Use fastlane match for code signing DMG builds (#3246)

Task/Issue URL: https://app.asana.com/0/1203301625297703/1208273969808386/f

Description:
This change adds support for using fastlane match to manage code signing with
Developer ID Application certificate. New lanes are added for syncing code signing
for local and CI use. Build settings are updated to use provisioning profiles generated
by fastlane. archive.sh script and all CI workflows are updated to use fastlane for signing
DMG builds and other CI binaries that use Developer ID Application certificate (e.g. unit tests).

Author: ayoy

.github/actions/install-certs-and-profiles/action.yml

@@ -76,11 +76,10 @@ jobs:
           *) echo "👎 Not a release or hotfix branch"; exit 1 ;;
         esac
 
-    - name: Register SSH keys for submodules access
+    - name: Register SSH key for certificates repository access
       uses: webfactory/ssh-agent@v0.7.0
       with:
-        ssh-private-key: |
-          ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
+        ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
 
     - name: Check out the code
       uses: actions/checkout@v4

.github/workflows/build_appstore.yml

@@ -41,33 +41,11 @@ jobs:
     needs: assert_release_branch
     uses: ./.github/workflows/pr.yml
     secrets:
+      APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+      APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+      APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
       ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
-      BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
-      P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
-      KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
-      APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
-      CI_PROVISION_PROFILE_BASE64: ${{ secrets.CI_PROVISION_PROFILE_BASE64 }}
-      DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
-      DBP_AGENT_CI_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_CI_PROVISION_PROFILE_BASE64 }}
-      DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
-      DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
-      INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
-      INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64 }}
-      NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
-      NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
-      NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64 }}
-      NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }}
-      NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64 }}
-      NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64 }}
-      NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64 }}
-      RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }}
-      REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.REVIEW_PROVISION_PROFILE_BASE64 }}
-      UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
-      UNIT_TESTS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.UNIT_TESTS_CI_PROVISION_PROFILE_BASE64 }}
-      VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
-      VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
-      VPN_APP_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APP_CI_PROVISION_PROFILE_BASE64 }}
-      VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64 }}
+      MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
 
   update_asana:
 

.github/workflows/build_hotfix_release.yml

@@ -41,58 +41,6 @@ on:
         required: false
         type: string
     secrets:
-      BUILD_CERTIFICATE_BASE64:
-        required: true
-      P12_PASSWORD:
-        required: true
-      KEYCHAIN_PASSWORD:
-        required: true
-      APPSTORE_CI_PROVISION_PROFILE_BASE64:
-        required: true
-      CI_PROVISION_PROFILE_BASE64:
-        required: true
-      DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64:
-        required: true
-      DBP_AGENT_CI_PROVISION_PROFILE_BASE64:
-        required: true
-      DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64:
-        required: true
-      DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64:
-        required: true
-      INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64:
-        required: true
-      INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64:
-        required: true
-      NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64:
-        required: true
-      NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64:
-        required: true
-      NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64:
-        required: true
-      NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64:
-        required: true
-      NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64:
-        required: true
-      NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64:
-        required: true
-      NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64:
-        required: true
-      RELEASE_PROVISION_PROFILE_BASE64:
-        required: true
-      REVIEW_PROVISION_PROFILE_BASE64:
-        required: true
-      UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64:
-        required: true
-      UNIT_TESTS_CI_PROVISION_PROFILE_BASE64:
-        required: true
-      VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64:
-        required: true
-      VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64:
-        required: true
-      VPN_APP_CI_PROVISION_PROFILE_BASE64:
-        required: true
-      VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64:
-        required: true
       APPLE_API_KEY_BASE64:
         required: true
       APPLE_API_KEY_ID:
@@ -101,10 +49,6 @@ on:
         required: true
       ASANA_ACCESS_TOKEN:
         required: true
-      MM_HANDLES_BASE64:
-        required: true
-      MM_WEBHOOK_URL:
-        required: true
       AWS_ACCESS_KEY_ID:
         required: true
       AWS_ACCESS_KEY_ID_RELEASE_S3:
@@ -113,6 +57,14 @@ on:
         required: true
       AWS_SECRET_ACCESS_KEY_RELEASE_S3:
         required: true
+      MATCH_PASSWORD:
+        required: true
+      MM_HANDLES_BASE64:
+        required: true
+      MM_WEBHOOK_URL:
+        required: true
+      SSH_PRIVATE_KEY_FASTLANE_MATCH:
+        required: true
 
 jobs:
   export-notarized-app:
@@ -132,6 +84,10 @@ jobs:
       branch: ${{ inputs.branch || github.ref_name }}
 
     steps:
+    - name: Register SSH key for certificates repository access
+      uses: webfactory/ssh-agent@v0.7.0
+      with:
+        ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
 
     - name: Check out the code
       uses: actions/checkout@v4
@@ -142,6 +98,20 @@ jobs:
     - name: Set up fastlane
       run: bundle install
 
+    - name: Sync code signing assets
+      env:
+        APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+        APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
+        MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
+        SSH_PRIVATE_KEY_FASTLANE_MATCH: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
+      run: |
+        if [[ "${{ env.release-type }}" == "release" ]]; then
+          bundle exec fastlane sync_signing_dmg_release
+        else
+          bundle exec fastlane sync_signing_dmg_review
+        fi
+
     - name: Check if this is an official release build
       id: is-official-release
       env:
@@ -155,36 +125,6 @@ jobs:
           echo "upload-to=asana" >> $GITHUB_ENV
         fi
 
-    - name: Install Apple Developer ID Application certificate
-      uses: ./.github/actions/install-certs-and-profiles
-      with:
-        BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
-        P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
-        KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
-        APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
-        CI_PROVISION_PROFILE_BASE64: ${{ secrets.CI_PROVISION_PROFILE_BASE64 }}
-        DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
-        DBP_AGENT_CI_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_CI_PROVISION_PROFILE_BASE64 }}
-        DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
-        DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
-        INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
-        INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64 }}
-        NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
-        NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
-        NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64 }}
-        NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }}
-        NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64 }}
-        NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64 }}
-        NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64 }}
-        RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }}
-        REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.REVIEW_PROVISION_PROFILE_BASE64 }}
-        UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
-        UNIT_TESTS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.UNIT_TESTS_CI_PROVISION_PROFILE_BASE64 }}
-        VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
-        VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
-        VPN_APP_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APP_CI_PROVISION_PROFILE_BASE64 }}
-        VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64 }}
-
     - name: Select Xcode
       run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer