[CI/CD] Manage Sensitive Data

Muhammad Alfiansyah
Aug 1, 2024


One way to manage sensitive data, or secrets, is to not upload them to git. But then how do we build the app in the cloud when the secrets are not in the repository?

One way is to generate the .xcconfig file while the runner is running. So where do we store the secrets, and how do we create the .xcconfig file?

Where?

This is where we store our secrets: we can use GitHub Actions secrets.

How?

Then how do we create the .xcconfig while the runner is running? We can use a bash script: after we get the secrets from GitHub Actions secrets, we create the .xcconfig files with the script below. Name the file generate_xcconfig.sh.

#!/bin/bash

# Function to display usage
usage() {
    echo "Usage: $0 -key <debug_api_key> -base <debug_api_base_url> -img <debug_api_image_placeholder>"
    exit 1
}

# Parse command line arguments
while [[ "$#" -gt 0 ]]; do
    case $1 in
        -key) API_KEY="$2"; shift ;;
        -base) API_BASE_URL="$2"; shift ;;
        -img) API_IMAGE_PLACEHOLDER="$2"; shift ;;
        *) usage ;;
    esac
    shift
done

# Check if all parameters are provided
if [[ -z "$API_KEY" || -z "$API_BASE_URL" || -z "$API_IMAGE_PLACEHOLDER" ]]; then
    usage
fi

# Create and write to Debug.xcconfig
echo "Creating Debug.xcconfig..."
cat <<EOL > TheMovieDB/Config/Debug.xcconfig
API_KEY = $API_KEY
API_BASE_URL = $API_BASE_URL
API_IMAGE_PLACEHOLDER = $API_IMAGE_PLACEHOLDER
EOL

# Create and write to Release.xcconfig
echo "Creating Release.xcconfig..."
cat <<EOL > TheMovieDB/Config/Release.xcconfig
API_KEY = $API_KEY
API_BASE_URL = $API_BASE_URL
API_IMAGE_PLACEHOLDER = $API_IMAGE_PLACEHOLDER
EOL

echo "xcconfig files created successfully."

Then, in the GitHub workflow .yml, we add this:

- name: Make script executable
  run: |
    chmod +x scripts/generate_xcconfig.sh
- name: Set up environment
  env:
    API_KEY: ${{ secrets.API_KEY }}
    API_BASE_URL: ${{ secrets.API_BASE_URL }}
    API_IMAGE_PLACEHOLDER: ${{ secrets.API_IMAGE_PLACEHOLDER }}
  run: |
    ./scripts/generate_xcconfig.sh \
      -key "$API_KEY" \
      -base "$API_BASE_URL" \
      -img "$API_IMAGE_PLACEHOLDER"
- name: Verify xcconfig files
  run: |
    # Check that both files exist and are non-empty without printing
    # the secret values into the job log
    test -s TheMovieDB/Config/Debug.xcconfig
    test -s TheMovieDB/Config/Release.xcconfig
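
A stricter generator for the same three settings, as an added example that is not the author's script: it reads the values from the environment the workflow step already sets instead of from command-line arguments, refuses empty or multi-line values, and escapes `//`, which xcconfig would otherwise read as the start of a comment. The function names and the file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not the article's script. Variable names follow the article;
# function names and the file name in the usage comment are assumptions.
NL='
'
CR=$(printf '\r')

# Reject empty or multi-line values: a line break inside a secret would append
# an extra setting or #include line to the generated file. Only the variable
# name is reported, never the value.
check_value() {  # $1 = variable name, $2 = value
    if [ -z "$2" ]; then
        echo "error: $1 is empty or unset" >&2
        return 1
    fi
    case $2 in
        *"$NL"*|*"$CR"*)
            echo "error: $1 contains a line break" >&2
            return 1 ;;
    esac
}

# xcconfig treats // as the start of a comment, so "https://host" would be cut
# down to "https:". An empty $() between the slashes keeps the value intact.
xc_escape() {
    printf '%s' "$1" | sed -e ':a' -e 's|//|/$()/|' -e 'ta'
}

# Write the three settings to the path in $1, readable by the current user only.
write_xcconfig() {
    check_value API_KEY "${API_KEY-}" || return 1
    check_value API_BASE_URL "${API_BASE_URL-}" || return 1
    check_value API_IMAGE_PLACEHOLDER "${API_IMAGE_PLACEHOLDER-}" || return 1
    (
        umask 077
        mkdir -p "$(dirname "$1")" || exit 1
        {
            printf 'API_KEY = %s\n' "$(xc_escape "$API_KEY")"
            printf 'API_BASE_URL = %s\n' "$(xc_escape "$API_BASE_URL")"
            printf 'API_IMAGE_PLACEHOLDER = %s\n' "$(xc_escape "$API_IMAGE_PLACEHOLDER")"
        } > "$1"
    )
}

# Usage inside the workflow step that has the env: block (no secrets in argv):
#   . scripts/xcconfig_lib.sh && write_xcconfig TheMovieDB/Config/Debug.xcconfig
```
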

Actually, this is not the best solution, because the secret can still be recovered from the app through reverse engineering.

The best way is to not store sensitive data in the client app.

API_BASE_URL =
API_KEY =
API_IMAGE_PLACEHOLDER =
