I have a GitHub action that runs fastlane to build and deploy releases to TestFlight in a CI pipeline. I use an App Store Connect API Key to authenticate non-interactively.
Apple's docs explicitly say:

    Important: Keep your API keys secure and private. You should never share your keys, store keys in a code repository, or include keys in client-side code.
but every example I see just passes the .p8 file to the app_store_connect_api_key() command either as a plain-text file checked into source control (via the key_filepath argument):

    lane :release do
      app_store_connect_api_key(
        key_id: "D383SF739",
        issuer_id: "6053b7fe-68a8-4acb-89be-165aa6465141",
        key_filepath: "./AuthKey_D383SF739.p8"
      )
      pilot
    end
or as the plaintext key itself (via the key argument):

    lane :release do
      app_store_connect_api_key(
        key_id: "D383SF739",
        issuer_id: "6053b7fe-68a8-4acb-89be-165aa6465141",
        "key": "-----BEGIN PRIVATE KEY-----\nMIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHknlhdlYdLu\n-----END PRIVATE KEY-----"
      )
      pilot
    end
Is there a more secure way to store it and still use it in a CI pipeline?
You can store the values you want to keep private as environment variables. As far as I know, all CI/CD services allow setting environment variables. You can use ENV['XYZ'] to access any environment variable in your Fastfile.

See more information: https://docs.fastlane.tools/best-practices/continuous-integration/github/
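To make the environment-variable approach concrete, here is an added example (not code from the question, the answer, or fastlane itself) that builds the options for app_store_connect_api_key from CI secrets, so the .p8 never enters the repository. It assumes three secrets named ASC_KEY_ID, ASC_ISSUER_ID and ASC_KEY_B64 (the .p8 file base64-encoded before it is pasted into the CI secret store); those variable names are this example's own convention, while key_content and is_key_content_base64 are real fastlane options.

```ruby
# Added example, not part of the original question or answer.
# Env var names ASC_KEY_ID / ASC_ISSUER_ID / ASC_KEY_B64 are an assumption.
require "base64"
require "openssl"

# Returns a hash that can be splatted into app_store_connect_api_key(**opts).
# `env` may be ENV or a plain Hash (handy for testing without real secrets).
def asc_api_key_options(env = ENV)
  key_id    = env.fetch("ASC_KEY_ID")    { raise "ASC_KEY_ID is not set" }
  issuer_id = env.fetch("ASC_ISSUER_ID") { raise "ASC_ISSUER_ID is not set" }
  key_b64   = env.fetch("ASC_KEY_B64")   { raise "ASC_KEY_B64 is not set" }

  # strict_decode64 rejects embedded whitespace or truncated input, which
  # catches a secret that was pasted into the CI UI incorrectly.
  pem = Base64.strict_decode64(key_b64.strip)

  # Parse the key locally before handing it to fastlane: a damaged secret
  # fails here with a clear message instead of as an opaque 401 from Apple.
  key = OpenSSL::PKey.read(pem)
  raise "ASC key is not an EC key (Apple issues ES256 keys)" unless key.is_a?(OpenSSL::PKey::EC)
  raise "ASC key has no private component" unless key.private_key?

  {
    key_id: key_id,
    issuer_id: issuer_id,
    key_content: pem,               # already decoded above, so pass raw PEM
    is_key_content_base64: false
  }
end

# In the Fastfile the lane from the question then reduces to:
#   lane :release do
#     app_store_connect_api_key(**asc_api_key_options)
#     pilot
#   end
```

Never echo the decoded key in the lane; CI providers mask the secret as stored (the base64 form), not the decoded PEM.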