51 ‐ About continuous integration and delivery
Today we host the project fully in this GitHub repository. However, because we do not want certificates and provisioning profiles to leave our infrastructure, we keep these sensitive files on our own mutualized GitLab CI runners and use a dedicated project to make the alpha, beta and stable builds.
You can set up on your side a GitLab CI runner which triggers some Fastlane actions, for example each night. However, you will need a distribution certificate (in .p12 format with its private key) and the release provisioning profile in your runner keychain. You will also need to fill in the secrets and environment variables. Do not expect us to share these secrets.
```yaml
# Software Name: OUDS iOS
# SPDX-FileCopyrightText: Copyright (c) Orange SA
# SPDX-License-Identifier: MIT
#
# This software is distributed under the MIT license,
# the text of which is available at https://opensource.org/license/MIT/
#
# Software description: A SwiftUI components library with code examples for Orange Unified Design System
# See github.com/orange-OpenSource/ouds-ios

# Variables defined by user who wants to start the pipeline
variables:
  ALPHA_BRANCH_TO_BUILD:
    value: ""
    description: "Mandatory: The name of the branch (in ouds-ios-design-system-toolbox) to build as alpha version"
  ALPHA_ISSUES_NUMBERS:
    value: ""
    description: "Mandatory: The number(s) of the issue(s) in GitHub (in ouds-ios) which will be implemented in ALPHA_BRANCH_TO_BUILD and built (e.g.: '42' or separated with commas '42, 666, 1337'). Will be used also for GitHub notifications."
  GITHUB_REPOSITORY_NAME:
    value: "ouds-ios-design-system-toolbox"
    description: "Mandatory: The name of the repository to use for builds (default: ouds-ios-design-system-toolbox)"
  GITHUB_ORGANIZATION_NAME:
    value: "Orange-OpenSource"
    description: "Mandatory: The name of the GitHub organization containing the repository to use for builds (default: Orange-OpenSource)"
  BETA_BRANCH_TO_BUILD:
    value: "develop"
    description: "Mandatory: The name of the branch to build as beta version (default: develop)"
  STABLE_BRANCH_TO_BUILD:
    value: "main"
    description: "Mandatory: The name of the branch to build as stable version (default: main)"
  PATH_TO_TMP:
    value: "./tmp/ouds"
    description: "Mandatory: The path to the temporary folder where sources and artefacts can be found (default : ./tmp/ouds)"
  PATH_TO_IPA:
    value: "ouds-ios-design-system-toolbox/DesignToolbox/build/Design System Toolbox.ipa"
    description: "Mandatory: The path relative to $PATH_TO_TMP to get the IPA for artifacts (default: ouds-ios-design-system-toolbox/DesignToolbox/build/Design System Toolbox.ipa)"
  PATH_TO_ZIP:
    value: "ouds-ios-design-system-toolbox/DesignToolbox/build/oudsApp.zip"
    description: "Mandatory: The path relative to $PATH_TO_TMP to get the ZIP for artifacts (default: ouds-ios-design-system-toolbox/DesignToolbox/build/oudsApp.zip)"
  PATH_TO_DSYM:
    value: "ouds-ios-design-system-toolbox/DesignToolbox/build/Design System Toolbox.app.dSYM.zip"
    description: "Mandatory: The path relative to $PATH_TO_TMP to get the dSYM ZIP (default: ouds-ios-design-system-toolbox/DesignToolbox/build/Design System Toolbox.app.dSYM.zip)"
  PATH_TO_APP_SOURCES:
    value: "DesignToolbox"
    description: "Mandatory: The path relative to $PATH_TO_TMP/$GITHUB_REPOSITORY_NAME where the sources to build are (default: DesignToolbox)"

# All stages for alpha, beta, stable builds and releases
stages:
  - test-alpha
  - build-alpha
  - test-beta
  - build-beta
  - build-stable

# Common to all builds
# Use if needed your own image if relevant or tag
# -----------------------------------------------

.common:
  image: $IMAGE_OF_INTERNAL_MACOS_RUNNER
  tags:
    - $TAGS_FOR_YOUR_RUNNERS

.common_beta:
  image: $IMAGE_OF_INTERNAL_MACOS_RUNNER
  tags:
    - $TAGS_FOR_YOUR_RUNNERS
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" # Only scheduled pipeline needed

# Prepares environment with provisioning profiles and certificates
# You should not use this common job if you are on a local computer or not on SaaS like cloud, Tart, etc.
.setup_keychain:
  variables:
    TART_EXECUTOR_HOST_DIR: "true"
  before_script:
    # Prepare keychain
    - echo "🍊📜 Begin install certificate and provisioning profile"
    - CERTIFICATE_PATH=$TMPDIR/certificate.p12
    - PROVISIONING_PROFILE_PATH=$TMPDIR/provisioning_profile.mobileprovision
    - KEYCHAIN_PATH=$TMPDIR/app-signing.keychain-db
    # Create certificate and provisioning profile into files from base 64
    - echo -n "$OUDS_BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
    - echo -n "$OUDS_BUILD_PROVISIONING_PROFILE_BASE64" | base64 --decode -o $PROVISIONING_PROFILE_PATH
    # Create keychain
    - security create-keychain -p "$OUDS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
    - security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
    - security unlock-keychain -p "$OUDS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
    # Import certificate to keychain
    - security import $CERTIFICATE_PATH -P "$OUDS_P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
    - 'security set-key-partition-list -S apple-tool:,apple: -k "$OUDS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH'
    - security list-keychain -d user -s $KEYCHAIN_PATH
    # Install provisioning profile
    - mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
    - cp $PROVISIONING_PROFILE_PATH ~/Library/MobileDevice/Provisioning\ Profiles
    - echo "🍊📜 End install certificate and provisioning profile"

# All jobs below for alpha, beta and stable
# TODO: Factorize jobs because scripts contain the same prerequisites (Shell scripts, etc)
# See issue #3: https://gitlab.tech.orange/ouds/ouds-ios-app-distribution/-/issues/3

# -------------------
# Alpha releases
# Dedicated branch to build on ask, triggered manually, without Git tags

test_alpha:
  extends:
    - .common
  stage: test-alpha
  script:
    # Check environment variables
    - echo "🍊🔨 Preparing environment"
    - ./prepare_build_environment.sh $GITHUB_ORGANIZATION_NAME $GITHUB_REPOSITORY_NAME $ALPHA_BRANCH_TO_BUILD
    - echo "🍊🔨 Environment prepared"
    # Download sources
    - echo "🍊🔨 Downloading sources from GitHub repository"
    - ENV_FILE_PATH=`realpath .env`
    - IOS_APP_COMMIT_SHA=`grep 'IOS_APP_COMMIT_SHA' $ENV_FILE_PATH | cut -d '=' -f2`
    - ./download_github_repository.sh $GITHUB_ORGANIZATION_NAME $GITHUB_REPOSITORY_NAME $IOS_APP_COMMIT_SHA
    - echo "🍊🔨 Things downloaded"
    # Build and test
    - echo "🍊🔨 Testing alpha"
    - cd "$PATH_TO_TMP/$GITHUB_REPOSITORY_NAME"
    - bundle install
    - cd "$PATH_TO_APP_SOURCES"
    - bundle exec pod cache clean --all
    - bundle exec pod install --repo-update
    - bundle exec fastlane ios test_ui
    - bundle exec fastlane ios test_snapshots
    - echo "🍊🔨 Testing alpha completed"
  when: manual

build_alpha:
  extends:
    - .common
    - .setup_keychain
  stage: build-alpha
  needs: [test_alpha]
  script:
    # Check environment variables
    - echo "🍊🔨 Preparing environment"
    - ./prepare_build_environment.sh $GITHUB_ORGANIZATION_NAME $GITHUB_REPOSITORY_NAME $ALPHA_BRANCH_TO_BUILD
    - echo "🍊🔨 Environment prepared"
    # Download sources
    - echo "🍊🔨 Downloading sources from GitHub repository"
    - ENV_FILE_PATH=`realpath .env`
    - IOS_APP_COMMIT_SHA=`grep 'IOS_APP_COMMIT_SHA' $ENV_FILE_PATH | cut -d '=' -f2`
    - ./download_github_repository.sh $GITHUB_ORGANIZATION_NAME $GITHUB_REPOSITORY_NAME $IOS_APP_COMMIT_SHA
    - echo "🍊🔨 Things downloaded"
    # Build and upload
    - echo "🍊🔨 Building alpha"
    - cd "$PATH_TO_TMP/$GITHUB_REPOSITORY_NAME"
    - bundle install
    - cd "$PATH_TO_APP_SOURCES"
    - bundle exec pod cache clean --all
    - bundle exec pod install --repo-update
    - bundle exec fastlane build_alpha commitHash:$IOS_APP_COMMIT_SHA issueNumber:"$ALPHA_ISSUES_NUMBERS"
    - echo "🍊🔨 Building alpha done"
  artifacts:
    expire_in: 1 week
    when: always
    paths:
      - $PATH_TO_TMP/$PATH_TO_IPA
      - $PATH_TO_TMP/$PATH_TO_DSYM
      - $PATH_TO_TMP/$PATH_TO_ZIP

# -------------------
# Beta releases
# develop branch to build nightly with dedicated tags

test_beta:
  extends:
    - .common_beta
    - .setup_keychain
  stage: test-beta
  script:
    # Check environment variables
    - echo "🍊🔨 Preparing environment"
    - ./prepare_build_environment.sh $GITHUB_ORGANIZATION_NAME $GITHUB_REPOSITORY_NAME $BETA_BRANCH_TO_BUILD
    - echo "🍊🔨 Environment prepared"
    # Download sources
    - echo "🍊🔨 Downloading sources from GitHub repository"
    - ENV_FILE_PATH=`realpath .env`
    - IOS_APP_COMMIT_SHA=`grep 'IOS_APP_COMMIT_SHA' $ENV_FILE_PATH | cut -d '=' -f2`
    - ./download_github_repository.sh $GITHUB_ORGANIZATION_NAME $GITHUB_REPOSITORY_NAME $IOS_APP_COMMIT_SHA
    - echo "🍊🔨 Things downloaded"
    # Build and test
    - echo "🍊🔨 Testing beta"
    - cd "$PATH_TO_TMP/$GITHUB_REPOSITORY_NAME"
    - bundle install
    - cd "$PATH_TO_APP_SOURCES"
    - bundle exec pod cache clean --all
    - bundle exec pod install --repo-update
    - bundle exec fastlane ios test_ui
    - bundle exec fastlane ios test_snapshots
    - echo "🍊🔨 Testing completed"

build_beta:
  extends:
    - .common_beta
    - .setup_keychain
  stage: build-beta
  needs: [test_beta]
  script:
    # Check environment variables
    - echo "🍊🔨 Preparing environment"
    - ./prepare_build_environment.sh $GITHUB_ORGANIZATION_NAME $GITHUB_REPOSITORY_NAME $BETA_BRANCH_TO_BUILD
    - echo "🍊🔨 Environment prepared"
    # Download sources
    - echo "🍊🔨 Downloading sources from GitHub repository"
    - ENV_FILE_PATH=`realpath .env`
    - IOS_APP_COMMIT_SHA=`grep 'IOS_APP_COMMIT_SHA' $ENV_FILE_PATH | cut -d '=' -f2`
    - ./download_github_repository.sh $GITHUB_ORGANIZATION_NAME $GITHUB_REPOSITORY_NAME $IOS_APP_COMMIT_SHA
    - echo "🍊🔨 Things downloaded"
    # Build and upload
    - echo "🍊🔨 Building beta"
    - cd "$PATH_TO_TMP/$GITHUB_REPOSITORY_NAME"
    - bundle install
    - brew install peripheryapp/periphery/periphery
    - cd "$PATH_TO_APP_SOURCES"
    - bundle exec pod cache clean --all
    - bundle exec pod install --repo-update
    - bundle exec fastlane build_beta commitHash:$IOS_APP_COMMIT_SHA
    - echo "🍊🔨 Building beta done"
  # Creates tags dedicated to the CI/CD builds and TestFlight uploads using some commit hash, e.g. the last commit hash.
  # Will use the first characters of the hash, but it might not be accurate enough because some commits may start with the same value.
  artifacts:
    expire_in: 1 week
    when: always
    paths:
      - $PATH_TO_TMP/$PATH_TO_IPA
      - $PATH_TO_TMP/$PATH_TO_DSYM
      - $PATH_TO_TMP/$PATH_TO_ZIP

# -------------------
# Stable releases
# main branch to build on ask

build_stable:
  extends:
    - .common
    - .setup_keychain
  stage: build-stable
  script:
    # Check environment variables
    - echo "🍊🔨 Preparing environment"
    - ./prepare_build_environment.sh $GITHUB_ORGANIZATION_NAME $GITHUB_REPOSITORY_NAME $STABLE_BRANCH_TO_BUILD
    - echo "🍊🔨 Environment prepared"
    # Download sources
    - echo "🍊🔨 Downloading sources from GitHub repository"
    - ENV_FILE_PATH=`realpath .env`
    - IOS_APP_COMMIT_SHA=`grep 'IOS_APP_COMMIT_SHA' $ENV_FILE_PATH | cut -d '=' -f2`
    - ./download_github_repository.sh $GITHUB_ORGANIZATION_NAME $GITHUB_REPOSITORY_NAME $IOS_APP_COMMIT_SHA
    - echo "🍊🔨 Things downloaded"
    # Build and upload
    - echo "🍊🔨 Building stable"
    - cd "$PATH_TO_TMP/$GITHUB_REPOSITORY_NAME"
    - bundle install
    - brew install peripheryapp/periphery/periphery
    - cd "$PATH_TO_APP_SOURCES"
    - bundle exec pod cache clean --all
    - bundle exec pod install
    - bundle exec fastlane build_stable upload:true
    - echo "🍊🔨 Building stable done"
  when: manual
  artifacts:
    expire_in: 3 weeks
    when: always
    paths:
      - $PATH_TO_TMP/$PATH_TO_IPA
      - $PATH_TO_TMP/$PATH_TO_DSYM
      - $PATH_TO_TMP/$PATH_TO_ZIP
```
We use a script to prepare the workspace:
```bash
#!/usr/bin/env bash
# Software Name: OUDS iOS
# SPDX-FileCopyrightText: Copyright (c) Orange SA
# SPDX-License-Identifier: MIT

# No xtrace (-x) here: it would print the expanded secrets passed to Assert
# and the Authorization header given to curl into the job log.
set -euo pipefail

# Exit codes
# ----------

EXIT_STATUS_MISSING_PREREQUISITES=100
EXIT_STATUS_UNDEFINED_ENV_VARIABLES=101
EXIT_STATUS_ERROR_MISSING_TAG_OR_BRANCH=102
EXIT_STATUS_ERROR_NO_ORGANIZATION=200
EXIT_STATUS_ERROR_NO_PROJECT=201
EXIT_STATUS_GITHUB_REQUEST_FAILED=300
EXIT_STATUS_NO_COMMITS=301

# Functions
# ---------

DisplayUsage(){
    echo "   Usage: ./prepare_build_environment.sh orga_name repo_name tag_or_branch"
}

# Stops the script if the given environment variable is empty or undefined
Assert(){
    env_var_name=$1
    env_var_value=$2
    if [[ -z $env_var_value ]]; then
        echo "❌ The environment variable '$env_var_name' is undefined"
        exit $EXIT_STATUS_UNDEFINED_ENV_VARIABLES
    else
        echo "✅ The environment variable '$env_var_name' is defined"
    fi
}

# Only warns if the given environment variable is empty or undefined
Check(){
    env_var_name=$1
    env_var_value=$2
    if [[ -z $env_var_value ]]; then
        echo "⚠️ The environment variable '$env_var_name' is undefined, are you aware of that?"
    else
        echo "✅ The environment variable '$env_var_name' is defined"
    fi
}

# Requirements
# ------------

REQUIREMENTS=(curl jq)
for someCommand in "${REQUIREMENTS[@]}"; do
    # Tested directly in the condition so that "set -e" does not abort before the message
    if ! command -v "$someCommand" > /dev/null 2>&1; then
        >&2 echo "❌ Required '$someCommand' is not installed"
        exit $EXIT_STATUS_MISSING_PREREQUISITES
    fi
done

# Parameters
# ----------
# "${N:-}" keeps "set -u" from aborting before the usage message is displayed

GITHUB_ORGA_NAME=${1:-}
if [[ -z $GITHUB_ORGA_NAME ]]; then
    DisplayUsage
    exit $EXIT_STATUS_ERROR_NO_ORGANIZATION
fi

GITHUB_REPO_NAME=${2:-}
if [[ -z $GITHUB_REPO_NAME ]]; then
    DisplayUsage
    exit $EXIT_STATUS_ERROR_NO_PROJECT
fi

TAG_OR_BRANCH=${3:-} # e.g. "main" for stable, "develop" for beta, other branch name for alpha
if [[ -z $TAG_OR_BRANCH ]]; then
    DisplayUsage
    exit $EXIT_STATUS_ERROR_MISSING_TAG_OR_BRANCH
fi

# Check main environment variables (defined in GitLab project settings)
# ---------------------------------------------------------------------
# "${VAR:-}" lets Assert report a missing variable instead of "set -u" aborting first

# Apple glue
Assert "OUDS_APPLE_ISSUER_ID" "${OUDS_APPLE_ISSUER_ID:-}"
Assert "OUDS_APPLE_KEY_ID" "${OUDS_APPLE_KEY_ID:-}"
Assert "OUDS_APPLE_KEY_CONTENT" "${OUDS_APPLE_KEY_CONTENT:-}"
Assert "OUDS_FASTLANE_APPLE_ID" "${OUDS_FASTLANE_APPLE_ID:-}"
Assert "OUDS_DEVELOPER_PORTAL_TEAM_ID" "${OUDS_DEVELOPER_PORTAL_TEAM_ID:-}"
Assert "OUDS_DEVELOPER_BUNDLE_IDENTIFIER" "${OUDS_DEVELOPER_BUNDLE_IDENTIFIER:-}"
Assert "OUDS_BUILD_CERTIFICATE_BASE64" "${OUDS_BUILD_CERTIFICATE_BASE64:-}"
Assert "OUDS_BUILD_PROVISIONING_PROFILE_BASE64" "${OUDS_BUILD_PROVISIONING_PROFILE_BASE64:-}"
Assert "OUDS_P12_PASSWORD" "${OUDS_P12_PASSWORD:-}"
Assert "OUDS_KEYCHAIN_PASSWORD" "${OUDS_KEYCHAIN_PASSWORD:-}"

# Mattermost hook
Assert "OUDS_MATTERMOST_HOOK_URL" "${OUDS_MATTERMOST_HOOK_URL:-}"
Assert "OUDS_MATTERMOST_HOOK_BOT_NAME" "${OUDS_MATTERMOST_HOOK_BOT_NAME:-}"
Assert "OUDS_MATTERMOST_HOOK_BOT_ICON_URL" "${OUDS_MATTERMOST_HOOK_BOT_ICON_URL:-}"

# For comments, tags, etc.
Assert "GITHUB_ACCESS_TOKEN" "${GITHUB_ACCESS_TOKEN:-}"

# OMA upload
Assert "OUDS_UPLOAD_STORE_URL" "${OUDS_UPLOAD_STORE_URL:-}"

# Non mandatory checks
Check "ALPHA_ISSUES_NUMBERS" "${ALPHA_ISSUES_NUMBERS:-}"

# Get last commit hash
# --------------------

# Start from an empty .env file
> .env

echo "Preparing environment..."
echo "Tag or branch to pull sources from is: '$TAG_OR_BRANCH'"

headers=(-L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $GITHUB_ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28")
commits=$(curl "${headers[@]}" "https://api.github.com/repos/$GITHUB_ORGA_NAME/$GITHUB_REPO_NAME/commits?per_page=100&sha=$TAG_OR_BRANCH")
# The response is quoted so that commit messages are not word-split or globbed;
# "// empty" turns a missing sha into an empty string instead of the text "null"
release_commit_sha=$(jq -r 'try (first | .sha // empty)' <<< "$commits")

if [[ -z $release_commit_sha ]]; then
    echo "❌ Could not find any commit in qualif '$TAG_OR_BRANCH' on GitHub '$GITHUB_REPO_NAME' repository."
    exit $EXIT_STATUS_NO_COMMITS
else
    echo "✅ Release commit to use is '$release_commit_sha'"
fi

echo "IOS_APP_COMMIT_SHA=$release_commit_sha" >> .env # Store environment variables for GitLab jobs

echo "✅ It seems all environment variables are defined, let's continue"
```
The following script will download the source from GitHub with the workspace prepared by the previous script.
```bash
#!/usr/bin/env bash
# Software Name: OUDS iOS
# SPDX-FileCopyrightText: Copyright (c) Orange SA
# SPDX-License-Identifier: MIT

# No xtrace (-x): it would print the Authorization header given to curl into the job log.
# No errexit (-e): the curl exit status is checked explicitly below.
set -uo pipefail

# Exit codes
# ----------

EXIT_STATUS_ERROR_NO_ORGANIZATION=1
EXIT_STATUS_ERROR_NO_PROJECT=2
EXIT_STATUS_ERROR_NO_SHA1=3
EXIT_STATUS_GITHUB_REQUEST_FAILED=4

# Utils
# ------

DisplayUsage(){
    echo "   Usage: ./download_github_repository.sh orga_name repo_name commit_sha1"
}

# Parameters
# ----------
# "${N:-}" keeps "set -u" from aborting before the usage message is displayed

GITHUB_ORGA_NAME=${1:-}
if [[ -z $GITHUB_ORGA_NAME ]]; then
    DisplayUsage
    exit $EXIT_STATUS_ERROR_NO_ORGANIZATION
fi

GITHUB_REPO_NAME=${2:-}
if [[ -z $GITHUB_REPO_NAME ]]; then
    DisplayUsage
    exit $EXIT_STATUS_ERROR_NO_PROJECT
fi

COMMIT_SHA=${3:-}
if [[ -z $COMMIT_SHA ]]; then
    DisplayUsage
    exit $EXIT_STATUS_ERROR_NO_SHA1
fi

# Business logic
# --------------

echo "Downloading $GITHUB_ORGA_NAME/$GITHUB_REPO_NAME repository at $COMMIT_SHA"

TMP_DIR_PATH="tmp/ouds"
if [ -d "$TMP_DIR_PATH" ]; then
    echo "Delete old temp directory"
    rm -rf "$TMP_DIR_PATH"
fi
echo "Sources will be downloaded at: '$TMP_DIR_PATH'"

# No need to clone the Git repository which can be quite heavy.
# Using also SSH implies to have proxy settings allowing this protocol and to use private key
# but some developers of OUDS iOS are GitHub organization admins, thus their private keys are much too powerful
# and their use is too hazardous.
# Script can be used in runners and VM in the cloud, so HTTP API is enough and reliable.

echo "Create new temp directory"
mkdir -p "$TMP_DIR_PATH"
ZIP_FILE_PATH="$TMP_DIR_PATH/$GITHUB_REPO_NAME.zip"

HEADERS=(-L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $GITHUB_ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28")

echo "Download version..."
# --fail makes curl return a non-zero status on HTTP errors, so the check below also catches them
curlReturn=$(curl --fail "${HEADERS[@]}" "https://api.github.com/repos/$GITHUB_ORGA_NAME/$GITHUB_REPO_NAME/zipball/$COMMIT_SHA" --output "$ZIP_FILE_PATH" 2>&1)
if [ $? -ne 0 ] ; then
    echo "Error with GitHub request: '$curlReturn'"
    exit $EXIT_STATUS_GITHUB_REQUEST_FAILED
fi

echo "Unzip version"
yes | unzip "$ZIP_FILE_PATH" -d "$TMP_DIR_PATH"
echo "Unzip completed ($?)"

# Rename for future steps
echo "Moving items..."
mv "$TMP_DIR_PATH/$GITHUB_ORGA_NAME-$GITHUB_REPO_NAME"-* "$TMP_DIR_PATH/$GITHUB_REPO_NAME"

echo "✅ It seems the sources have been downloaded and extracted successfully!"
```
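The jobs read the pinned commit back from `.env` with `grep | cut`, and the download script renames whatever `<org>-<repo>-*` folder the archive produced. As an added example (not part of the OUDS scripts; the function names are hypothetical, and it assumes the archive folder suffix is a prefix of the commit SHA of at least 7 characters), these POSIX shell helpers validate both values before the build uses them:

```shell
#!/usr/bin/env sh
# Added example, not the project's code. Function names are hypothetical.

# Succeeds only for a full 40-character lowercase hexadecimal commit SHA.
is_full_sha() {
    [ "${#1}" -eq 40 ] || return 1
    case $1 in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Prints the value of KEY from an env file. Unlike `grep KEY | cut -d= -f2`,
# the key must match exactly at line start and duplicate entries are rejected.
read_env_value() { # usage: read_env_value KEY FILE
    awk -v key="$1" '
        index($0, key "=") == 1 { n++; value = substr($0, length(key) + 2) }
        END { if (n != 1) exit 1; print value }
    ' "$2"
}

# Resolves the pinned commit from the env file and refuses anything that is
# not a full SHA (for example "null", a branch name or an abbreviated hash).
pinned_sha_from_env() { # usage: pinned_sha_from_env FILE
    pinned=$(read_env_value IOS_APP_COMMIT_SHA "$1") || return 1
    is_full_sha "$pinned" || return 1
    printf '%s\n' "$pinned"
}

# Checks that DIR holds exactly one "<org>-<repo>-<suffix>" folder and that
# <suffix> is a prefix of the pinned SHA (assumed archive layout, see lead-in).
# This is a consistency check, not a cryptographic verification.
verify_zipball_root() { # usage: verify_zipball_root DIR ORG REPO SHA
    is_full_sha "$4" || return 1
    matches=0
    suffix=
    for entry in "$1/$2-$3-"*; do
        [ -d "$entry" ] || continue
        matches=$((matches + 1))
        suffix=${entry##*/"$2-$3-"}
    done
    [ "$matches" -eq 1 ] || return 1
    [ "${#suffix}" -ge 7 ] || return 1
    case $4 in
        "$suffix"*) return 0 ;;
    esac
    return 1
}
```

In the pipeline, `pinned_sha_from_env .env` would replace the `grep | cut` line, and `verify_zipball_root` would run just before the `mv` that renames the extracted folder.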
Note that the GITHUB_ACCESS_TOKEN must be a fine-grained personal access token with read and write permissions for contents, read-only for metadata, and read and write for commit statuses and issues. Click on this hyperlink to create such a token; however, you may need to contact your GitHub organization admins for validation or help. For Orange-OpenSource, use the usual help address you should know.
The alpha builds must be created using a manual trigger of our internal pipeline. It needs a branch to pull the sources to build from, and some issue number(s). The last commit hash will be computed and used. A first step will prepare the build, then a second step will build and upload the app.
The alpha build will then be uploaded automatically to TestFlight and made available to a team defined in the fastlane/Appfile (here alpha-team).
Both our Mattermost hook and the Fastlane lanes produce details about the build like version, issues and build number.
There are also in the app some extra fields defined in the app Info.plist through Fastlane and GitLab CI showing the app version, its build number, the build type ("debug" for local builds, "alpha" for alpha release, "beta (nightly)" for beta release, "stable" for production release) and the build details (issues numbers). The display name will be modified too.
The beta builds are created with a scheduled pipeline. This is much the same logic as for alpha builds, but with Git tags associated to the builds on the develop branch (one for the build prefixed by ci/, one for the TestFlight upload prefixed by Test_Flight) with the commit hash as suffix.
The beta build is automatically uploaded to TestFlight for a dedicated team (here beta-team).
The Mattermost hook is also used, the app display name and the build details are updated too.
The stable builds are created with a manual trigger of the pipeline. They are built on the main branch, in release configuration, and shipped to TestFlight.
GitHub Actions workflows are used for CI/CD on the GitHub side, in addition to GitLab CI on our internal platform. These workflows:
- check if there is dead code (but no strict mode) (Periphery)
- run linter (but no strict mode) (SwiftLint)
- check if secrets have leaked (GitLeaks)
- check if some localizables are missing, are not reviewed or not translated (SwiftPolyglot)
- build and test the products
We also use two GitHub apps which run controls on pull requests and define whether or not the prerequisites are fulfilled. There is one control to check if the PR template fields are all defined, and one to check if the DCO is applied.
We do not use GitHub Actions for app building and shipping as their runners are too volatile.
You can get details about certificate management on GitHub in their online documentation.