
[CI] Migrate iOS workflow to GitHub App Token#725

Open
CassioMG wants to merge 12 commits into main from cg-ios-ghapp-token

Conversation

@CassioMG
Contributor

@CassioMG CassioMG commented Feb 16, 2026

Summary

  • Migrate iOS CI workflow from SSH deploy key authentication to GitHub App token
    for accessing the private Match certificates repository
  • Simplify Fastlane Match configuration

Changes

  • Replace FASTLANE_GIT_DEPLOY_KEY (SSH deploy key) with GitHub App token via
    actions/create-github-app-token@v2
  • Add MATCH_GITHUB_APP_ID (repository variable) and
    MATCH_GITHUB_APP_PRIVATE_KEY (secret) for GitHub App authentication
  • Use git_basic_authorization in Match instead of git_private_key
  • Add explicit permissions: contents: read for security hardening
  • Remove git_url from Matchfile (set dynamically in Fastfile)
  • Update Match configuration to use git_basic_authorization with GitHub App
    token

Required Configuration

Type      Name                           Purpose
Variable  MATCH_GITHUB_APP_ID            GitHub App ID for Match repo access
Secret    MATCH_GITHUB_APP_PRIVATE_KEY   GitHub App private key

Why

  • No long-lived credentials: GitHub App tokens are short-lived (1 hour) and
    scoped to specific repositories
  • Principle of least privilege: Explicit workflow permissions declared,
    token scoped only to freighter-mobile-fastlane repository

Known limitations

Ops team to configure the GitHub App - DONE ✅

Checklist

PR structure

  • This PR does not mix refactoring changes with feature changes (break it down into smaller PRs if not).
  • This PR has reasonably narrow scope (break it down into smaller PRs if not).
  • This PR includes relevant before and after screenshots/videos highlighting these changes.
  • I took the time to review my own PR.

Testing

  • These changes have been tested and confirmed to work as intended on Android.
  • These changes have been tested and confirmed to work as intended on iOS.
  • These changes have been tested and confirmed to work as intended on small iOS screens.
  • These changes have been tested and confirmed to work as intended on small Android screens.
  • I have tried to break these changes while extensively testing them.
  • This PR adds tests for the new functionality or fixes.

Release

  • This is not a breaking change.
  • This PR updates existing JSDocs when applicable.
  • This PR adds JSDocs to new functionalities.
  • I've checked with the product team if we should add metrics to these changes.
  • I've shared relevant before and after screenshots/videos highlighting these changes with the design team and they've approved the changes.
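The workflow shape this PR describes (explicit read-only permissions, a GitHub App installation token minted per run, and that token handed to Fastlane Match instead of an SSH deploy key), written out as an added example. This is not the repository's ios.yml; it assumes the Match repository is freighter-mobile-fastlane under a placeholder owner `<org>`, that the Fastfile reads the token from a hypothetical MATCH_GIT_TOKEN environment variable, that a MATCH_PASSWORD secret already exists, and a hypothetical lane name `certificates`:

```yaml
# Added example of the hardened iOS workflow (not the project's own file).
# Assumptions: Match certificates live in <org>/freighter-mobile-fastlane,
# the Fastfile reads the token from MATCH_GIT_TOKEN (hypothetical name),
# and the lane is called "certificates" (hypothetical).
name: iOS

on:
  pull_request:
  push:
    branches: [main]

# Least privilege for the default GITHUB_TOKEN: checkout only.
permissions:
  contents: read

jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4

      # Mint a short-lived installation token (1 hour) scoped to the Match
      # repository only. The App private key is consumed by this step; only
      # the derived token is exposed to later steps, and the action revokes
      # the token in its post step when the job finishes.
      - name: Create GitHub App token for Match
        id: match-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.MATCH_GITHUB_APP_ID }}
          private-key: ${{ secrets.MATCH_GITHUB_APP_PRIVATE_KEY }}
          owner: <org>                          # placeholder owner
          repositories: freighter-mobile-fastlane
          permission-contents: read             # read-only even if the App has more

      - name: Fetch signing certificates with Match
        env:
          MATCH_GIT_TOKEN: ${{ steps.match-token.outputs.token }}   # hypothetical name
          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}             # assumed existing secret
        run: bundle exec fastlane ios certificates                  # hypothetical lane
```

On the Fastfile side the lane sets `git_url` to `https://github.com/<org>/freighter-mobile-fastlane.git` and passes `git_basic_authorization: Base64.strict_encode64("x-access-token:#{ENV['MATCH_GIT_TOKEN']}")`; GitHub App tokens authenticate over HTTPS with the literal username `x-access-token`, and `strict_encode64` (not `encode64`, which appends a newline) is needed so the header value is well formed. Because `git_url` moves into the Fastfile, the Matchfile no longer needs it, which matches the change listed above.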

Contributor

Copilot AI left a comment


Pull request overview

This pull request migrates the iOS CI workflow from SSH deploy key authentication to GitHub App token authentication for accessing the private Fastlane Match certificates repository. This improves security by using short-lived tokens (1 hour) instead of long-lived SSH keys and follows the principle of least privilege.

Changes:

  • Replaced SSH deploy key authentication with GitHub App token via actions/create-github-app-token@v2
  • Updated Fastlane Match configuration to use git_basic_authorization instead of git_private_key
  • Added explicit permissions: contents: read for security hardening

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File                          Description
.github/workflows/ios.yml     Added GitHub App token generation step, removed SSH key references, added explicit permissions
fastlane/Fastfile             Changed authentication from SSH private key to GitHub App token with basic authorization
fastlane/Matchfile            Removed git_url configuration (now set dynamically in Fastfile)


Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.


Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.



Base automatically changed from cg-android-wif to main February 18, 2026 20:37
@CassioMG
Contributor Author

I will keep this closed while we wait for ops

@CassioMG CassioMG closed this Feb 18, 2026
@CassioMG CassioMG reopened this Feb 26, 2026
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.




2 participants