ci: update iOS publish workflow

2026-05-25 09:54:12 +00:00 · 2026-05-21 23:57:45 +08:00 · 2026-05-21 23:57:45 +08:00 · f25340c0b3
commit f25340c0b3
parent 24f607f442
1 changed files with 59 additions and 6 deletions
--- a/.github/workflows/ios-publish.yml
+++ b/.github/workflows/ios-publish.yml
@ -5,6 +5,7 @@ name: "iOS Publish"
 #   IOS_CERTIFICATE_BASE64         - Apple distribution certificate (.p12) encoded in base64
 #   IOS_CERTIFICATE_PASSWORD       - Password for the .p12 certificate
 #   IOS_PROVISION_PROFILE_BASE64   - App Store provisioning profile (.mobileprovision) encoded in base64
+#   IOS_SHARE_EXTENSION_PROVISION_PROFILE_BASE64 - Share extension App Store provisioning profile (.mobileprovision) encoded in base64
 #   ASC_API_KEY_P8_BASE64          - App Store Connect API key (.p8) encoded in base64
 #   ASC_API_KEY_ID                 - App Store Connect API Key ID
 #   ASC_ISSUER_ID                  - App Store Connect Issuer ID
@ -12,10 +13,18 @@ name: "iOS Publish"
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
+concurrency:
+  group: ios-publish-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
  prepare-assets:
    name: Prepare iOS Assets
    runs-on: ubuntu-latest
+    timeout-minutes: 30
    outputs:
      version: ${{ steps.get-version.outputs.version }}

@ -60,7 +69,8 @@ jobs:
  build-ios:
    name: Build & Submit iOS
    needs: prepare-assets
-    runs-on: macos-15
+    runs-on: macos-26
+    timeout-minutes: 60
    environment: build

    steps:
@ -118,12 +128,32 @@ jobs:
      - name: Import provisioning profile
        env:
          IOS_PROVISION_PROFILE_BASE64: ${{ secrets.IOS_PROVISION_PROFILE_BASE64 }}
+          IOS_SHARE_EXTENSION_PROVISION_PROFILE_BASE64: ${{ secrets.IOS_SHARE_EXTENSION_PROVISION_PROFILE_BASE64 }}
        run: |
-          PROFILE_PATH=$RUNNER_TEMP/profile.mobileprovision
-          echo "$IOS_PROVISION_PROFILE_BASE64" | base64 --decode > "$PROFILE_PATH"
+          set -euo pipefail
+
+          APP_PROFILE_PATH=$RUNNER_TEMP/app.mobileprovision
+          SHARE_PROFILE_PATH=$RUNNER_TEMP/share-extension.mobileprovision
+          APP_PROFILE_PLIST=$RUNNER_TEMP/app-profile.plist
+          SHARE_PROFILE_PLIST=$RUNNER_TEMP/share-extension-profile.plist
+
+          echo "$IOS_PROVISION_PROFILE_BASE64" | base64 --decode > "$APP_PROFILE_PATH"
+          echo "$IOS_SHARE_EXTENSION_PROVISION_PROFILE_BASE64" | base64 --decode > "$SHARE_PROFILE_PATH"
+
+          security cms -D -i "$APP_PROFILE_PATH" > "$APP_PROFILE_PLIST"
+          security cms -D -i "$SHARE_PROFILE_PATH" > "$SHARE_PROFILE_PLIST"
+
+          APP_PROFILE_NAME=$(/usr/libexec/PlistBuddy -c "Print :Name" "$APP_PROFILE_PLIST")
+          SHARE_PROFILE_NAME=$(/usr/libexec/PlistBuddy -c "Print :Name" "$SHARE_PROFILE_PLIST")
+          IOS_TEAM_ID=$(/usr/libexec/PlistBuddy -c "Print :TeamIdentifier:0" "$APP_PROFILE_PLIST")

          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
-          cp "$PROFILE_PATH" ~/Library/MobileDevice/Provisioning\ Profiles/
+          cp "$APP_PROFILE_PATH" ~/Library/MobileDevice/Provisioning\ Profiles/
+          cp "$SHARE_PROFILE_PATH" ~/Library/MobileDevice/Provisioning\ Profiles/
+
+          echo "APP_PROFILE_NAME=$APP_PROFILE_NAME" >> $GITHUB_ENV
+          echo "SHARE_PROFILE_NAME=$SHARE_PROFILE_NAME" >> $GITHUB_ENV
+          echo "IOS_TEAM_ID=$IOS_TEAM_ID" >> $GITHUB_ENV

      - name: Build archive
        run: |
@ -134,21 +164,35 @@ jobs:
            -configuration Release \
            -archivePath $RUNNER_TEMP/eeuiApp.xcarchive \
            -allowProvisioningUpdates \
+            DEVELOPMENT_TEAM=$IOS_TEAM_ID \
            CODE_SIGN_STYLE=Manual \
            | xcpretty

      - name: Export IPA
        run: |
+          set -euo pipefail
+
          cd resources/mobile/platforms/ios/eeuiApp

          # Generate ExportOptions.plist
-          cat > $RUNNER_TEMP/ExportOptions.plist << 'PLIST'
+          cat > $RUNNER_TEMP/ExportOptions.plist << PLIST
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
              <key>method</key>
              <string>app-store</string>
+              <key>signingStyle</key>
+              <string>manual</string>
+              <key>teamID</key>
+              <string>${IOS_TEAM_ID}</string>
+              <key>provisioningProfiles</key>
+              <dict>
+                  <key>com.dootask.task</key>
+                  <string>${APP_PROFILE_NAME}</string>
+                  <key>com.dootask.task.shareExtension</key>
+                  <string>${SHARE_PROFILE_NAME}</string>
+              </dict>
              <key>uploadBitcode</key>
              <false/>
              <key>uploadSymbols</key>
@ -170,12 +214,18 @@ jobs:
          ASC_ISSUER_ID: ${{ secrets.ASC_ISSUER_ID }}
          ASC_API_KEY_P8_BASE64: ${{ secrets.ASC_API_KEY_P8_BASE64 }}
        run: |
+          set -euo pipefail
+
          # Prepare API key
          mkdir -p ~/private_keys
          echo "$ASC_API_KEY_P8_BASE64" | base64 --decode > ~/private_keys/AuthKey_${ASC_API_KEY_ID}.p8

          # Find and upload IPA
          IPA_PATH=$(find $RUNNER_TEMP/ipa-output -name "*.ipa" | head -1)
+          if [ -z "$IPA_PATH" ]; then
+            echo "No IPA file found in $RUNNER_TEMP/ipa-output"
+            exit 1
+          fi
          echo "Uploading: $IPA_PATH"

          xcrun altool --upload-app \
@ -189,5 +239,8 @@ jobs:
        run: |
          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db 2>/dev/null || true
          rm -f $RUNNER_TEMP/certificate.p12
-          rm -f $RUNNER_TEMP/profile.mobileprovision
+          rm -f $RUNNER_TEMP/app.mobileprovision
+          rm -f $RUNNER_TEMP/share-extension.mobileprovision
+          rm -f $RUNNER_TEMP/app-profile.plist
+          rm -f $RUNNER_TEMP/share-extension-profile.plist
          rm -rf ~/private_keys