- CI/CD Tech Stack
- CircleCI
- Configuring CircleCI
- Configuring Secrets
- Workflows
- Creating a new Release or Promotion
- GitHub Access
- Fastlane
- App Signing
We use CircleCI to run our CI/CD workflows. If you need access, message one of the devs. See CircleCI for project-specific information.
Important: Sign in to CircleCI using GitHub. Creating a normal CircleCI account does NOT work.
We use Fastlane to automate our build and release process for both android and ios. See Fastlane for project-specific information.
The upload key (android) and certificates and provisioning profiles (ios) necessary for app signing for the stores are stored in the app-signing repository.
For general information on CircleCI and its configuration, have a look at the general concepts and configuration reference.
All our CircleCI configuration is located in the .circleci directory. Workflows, jobs and commands are located in the according subdirectories and should be adjusted there. From these, the following script auto-generates the final config.yml: script:
./tools/circleci-update-configHint: The CircleCI command line tools are required to update the config.yml.
WARNING: Since the config.yml is autogenerated, DO NOT manually edit the config.yml or review it for PRs.
In order to pass secrets to CI steps or the app, e.g. API keys or signing secrets, CircleCI offers two possibilities:
- Environment variables in the project settings
- Contexts in the organization settings
While environment variables are project specific and are automatically available for all steps in the project, contexts are shared organization-wide and have to be added to steps manually ( see contexts).
As our secrets for delivery and app signing are organization-wide, they are configured in contexts.
WARNING: Make sure to update the secrets in passbolt as they are write-only in CircleCI!
Several workflows exist for different purposes:
| Workflow | Schedule/Trigger | Checks | Delivery | Version Bump |
|---|---|---|---|---|
| commit | commits of PRs | ✅ | ❌ | ❌ |
| commit_main | commits on main | ❌ | ❌ | ❌ |
| beta_delivery | script | ✅ | beta | ✅ |
| production_delivery | script | ✅ | production | ✅ |
| promotion | script | ❌ | promotion | ❌ |
Steps executed if Checks is checked ✅:
- Check CircleCI config (see #)
- Formatting (
dart format) - Analyzing and Linting (
flutter analyze)
Steps executed if Version Bump is checked ✅:
- Bump the version(s) in version.yaml
- Create separate tags and releases for android and ios on GitHub
- Add .apk, .aab and .ipa files to the release
To deliver a new release to beta or production or to promote an existing release from beta to production you can either run our trigger-pipeline script or trigger a pipeline directly in the CircleCI UI.
If you want to trigger a pipeline with our script
npx tsx trigger-pipeline trigger <workflow-name> --api-token <api-token> [--branch <branch>]WARNING: If you trigger a delivery pipeline from a feature branch, make sure to merge the version bump commit. Otherwise, the next delivery from another branch will fail as the version code must be incremented.
There are currently three different delivery workflows, beta_delivery, production_delivery and promotion.
Usually, the order would be as follows:
- Deliver new releases to beta (android: Open Testing, ios: Testflight) by triggering the
beta_deliveryworkflow - Testing the new releases
- Promoting the beta releases to production (ios: distribution) by triggering the
promotionworkflow
In special cases (e.g. for an urgent hotfix), releases can be directly delivered to production (ios: distribution) by
triggering the production_delivery workflow.
CircleCI is configured to use different methods to access GitHub.
- For normal read-only access to this repository, CircleCI automatically adds a deploy key during initial setup of CircleCI for the repo.
- For write access to this repository the VerdigadoBot GitHub app is used. It has to be installed in the repo. CircleCI has access to this app using its private key (set in contexts). The GitHub app is used for version bump commits and the creation of tags and releases.
- For read-only access to additional repos, the GitHub machine user
VerdigadoCIis used. CircleCI has access to this user through a user key. This is used to access the app-signing repository.
We use Fastlane for automating the build and deliver to the app stores. The lanes are configured platform-specific in the corresponding Fastfile for android and ios. The lanes can then be called in the CI (or locally using the command line).
To install Fastlane and run it locally, follow the steps in the docs.
Android and ios apps use differing methods for app signing. Necessary files are stored in the app signing repository and secrets are configured as CircleCI contexts.
WARNING: Make sure to update the secrets in passbolt as they are write-only in CircleCI!
Android apps have to be signed with an Upload Key before uploading the release to the Google Play Console as described here.
The upload key is stored in the app signing repository as java keystore (.jks) with additional gpg encryption. Signing the app with an upload key is only necessary for delivery to the Google Play Console. For development, a debug keystore is automatically used.
If necessary (e.g. due to loss of the key), a new upload key can be created and added to the Google Play Console manually.
For ios, certificates and provisioning profiles are managed using Fastlane match and stored in the corresponding directories in the app-signing repository. Additional information can be found in the app-signing repository README.
To install certificates and provisioning profiles locally (necessary for debugging on a real device) or to renew them once (they expire every 1-2 years), run the following command in the ios directory:
fastlane match appstorefastlane match developmentThe current certificates and provisioning profiles can be viewed in Appstoreconnect.