From 414fe27c0f40d1e7aff403270a55de2c6d806394 Mon Sep 17 00:00:00 2001
From: Gray Zhang <ghuiii.zhang@gmail.com>
Date: Tue, 23 Sep 2025 00:27:39 +0800
Subject: [PATCH] fix: improve base64 decoding robustness in release pipeline

- Added validation for all required environment variables
- Implemented multiple base64 decoding methods as fallback
- Added automatic whitespace/newline removal if needed
- Added file verification to ensure API key was properly created
- Better error messages for debugging

This handles potential issues with:
- Different base64 command flags (-d vs --decode)
- Whitespace or newline characters in the secret
- Empty or missing secrets
---
 .github/workflows/release.yml | 53 +++++++++++++++++++++++++++++++++--
 1 file changed, 50 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 25a9a1d..1906ab7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -122,14 +122,61 @@ jobs:
         APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
         APP_STORE_CONNECT_API_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_API_KEY_BASE64 }}
       run: |
+        # Debug: Check if environment variables are set
+        if [ -z "$APP_STORE_CONNECT_KEY_ID" ]; then
+          echo "ERROR: APP_STORE_CONNECT_KEY_ID is not set"
+          exit 1
+        fi
+        if [ -z "$APP_STORE_CONNECT_ISSUER_ID" ]; then
+          echo "ERROR: APP_STORE_CONNECT_ISSUER_ID is not set"
+          exit 1
+        fi
+        if [ -z "$APP_STORE_CONNECT_API_KEY_BASE64" ]; then
+          echo "ERROR: APP_STORE_CONNECT_API_KEY_BASE64 is not set"
+          exit 1
+        fi
+
+        # Create directory for API key
         mkdir -p ~/.appstoreconnect/private_keys
-        echo "$APP_STORE_CONNECT_API_KEY_BASE64" | base64 --decode > ~/.appstoreconnect/private_keys/AuthKey_${APP_STORE_CONNECT_KEY_ID}.p8
-        chmod 600 ~/.appstoreconnect/private_keys/AuthKey_${APP_STORE_CONNECT_KEY_ID}.p8
+
+        # Decode base64 with better error handling
+        # Try different approaches to handle potential formatting issues
+        KEY_PATH=~/.appstoreconnect/private_keys/AuthKey_${APP_STORE_CONNECT_KEY_ID}.p8
+
+        # Method 1: Direct echo and decode
+        if echo "$APP_STORE_CONNECT_API_KEY_BASE64" | base64 -d > "$KEY_PATH" 2>/dev/null; then
+          echo "✅ Successfully decoded API key using base64 -d"
+        # Method 2: Try with --decode flag (macOS)
+        elif echo "$APP_STORE_CONNECT_API_KEY_BASE64" | base64 --decode > "$KEY_PATH" 2>/dev/null; then
+          echo "✅ Successfully decoded API key using base64 --decode"
+        # Method 3: Remove potential whitespace/newlines and try again
+        elif echo "$APP_STORE_CONNECT_API_KEY_BASE64" | tr -d '\n\r ' | base64 -d > "$KEY_PATH" 2>/dev/null; then
+          echo "✅ Successfully decoded API key after removing whitespace"
+        else
+          echo "ERROR: Failed to decode APP_STORE_CONNECT_API_KEY_BASE64"
+          echo "Please ensure the secret is properly base64 encoded"
+          exit 1
+        fi
+
+        # Verify the file was created and has content
+        if [ ! -f "$KEY_PATH" ]; then
+          echo "ERROR: API key file was not created"
+          exit 1
+        fi
+
+        if [ ! -s "$KEY_PATH" ]; then
+          echo "ERROR: API key file is empty"
+          exit 1
+        fi
+
+        # Set proper permissions
+        chmod 600 "$KEY_PATH"
+        echo "✅ API key file created successfully at $KEY_PATH"
 
         # Set environment variables for Fastlane
         echo "APP_STORE_CONNECT_API_KEY_KEY_ID=$APP_STORE_CONNECT_KEY_ID" >> $GITHUB_ENV
         echo "APP_STORE_CONNECT_API_KEY_ISSUER_ID=$APP_STORE_CONNECT_ISSUER_ID" >> $GITHUB_ENV
-        echo "APP_STORE_CONNECT_API_KEY_KEY=~/.appstoreconnect/private_keys/AuthKey_${APP_STORE_CONNECT_KEY_ID}.p8" >> $GITHUB_ENV
+        echo "APP_STORE_CONNECT_API_KEY_KEY=$KEY_PATH" >> $GITHUB_ENV
 
     - name: Run Fastlane Match
       env: