Validate Secrets #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: 1. Validate Secrets | |
run-name: Validate Secrets | |
on: [workflow_call, workflow_dispatch] | |
jobs: | |
validate: | |
runs-on: macos-14 | |
steps: | |
# Checks-out the repo | |
- name: Checkout Repo | |
uses: actions/checkout@v4 | |
# Sync the GitHub runner clock with the Windows time server (workaround as suggested in https://github.com/actions/runner/issues/2996) | |
- name: Sync clock | |
run: sudo sntp -sS time.windows.com | |
# Validates the repo secrets | |
- name: Validate Secrets | |
run: | | |
# Validate Secrets | |
echo Validating Repository Secrets... | |
# Validate TEAMID | |
if [ -z "$TEAMID" ]; then | |
failed=true | |
echo "::error::TEAMID secret is unset or empty. Set it and try again." | |
elif [ ${#TEAMID} -ne 10 ]; then | |
failed=true | |
echo "::error::TEAMID secret is set but has wrong length. Verify that it is set correctly and try again." | |
fi | |
# Validate GH_PAT | |
if [ -z "$GH_PAT" ]; then | |
failed=true | |
echo "::error::GH_PAT secret is unset or empty. Set it and try again." | |
elif [ "$(gh api -H "Accept: application/vnd.github+json" /repos/${{ github.repository_owner }}/Match-Secrets | jq --raw-output '.permissions.push')" != "true" ]; then | |
failed=true | |
echo "::error::GH_PAT secret is set but invalid or lacking appropriate privileges on the ${{ github.repository_owner }}/Match-Secrets repository. Verify that it is set correctly and try again." | |
fi | |
# Validate FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY | |
if [ -z "$FASTLANE_ISSUER_ID" ] || [ -z "$FASTLANE_KEY_ID" ] || [ -z "$FASTLANE_KEY" ]; then | |
failed=true | |
[ -z "$FASTLANE_ISSUER_ID" ] && echo "::error::The FASTLANE_ISSUER_ID secret is unset or empty. Set it and try again." | |
[ -z "$FASTLANE_KEY_ID" ] && echo "::error::The FASTLANE_KEY_ID secret is unset or empty. Set it and try again." | |
[ -z "$FASTLANE_KEY" ] && echo "::error::The FASTLANE_KEY secret is unset or empty. Set it and try again." | |
elif ! echo "$FASTLANE_KEY" | openssl pkcs8 -nocrypt >/dev/null; then | |
failed=true | |
echo "::error::The FASTLANE_KEY secret is set but invalid. Verify that it is set correctly and try again." | |
elif ! fastlane validate_secrets; then | |
failed=true | |
echo "::error::Unable to create a valid authorization token for the App Store Connect API.\ | |
Verify that the FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY secrets are set correctly and try again." | |
fi | |
# Validate MATCH_PASSWORD | |
if [ -z "$MATCH_PASSWORD" ]; then | |
failed=true | |
echo "::error::The MATCH_PASSWORD secret is unset or empty. Set it and try again." | |
fi | |
# Exit unsuccessfully if secret validation failed. | |
if [ $failed ]; then | |
exit 2 | |
fi | |
shell: bash | |
env: | |
TEAMID: ${{ secrets.TEAMID }} | |
GH_PAT: ${{ secrets.GH_PAT }} | |
FASTLANE_ISSUER_ID: ${{ secrets.FASTLANE_ISSUER_ID }} | |
FASTLANE_KEY_ID: ${{ secrets.FASTLANE_KEY_ID }} | |
FASTLANE_KEY: ${{ secrets.FASTLANE_KEY }} | |
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }} | |
GH_TOKEN: ${{ secrets.GH_PAT }} |