name: "Apple: Developer ID KMS CSR" run-name: "Apple: Developer ID KMS CSR (${{ github.event.inputs.kms_key || 'apple-developer-id-application' }})" on: workflow_dispatch: inputs: kms_key: description: Google KMS key name in the Burrow identity key ring required: false default: apple-developer-id-application kms_version: description: Google KMS key version required: false default: "1" common_name: description: CSR common name required: false default: Burrow Developer ID Application email_address: description: CSR email address required: false default: release@burrow.net permissions: contents: read concurrency: group: apple-developer-id-kms-csr-${{ github.ref }} cancel-in-progress: false env: BURROW_GOOGLE_PROJECT_ID: ${{ vars.GOOGLE_PROJECT_ID || 'project-88c23ce9-918a-470a-b33' }} GOOGLE_CLOUD_PROJECT: ${{ vars.GOOGLE_PROJECT_ID || 'project-88c23ce9-918a-470a-b33' }} BURROW_GOOGLE_PROJECT_NUMBER: ${{ vars.GOOGLE_PROJECT_NUMBER || '416198671487' }} BURROW_GOOGLE_WIF_POOL_ID: ${{ vars.BURROW_GOOGLE_WIF_POOL_ID || 'burrow-authentik' }} BURROW_GOOGLE_WIF_PROVIDER_ID: ${{ vars.BURROW_GOOGLE_WIF_PROVIDER_ID || 'forgejo-runners' }} BURROW_GOOGLE_WIF_SERVICE_ACCOUNT: ${{ vars.BURROW_GOOGLE_WIF_SERVICE_ACCOUNT || 'burrow-forgejo-runner@project-88c23ce9-918a-470a-b33.iam.gserviceaccount.com' }} BURROW_AUTHENTIK_WIF_ISSUER: ${{ vars.BURROW_AUTHENTIK_WIF_ISSUER || 'https://auth.burrow.net/application/o/google-cloud/' }} BURROW_AUTHENTIK_WIF_AUDIENCE: ${{ vars.BURROW_AUTHENTIK_WIF_AUDIENCE || 'google-wif.burrow.net' }} BURROW_AUTHENTIK_WIF_CLIENT_ID: ${{ vars.BURROW_AUTHENTIK_WIF_CLIENT_ID || 'google-wif.burrow.net' }} BURROW_AUTHENTIK_WIF_CLIENT_SECRET: ${{ secrets.BURROW_AUTHENTIK_WIF_CLIENT_SECRET }} BURROW_KMS_LOCATION: global BURROW_KMS_KEYRING: burrow-identity jobs: csr: name: Generate CSR runs-on: [self-hosted, linux, x86_64, burrow-forge] timeout-minutes: 20 steps: - name: Checkout uses: https://code.forgejo.org/actions/checkout@v4 with: token: ${{ github.token }} fetch-depth: 0 - name: Ensure Nix shell: bash run: bash Scripts/ci/ensure-nix.sh - name: Authenticate Google WIF shell: bash run: nix develop .#ci -c Scripts/ci/google-wif-auth.sh - name: Generate KMS-backed CSR shell: bash env: BURROW_APPLE_DEVELOPER_ID_KMS_KEY: ${{ github.event.inputs.kms_key || 'apple-developer-id-application' }} BURROW_KMS_VERSION: ${{ github.event.inputs.kms_version || '1' }} BURROW_APPLE_DEVELOPER_ID_CSR_COMMON_NAME: ${{ github.event.inputs.common_name || 'Burrow Developer ID Application' }} BURROW_APPLE_DEVELOPER_ID_CSR_EMAIL: ${{ github.event.inputs.email_address || 'release@burrow.net' }} run: | set -euo pipefail mkdir -p dist/apple-developer-id nix develop .#ci -c Scripts/apple/google-kms-csr.py \ --output dist/apple-developer-id/developer-id-application.certSigningRequest \ --public-key-output dist/apple-developer-id/google-kms-public-key.pem if command -v openssl >/dev/null 2>&1; then openssl req -in dist/apple-developer-id/developer-id-application.certSigningRequest -noout -verify fi cat > dist/apple-developer-id/README.txt <<'EOF' This CSR is backed by a non-exportable Google Cloud KMS key in the Burrow identity key ring. Apple currently documents Developer ID certificate creation through the Developer website or Xcode, not App Store Connect API creation. Upload developer-id-application.certSigningRequest in: Certificates, Identifiers & Profiles -> Certificates -> + -> Developer ID -> Developer ID Application. Keep the returned .cer file with release artifacts. The private key remains in Google Cloud KMS and is never exported as a p12. EOF - name: Upload CSR Artifact uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-developer-id-kms-csr path: dist/apple-developer-id