name: "Apple: iOS Distribution KMS CSR" run-name: "Apple: iOS Distribution KMS CSR (${{ github.event.inputs.kms_key || 'apple-ios-distribution' }})" on: workflow_dispatch: inputs: kms_key: description: Google KMS key name in the Burrow identity key ring required: false default: apple-ios-distribution kms_version: description: Google KMS key version required: false default: "1" common_name: description: CSR common name required: false default: Burrow iOS Distribution email_address: description: CSR email address required: false default: release@burrow.net permissions: contents: read concurrency: group: apple-ios-distribution-kms-csr-${{ github.ref }} cancel-in-progress: false env: BURROW_GOOGLE_PROJECT_ID: ${{ vars.GOOGLE_PROJECT_ID || 'project-88c23ce9-918a-470a-b33' }} GOOGLE_CLOUD_PROJECT: ${{ vars.GOOGLE_PROJECT_ID || 'project-88c23ce9-918a-470a-b33' }} BURROW_GOOGLE_PROJECT_NUMBER: ${{ vars.GOOGLE_PROJECT_NUMBER || '416198671487' }} BURROW_GOOGLE_WIF_POOL_ID: ${{ vars.BURROW_GOOGLE_WIF_POOL_ID || 'burrow-authentik' }} BURROW_GOOGLE_WIF_PROVIDER_ID: ${{ vars.BURROW_GOOGLE_WIF_PROVIDER_ID || 'forgejo-runners' }} BURROW_GOOGLE_WIF_SERVICE_ACCOUNT: ${{ vars.BURROW_GOOGLE_WIF_SERVICE_ACCOUNT || 'burrow-forgejo-runner@project-88c23ce9-918a-470a-b33.iam.gserviceaccount.com' }} BURROW_AUTHENTIK_WIF_ISSUER: ${{ vars.BURROW_AUTHENTIK_WIF_ISSUER || 'https://auth.burrow.net/application/o/google-cloud/' }} BURROW_AUTHENTIK_WIF_AUDIENCE: ${{ vars.BURROW_AUTHENTIK_WIF_AUDIENCE || 'google-wif.burrow.net' }} BURROW_AUTHENTIK_WIF_CLIENT_ID: ${{ vars.BURROW_AUTHENTIK_WIF_CLIENT_ID || 'google-wif.burrow.net' }} BURROW_AUTHENTIK_WIF_CLIENT_SECRET: ${{ secrets.BURROW_AUTHENTIK_WIF_CLIENT_SECRET }} BURROW_KMS_LOCATION: global BURROW_KMS_KEYRING: burrow-identity jobs: csr: name: Generate CSR runs-on: [self-hosted, linux, x86_64, burrow-forge] timeout-minutes: 20 steps: - name: Checkout uses: https://code.forgejo.org/actions/checkout@v4 with: token: ${{ github.token }} fetch-depth: 0 - name: Ensure Nix shell: bash run: bash Scripts/ci/ensure-nix.sh - name: Authenticate Google WIF shell: bash run: nix develop .#ci -c Scripts/ci/google-wif-auth.sh - name: Generate KMS-backed CSR shell: bash run: | set -euo pipefail mkdir -p dist/apple-ios-distribution nix develop .#ci -c Scripts/apple/google-kms-csr.py \ --kms-key "${{ github.event.inputs.kms_key || 'apple-ios-distribution' }}" \ --kms-version "${{ github.event.inputs.kms_version || '1' }}" \ --common-name "${{ github.event.inputs.common_name || 'Burrow iOS Distribution' }}" \ --email-address "${{ github.event.inputs.email_address || 'release@burrow.net' }}" \ --output dist/apple-ios-distribution/ios-distribution.certSigningRequest \ --public-key-output dist/apple-ios-distribution/google-kms-public-key.pem if command -v openssl >/dev/null 2>&1; then openssl req -in dist/apple-ios-distribution/ios-distribution.certSigningRequest -noout -verify fi cat > dist/apple-ios-distribution/README.txt <<'EOF' This CSR is backed by a non-exportable Google Cloud KMS key in the Burrow identity key ring. Create an iOS Distribution certificate explicitly through App Store Connect: Scripts/apple/create-asc-certificate.mjs \ --certificate-type IOS_DISTRIBUTION \ --csr-file ios-distribution.certSigningRequest \ --out-dir Apple/Certificates Keep the returned .cer file with release artifacts. The private key remains in Google Cloud KMS and is never exported as a p12. EOF - name: Upload CSR Artifact uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-ios-distribution-kms-csr path: dist/apple-ios-distribution