Enhance: Add SSH support to Firebase iOS publish action (#4)

Author: HekmatullahAmin

README.md

@@ -9,6 +9,7 @@ This GitHub Action automates the process of building and publishing iOS applicat
 - Build artifact archiving
 - Gradle and Ruby dependency caching
 - Firebase tester group management
+- SSH key authentication via base64 secrets
 
 ## Prerequisites
 
@@ -18,9 +19,61 @@ Before using this action, ensure you have:
 2. Firebase service account credentials
 3. An iOS app set up in Firebase
 4. Xcode project configured with proper signing
+5. A private GitHub repo with certificates and provisioning profiles for Fastlane Match
+6. SSH key added as a deploy key to the certificates repo
 
 ## Setup
 
+### SSH Key Setup
+1. Generate SSH Key Locally<br>
+   In your terminal, run:
+```yaml
+ssh-keygen -t ed25519 -C "your_email@example.com"
+```
+It will ask for a file path. Press enter a custom path like:
+```yaml
+~/.ssh/match_ci_key
+```
+You can skip setting a passphrase when prompted (just hit enter twice).
+
+This generates two files:
+
+- `~/.ssh/match_ci_key` → Private key
+
+- `~/.ssh/match_ci_key.pub` → Public key
+
+2. Add the Private Key to the SSH Agent (optional but helpful)
+   This step ensures the key is used during local development.
+```yaml
+eval "$(ssh-agent -s)"
+ssh-add ~/.ssh/match_ci_key
+```
+3. Add the Public Key to Your Certificates Repo (GitHub)
+- Go to your certificates repo on GitHub (e.g., openMF/ios-provisioning-profile).
+- Go to Settings → Deploy Keys.
+- Click “Add deploy key”.
+- Set title as `CI Match SSH Key` and paste the content of:
+
+```yaml
+cat ~/.ssh/match_ci_key.pub
+```
+- Check **Allow write access**.
+- Click Add key.
+
+4. Convert the Private Key to Base64
+   This is how we pass it to GitHub Actions securely.
+```yaml
+base64 -i ~/.ssh/match_ci_key | pbcopy
+```
+This command copies the base64-encoded private key to your clipboard (macOS).
+
+5. Save the Private Key as a GitHub Secret
+- Go to the repo with your Fastfile (the project repo, not the certs repo).
+- Navigate to Settings → Secrets and variables → Actions → New repository secret.
+- Add the following:
+   - Name: MATCH_SSH_PRIVATE_KEY
+   - Value: Paste the base64-encoded private key
+
 ### Fastlane Setup
 
 Create a `Gemfile` in your project root:
@@ -40,16 +93,56 @@ default_platform(:ios)
 platform :ios do
   desc "Deploy to Firebase App Distribution"
   lane :deploy_on_firebase do |options|
+  
+    firebase_app_id = options[:firebase_app_id] || ENV["FIREBASE_APP_ID"]
+    match_type = options[:match_type] || ENV["MATCH_TYPE"]
+    app_identifier = options[:app_identifier] || ENV["APP_IDENTIFIER"]
+    git_url = options[:git_url] || ENV["GIT_URL"]
+    git_branch = options[:git_branch] || ENV["GIT_BRANCH"]
+    match_password = options[:match_password] || ENV["MATCH_PASSWORD"]
+    git_private_key = options[:git_private_key] || ENV["GIT_PRIVATE_KEY"] || "./secrets/match_ci_key"
+    groups = options[:groups] || ENV["GROUPS"]
+    serviceCredsFile = options[:serviceCredsFile] || ENV["SERVICE_CREDS_FILE"]
+    
+    setup_ci(
+      provider: "circleci"
+    )
+    
+    latest_release = firebase_app_distribution_get_latest_release(
+      app: firebase_app_id,
+      service_credentials_file: options[:serviceCredsFile] || firebase_config[:serviceCredsFile]
+    )
+
+    if latest_release
+      increment_build_number(
+        xcodeproj: iosApp/iosApp.xcodeproj,
+        build_number: latest_release[:buildVersion].to_i + 1
+      )
+    else
+      UI.important("⚠️ No existing Firebase release found. Skipping build number increment.")
+    end
+
+    match(
+      type: match_type,
+      app_identifier: app_identifier,,
+      readonly: true,
+      git_url: git_url,
+      git_branch: git_branch,
+      git_private_key: git_private_key
+    )
+    
     build_ios_app(
-      scheme: ENV["IOS_PACKAGE_NAME"],
-      export_method: "ad-hoc"
+        scheme: "iosApp",
+        project: "iosApp/iosApp.xcodeproj",
+        output_name: "DeployIosApp.ipa",
+        output_directory: "iosApp/build",
     )
 
     firebase_app_distribution(
-      app: ENV["FIREBASE_APP_ID"],
-      groups: options[:groups],
-      service_credentials_file: options[:serviceCredsFile],
-      release_notes: "New build from GitHub Actions"
+      app: firebase_app_id,
+      service_credentials_file: serviceCredsFile,
+      release_notes: r"New build from GitHub Actions",
+      groups: groups
     )
   end
 end
@@ -78,18 +171,28 @@ jobs:
       - name: Deploy to Firebase
         uses: openMF/kmp-publish-ios-on-firebase-action@v1.0.0
         with:
-          ios_package_name: 'YourAppName'
-          firebase_creds: ${{ secrets.FIREBASE_CREDS }}
-          tester_groups: 'qa-team,beta-testers'
+           app_identifier: 'org.mifos.kmp.template'
+           git_url: 'git@github.com:openMF/ios-provisioning-profile.git'
+           git_branch: 'master'
+           match_type: 'adhoc'
+           provisioning_profile_name: 'match AdHoc org.mifos.kmp.template'
+           match_password: ${{ secrets.MATCH_PASSWORD }}
+           match_ssh_private_key: ${{ secrets.MATCH_SSH_PRIVATE_KEY }}
+           ios_package_name: 'YourAppName'
+           firebase_creds: ${{ secrets.FIREBASE_CREDS }}
+           firebase_app_id: '1:xxxx:ios:xxxxxxxx'
+           tester_groups: 'qa-team,beta-testers'
 ```
 
-## Inputs
+## Inputs and Secrets
 
 | Input              | Description                                         | Required |
 |--------------------|-----------------------------------------------------|----------|
 | `ios_package_name` | Name of your iOS app/scheme                         | Yes      |
 | `firebase_creds`   | Base64 encoded Firebase service account credentials | Yes      |
 | `tester_groups`    | Comma-separated list of Firebase tester groups      | Yes      |
+| `MATCH_PASSWORD`    | Used to encrypt/decrypt match certs      | Yes      |
+| `MATCH_SSH_PRIVATE_KEY`    | base64 encoded private SSH key used by Fastlane Match      | Yes      |
 
 ## Setting up Secrets
 
@@ -132,4 +235,4 @@ Common issues and solutions:
 2. Firebase deployment fails
    - Check if the service account has sufficient permissions
    - Verify the Firebase app ID is correct
-   - Ensure tester groups exist in Firebase console
+   - Ensure tester groups exist in Firebase console

action.yaml

@@ -6,12 +6,46 @@ branding:
   color: 'blue'
 
 inputs:
+  app_identifier:
+    required: true
+    description: 'The unique bundle identifier for the iOS application'
+
+  git_url:
+    required: true
+    description: 'Git URL to the private repository containing certificates and provisioning profiles for code signing (used by Fastlane Match)'
+
+  git_branch:
+    required: true
+    description: 'Branch name inside the certificates repository that Fastlane Match should use to fetch signing assets'
+
+  match_type:
+    required: true
+    description: 'Type of provisioning profile to fetch using Match (e.g., adhoc, appstore, development)'
+
+  provisioning_profile_name:
+    required: true
+    description: 'Name of the provisioning profile to use for code signing (e.g., match AdHoc com.example.app or match AppStore com.example.app)'
+
+  match_password:
+    required: true
+    description: 'Password used to encrypt/decrypt the certificates repository used by match'
+
+  match_ssh_private_key:
+    required: true
+    description: 'SSH private key for accessing the certificates repository'
+
   ios_package_name:
     description: 'Name of the Android project module'
     required: true
+
+  firebase_app_id:
+    description: 'Firebase App ID'
+    required: true
+
   firebase_creds:
     description: 'Firebase credentials'
     required: true
+
   tester_groups:
     description: 'Firebase Tester Group'
     required: true
@@ -42,28 +76,55 @@ runs:
         bundle exec fastlane add_plugin firebase_app_distribution
         bundle exec fastlane add_plugin increment_build_number
 
+    - name: Set up SSH for Match
+      shell: bash
+      env:
+        MATCH_SSH_PRIVATE_KEY: ${{ inputs.match_ssh_private_key }}
+      run: |
+        mkdir -p ~/.ssh
+        echo "$MATCH_SSH_PRIVATE_KEY" | base64 --decode > ~/.ssh/match_ci_key
+        chmod 600 ~/.ssh/match_ci_key
+        ssh-keyscan github.com >> ~/.ssh/known_hosts
+        echo -e "Host github.com\n  IdentityFile ~/.ssh/match_ci_key\n  StrictHostKeyChecking no" >> ~/.ssh/config
+
+    # Inflate Firebase credentials
     - name: Inflate Secrets
       shell: bash
       env:
-        GOOGLE_SERVICES: ${{ inputs.google_services }}
         FIREBASE_CREDS: ${{ inputs.firebase_creds }}
       run: |
         mkdir -p secrets
-        
-        # Inflate Firebase credentials
         touch secrets/firebaseAppDistributionServiceCredentialsFile.json
         echo $FIREBASE_CREDS | base64 --decode > secrets/firebaseAppDistributionServiceCredentialsFile.json
 
     - name: Upload iOS App to Firebase Distribution
       shell: bash
+      env:
+        APP_IDENTIFIER: ${{ inputs.app_identifier }}
+        GIT_URL: ${{ inputs.git_url }}
+        GIT_BRANCH: ${{ inputs.git_branch }}
+        MATCH_TYPE: ${{ inputs.match_type }}
+        PROVISIONING_PROFILE_NAME: ${{ inputs.provisioning_profile_name }}
+        MATCH_PASSWORD: ${{ inputs.match_password }}
+        FIREBASE_APP_ID: ${{ inputs.firebase_app_id }}
+        GROUPS: ${{ inputs.tester_groups }}
+
       run: bundle exec fastlane ios deploy_on_firebase \
+        app_identifier:"$APP_IDENTIFIER" \
+        git_url:"$GIT_URL" \
+        git_branch:"$GIT_BRANCH" \
+        match_type:"$MATCH_TYPE" \
+        provisioning_profile_name:"$PROVISIONING_PROFILE_NAME" \
+        match_password:"$MATCH_PASSWORD" \
+        git_private_key:~/.ssh/match_ci_key \
+        firebase_app_id:"$FIREBASE_APP_ID" \
         serviceCredsFile:secrets/firebaseAppDistributionServiceCredentialsFile.json \
-        groups:${{ inputs.tester_groups }}
+        groups:"$GROUPS"
 
     - name: Upload iOS Artifact
       uses: actions/upload-artifact@v4
       with:
         name: ios-app
         retention-days: 1
         compression-level: 9
-        path: '**/*.ipa'
+        path: '**/*.ipa'