Merge pull request #533 from nimblehq/feature/#522-google-service-account-firebase

[#522] Replace Firebase Token with Google Service Account

Author: blyscuit

.github/project_workflows/deploy_production_firebase.yml

@@ -3,7 +3,7 @@ name: Deploy Production Build To Firebase
 # SECRETS needed:
 ### SSH_PRIVATE_KEY for Match Repo
 ### MATCH_PASS
-### FIREBASE_TOKEN
+### FIREBASE_GOOGLE_APPLICATION_CREDENTIALS_BASE64
 
 on:
   push:
@@ -50,6 +50,13 @@ jobs:
         touch .env
         echo $ENV | base64 --decode > .env
 
+    - name: Read Google Service Account
+      id: firebase_service_account
+      uses: timheuer/[email protected]
+      with:
+        fileName: 'firebase_service_account.json'
+        encodedString: ${{ secrets.FIREBASE_GOOGLE_APPLICATION_CREDENTIALS_BASE64 }}
+
     - name: Bundle install
       run: bundle install
 
@@ -80,7 +87,7 @@ jobs:
     - name: Build Production App and Distribute to Firebase
       run: bundle exec fastlane buildProductionAndUploadToFirebase
       env:
-        FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }}
+        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.firebase_service_account.outputs.filePath }}
 
     - name: Upload Artifacts
       uses: actions/upload-artifact@v3

.github/project_workflows/deploy_staging_firebase.yml

@@ -3,7 +3,7 @@ name: Deploy Staging Build To Firebase
 # SECRETS needed:
 ### SSH_PRIVATE_KEY for Match Repo
 ### MATCH_PASS
-### FIREBASE_TOKEN
+### FIREBASE_GOOGLE_APPLICATION_CREDENTIALS_BASE64
 
 on:
   push:
@@ -55,6 +55,13 @@ jobs:
         touch .env
         echo $ENV | base64 --decode > .env
 
+    - name: Read Google Service Account
+      id: firebase_service_account
+      uses: timheuer/[email protected]
+      with:
+        fileName: 'firebase_service_account.json'
+        encodedString: ${{ secrets.FIREBASE_GOOGLE_APPLICATION_CREDENTIALS_BASE64 }}
+
     - name: Bundle install
       # if: steps.bundleCache.outputs.cache-hit != 'true'
       run: bundle install
@@ -86,7 +93,7 @@ jobs:
     - name: Build App and Distribute to Firebase
       run: bundle exec fastlane buildStagingAndUploadToFirebase
       env:
-        FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }}
+        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.firebase_service_account.outputs.filePath }}
 
     - name: Upload Artifacts
       uses: actions/upload-artifact@v3

.github/wiki/CodeMagic.md

@@ -33,7 +33,7 @@ Out of the box, the CodeMagic Template has the following workflows and steps:
 | MATCH_PASSWORD              | The password is used to encrypt/decrypt the Match repository to store the distribution certificates and provisioning profiles. |
 | MATCH_SSH_KEY               | The SSH private key is used for cloning the Match repository that contains your distribution certificates and provisioning. |
 | KEYCHAIN_PASSWORD           | The password to access the keychain.                         |
-| FIREBASE_CLI_TOKEN          | [Firebase token](https://firebase.google.com/docs/cli#cli-ci-systems) for uploading build to Firebase Distributions and Analytics. |
+| FIREBASE_SERVICE_ACCOUNT    | [Google Service Firebase Account](https://firebase.google.com/docs/app-distribution/ios/distribute-fastlane#service-acc-fastlane) for uploading build to Firebase Distributions and Analytics. |
 | APPSTORE_CONNECT_API_KEY    | [App Store Connect API](https://docs.fastlane.tools/actions/app_store_connect_api_key/) for uploading build to TestFlight or App Store. It should be `base64` encoded. |
 | API_KEY_ID                  | The key identifier of your App Store Connect API key.        |
 | ISSUER_ID                   | The issuer of your App Store Connect API key.                |
@@ -57,4 +57,4 @@ ROOT
 ├──...
 ```
 
-4. Push changes to SCM.
+4. Push changes to SCM.

.github/wiki/Github-Actions.md

@@ -53,7 +53,7 @@ Make sure the following secrets are set up.
 |SSH_PRIVATE_KEY         |SSH key connected to a user with access to the match repo for check out the match repo.                                             |-   |✅              |✅                      |✅                                  |
 |MATCH_PASS              |Fastlane Match Passphrase for decrypting a match repository.                                                                        |-   |✅              |✅                      |✅                                  |
 |APPSTORE_CONNECT_API_KEY|App Store Connect API https://docs.fastlane.tools/actions/app_store_connect_api_key/ for uploading build to TestFlight or App Store. Should be `base64` encoded.|-   |-              |-                      |✅                                  |
-|FIREBASE_TOKEN          |Firebase token https://firebase.google.com/docs/cli#cli-ci-systems for uploading build to Firebase Distributions and Analytics.     |-   |✅              |✅                      |✅ For uploading dSYM to Crashlytics|
+|FIREBASE_GOOGLE_APPLICATION_CREDENTIALS_BASE64|Google Service Firebase Account https://firebase.google.com/docs/app-distribution/ios/distribute-fastlane#service-acc-fastlane for uploading build to Firebase Distributions and Analytics. Should be `base64` encoded.|-   |✅              |✅                      |✅ For uploading dSYM to Crashlytics|
 
 ## Installation
 
@@ -63,4 +63,4 @@ Make sure the following secrets are set up.
     - fastlane/Constants/Constants.rb
 3. Get APPSTORE_CONNECT_API_KEY base64 from AuthKey file (.p8) with `cat AuthKey_ABCDEFGH.p8 | base64`.
 4. Provide SECRETS noted in `yml` file in [Github Project's Setting](https://docs.github.com/en/actions/reference/encrypted-secrets)
-4. Push changes to Github
+4. Push changes to Github

.github/workflows/test_upload_build_to_firebase.yml

@@ -3,7 +3,7 @@ name: Test Upload Build to Firebase
 # SECRETS needed:
 ### SSH_PRIVATE_KEY for Match Repo
 ### MATCH_PASS
-### FIREBASE_TOKEN
+### FIREBASE_GOOGLE_APPLICATION_CREDENTIALS_BASE64
 ### STAGING_FIREBASE_APP_ID
 ### TEAM_ID
 
@@ -34,6 +34,13 @@ jobs:
         yarn global add firebase-tools
         echo "$(yarn global bin)" >> $GITHUB_PATH
 
+    - name: Read Google Service Account
+      id: firebase_service_account
+      uses: timheuer/[email protected]
+      with:
+        fileName: 'firebase_service_account.json'
+        encodedString: ${{ secrets.FIREBASE_GOOGLE_APPLICATION_CREDENTIALS_BASE64 }}
+
     - name: Bundle install
       run: bundle install
 
@@ -67,7 +74,7 @@ jobs:
     - name: Build App and Distribute to Firebase
       run: bundle exec fastlane buildStagingAndUploadToFirebase
       env:
-        FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }}
+        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.firebase_service_account.outputs.filePath }}
 
     - name: Upload Artifacts
       uses: actions/upload-artifact@v3

codemagic.yaml

@@ -7,6 +7,7 @@ workflows:
           - fastlane
         xcode: latest
         cocoapods: default
+        firebase_service_account: $FIREBASE_SERVICE_ACCOUNT
       cache:
         cache_paths:
           - $HOME/Library/Caches/CocoaPods
@@ -71,6 +72,7 @@ workflows:
           - fastlane
         xcode: latest
         cocoapods: default
+        firebase_service_account: $FIREBASE_SERVICE_ACCOUNT
       cache:
         cache_paths:
           - $HOME/Library/Caches/CocoaPods

fastlane/Constants/Secret.swift

@@ -11,8 +11,6 @@ enum Secret {
 
     static let keychainPassword = EnvironmentParser.string(key: "KEYCHAIN_PASSWORD")
 
-    static let firebaseCLIToken = EnvironmentParser.string(key: "FIREBASE_TOKEN")
-
     static let appstoreConnectAPIKey = EnvironmentParser.string(key: "APPSTORE_CONNECT_API_KEY")
 
     static let appStoreKeyIdKey = EnvironmentParser.string(key: "API_KEY_ID")

fastlane/Helpers/Distribution.swift

@@ -21,7 +21,6 @@ enum Distribution {
             app: .userDefined(environment.firebaseAppId),
             groups: .userDefined(groups),
             releaseNotes: .userDefined(releaseNotes),
-            firebaseCliToken: .userDefined(Secret.firebaseCLIToken),
             debug: .userDefined(true)
         )
     }