Skip to content

Validate Secrets

Validate Secrets #3

name: 1. Validate Secrets
run-name: Validate Secrets
on: [workflow_call, workflow_dispatch]
jobs:
validate:
runs-on: macos-12
steps:
# Checks-out the repo
- name: Checkout Repo
uses: actions/checkout@v3
# Sync the GitHub runner clock with the Windows time server (workaround as suggested in https://github.com/actions/runner/issues/2996)
- name: Sync clock
run: sudo sntp -sS time.windows.com
# Validates the repo secrets
- name: Validate Secrets
run: |
# Validate Secrets
echo Validating Repository Secrets...
# Validate TEAMID
if [ -z "$TEAMID" ]; then
failed=true
echo "::error::TEAMID secret is unset or empty. Set it and try again."
elif [ ${#TEAMID} -ne 10 ]; then
failed=true
echo "::error::TEAMID secret is set but has wrong length. Verify that it is set correctly and try again."
fi
# Validate GH_PAT
if [ -z "$GH_PAT" ]; then
failed=true
echo "::error::GH_PAT secret is unset or empty. Set it and try again."
elif [ "$(gh api -H "Accept: application/vnd.github+json" /repos/${{ github.repository_owner }}/Match-Secrets | jq --raw-output '.permissions.push')" != "true" ]; then
failed=true
echo "::error::GH_PAT secret is set but invalid or lacking appropriate privileges on the ${{ github.repository_owner }}/Match-Secrets repository. Verify that it is set correctly and try again."
fi
# Validate FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY
if [ -z "$FASTLANE_ISSUER_ID" ] || [ -z "$FASTLANE_KEY_ID" ] || [ -z "$FASTLANE_KEY" ]; then
failed=true
[ -z "$FASTLANE_ISSUER_ID" ] && echo "::error::The FASTLANE_ISSUER_ID secret is unset or empty. Set it and try again."
[ -z "$FASTLANE_KEY_ID" ] && echo "::error::The FASTLANE_KEY_ID secret is unset or empty. Set it and try again."
[ -z "$FASTLANE_KEY" ] && echo "::error::The FASTLANE_KEY secret is unset or empty. Set it and try again."
elif ! echo "$FASTLANE_KEY" | openssl pkcs8 -nocrypt >/dev/null; then
failed=true
echo "::error::The FASTLANE_KEY secret is set but invalid. Verify that it is set correctly and try again."
elif ! fastlane validate_secrets; then
failed=true
echo "::error::Unable to create a valid authorization token for the App Store Connect API.\
Verify that the FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY secrets are set correctly and try again."
fi
# Validate MATCH_PASSWORD
if [ -z "$MATCH_PASSWORD" ]; then
failed=true
echo "::error::The MATCH_PASSWORD secret is unset or empty. Set it and try again."
fi
# Exit unsuccessfully if secret validation failed.
if [ $failed ]; then
exit 2
fi
shell: bash
env:
TEAMID: ${{ secrets.TEAMID }}
GH_PAT: ${{ secrets.GH_PAT }}
FASTLANE_ISSUER_ID: ${{ secrets.FASTLANE_ISSUER_ID }}
FASTLANE_KEY_ID: ${{ secrets.FASTLANE_KEY_ID }}
FASTLANE_KEY: ${{ secrets.FASTLANE_KEY }}
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
GH_TOKEN: ${{ secrets.GH_PAT }}