Fix keychain deletion in multi-certificate workflows (Resubmit) #100

Merged: daveisfera merged 1 commit into Apple-Actions:main from FelixLisczyk:pl-78 on Jun 7, 2025

@FelixLisczyk
Contributor

This PR is a resubmission of #74 (see discussion).

Problem Description

When import-codesign-certs@v5 is used multiple times in the same workflow, the same keychain is deleted more than once during the post-job cleanup phase. This results in workflow failures, as the second deletion attempt leads to the following error:

security: SecKeychainDelete: The specified keychain could not be found.
Error: The process '/usr/bin/security' failed with exit code 50

This issue occurs when multiple certificates, such as development and distribution certificates, are imported in separate steps using the same keychain.

Changes Made

  • Added a check to only attempt keychain deletion if it was created by the current action instance.

Example Workflow

This PR fixes issues with workflows structured like:

- name: Import Development Certificate
  id: create_keychain
  uses: apple-actions/import-codesign-certs@v5
  with:
    p12-file-base64: ${{ inputs.p12-file-development }}
    p12-password: ${{ inputs.p12-file-development-password }}
- name: Import Distribution Certificate
  uses: apple-actions/import-codesign-certs@v5
  with:
    create-keychain: false
    keychain-password: "${{ steps.create_keychain.outputs.keychain-password }}"
    p12-file-base64: ${{ inputs.p12-file-distribution }}
    p12-password: ${{ inputs.p12-file-distribution-password }}

Notes

I know it's possible to import multiple certificates at once, as mentioned in the README.md. However, I prefer to keep the certificate files separate since they are also used in other locations.

Copilot AI review requested due to automatic review settings June 7, 2025 13:55

Copilot AI left a comment

Pull Request Overview

This PR fixes an issue in multi-certificate workflows where the same keychain is attempted to be deleted multiple times by adding a flag check before deletion.

  • Introduces a check using the 'create-keychain' input to conditionally delete the keychain.
  • Reorders some import statements for consistency.

Comments suppressed due to low confidence (1)

src/main.ts:67

  • Consider adding a brief comment or note in the documentation explaining the expected behavior of the 'create-keychain' input value, to clarify its role in the keychain deletion logic.
const didCreateKeychain: boolean = getInput('create-keychain') === 'true'
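
The cleanup behaviour discussed in this PR, as an added simulation that is not code from the PR or from the action's source. `FakeKeychains`, `runWorkflow`, the `getInput` stand-in, the keychain name, the `'true'` default for `create-keychain` and the reverse post-step order are assumptions made for illustration.

```typescript
// Simulation only: no real keychain or /usr/bin/security call is made.
type Step = { name: string; inputs: Record<string, string> };

// Constructed stand-in for the macOS keychain list.
class FakeKeychains {
  private present = new Set<string>();
  create(name: string): void { this.present.add(name); }
  has(name: string): boolean { return this.present.has(name); }
  // Mirrors the failure quoted in the PR: deleting a missing keychain is an error.
  delete(name: string): void {
    if (!this.present.delete(name)) {
      throw new Error("SecKeychainDelete: The specified keychain could not be found.");
    }
  }
}

// Assumption: 'create-keychain' defaults to 'true' when a step omits it,
// as the first step of the workflow in the PR description relies on.
function getInput(step: Step, key: string): string {
  return step.inputs[key] ?? (key === "create-keychain" ? "true" : "");
}

// Runs the main phases, then the post-job cleanup phases, and reports the outcome.
function runWorkflow(steps: Step[], guarded: boolean, keychain = "example.keychain") {
  const store = new FakeKeychains();
  for (const step of steps) {
    if (getInput(step, "create-keychain") === "true") store.create(keychain);
  }
  const errors: string[] = [];
  let deletions = 0;
  // Post phases run once per use of the action (reverse order assumed here).
  for (const step of [...steps].reverse()) {
    const didCreateKeychain: boolean = getInput(step, "create-keychain") === "true";
    if (guarded && !didCreateKeychain) continue; // the check this PR describes
    try { store.delete(keychain); deletions++; }
    catch (e) { errors.push(`${step.name}: ${(e as Error).message}`); }
  }
  return { errors, deletions, keychainLeftBehind: store.has(keychain) };
}

// Constructed steps matching the two imports in the example workflow.
const steps: Step[] = [
  { name: "Import Development Certificate", inputs: {} },
  { name: "Import Distribution Certificate", inputs: { "create-keychain": "false" } },
];
console.log(runWorkflow(steps, false)); // one cleanup fails on the second delete
console.log(runWorkflow(steps, true));  // exactly one deletion, no errors
```

In both runs the keychain holding the signing certificates is gone by the end of the job; the guard only removes the redundant second deletion that fails the workflow.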

@daveisfera daveisfera merged commit 65cfbc3 into Apple-Actions:main Jun 7, 2025
4 checks passed
@daveisfera
Collaborator

Thanks for working through this with me!
