From 4947ccda9fc5fae3c8eed9ac50a93446d84e0bde Mon Sep 17 00:00:00 2001 From: Jake Perkins Date: Wed, 16 Jul 2025 14:24:58 -0500 Subject: [PATCH 1/8] keystore-actions --- .github/actions/configure-keystore/action.yml | 40 +++++++++++++++++++ .github/actions/setup-e2e-env/action.yml | 4 ++ 2 files changed, 44 insertions(+) create mode 100644 .github/actions/configure-keystore/action.yml diff --git a/.github/actions/configure-keystore/action.yml b/.github/actions/configure-keystore/action.yml new file mode 100644 index 00000000..ee6b4ea3 --- /dev/null +++ b/.github/actions/configure-keystore/action.yml @@ -0,0 +1,40 @@ +name: "Configure Keystore" +description: "Assume an AWS role and fetch a secret into environment variables" +inputs: + aws-role-to-assume: + description: "The AWS IAM role to assume" + required: true + aws-region: + description: "The AWS region where the secret is stored" + required: true + secret-name: + description: "The name of the secret in AWS Secrets Manager" + required: true + platform: + description: "The platform for which the keystore is being configured (e.g., ios, android)" + required: true + +runs: + using: "composite" + steps: + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ inputs.aws-role-to-assume }} + aws-region: ${{ inputs.aws-region }} + + - name: Fetch secret and export as environment variables + shell: bash + run: | + secret_json=$(aws secretsmanager get-secret-value \ + --region "${{ inputs.aws-region }}" \ + --secret-id "${{ inputs.secret-name }}" \ + --query SecretString \ + --output text) + + keys=$(echo "$secret_json" | jq -r 'keys[]') + for key in $keys; do + value=$(echo "$secret_json" | jq -r --arg k "$key" '.[$k]') + echo "::add-mask::$value" + echo "$key=$value" >> "$GITHUB_ENV" + done \ No newline at end of file diff --git a/.github/actions/setup-e2e-env/action.yml b/.github/actions/setup-e2e-env/action.yml index 2a29f58f..fe444734 100644 
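Review bot: The loop at the end of the `Fetch secret and export as environment variables` step exports every key of the Secrets Manager JSON into `$GITHUB_ENV`, so keystore material and passwords become readable by every later step of the job, including any third-party action the workflow runs afterwards. Consider exporting only the keys the platform actually needs (the `platform` input is declared in this hunk but never read) or writing file-type values straight to disk, and validate each key before it is used as a variable name, e.g. `[[ "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || { echo "unexpected key: $key"; exit 1; }`, since `for key in $keys` word-splits and writes whatever it gets verbatim into the env file. That same `keys[]` / `for key in $keys` pairing also mis-handles any key containing whitespace; `jq -r 'keys[]' | while IFS= read -r key` is the robust form. Finally, `aws-actions/configure-aws-credentials@v4` is a floating major tag for the action that receives the assumed-role credentials; pin it to a full commit SHA.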
--- a/.github/actions/setup-e2e-env/action.yml +++ b/.github/actions/setup-e2e-env/action.yml @@ -69,6 +69,10 @@ inputs: description: 'System architecture ABI for the Android system image (e.g. x86_64, arm64-v8a, armeabi-v7a)' required: false default: 'x86_64' + configure-keystores: + description: 'Whether to configure keystores for E2E tests' + required: false + default: 'true' runs: using: 'composite' From 3594cb60bc03ade264236c889c2d8b33cb8e02db Mon Sep 17 00:00:00 2001 From: Jake Perkins Date: Wed, 16 Jul 2025 14:45:07 -0500 Subject: [PATCH 2/8] act --- .github/actions/configure-keystore/action.yml | 28 +++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/.github/actions/configure-keystore/action.yml b/.github/actions/configure-keystore/action.yml index ee6b4ea3..d7795aaf 100644 --- a/.github/actions/configure-keystore/action.yml +++ b/.github/actions/configure-keystore/action.yml @@ -1,5 +1,6 @@ name: "Configure Keystore" description: "Assume an AWS role and fetch a secret into environment variables" + inputs: aws-role-to-assume: description: "The AWS IAM role to assume" @@ -13,10 +14,33 @@ inputs: platform: description: "The platform for which the keystore is being configured (e.g., ios, android)" required: true + environment: + description: "The environment for which the keystore is being configured (e.g., qa, flask, main)" + required: true runs: using: "composite" steps: + - name: Determine signing secret name + shell: bash + run: | + case "${{ inputs.environment }}" in + qa) + SECRET_NAME="metamask-mobile-qa-signing-certificates" + ;; + flask) + SECRET_NAME="metamask-mobile-flask-signing-certificates" + ;; + main) + SECRET_NAME="metamask-mobile-main-signing-certificates" + ;; + *) + echo "❌ Unknown environment: ${{ inputs.environment }}" + exit 1 + ;; + esac + echo "AWS_SIGNING_CERT_SECRET_NAME=$SECRET_NAME" >> "$GITHUB_ENV" + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: 
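Review bot: The new `configure-keystores` input is declared with a default of `'true'` but nothing in this patch reads it; the diffstat shows the four added lines are the declaration alone, so callers that set it get a no-op until some later step consumes it. If it is meant to gate the `configure-keystore` action, the consuming step belongs in the same change, e.g. `if: ${{ inputs.configure-keystores == 'true' }}`, otherwise the description should say it is not wired yet. The `runs:` block whose header closes this hunk continues past it.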
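Review bot: In the new `Determine signing secret name` step, `${{ inputs.environment }}` is expanded directly into the bash script twice, including inside `echo "❌ Unknown environment: ..."`, which is the standard GitHub Actions script-injection shape: a value such as `$(curl attacker)` is substituted before bash parses the step, and the `case` only validates after that has happened. Bind the input through the environment instead — add `env: ENVIRONMENT: ${{ inputs.environment }}` to the step and use `case "$ENVIRONMENT" in` and `echo "❌ Unknown environment: $ENVIRONMENT"`. The existing `${{ inputs.aws-region }}` expansion in the fetch step, which this hunk does not touch, has the same exposure. The `Configure AWS credentials` step at the bottom of the hunk continues past it.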
@@ -28,7 +52,7 @@ runs: run: | secret_json=$(aws secretsmanager get-secret-value \ --region "${{ inputs.aws-region }}" \ - --secret-id "${{ inputs.secret-name }}" \ + --secret-id "${AWS_SIGNING_CERT_SECRET_NAME}" \ --query SecretString \ --output text) @@ -36,5 +60,5 @@ runs: for key in $keys; do value=$(echo "$secret_json" | jq -r --arg k "$key" '.[$k]') echo "::add-mask::$value" - echo "$key=$value" >> "$GITHUB_ENV" + echo "$key=$(printf '%s' "$value")" >> "$GITHUB_ENV" done \ No newline at end of file From 68ab532683031a75e21d3b79bf7cd9c43993fac5 Mon Sep 17 00:00:00 2001 From: Jake Perkins Date: Wed, 16 Jul 2025 23:28:43 -0500 Subject: [PATCH 3/8] --repo-update on pod install --- .github/actions/setup-e2e-env/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/setup-e2e-env/action.yml b/.github/actions/setup-e2e-env/action.yml index fe444734..02c3ceb0 100644 --- a/.github/actions/setup-e2e-env/action.yml +++ b/.github/actions/setup-e2e-env/action.yml @@ -184,7 +184,7 @@ runs: # Install CocoaPods w/ cached bundler environment - name: Install CocoaPods via bundler if: ${{ inputs.platform == 'ios' && inputs.setup-simulator == 'true' }} - run: bundle exec pod install + run: bundle exec pod install --repo-update working-directory: ios shell: bash From 5c4a3c0ae4db4269ab0fc31a344b645005d3c713 Mon Sep 17 00:00:00 2001 From: Jake Perkins Date: Wed, 16 Jul 2025 23:33:20 -0500 Subject: [PATCH 4/8] keystore --- .github/actions/configure-keystore/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/configure-keystore/action.yml b/.github/actions/configure-keystore/action.yml index d7795aaf..14c5aa6d 100644 --- a/.github/actions/configure-keystore/action.yml +++ b/.github/actions/configure-keystore/action.yml 
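Review bot: After this hunk `inputs.secret-name` is no longer referenced anywhere in the script, yet the input is still declared `required: true` at the top of the file (outside this hunk), so every caller must keep passing a value that is silently ignored while the real secret id comes from the `environment` mapping. Either remove the input, or make it `required: false` and have the `Determine signing secret name` step honour it when set before falling back to the `case` mapping, so the declared contract matches the behaviour. The `run:` block this hunk edits begins before the hunk.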
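Review bot: Wrapping `$value` in `$(printf '%s' "$value")` yields exactly the bytes of `$value`, so the rewritten line still emits `KEY=value` and still breaks — or lets one value spill into further `NAME=value` lines of the env file — whenever a value contains a newline, which is likely for base64 or PEM blobs encoded with line wrapping. Use the multi-line env-file syntax with a random delimiter, e.g. `delim="EOF_${RANDOM}${RANDOM}"` followed by `printf '%s<<%s\n%s\n%s\n' "$key" "$delim" "$value" "$delim" >> "$GITHUB_ENV"`. As far as the workflow-command docs describe it, `::add-mask::` on a multi-line value only masks reliably when each line is masked separately, so the mask should also be emitted per line of `$value`. The loop this hunk edits starts before the hunk.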
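Review bot: `pod install --repo-update` refreshes the spec repos on every E2E run, so if `ios/Podfile.lock` is ever missing or out of sync with the Podfile the resolver will take whatever the freshest specs offer rather than failing; on CI the safer pairing is `bundle exec pod install --repo-update --deployment`, which errors out instead of rewriting the lockfile. I cannot see from this hunk whether the lockfile is committed, so treat this as a caveat to confirm rather than a defect.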
@@ -61,4 +61,5 @@ runs: value=$(echo "$secret_json" | jq -r --arg k "$key" '.[$k]') echo "::add-mask::$value" echo "$key=$(printf '%s' "$value")" >> "$GITHUB_ENV" - done \ No newline at end of file + echo "✅ Set secret for key: $key" + done From 6a7e3cd9f7c10867a5dae2ee1bbf3045887c0a21 Mon Sep 17 00:00:00 2001 From: Jake Perkins Date: Thu, 17 Jul 2025 00:22:36 -0500 Subject: [PATCH 5/8] android keystore configuration --- .github/actions/configure-keystore/action.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/actions/configure-keystore/action.yml b/.github/actions/configure-keystore/action.yml index 14c5aa6d..00f51a9b 100644 --- a/.github/actions/configure-keystore/action.yml +++ b/.github/actions/configure-keystore/action.yml @@ -50,6 +50,7 @@ runs: - name: Fetch secret and export as environment variables shell: bash run: | + echo "🔐 Fetching secret from Secrets Manager..." secret_json=$(aws secretsmanager get-secret-value \ --region "${{ inputs.aws-region }}" \ --secret-id "${AWS_SIGNING_CERT_SECRET_NAME}" \ @@ -63,3 +64,19 @@ runs: echo "$key=$(printf '%s' "$value")" >> "$GITHUB_ENV" echo "✅ Set secret for key: $key" done + + - name: Configure Android Keystore + if: inputs.platform == 'android' + shell: bash + run: | + echo "📦 Configuring Android keystore..." + if [[ -z "$ANDROID_KEYSTORE" ]]; then + echo "⚠️ ANDROID_KEYSTORE is not set. Skipping keystore decoding." + exit 1 + fi + + # Use provided path if set, fallback to default + KEYSTORE_PATH="${ANDROID_KEYSTORE_PATH:-/tmp/android.keystore}" + echo "$ANDROID_KEYSTORE" | base64 --decode > "$KEYSTORE_PATH" + echo "✅ Android keystore written to $KEYSTORE_PATH" + From 97156f5ab97d84f0b48492c0893cfe93b297662b Mon Sep 17 00:00:00 2001 From: Jake Perkins Date: Thu, 17 Jul 2025 19:27:08 -0500 Subject: [PATCH 6/8] ios signing --- .github/actions/configure-keystore/action.yml | 34 ++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) 
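Review bot: The guard in the new `Configure Android Keystore` step prints `⚠️ ANDROID_KEYSTORE is not set. Skipping keystore decoding.` and then runs `exit 1`, so the message promises a skip while the step actually fails the job; make them agree, e.g. `echo "❌ ANDROID_KEYSTORE is not set"; exit 1`. The decoded keystore is written to `/tmp/android.keystore` by default under the runner's default umask and is never removed, so create it owner-only, `(umask 077; echo "$ANDROID_KEYSTORE" | base64 --decode > "$KEYSTORE_PATH")`, and have the workflow delete it once the build is done. The step also never publishes the chosen path, so a later Gradle step only knows where the keystore is if `ANDROID_KEYSTORE_PATH` was already set — presumably intended, but worth a comment on the fallback line.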
diff --git a/.github/actions/configure-keystore/action.yml b/.github/actions/configure-keystore/action.yml index 00f51a9b..bbf48aef 100644 --- a/.github/actions/configure-keystore/action.yml +++ b/.github/actions/configure-keystore/action.yml @@ -65,7 +65,7 @@ runs: echo "✅ Set secret for key: $key" done - - name: Configure Android Keystore + - name: Configure Android Signing Certificates if: inputs.platform == 'android' shell: bash run: | @@ -80,3 +80,35 @@ runs: echo "$ANDROID_KEYSTORE" | base64 --decode > "$KEYSTORE_PATH" echo "✅ Android keystore written to $KEYSTORE_PATH" + - name: Configure iOS Signing Certificates + if: inputs.platform == 'ios' + shell: bash + run: | + echo "📦 Configuring iOS code signing..." + + # Create paths + CERT_PATH="$RUNNER_TEMP/build_certificate.p12" + PROFILE_PATH="$RUNNER_TEMP/build_pp.mobileprovision" + KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db" + CERT_PW="${IOS_SIGNING_KEYSTORE_PASSWORD}" + + # Decode base64 files + echo "$IOS_SIGNING_KEYSTORE" | base64 --decode > "$CERT_PATH" + echo "$IOS_SIGNING_PROFILE" | base64 --decode > "$PROFILE_PATH" + echo "✅ Decoded .p12 and provisioning profile" + + # Create and unlock keychain + security create-keychain -p "$CERT_PW" "$KEYCHAIN_PATH" + security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" + security unlock-keychain -p "$CERT_PW" "$KEYCHAIN_PATH" + + # Import cert + security import "$CERT_PATH" -P "$CERT_PW" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" + security set-key-partition-list -S apple-tool:,apple: -k "$CERT_PW" "$KEYCHAIN_PATH" + security list-keychain -d user -s "$KEYCHAIN_PATH" + + # Install provisioning profile + mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles + cp "$PROFILE_PATH" ~/Library/MobileDevice/Provisioning\ Profiles/ + echo "✅ Installed provisioning profile" + From 52cf4749a107711d1a1960ecef4f151e96dd98fb Mon Sep 17 00:00:00 2001 
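Review bot: The `Configure iOS Signing Certificates` step decodes the `.p12` (which carries the signing private key) to `$RUNNER_TEMP/build_certificate.p12` and leaves it there after `security import` succeeds, so the key sits on disk for the rest of the job alongside the keychain; add `rm -f "$CERT_PATH"` right after the import and write both decoded files under `umask 077`. `security import ... -A` lets every application use the key without prompting, which is broader than a `-T /usr/bin/codesign -T /usr/bin/security` allow-list and is only a least-privilege tightening rather than a bug, since the following `set-key-partition-list` call is what actually grants the Apple tools access. The same `IOS_SIGNING_KEYSTORE_PASSWORD` is reused as the new keychain's password, so compromise of one is compromise of the other — a per-run random value such as `KEYCHAIN_PW=$(openssl rand -hex 16)` for the `create-keychain`, `unlock-keychain` and `set-key-partition-list -k` arguments costs nothing here.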
From: Jake Perkins Date: Fri, 18 Jul 2025 01:48:16 -0500 Subject: [PATCH 7/8] keystores --- .github/actions/configure-keystore/action.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/actions/configure-keystore/action.yml b/.github/actions/configure-keystore/action.yml index bbf48aef..b926b6c3 100644 --- a/.github/actions/configure-keystore/action.yml +++ b/.github/actions/configure-keystore/action.yml @@ -105,7 +105,6 @@ runs: # Import cert security import "$CERT_PATH" -P "$CERT_PW" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" security set-key-partition-list -S apple-tool:,apple: -k "$CERT_PW" "$KEYCHAIN_PATH" - security list-keychain -d user -s "$KEYCHAIN_PATH" # Install provisioning profile mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles From f59e5726dfc162a8fbb8471909a94d1b3b86080e Mon Sep 17 00:00:00 2001 From: Jake Perkins Date: Fri, 18 Jul 2025 01:53:23 -0500 Subject: [PATCH 8/8] ios-crypto --- .github/actions/configure-keystore/action.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/actions/configure-keystore/action.yml b/.github/actions/configure-keystore/action.yml index b926b6c3..d10cbc5c 100644 --- a/.github/actions/configure-keystore/action.yml +++ b/.github/actions/configure-keystore/action.yml @@ -103,8 +103,10 @@ runs: security unlock-keychain -p "$CERT_PW" "$KEYCHAIN_PATH" # Import cert - security import "$CERT_PATH" -P "$CERT_PW" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" - security set-key-partition-list -S apple-tool:,apple: -k "$CERT_PW" "$KEYCHAIN_PATH" + security import "$CERT_PATH" -P "$CERT_PW" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" > /dev/null + security set-key-partition-list -S apple-tool:,apple: -k "$CERT_PW" "$KEYCHAIN_PATH" > /dev/null + security find-identity -p codesigning "$KEYCHAIN_PATH" + # Install provisioning profile mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
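Review bot: Dropping `security list-keychain -d user -s "$KEYCHAIN_PATH"` means the new keychain is never added to the user search list, so `codesign`/`xcodebuild` will only find the imported identity if the build passes the keychain explicitly (e.g. `OTHER_CODE_SIGN_FLAGS=--keychain "$KEYCHAIN_PATH"`); I cannot see the build step from here, so please confirm that is the case. If the intent was to avoid replacing the search list with this single keychain, the additive form `security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')` keeps the login keychain and its identities available as well. The step this hunk edits begins before the hunk.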
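Review bot: `security find-identity -p codesigning "$KEYCHAIN_PATH"` lists identities but exits 0 even when it finds none, so the step still succeeds with a keychain holding no usable signing identity and the failure only surfaces later in the build. Use `-v` to list only valid identities and fail on the zero case: `ids=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH")`, `echo "$ids"`, then `if grep -q ' 0 valid identities found' <<< "$ids"; then echo "❌ No valid codesigning identity"; exit 1; fi` (the summary line wording should be confirmed against the runner's macOS version). The `> /dev/null` redirects only silence stdout, so import errors on stderr still reach the log, which is fine. The step this hunk edits begins before the hunk.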