more updates regarding nuking

marionbarker · marionbarker · commit ef76f78f5d0e · 2025-04-07T16:15:05.000-07:00
diff --git a/docs/browser/automatic.md b/docs/browser/automatic.md
@@ -65,6 +65,64 @@ The `alive` branch you need is created automatically when you run the `Build Loo
     * You can delete every branch that starts with the name `alive`
     * Leave the other branches alone unless a mentor directs you to take action
 
+## Automatic Certificates
+
+Coming soon with `Loop 3.6.0`. 
+
+Already here with `LoopFollow 2.3.0` and some other Open-Source apps.
+
+### Requirements
+
+You must have the `ENABLE_NUKE_CERTS` variable set to `true` for your *GitHub* organization, or when using a personal account to build, add it to each repository.
+
+* Refer to [Add Variable](prepare-fork.md#add-variable){: target="_blank" }
+
+### Certificates and `Match-Secrets`
+
+The Create Certificates action does the following:
+
+* Reads existing signing credentials from your `Match-Secrets` private respository and confirms if they are valid
+* OR
+* Uses your `Distribution` Certificate from *Apple* or creates a new one if one does not exist
+* Securely stores, in  your `Match-Secrets` private repository, signing credentials (like certificates and provisioning profiles from *Apple*) used for code signing for each Identifier in your app when you build
+
+### Annual Renewal
+
+This happens once a year after *Apple* automatically expires your `Distribution` Certificate.
+
+* When the *Apple* `Distribution` certificate expires, the saved credentials in your `Match-Secrets` private repository are invalid and need to be removed (<code>nuke</code>)
+* You need a new `Distribution` Certificate at *Apple*
+* You need to create new signing credentials for `Match-Secrets`
+
+For the `Loop` app, up through version 3.4.4, you need to do this process manually.
+
+### Automatic Certificate Renewal
+
+Some Open-Source apps, in particular `Trio` and `LoopFollow 2.3.0` already have this capability.
+
+* If your signing credentials for the app being built are invalid and `ENABLE_NUKE_CERTS` is `true`, then signing credentials will be cleared from your `Match-Secrets` repository, a new `Distribution` certificate will be created at *Apple* and signing credentials for the current app will be generated and stored in `Match-Secrets`.
+
+* Next app you build will need certificates created because all signing credentials were cleared out of your `Match-Secrets` repository
+    * If that app is configured for automatic certificate renewal, you only need to run the `Build Action`; it detects no signing credentials are available and creates them
+    * If that app is not configured for automatic certificate renewal, you must first run the action  `Create Certificates` and then `Build`
+
+### Open-Source App Schedule
+
+Each Open-Source App has a schedule for when the automatic build happens. This determines when the automatic check for certificate status happens.
+
+The times are shifted to make sure only one Open-Source app performs a `nuke` process at one time. This only happens once a year, but we wanted to be sure there are no conflicts. Even if an app doesn't have automatic certificates implemented yet, they are added to the table as suggested values to use when this capability gets added. All times are UTC. If other apps decide to add this feature, please make a pull request to LoopDocs so we can add those times to the deconfliction table.
+
+| Open-Source App | AutoCerts? | Wed Time | 1st of Month Time |
+|:--|:-:|--:|--:|
+| <span translate="no">Loop</span> | `dev` only | 09:00 | 07:00 |
+| <span translate="no">LoopCaregiver</span> | n | 13:00 | 11:00 |
+| <span translate="no">LoopFollow</span> | y | 12:00 | 10:00 |
+| <span translate="no">LoopFollow_Second</span> | y | 12:20 | 10:20 |
+| <span translate="no">LoopFollow_Third</span> | y | 12:40 | 10:40 |
+| <span translate="no">Trio</span> | y | 08:00 | 06:00 |
+| <span translate="no">xDrip4iOS</span> | n | 16:00 | 14:00 |
+
+
 ## Modify Automatic Building
 
 For someone using [development code](build-dev-browser.md) for their own use, they could decide to choose when to update their `fork` to the most recent commit. They can still have the advantage of automatic building without automatic updates; in other words, they want a new build added to TestFlight every month. There may be other configurations someone would choose. These options are available starting with Loop 3.3.0 (`dev` branch) and later.
diff --git a/docs/browser/other-apps.md b/docs/browser/other-apps.md
@@ -59,7 +59,7 @@ You will return to this page after reviewing (but not doing) this step [Configur
     * Do you have more than one Looper, so you are using LoopFollow_Second or LoopFollow_Third?
     * The 3 LoopFollow repositories enable you to customize the name shown on your phone
 
-    In your *GitHub* repository, find the file named: `LoopFollowDisplayNameConfig.xcconfig`
+    After you `fork` your *LoopFollow* repository, find the file named: `LoopFollowDisplayNameConfig.xcconfig`
 
     * Open it in your browser
     * Follow the directions to change `display_name`
@@ -79,7 +79,7 @@ The two repositories below are only if you need to follow a second or third loop
 
 * All `repositories` in your *GitHub* organization use the organization <code>Secrets and Variables</code>
 * If you have not already completed [Add <code>Secrets</code> to your *GitHub* Organization](#add-secrets-to-your-github-organization), do it now
-* Skip ahead to [Validate <code>Secrets</code>](#validate-secrets)
+* Skip ahead to [Add Identifiers](#add-identifiers)
 
 ### Using a Personal *GitHub* Account
 
@@ -112,10 +112,10 @@ Open the text file in which you maintain a copy of your 6 <code>Secrets</code> s
     ![dialog for entering a new secret](img/repeat-secret-dialog.png){width="500"}
     {align="center"}
 
-Once all six <code>Secrets</code> are added, proceed to the first Action to validate your secrets.
-
 Be sure to [Add Variable](prepare-fork.md#add-variable){: target="_blank" } to the repository as well as `Secrets` to enable automatic certificate creation.
 
+Once the <code>Secrets</code> and `Variable` are added, proceed to the first Action to validate your secrets.
+
 ## Validate <code>Secrets</code>
 
 The first action step is to Validate <code>Secrets</code>. Near the top middle of your Repository fork, click on the `Actions` tab.
@@ -151,6 +151,8 @@ The `Validate Secrets` &nbsp;<span class=notranslate>Action</span>&nbsp; should
 
 Near the top middle of your Repository fork, click on the "Actions" tab.
 
+* If this is the first `Action` you run with this repository you'll be informed that `Workflows aren't being run on this forked repository`
+    * Tap on the green button that says: `I understand my workflows, go ahead and enable them`
 * The graphic below is an example from Loop, your screen will show your app and associated repository
 
 Refer to the graphic below for the numbered steps:
diff --git a/docs/faqs/glossary.md b/docs/faqs/glossary.md
@@ -164,6 +164,8 @@ When Google Translate is selected:
 
 **<span translate="no">Nightscout</span>**&nbsp; (Nightscout): a personal website used to view your glucose and diabetes management data, `Loop` can upload to `Nightscout`
 
+**<span translate="no">nuke</span>**&nbsp; (nuke): clear signing credentials from your Match-Secrets repository
+
 **<span translate="no">Onboarding</span>**&nbsp; (Onboarding): familiarize new, and existing, Loop users with settings in Loop 3 and ensure the Therapy Settings are all entered and are within safety guardrails
 
 **<span translate="no">Omnipod</span>**&nbsp; (Omnipod): Insulet tubeless insulin pump; Loop supports Eros (with RileyLink) and DASH.  Eros is also known as Classic, UST400, and System.
diff --git a/includes/tooltip-list.txt b/includes/tooltip-list.txt
@@ -75,6 +75,7 @@
 *[MPC]: model predictive control; the type of control algorithm used by Loop
 *[NFC]: Near-Field Communication is used for scanning devices such as Libre sensors
 *[Nightscout]: a personal website used to view your glucose and diabetes management data, `Loop` can upload to `Nightscout`
+*[nuke]: clear signing credentials from your Match-Secrets repository
 *[Onboarding]: familiarize new, and existing, Loop users with settings in Loop 3 and ensure the Therapy Settings are all entered and are within safety guardrails
 *[Omnipod]: Insulet tubeless insulin pump; Loop supports Eros (with RileyLink) and DASH.  Eros is also known as Classic, UST400, and System.
 *[OrangeLink]: radio-frequency device Loop uses to control Eros pods (aka. Gen 3) and older Medtronic pumps
