CI/CD Integration
Ship OTA updates automatically on every push to your main branch. Your pipeline runs swiftpatch deploy, and users receive the update in minutes.
How It Works
Every release from CI appears in your dashboard with commit SHA, timestamp, and pipeline info.
Step 1: Create a CI Token
- Open your app in the dashboard
- Go to Settings > API Keys
- Click Create Token and name it (e.g., github-actions-prod)
- Copy the token immediately

The token is displayed once. If you lose it, revoke it and create a new one.
CI tokens are scoped to one app, do not expire unless revoked, and use the sp_ci_ prefix. The server stores only a SHA-256 hash.
Step 2: Add the Token to Your CI Provider
Store your token as a secret in your CI provider. Never hardcode it in your pipeline config.
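A guard for the rule above, as an added example that is not part of the SwiftPatch docs or CLI: a shell function for a pre-commit hook or an early CI step that flags token-shaped strings committed to the repository. The function name scan_for_ci_tokens and the token pattern (the documented sp_ci_ prefix followed by 16 or more characters from [A-Za-z0-9_-]) are assumptions; only the prefix comes from this page.

```bash
#!/usr/bin/env bash
# Added example (not SwiftPatch code): detect CI tokens that were hardcoded
# instead of being read from the CI provider's secret store.
# Assumption: a token is the documented "sp_ci_" prefix followed by 16 or more
# characters from [A-Za-z0-9_-]. The page documents only the prefix.
SP_TOKEN_RE='sp_ci_[A-Za-z0-9_-]{16,}'

# scan_for_ci_tokens [DIR]
# Prints "file:line" for every hit, never the token itself, so the scan
# output is safe to keep in build logs. Returns 1 on any hit, 0 when clean.
# References such as $SWIFTPATCH_CI_TOKEN or ${{ secrets.SWIFTPATCH_CI_TOKEN }}
# do not match the pattern and are not reported.
scan_for_ci_tokens() {
  local dir="${1:-.}" hits
  # -I skips binary files; .git and node_modules are skipped for speed.
  hits="$(grep -rnIE --exclude-dir=.git --exclude-dir=node_modules \
            -e "$SP_TOKEN_RE" -- "$dir" 2>/dev/null | cut -d: -f1,2)" || true
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}
```

Run `scan_for_ci_tokens .` before the deploy step and fail the job on a non-zero return. A token that was ever committed stays in history, so revoke it rather than only deleting the line.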
Step 3: Use the Token
Option A: Environment variable (recommended)
```bash
# The CLI reads $SWIFTPATCH_CI_TOKEN automatically
swiftpatch deploy -p ios --hermes
```
Option B: Explicit flag
```bash
swiftpatch deploy -p ios --hermes --ci-token "$SWIFTPATCH_CI_TOKEN_IOS"
```
Pipeline Examples
GitHub Actions
```yaml
name: OTA Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install dependencies
        run: npm ci
      - name: Install SwiftPatch CLI
        run: npm install -g @swiftpatch/cli
      - name: Deploy iOS
        run: |
          swiftpatch deploy \
            -p ios \
            --hermes \
            -n "Deploy from ${{ github.sha }}" \
            --ci-token "${{ secrets.SWIFTPATCH_CI_TOKEN }}"
      - name: Deploy Android
        run: |
          swiftpatch deploy \
            -p android \
            --hermes \
            -n "Deploy from ${{ github.sha }}" \
            --ci-token "${{ secrets.SWIFTPATCH_CI_TOKEN }}"
```
In your GitHub repo, go to Settings > Secrets and variables > Actions and add SWIFTPATCH_CI_TOKEN.
Add a paths filter to avoid deploying on README-only commits:
```yaml
on:
  push:
    branches: [main]
    paths:
      - 'src/**'
      - 'app/**'
      - 'package.json'
```
GitLab CI
```yaml
stages:
  - deploy

ota-deploy:
  stage: deploy
  image: node:20
  only:
    - main
  script:
    - npm ci
    - npm install -g @swiftpatch/cli
    - swiftpatch deploy -p ios --hermes -n "Deploy from $CI_COMMIT_SHORT_SHA" --ci-token "$SWIFTPATCH_CI_TOKEN"
    - swiftpatch deploy -p android --hermes -n "Deploy from $CI_COMMIT_SHORT_SHA" --ci-token "$SWIFTPATCH_CI_TOKEN"
```
In your GitLab project, go to Settings > CI/CD > Variables. Add SWIFTPATCH_CI_TOKEN with Mask variable and Protect variable enabled.
Bitrise
```bash
#!/bin/bash
set -euo pipefail
npm install -g @swiftpatch/cli
swiftpatch deploy -p ios --hermes \
  -n "Deploy from $BITRISE_GIT_COMMIT" \
  --ci-token "$SWIFTPATCH_CI_TOKEN"
swiftpatch deploy -p android --hermes \
  -n "Deploy from $BITRISE_GIT_COMMIT" \
  --ci-token "$SWIFTPATCH_CI_TOKEN"
```
In your Bitrise app, go to Workflow Editor > Secrets. Add SWIFTPATCH_CI_TOKEN. Disable Expose for Pull Requests.
Integrations
SwiftPatch provides native integrations with popular CI/CD platforms. Configure them from Settings > Integrations in the dashboard.

Staged Rollout from CI
Deploy paused, then control rollout from the dashboard:
```bash
swiftpatch deploy -p ios --hermes --paused --ci-token "$SWIFTPATCH_CI_TOKEN"
```
Increase rollout gradually (10% to 50% to 100%) from the dashboard. If crash rates spike, pause before it reaches all users.
Bundle Signing in CI
Step 1: Generate a key pair (one-time)
```bash
swiftpatch generate-key-pair -o ./keys
```
- keys/private.pem: store in CI secrets
- keys/public.pem: add to your mobile app's SDK config
Step 2: Use the private key in your pipeline
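```bash
# mktemp creates an unpredictable file readable only by the current user;
# the trap removes it even if the deploy fails.
KEY_FILE="$(mktemp)"
trap 'rm -f "$KEY_FILE"' EXIT
printf '%s\n' "$SWIFTPATCH_PRIVATE_KEY" > "$KEY_FILE"
swiftpatch deploy \
  -p ios \
  --hermes \
  --private-key "$KEY_FILE" \
  --ci-token "$SWIFTPATCH_CI_TOKEN"
```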
Never commit private keys to your repository. Store them only in your CI provider's secrets.
Environment Variables
| Variable | Description | Required |
|---|---|---|
| SWIFTPATCH_CI_TOKEN | CI token for authentication | Yes |
| SWIFTPATCH_PRIVATE_KEY | RSA private key (for signing) | No |
Security Best Practices
- Create one CI token per pipeline or environment
- Name tokens descriptively (e.g., github-actions-prod-ios)
- Rotate tokens quarterly
- Revoke tokens when team members leave
- Store tokens only in your CI provider's secrets
- Enable secret masking in build logs
- Restrict CI tokens to protected branches
- Disable secret exposure for PR builds
- Use separate tokens for separate apps
If a token is exposed, revoke it immediately from Settings > API Keys. Revoking is instant and does not affect existing releases.
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| authentication failed | Missing or invalid CI token | Verify SWIFTPATCH_CI_TOKEN in CI secrets |
| app not found | Token scoped to a different app | Create a new token for the correct app |
| version mismatch | --app-version differs from native binary | Match the version exactly |
| Update not appearing | Release is paused | Check rollout status in the dashboard |