.github/workflows/publishing.yml

name: Publishing

on:
  push:
    branches:
      - develop
      - hotfix/*
      - release/*
    tags:
      - v*.*.*

jobs:
  build:
    name: Build
    runs-on: macos-latest
    environment: apple-app-store
    strategy:
      matrix:
        platform:
          - iOS
          - macOS
        distribution:
          - app-store
          - standalone
        exclude:
          - platform: iOS
            distribution: standalone
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: true

      - name: Cache packages
        uses: actions/cache@v4
        with:
          path: |
            ~/Library/Caches/org.swift.swiftpm
            ~/Library/Developer/Xcode/DerivedData/**/SourcePackages/checkouts
            ~/Library/Developer/Xcode/DerivedData/**/SourcePackages/repositories
          key: ${{ runner.os }}-${{ matrix.platform }}-spm-${{ hashFiles('**/Package.resolved') }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.platform }}-spm-

      - name: Set up signing certificate
        env:
          CERTIFICATE_DISTRIBUTION_B64: ${{ vars.CERTIFICATE_DISTRIBUTION_B64 }}
          CERTIFICATE_DISTRIBUTION_PRIVATE_KEY_B64: ${{ secrets.CERTIFICATE_DISTRIBUTION_PRIVATE_KEY_B64 }}
          CERTIFICATE_MAC_INSTALLER_B64: ${{ vars.CERTIFICATE_MAC_INSTALLER_B64 }}
          CERTIFICATE_MAC_INSTALLER_PRIVATE_KEY_B64: ${{ secrets.CERTIFICATE_MAC_INSTALLER_PRIVATE_KEY_B64 }}
          CERTIFICATE_DEVELOPER_ID_APPLICATION_B64: ${{ vars.CERTIFICATE_DEVELOPER_ID_APPLICATION_B64 }}
          CERTIFICATE_DEVELOPER_ID_APPLICATION_PRIVATE_KEY_B64: ${{ secrets.CERTIFICATE_DEVELOPER_ID_APPLICATION_PRIVATE_KEY_B64 }}
          CERTIFICATE_DEVELOPER_ID_INSTALLER_B64: ${{ vars.CERTIFICATE_DEVELOPER_ID_INSTALLER_B64 }}
          CERTIFICATE_DEVELOPER_ID_INSTALLER_PRIVATE_KEY_B64: ${{ secrets.CERTIFICATE_DEVELOPER_ID_INSTALLER_PRIVATE_KEY_B64 }}
        run: |
          security create-keychain -p password build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p password build.keychain
          security set-keychain-settings build.keychain
          for CERTIFICATE in \
            $CERTIFICATE_DISTRIBUTION_B64 \
            $CERTIFICATE_MAC_INSTALLER_B64 \
            $CERTIFICATE_DEVELOPER_ID_APPLICATION_B64 \
            $CERTIFICATE_DEVELOPER_ID_INSTALLER_B64; \
          do
            echo $CERTIFICATE | base64 --decode > /tmp/certificate.cer
            security import /tmp/certificate.cer -k build.keychain -P '' -T /usr/bin/codesign -T /usr/bin/productsign
          done
          for KEY in \
            $CERTIFICATE_DISTRIBUTION_PRIVATE_KEY_B64 \
            $CERTIFICATE_MAC_INSTALLER_PRIVATE_KEY_B64 \
            $CERTIFICATE_DEVELOPER_ID_APPLICATION_PRIVATE_KEY_B64 \
            $CERTIFICATE_DEVELOPER_ID_INSTALLER_PRIVATE_KEY_B64; \
          do
            echo $KEY | base64 --decode > /tmp/key.p12
            security import /tmp/key.p12 -k build.keychain -P '' -T /usr/bin/codesign -T /usr/bin/productsign
          done
          security set-key-partition-list -S apple-tool:,apple: -s -k password build.keychain

      - name: Set up App Store Connect authentication
        env:
          APP_STORE_CONNECT_PRIVATE_KEY_B64: ${{ secrets.APP_STORE_CONNECT_PRIVATE_KEY_B64 }}
        run: echo $APP_STORE_CONNECT_PRIVATE_KEY_B64 | base64 --decode > /tmp/connect-key.p8

      - name: Select Xcode version
        run: sudo xcode-select -s /Applications/Xcode_$(cat .xcode-version).app/Contents/Developer

      - name: Prepare files
        if: ${{ matrix.distribution == 'app-store' }}
        env:
          CODE_SIGN_IDENTITY: 'Apple Distribution'
          PROVISIONING_PROFILE_SPECIFIER: ${{ matrix.platform == 'macOS' && vars.PROVISIONING_PROFILE_NAME_MACOS || vars.PROVISIONING_PROFILE_NAME }}
          SENTRY_DSN: ${{ matrix.platform == 'iOS' && secrets.SENTRY_DSN_IOS || secrets.SENTRY_DSN_MACOS }}
          SENTRY_ORG: ${{ vars.SENTRY_ORG }}
          SENTRY_PROJECT: ${{ matrix.platform == 'iOS' && vars.SENTRY_PROJECT_IOS || vars.SENTRY_PROJECT_MACOS }}
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
        run: make

      - name: Prepare files
        if: ${{ matrix.distribution == 'standalone' }}
        env:
          CODE_SIGN_IDENTITY: 'Developer ID Application'
          PROVISIONING_PROFILE_SPECIFIER: ${{ vars.PROVISIONING_PROFILE_NAME_MACOS_STANDALONE }}
        run: make

      - name: Trust OpenAPI plugin
        run: bash .github/workflows/trust-openapi-plugin.sh

      - name: Set up Sentry
        if: ${{ matrix.distribution == 'app-store' }}
        run: curl -sL https://sentry.io/get-cli/ | sh

      - name: Build app
        env:
          CODE_SIGN_IDENTITY: Apple Distribution
          PROVISIONING_PROFILE_SPECIFIER: Fyreplace
        run: |
          xcodebuild archive \
            DEVELOPMENT_TEAM=${{ vars.TEAM_ID }} \
            -allowProvisioningUpdates \
            -authenticationKeyPath /tmp/connect-key.p8 \
            -authenticationKeyID ${{ vars.APP_STORE_CONNECT_KEY_ID }} \
            -authenticationKeyIssuerID ${{ vars.APP_STORE_CONNECT_ISSUER_ID }} \
            -scheme Fyreplace \
            -destination generic/platform=${{ matrix.platform }} \
            -archivePath archive.xcarchive

      - name: Export to IPA
        if: ${{ matrix.platform == 'iOS' }}
        run: |
          /usr/libexec/PlistBuddy -c "Add :method string" ExportOptions.plist
          /usr/libexec/PlistBuddy -c "Set :method app-store-connect" ExportOptions.plist
          /usr/libexec/PlistBuddy -c "Add :teamId string" ExportOptions.plist
          /usr/libexec/PlistBuddy -c "Set :teamId ${{ vars.TEAM_ID }}" ExportOptions.plist
          /usr/libexec/PlistBuddy -c "Add :provisioningProfiles dict" ExportOptions.plist
          /usr/libexec/PlistBuddy -c "Add :provisioningProfiles:${{ vars.APP_ID }} string ${{ vars.PROVISIONING_PROFILE_NAME }}" ExportOptions.plist
          xcodebuild export \
            -allowProvisioningUpdates \
            -authenticationKeyPath /tmp/connect-key.p8 \
            -authenticationKeyID ${{ vars.APP_STORE_CONNECT_KEY_ID }} \
            -authenticationKeyIssuerID ${{ vars.APP_STORE_CONNECT_ISSUER_ID }} \
            -archivePath archive.xcarchive \
            -exportArchive \
            -exportOptionsPlist ExportOptions.plist \
            -exportPath Export

      - name: Export to PKG
        if: ${{ matrix.platform == 'macOS' }}
        env:
          SIGNING_CERTIFICATE: ${{ matrix.distribution == 'app-store' && '3rd Party Mac Developer Installer' || 'Developer ID Installer' }}
        run: |
          mkdir Export
          productbuild \
            --component archive.xcarchive/Products/Applications/Fyreplace.app \
            /Applications \
            Export/Fyreplace.unsigned.pkg
          productsign \
            --sign "$SIGNING_CERTIFICATE" \
            Export/Fyreplace.unsigned.pkg \
            Export/Fyreplace.pkg

      - name: Upload IPA
        uses: actions/upload-artifact@v4
        if: ${{ matrix.platform == 'iOS' }}
        with:
          name: Fyreplace.ipa
          path: Export/Fyreplace.ipa
          if-no-files-found: error

      - name: Upload PKG
        uses: actions/upload-artifact@v4
        if: ${{ matrix.platform == 'macOS' }}
        with:
          name: ${{ matrix.distribution == 'standalone' && 'Fyreplace.standalone.pkg' || 'Fyreplace.pkg' }}
          path: Export/Fyreplace.pkg
          if-no-files-found: error

  publish:
    name: Publish
    needs: build
    runs-on: macos-latest
    environment: apple-app-store
    strategy:
      matrix:
        platform:
          - ios
          - osx
        distribution:
          - app-store
          - standalone
        exclude:
          - platform: ios
            distribution: standalone
    steps:
      - name: Download IPA
        uses: actions/download-artifact@v4
        if: ${{ matrix.platform == 'ios' }}
        with:
          name: Fyreplace.ipa
          path: /tmp

      - name: Download PKG
        uses: actions/download-artifact@v4
        if: ${{ matrix.platform == 'osx' }}
        with:
          name: ${{ matrix.distribution == 'standalone' && 'Fyreplace.standalone.pkg' || 'Fyreplace.pkg' }}
          path: /tmp

      - name: Set up App Store Connect authentication
        env:
          APP_STORE_CONNECT_PRIVATE_KEY_B64: ${{ secrets.APP_STORE_CONNECT_PRIVATE_KEY_B64 }}
        run: |
          mkdir ~/private_keys
          echo $APP_STORE_CONNECT_PRIVATE_KEY_B64 | base64 --decode > ~/private_keys/AuthKey_${{ vars.APP_STORE_CONNECT_KEY_ID }}.p8

      - name: Upload to App Store Connect
        if: ${{ matrix.distribution == 'app-store' }}
        run: |
          for OPERATION in '--validate-app' '--upload-app'
          do
            xcrun altool \
              $OPERATION \
              --type ${{ matrix.platform }} \
              --file /tmp/Fyreplace.* \
              --apiKey ${{ vars.APP_STORE_CONNECT_KEY_ID }} \
              --apiIssuer ${{ vars.APP_STORE_CONNECT_ISSUER_ID }}
          done

      - name: Notorize PKG
        if: ${{ matrix.distribution == 'standalone' }}
        run: |
          xcrun notarytool \
            submit \
            --wait \
            --key ~/private_keys/AuthKey_${{ vars.APP_STORE_CONNECT_KEY_ID }}.p8 \
            --key-id ${{ vars.APP_STORE_CONNECT_KEY_ID }} \
            --issuer ${{ vars.APP_STORE_CONNECT_ISSUER_ID }} \
            /tmp/Fyreplace.pkg
          xcrun stapler staple /tmp/Fyreplace.pkg

      - name: Upload PKG
        uses: actions/upload-artifact@v4
        if: ${{ matrix.distribution == 'standalone' }}
        with:
          name: Fyreplace.standalone.pkg
          path: /tmp/Fyreplace.pkg
          overwrite: true
          if-no-files-found: error