Upload to TestFlight #7
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Upload to TestFlight | |
| # Dedicated workflow to build iOS (via build.yml) and upload to TestFlight. | |
| # All TestFlight logic lives here; build.yml only builds and uploads artifacts. | |
| # | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: 'Build environment / track' | |
| required: true | |
| type: choice | |
| options: | |
| - exp | |
| - beta | |
| - rc | |
| default: rc | |
| testflight_group: | |
| description: 'TestFlight external testing group' | |
| required: true | |
| type: choice | |
| default: 'MetaMask BETA & Release Candidates' | |
| options: | |
| - 'MetaMask BETA & Release Candidates' | |
| - 'MM Card Team' | |
| - 'Ramp Provider Testing' | |
| # contents: write required by build.yml update-build-version job (version bump) | |
| permissions: | |
| contents: write | |
| id-token: write | |
| jobs: | |
| build: | |
| name: Build iOS (${{ inputs.environment || 'rc' }}) | |
| uses: ./.github/workflows/build.yml | |
| with: | |
| build_name: main-${{ inputs.environment || 'rc' }} | |
| platform: ios | |
| skip_version_bump: false | |
| secrets: inherit | |
| testflight-upload-summary: | |
| name: TestFlight upload summary | |
| needs: [build] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Display TestFlight upload summary | |
| run: | | |
| BUILD_VERSION=$(node -p "require('./package.json').version") | |
| { | |
| echo "### 📲 TestFlight Upload" | |
| echo "" | |
| echo "| Field | Value |" | |
| echo "| --- | --- |" | |
| echo "| **Build name** | main-${{ inputs.environment || 'rc' }} |" | |
| echo "| **Build version** | ${BUILD_VERSION} |" | |
| echo "| **TestFlight group** | ${{ inputs.testflight_group || 'MetaMask BETA & Release Candidates' }} |" | |
| echo "| **Branch** | ${{ github.ref_name }} |" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| # Pulls App Store Connect API keys from AWS Secrets Manager (OIDC). | |
| # AWS secret must be accessible only by this workflow when run from main. | |
| upload-ios-testflight: | |
| name: Upload iOS to TestFlight | |
| needs: [build, testflight-upload-summary] | |
| runs-on: ghcr.io/cirruslabs/macos-runner:sequoia-xl | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Ruby (iOS) | |
| uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb #v1 | |
| with: | |
| ruby-version: '3.2.9' | |
| working-directory: ios | |
| bundler-cache: true | |
| - name: Download iOS build artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ios-main-${{ inputs.environment || 'rc' }} | |
| - name: Find IPA path | |
| id: ipa | |
| run: | | |
| IPA=$(find . -name '*.ipa' -type f | head -1) | |
| if [ -z "$IPA" ]; then | |
| echo "::error::No .ipa file found in artifact" | |
| exit 1 | |
| fi | |
| case "$IPA" in /*) ABS="$IPA" ;; *) ABS="$PWD/$IPA" ;; esac | |
| echo "path=$ABS" >> "$GITHUB_OUTPUT" | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE_APPLE_TESTFLIGHT }} | |
| aws-region: 'us-east-2' | |
| - name: Fetch Apple API keys from AWS Secrets Manager | |
| run: | | |
| echo "🔐 Fetching App Store Connect API keys from Secrets Manager..." | |
| secret_id="metamask-mobile-main-apple-api-keys" | |
| secret_json=$(aws secretsmanager get-secret-value \ | |
| --region 'us-east-2' \ | |
| --secret-id "$secret_id" \ | |
| --query SecretString \ | |
| --output text) | |
| for key in APP_STORE_CONNECT_API_KEY_ISSUER_ID APP_STORE_CONNECT_API_KEY_KEY_ID APP_STORE_CONNECT_API_KEY_KEY_CONTENT; do | |
| value=$(echo "$secret_json" | jq -r --arg k "$key" '.[$k] // empty') | |
| if [ -z "$value" ]; then | |
| echo "::error::Missing key in secret: $key" | |
| exit 1 | |
| fi | |
| echo "::add-mask::$value" | |
| echo "$key=$(printf '%s' "$value")" >> "$GITHUB_ENV" | |
| done | |
| echo "✅ Apple API keys loaded from AWS" | |
| - name: Setup App Store Connect API Key | |
| run: | | |
| bash scripts/setup-app-store-connect-api-key.sh \ | |
| "$APP_STORE_CONNECT_API_KEY_ISSUER_ID" \ | |
| "$APP_STORE_CONNECT_API_KEY_KEY_ID" \ | |
| "$APP_STORE_CONNECT_API_KEY_KEY_CONTENT" | |
| - name: Upload to TestFlight | |
| run: | | |
| bash scripts/upload-to-testflight.sh \ | |
| "github_actions_main-${{ inputs.environment || 'rc' }}" \ | |
| "${{ github.ref_name }}" \ | |
| "${{ steps.ipa.outputs.path }}" \ | |
| "${{ inputs.testflight_group || 'MetaMask BETA & Release Candidates' }}" | |
| - name: Cleanup API Key | |
| if: always() | |
| run: | | |
| rm -f ios/AuthKey.p8 | |
| echo "🧹 Cleaned up API key file" |