iOSΞϓϦ։ൃͰGitHub Actionsͷ self-hosted runnerΛ࢖͏ YORIFUJI MITSUNORI potatotips #82

ࣗݾ঺հ • ໊લ • YORIFUJI MITSUNORI • Twitter/GitHub/Zenn @yorifuji • ܦྺ • SIerͰγεςϜΤϯδχΞ -> ࡢ೥4݄͔ΒFOLIOͰiOSΤϯδχΞʢ2೥໨ʣ • Swift, FlutterΞϓϦ։ൃ • ࠷ۙڵຯͷ͋Δ͜ͱ • CI/CD

About GitHub Actions • GitHubʹ౷߹͞ΕͨCIػೳɺGitHubΛར༻͍ͯ͠Ε͹௚͙ʹར༻Ͱ͖Δ • ଞࣾ੡ͷCI/CDαʔϏεͷαΠϯΞοϓ΍GitHub࿈ܞͳͲ͕ෆཁ • GitHub্Ͱൃੜ͢ΔΠϕϯτΛτϦΨʔʹϫʔΫϑϩʔʢδϣϒʣΛ࣮ߦͰ͖Δ • ϑΝΠϧͷมߋʢίʔυͷϓογϡʣɺϒϥϯνɺTagɺͳͲͷGitͷΠϕϯτ • Issueͷ࡞੒ɺPRͷApproveɺϦϙδτϦΛforkͨ͠ɺͳͲͷGitHubͷΠϕϯτ

Work fl ow name: sample workflow run-name: Hello GitHub Actions on: [push] jobs: job1: runs-on: macos-latest steps: - run: uname -a - run: echo Hello, job1 job2: runs-on: ubuntu-latest steps: - run: uname -a - run: echo Hello, job2 δϣϒͷ಺༰Λهड़ͨ͠YAMLϑΝΠϧ ΛϦϙδτϦͷ .github/work fl ows ϑΥϧμʹ௥Ճ͢Δ

GitHub-hosted runner • GitHub͕ఏڙ͢ΔϫʔΫϑϩʔͷ࣮ߦ؀ڥʢVMʣ • Windows, Linux, macOS • ϫʔΫϑϩʔͰLabelΛ࢖ͬͯࢦఆ͢Δ • ͦͷ౎౓ΫϦʔϯͳ؀ڥׂ͕Γ౰ͯΒΕΔ • Xcode΍Android SDKͳͲͷ୅දతͳ։ൃπʔϧ͕ΠϯετʔϧࡁΈ runs-on: macos-latest

GitHub-hosted runnerͷߏ੒ • https://github.com/actions/runner-images Ͱެ։͞Ε͍ͯΔ

https://github.com/actions/runner-images/blob/main/images/macos/macos-13-Readme.md (2023.6.18࣌఺)

Example .github/work fl ows/sample.yml

Example .github/work fl ows/sample.yml

ྉۚ • ύϒϦοΫϦϙδτϦͰͷར༻͸ແྉʂ • ϓϥΠϕʔτϦϙδτϦ • GitHub-hosted runnerͷར༻࣌ؒͱετϨʔδʹରͯ͠՝ۚ • ແྉ࿮͋Γ

GitHub Actions(GitHub-hosted runnerʣͷᙱ͍ͱ͜Ζ • macOSΠϯελϯεͷεϖοΫ • 3-Core Intel mac • Xcodeͷߋ৽ʹλΠϜϥά͕͋Δ • Xcode14.3.1͕࠷৽ɺXcode15.0(beta)͸·ͩ࢖͑ͳ͍ʢ6.18࣌఺ʣ • PR͕Approve͞Ε͍ͯΔͷͰ΋͏௚͙࢖͑ͦ͏ʢʁʣ • https://github.com/actions/runner-images/pull/7707 • ഑෍༻ূ໌ॻɺProvisioning Pro fi leͳͲͷѻ͍ʹҰख͔͔ؒΔ • GitHub ActionsʹϑΝΠϧΞοϓϩʔμʔ͸ఏڙ͞Ε͍ͯͳ͍ • ϓϥΠϕʔτϦϙδτϦͰͷ՝ۚ

About self-hosted runner • self-hosted runner=ॴ༗͍ͯ͠ΔϚγϯͰϫʔΫϑϩʔ࣮ߦ͢ΔγεςϜɾϗετ • ϩʔΧϧϚγϯͰϫʔΫϑϩʔΛ࣮ߦ͢ΔͨΊͷrunnerʢagentʣ͕ఏڙ͞Ε͍ͯΔ • ಛ௃ • ೚ҙͷϚγϯΛϫʔΫϑϩʔͷ࣮ߦʹར༻Ͱ͖Δ • ։ൃπʔϧ΋ඞཁʹԠͯࣗ͡༝ʹΠϯετʔϧͰ͖Δ • ϓϥΠϕʔτϦϙδτϦͰͷϫʔΫϑϩʔͷ࣮ߦ࣌ؒʹର͢Δྉ͕ۚൃੜ͠ͳ͍ • ੍໿ • Ϛγϯͷ؅ཧɾӡ༻ίετʢOSͷΞοϓσʔτ΍ιϑτ΢ΣΞͳͲʣ͸ࣗ෼΋ͪ • VMͷػೳ͸ఏڙ͞Ε͍ͯͳ͍ͷͰΰϛ͕࢒ͬͨΓ͢Δ • GitHub-hosted runnerͱself-hosted runnerͷ࢓༷ࠩҟ΁ͷରԠ -

Setup self-hostd runner name: self hosted sample workflow run-name: Hello self-hosted runner on: [push] jobs: job1: runs-on: self-hosted steps: - run: uname -a - run: echo Hello, job1 • CIαʔόʔ༻ͷϚγϯΛ༻ҙ͢Δ • iOS։ൃͳΒmacOS୺຤͕ඞཁ • ։ൃπʔϧΛΠϯετʔϧ • XcodeͳͲ • self-hosted runnerΛΠϯετʔϧ • ϫʔΫϑϩʔͰself-hosted runnerΛࢦఆ

CIαʔόͷϚγϯΛ༻ҙ͢Δ🤔

💸

GitHub-hostedͱself-hostedͷϫʔΫϑϩʔڞ௨Խ • GitHub-hostedͱself-hostedͷϫʔΫϑϩʔͷେ෦෼͸ڞ௨ • VariablesΛ࢖࣮ͬͯߦ؀ڥΛ੾Γସ͑Δ • ϦϙδτϦʹରͯ͠ϫʔΫϑϩʔ͔ΒࢀরͰ͖Δม਺ΛઃఆͰ͖Δ • ύϒϦοΫϦϙδτϦͳΒGitHub-hostedΛɺϓϥΠϕʔτ͸self-hostedΛ࢖͏

Xcodeόʔδϣϯͷ੾Γସ͑ • Xcodeͷόʔδϣϯͷ੾Γସ͑͸ϫʔΫϑϩʔͰ env: Λఆٛͯ͠DEVELOPER_DIR؀ڥม ਺Λઃఆ͢Δ • export DEVELOPER_DIR=/Applications/Xcode... ͱಉ͡ޮՌΛൃش • VariablesʹόʔδϣϯΛఆٛ͢Δͱ੾Γସ͕͑؆୯

iOSϏϧυͷূ໌ॻ؅ཧ • ipaͷϏϧυ͸഑෍༻ূ໌ॻʢApple DistributionʣͱProvisioning Pro fi le͕ඞཁ • ূ໌ॻ؅ཧύλʔϯ • ϗετϚγϯʹ௚઀ΠϯετʔϧʢKeychainʹొ࿥ʣ • self-hosted runnerͰͷར༻&ಛఆͷTeamͷॺ໊ͷΈͰ͋Ε͹બ୒Մೳͳํ๏ • GitHub Actions͕ఏڙ͢ΔSecretsʢKey-Value storeʣΛ࢖ͬͯϦϙδτϦʹొ࿥ • ϑΝΠϧΛbase64Ͱencodeͯ͠ొ࿥ -> ࣮ߦ࣌ʹdecodeͯ͠ϑΝΠϧʹॻ͖ग़͢ • Cloud signingʢApp Store Connect APIʣ

Cloud signing(App Store Connect API) • Xcode13 Ҏ߱Ͱར༻ՄೳͳɺAppleͷαʔόʔ্Ͱipaʹॺ໊͢Δػೳ • https://developer.apple.com/videos/play/wwdc2021/10204/ • XcodeͰ͸AppleIDΛར༻ɺCI؀ڥʢxcodebuildʣͰ͸App Store Connect APIͷೝূ৘ใ͕ඞཁ • ϝϦοτ • ഑৴ূ໌ॻʢApple Distributionʣ΍Provisioning Pro fi leͷ࡞੒ɾ഑ஔ͕ෆཁ • App Store Connect APIͷೝূ৘ใ͸ແظݶͷͨΊߋ৽ͷඞཁ͕ͳ͍ • σϝϦοτ • App Store Connect APIͷೝূ৘ใΛAdminݖݶͰ෷͍ग़͢ඞཁ͕͋Δ

Cloud signingͷར༻खॱ • ϓϩδΣΫτϑΝΠϧͷAutomatically manage signing͕༗ޮͰ͋Δ͜ͱ

Cloud signingͷར༻खॱ • App Store ConnectͰAPIΩʔΛ෷͍ग़͢ • Issue ID • Key ID • .p8ϑΝΠϧ

ExportOptions.plist ... method app-store signingStyle automatic destination export teamID {͝ར༻ͷTeamID} ... 9DPEF͔Β"SDIJWFΛ࣮ߦͨ͠ޙʹ0SHBOJ[FSͷ%JTUSJCVUF"QQͰ&YQPSUͯ͠ੜ੒

xcodebuild with Cloud signing xcodebuild archive CODE_SIGNING_ALLOWED=NO ... xcodebuild -exportArchive ... \ -exportOptionsPlist ./ExportOptions.plist \ -allowProvisioningUpdates \ -authenticationKeyIssuerID $ISSUER_ID \ -authenticationKeyID $KEY_ID \ -authenticationKeyPath `pwd`/private_keys/AuthKey_$KEY_ID.p8 • xcodebuild archiveʹCODE_SIGNING_ALLOWED=NOΛ෇༩͢Δ͜ͱͰarchiveͰͷॺ໊ΛແޮԽ͢Δ • xcodebuild -exportArchiveʹCloud signingʹඞཁͳύϥϝʔλΛࢦఆ͢Δ

xcodebuild with Cloud signing(for Flutter iOS) flutter build ios --no-codesign xcodebuild archive CODE_SIGNING_ALLOWED=NO ... xcodebuild -exportArchive ... \ -exportOptionsPlist ./ExportOptions.plist \ -allowProvisioningUpdates \ -authenticationKeyIssuerID $APPLE_API_ISSUER_ID \ -authenticationKeyID $APPLE_API_KEY_ID \ -authenticationKeyPath `pwd`/private_keys/AuthKey_$APPLE_API_KEY_ID.p8 • fl utter build ios --no-codesign Ҏ֎͸ڞ௨ • fl utter build ipa ʹ͸ରԠ͍ͯ͠ͳ͍໛༷

self-hosted runnerͰͷCacheͷར༻ • ϫʔΫϑϩʔߴ଎ԽʢCIΛૣ͘ऴΘΒͤΔʣͷͨΊʹதؒੜ੒෺΍ ύοέʔδϚωʔδϟͷґଘؔ܎͸Cacheͷར༻͕ਪ঑͞Ε͍ͯΔ • CocoaPods, Pub.devͳͲͷϩʔΧϧΩϟογϡͯ͠ॲཧΛεΩοϓ • ඪ४ͷΩϟογϡػೳʢCache actionʣΛ࢖͏ͱGitHub͕ఏڙ͢Δ ΩϟογϡαʔόΛ֤ϦϙδτϦ࠷େ10GB·Ͱར༻Ͱ͖Δ

self-hosted runnerͰCache͕஗͍ • GitHub-hosted runner • Cacheͷupload/download͕଎͍ʢover 1Gbpsʣ • 1GBఔ౓ͷΩϟογϡͰ͋Ε͹10ඵ΄ͲͰల։Ͱ͖Δ • self-hosted runner • ΊͪΌͪ͘Ό஗͍ʢ20Mbpsఔ౓ʣ • CacheΛ࢖Θͳ͍࣌ΑΓ΋஗͘ͳΔ😰

self-hosted runnerͰΩϟογϡ͕஗͍ͷ͸ͳ͔ͥ • GitHub ActionsͷΠϯϑϥͷ࣮ଶ͸Azure PipelinesʢͱݴΘΕ͍ͯΔʣ • GitHub-hosted runnerͷϩέʔγϣϯ • ʮmacOS ΠϝʔδΛ࣮ߦ͢ΔΤʔδΣϯτ͸ɺ3 ίΞͷ CPUɺ14 GB ͷ RAMɺ14 GB ͷ SSD σΟ εΫྖҬΛඋ͑ͨ Mac Pro ʹϓϩϏδϣχϯά͞Ε·͢ɻ ͜ΕΒͷΤʔδΣϯτ͸ɺAzure DevOps ૊৫ͷ৔ॴʹؔ܎ͳ͘ɺৗʹถࠃͰ࣮ߦ͞Ε·͢ɻʯʢAzure PipelineΑΓʣ • GitHubͷΩϟογϡαʔόʢΞϝϦΧʣͱࣗ୐ʢ೔ຊʣͷself-hostedϚγϯؒͷ௨৴͕஗͍ͨΊʢͨͿ Μʣ • GitHub-hosted runnerͰͷΩϟογϡ͕ര଎ͳͷ͸ར༻͍ͯ͠ΔΩϟογϡαʔόʢAzure Blob Storageʣ͕෺ཧతʹ͍ۙϩέʔγϣϯʹ͋Δ͔Β

ηΩϡϦςΟ • ηΩϡϦςΟେࣄ • https://docs.github.com/ja/actions/security-guides/security-hardening-for- github-actions • self-hosted runner͸ύϒϦοΫϦϙδτϦͰ͸࢖Θͳ͍ • https://docs.github.com/ja/actions/hosting-your-own-runners/managing-self- hosted-runners/about-self-hosted-runners#self-hosted-runner-security • ٕज़هࣄͳͲ΋ࢀߟʹͳΓ·͢ • https://engineering.mercari.com/blog/entry/20230609-github-actions-guideline/

GitHub-hosted runner vs self-hosted runner • ΄ͱΜͲͷϢʔεέʔεͰ͸GitHub-hosted runner͕ద͍ͯ͠Δ • ඞཁͳ࣌ʹ͙͢ʹ࢖͑ͯೖ໳͔Β࣮ӡ༻·ͰΧόʔ • ϗετ؀ڥͷӡ༻ɾ؅ཧίετ͕͔͔Βͳ͍ • ύϒϦοΫϦϙδτϦ͸ແྉ • Self-hosted runnerͷ࢖͍ॴ • GitHub hostedͰ͸ఏڙ͞Εͳ͍؀ڥΛ࢖͍͍ͨ

͋Γ͕ͱ͏͍͟͝·ͨ͠