD }}
          APPLE_DEVELOPMENT_SIGNING_IDENTITY: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_IDENTITY }}
        run: |
          echo "SIGNING_CERTIFICATE=${APPLE_DISTRIBUTION_SIGNING_CERTIFICATE}" >> "$GITHUB_ENV"
          echo "SIGNING_CERTIFICATE_P12_PASSWORD=${APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD}" >> "$GITHUB_ENV"
          echo "SIGNING_IDENTITY=${APPLE_DEVELOPMENT_SIGNING_IDENTITY}" >> "$GITHUB_ENV"

      - name: Add Apple Store Key
        env:
          APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }}
          APPLE_STORE_AUTH_KEY: ${{ secrets.APPLE_STORE_AUTH_KEY }}
        shell: bash
        run: echo "${APPLE_STORE_AUTH_KEY}" | base64 --decode -o $APPLE_STORE_AUTH_KEY_PATH

      - name: Build xcarchive
        uses: ./.github/actions/xcbuild
        with:
          action: archive
          xc-destination: generic/platform=${{ matrix.destination.platform }}
          # custom app specific
          version: ${{ env.VERSION }}
          XC_SCHEME: ${{ env.BRAND }}
          DOWNLOAD_DEPENDENCIES: false
          XC_WORKSPACE: apple/Kiwix.xcodeproj/project.xcworkspace/
          # eof custom app specific
          APPLE_DEVELOPMENT_SIGNING_CERTIFICATE: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_CERTIFICATE }}
          APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD }}
          DEPLOYMENT_SIGNING_CERTIFICATE: ${{ env.SIGNING_CERTIFICATE }}
          DEPLOYMENT_SIGNING_CERTIFICATE_P12_PASSWORD: ${{ env.SIGNING_CERTIFICATE_P12_PASSWORD }}
          KEYCHAIN: ${{ env.KEYCHAIN }}
          KEYCHAIN_PASSWORD: ${{ env.KEYCHAIN_PASSWORD }}
          KEYCHAIN_PROFILE: ${{ env.KEYCHAIN_PROFILE }}
          EXTRA_XCODEBUILD: ${{ env.EXTRA_XCODEBUILD }}

      - name: Add altool credentials to Keychain
        shell: bash
        env:
          APPLE_SIGNING_ALTOOL_USERNAME: ${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}
          APPLE_SIGNING_ALTOOL_PASSWORD: ${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}
          APPLE_SIGNING_TEAM: ${{ secrets.APPLE_SIGNING_TEAM }}
        run: |
          security find-identity -v $KEYCHAIN
          security unlock-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN
          xcrun notarytool store-credentials \
              --apple-id "${APPLE_SIGNING_ALTOOL_USERNAME}" \
              --password "${APPLE_SIGNING_ALTOOL_PASSWORD}" \
              --team-id "${APPLE_SIGNING_TEAM}" \
              --validate \
              --keychain $KEYCHAIN \
              $KEYCHAIN_PROFILE

      - name: Prepare export for ${{ env.EXPORT_METHOD }}
        run: |
          plutil -create xml1 ./export.plist
          plutil -insert destination -string upload ./export.plist
          plutil -insert method -string $EXPORT_METHOD ./export.plist

      - name: Upload Archive to Apple (App Store or Notarization)
        env:
          APPLE_STORE_AUTH_KEY_PATH: ${{ env.APPLE_STORE_AUTH_KEY_PATH }}
          APPLE_STORE_AUTH_KEY_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ID }}
          APPLE_STORE_AUTH_KEY_ISSUER_ID: ${{ secrets.APPLE_STORE_AUTH_KEY_ISSUER_ID }}
        run: xcrun xcodebuild -exportArchive -archivePath $PWD/Kiwix-$VERSION.xcarchive -exportPath $PWD/export/ -exportOptionsPlist export.plist -authenticationKeyPath $APPLE_STORE_AUTH_KEY_PATH -allowProvisioningUpdates -authenticationKeyID $APPLE_STORE_AUTH_KEY_ID -authenticationKeyIssuerID $APPLE_STORE_AUTH_KEY_ISSUER_ID