
Add workflow (nuke_certs) for Annual Certificates Reset #191

Open · wants to merge 3 commits into base: main
Conversation

marionbarker (Contributor) commented Aug 6, 2024

Background

The manual directions in LoopDocs are difficult for users to implement.
The nuke_certs.yml was proposed by @ps2 at some time in the past when we were not quite sure of the steps.
I found a version of his code and updated it for macos-14 and node20.
The job shows up as 9. Annual Certificates Reset.

Details

Adding this workflow will change the section linked below to be:

When certificates expire

  1. Run the action for Annual Certificates Reset
  2. Then for every app built with browser, run the actions to Create Certificates followed by Build

LoopDocs link

Without this workflow, users need to follow these instructions:

marionbarker (Contributor, Author) commented:

This code was tested using the GitHub username of loopdocs-tester.

I see that I need to add the branch name to the workflow. I'll make another commit to do that.

marionbarker (Contributor, Author) commented:

I tested the update using the GitHub username marionbarker.
The configuration is that the certs were not in sync with Match-Secrets due to various testing.
Running Create Certs with main failed.
Running Annual Certificates Reset followed by Create Certs succeeded.

The branch name is now included with the new workflow.
workflow_nuke_certs

dnzxy (Contributor) commented Aug 7, 2024

As per request via DM, putting my comments on this here as well.

  • This PR is to LoopKit/LoopWorkspace main. Shouldn't this land in dev first?
  • The issue / roadblock that kept us (@billybooth and me) from implementing this last summer was that fastlane didn't have the proper tools (yet, fastlane 2.22x.x may have that now) to fetch certificates, check each certificate's expiration, and act upon those expiration dates (nuke the ones that need nuking, specifically only those ones, not others).
  • The idea was to automate this by fetching the certificate creation date on a schedule and if that specific certificate is about to expire, nuke and recreate it; in one workflow.
  • The nuke_certs fastlane action you are proposing to use here will nuke all certificates and profiles under one's Apple Developer account (to be more precise: associated with a given TEAMID), not just the one to expire. This is too broadly scoped of a deletion operation, and not surgical enough.
  • The new fastlane version should give you the means to seek out specific certificates, decode / encode them to check them, then nuke just the specific ones, then rerun the creation to recreate them. Rerunning the creation will also produce new certificate profiles with it. That’s the way this should go.
  • Additionally, even if this isn’t automated to run on a schedule, the nuke workflow should only remove specific certificates and it should run create certificates in a subsequent step, just like we run validate as the first step in every other workflow. That way, users will not have to run two actions after one another.
  • You should also run validate as a first step for the nuke workflow.
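One way to implement the "only the certificates that are about to expire" selection described in the comment above, as an added Ruby example that is not part of this PR or of fastlane. make_cert, common_name and select_for_reset are hypothetical helpers, and the three sample certificates are constructed inline; in a real workflow the inputs would be the certificates stored in Match-Secrets or fetched from the Apple Developer portal.

```ruby
require "openssl"

# Hypothetical helper (not fastlane's own): build a self-signed certificate
# with a chosen expiry so the selection logic can be exercised offline.
def make_cert(common_name, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([["CN", common_name]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_after - 365 * 86_400 # one-year validity window
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Extract the CN from the certificate subject for reporting.
def common_name(cert)
  cert.subject.to_a.find { |name, _value, _type| name == "CN" }[1]
end

# Partition certificates: anything already expired or expiring within
# grace_days is a candidate for removal and recreation; everything else is
# left untouched. Returns { nuke: [CNs], keep: [CNs] }.
def select_for_reset(certs, now: Time.now, grace_days: 30)
  cutoff = now + grace_days * 86_400
  nuke, keep = certs.partition { |c| c.not_after <= cutoff }
  { nuke: nuke.map { |c| common_name(c) }, keep: keep.map { |c| common_name(c) } }
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2024, 8, 6)
  # Constructed sample certificates, one per state.
  certs = [
    make_cert("Apple Distribution: expired", now - 86_400),
    make_cert("Apple Distribution: expiring", now + 10 * 86_400),
    make_cert("Apple Development: fresh", now + 300 * 86_400)
  ]
  result = select_for_reset(certs, now: now)
  puts "nuke: #{result[:nuke].join(', ')}"
  puts "keep: #{result[:keep].join(', ')}"
end
```

Only the certificates returned under nuke would be passed to the removal step, after which the create-certificates lane regenerates them and their profiles.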

marionbarker (Contributor, Author) commented:

I agree with everything that @dnzxy said. However, the procedure given in LoopDocs matches the sledgehammer that this procedure does. I was trying to come up with something to help people who build using GitHub actions on the main branch. They are now struggling to build after their Apple Distribution Certificate expires.

The improved procedure dnzxy advocates, once one is developed, would probably be tested in dev first and then, perhaps, patched to main.

SmiteDiabeetus commented Sep 30, 2024

Would something like this work?
```yaml
default_platform: ios

platforms:
  ios:
    lanes:
      nuke_certificate:
        description: "Nuke the certificate and provisioning profiles for a specific application"
        steps:
          - type: match
            args:
              action: "nuke"
              type: "development"
              app_identifier: "com.yourcompany.yourapp"
              readonly: false
              username: "your_apple_developer_account"
```
