Improve provisioning profiles update workflow from Fastlane (#8658)

Author: mokagio

fastlane/Fastfile

@@ -618,13 +618,7 @@ platform :ios do
     # We're about to use `add_development_certificates_to_provisioning_profiles` and `add_all_devices_to_provisioning_profiles`.
     # These actions use Developer Portal APIs that don't yet support authentication via API key (-.-').
     # Let's preemptively ask for and set the email here to avoid being asked twice for it if not set.
-
-    require 'credentials_manager'
-
-    # If Fastlane cannot instantiate a user, it will ask the caller for the email.
-    # Once we have it, we can set it as `FASTLANE_USER` in the environment (which has lifecycle limited to this call) so that the next commands will already have access to it.
-    # Note that if the user is already available to `AccountManager`, setting it in the environment is redundant, but Fastlane doesn't provide a way to check it so we have to do it anyway.
-    ENV['FASTLANE_USER'] = CredentialsManager::AccountManager.new.user
+    prompt_user_for_app_store_connect_credentials
 
     # Add all development certificates to the provisioning profiles (just in case – this is an easy step to miss)
     add_development_certificates_to_provisioning_profiles(
@@ -930,41 +924,55 @@ platform :ios do
   ########################################################################
   # Configure Lanes
   ########################################################################
-  #####################################################################################
-  # update_certs_and_profiles
-  # -----------------------------------------------------------------------------------
-  # This lane downloads all the required certs and profiles and,
-  # if not run on CI it creates the missing ones.
-  # -----------------------------------------------------------------------------------
-  # Usage:
-  # bundle exec fastlane update_certs_and_profiles
+
+  # Downloads all the required certificates and profiles for both production and internal distribution builds.
+  # Optionally, it can create any new necessary certificate or profile.
   #
-  # Example:
-  # bundle exec fastlane update_certs_and_profiles
-  #####################################################################################
-  lane :update_certs_and_profiles do
-    alpha_code_signing
-    appstore_code_signing
+  # @option [Boolean] readonly (default: true) Whether to only fetch existing certificates and profiles, without generating new ones.
+  lane :update_certs_and_profiles do |options|
+    alpha_code_signing(options)
+    appstore_code_signing(options)
   end
 
-  ########################################################################
-  # Fastlane match code signing
-  ########################################################################
-  private_lane :alpha_code_signing do
+  # Downloads all the required certificates and profiles the enterprise build.
+  # Optionally, it can create any new necessary certificate or profile.
+  #
+  # @option [Boolean] readonly (default: true) Whether to only fetch existing certificates and profiles, without generating new ones.
+  private_lane :alpha_code_signing do |options|
+    readonly = options.fetch(:readonly, true)
+
+    if readonly
+      # In readonly mode, we can use the API key
+      api_key_path = ASC_KEY_PATH
+    else
+      # The Enterprise account APIs do not support authentication via API key.
+      # If we want to modify data (readonly = false) we need to authenticate manually.
+      prompt_user_for_app_store_connect_credentials
+      # We also need to pass no API key path, otherwise Fastlane will give
+      # precedence to that authentication mode.
+      api_key_path = nil
+    end
+
     match(
       type: 'enterprise',
       team_id: get_required_env('INT_EXPORT_TEAM_ID'),
       app_identifier: ALPHA_BUNDLE_IDENTIFIERS,
-      readonly: true
+      readonly: readonly,
+      api_key_path: api_key_path
     )
   end
 
-  private_lane :appstore_code_signing do
+  # Downloads all the required certificates and profiles the production build.
+  # Optionally, it can create any new necessary certificate or profile.
+  #
+  # @option [Boolean] readonly (default: true) Whether to only fetch existing certificates and profiles, without generating new ones.
+  private_lane :appstore_code_signing do |options|
     match(
       type: 'appstore',
       team_id: get_required_env('EXT_EXPORT_TEAM_ID'),
       app_identifier: MAIN_BUNDLE_IDENTIFIERS,
-      readonly: true
+      readonly: options.fetch(:readonly, true),
+      api_key_path: ASC_KEY_PATH
     )
   end
 
@@ -1172,6 +1180,15 @@ def buildkite_ci?
   ENV.fetch('BUILDKITE', false)
 end
 
+def prompt_user_for_app_store_connect_credentials
+  require 'credentials_manager'
+
+  # If Fastlane cannot instantiate a user, it will ask the caller for the email.
+  # Once we have it, we can set it as `FASTLANE_USER` in the environment (which has lifecycle limited to this call) so that the next commands will already have access to it.
+  # Note that if the user is already available to `AccountManager`, setting it in the environment is redundant, but Fastlane doesn't provide a way to check it so we have to do it anyway.
+  ENV['FASTLANE_USER'] = CredentialsManager::AccountManager.new.user
+end
+
 # https://buildkite.com/docs/test-analytics/ci-environments
 TEST_ANALYTICS_ENVIRONMENT = %w[
   BUILDKITE_ANALYTICS_TOKEN

fastlane/Matchfile

@@ -7,6 +7,3 @@ storage_mode('google_cloud')
 google_cloud_bucket_name('a8c-fastlane-match')
 secrets_directory = File.join(Dir.home, '.configure', 'woocommerce-ios', 'secrets')
 google_cloud_keys_file(File.join(secrets_directory, 'google_cloud_keys.json'))
-
-# Use the decrypted API Key for authentication
-api_key_path(File.join(secrets_directory, 'app_store_connect_fastlane_api_key.json'))