From 0062f37b9ff67433a2cb94bf6b0b48238ca83139 Mon Sep 17 00:00:00 2001
From: James Magahern
Date: Thu, 25 Jun 2026 22:12:17 -0700
Subject: [PATCH] ios: sign with disposable login keychain
---
 .gitea/workflows/testflight-release.yml | 2 +-
 ios/fastlane/CI.md | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/.gitea/workflows/testflight-release.yml b/.gitea/workflows/testflight-release.yml
index 2370891..742d253 100644
--- a/.gitea/workflows/testflight-release.yml
+++ b/.gitea/workflows/testflight-release.yml
@@ -91,7 +91,7 @@ jobs:
 developer_dir="$(xcode-select -p)"
 signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
 mkdir -p "${HOME}/Library/Keychains"
- keychain_name="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain"
+ keychain_name="${HOME}/Library/Keychains/login.keychain"
 certificate_path="${signing_dir}/appstore-signing.p12"
 wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
 profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
diff --git a/ios/fastlane/CI.md b/ios/fastlane/CI.md
index a147561..33004c4 100644
--- a/ios/fastlane/CI.md
+++ b/ios/fastlane/CI.md
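Review bot: The new `keychain_name` is a fixed path shared by every job that runs as this runner user, so the per-run uniqueness the removed `${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}` suffix provided is gone: two jobs scheduled on the same runner would now create, unlock and, per the cleanup described in the CI.md hunk, delete the same `login.keychain` out from under each other, and a pre-existing login keychain holding the runner user's other credentials would be replaced or destroyed. Unless the runner is guaranteed single-job and freshly provisioned, guard the assignment with `[ -e "${keychain_name}" ] || [ -e "${keychain_name}-db" ] && { echo "refusing to replace existing login keychain ${keychain_name}" >&2; exit 1; }` and record that single-job assumption in a comment next to the variable. Since macOS 10.12 the file on disk is normally `login.keychain-db` and `security` resolves the `.keychain` spelling to it, so any existence check or cleanup should cover both names. The lines that consume `keychain_name` (creation, default-keychain switch, cleanup) are outside this hunk, so I cannot confirm how they behave when the file already exists.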
@@ -13,14 +13,15 @@
 git tag release/v1.10.0
 git push origin release/v1.10.0
 ```
-The release job runs on the `xcode` runner label, imports the signing p12 into
-a temporary per-user keychain, makes that keychain the user default for the
+The release job runs on the `xcode` runner label, creates the runner user's
+login keychain from Gitea secrets, makes that keychain the user default for the
 duration of the job, installs the App Store provisioning profile in both the
 legacy MobileDevice directory and the Xcode UserData directory used by newer
 Xcode releases, builds and uploads the app with fastlane, then creates or
 updates the matching Gitea release with the generated IPA as an asset. The job
-restores the previous user default keychain and deletes the temporary signing
-keychain and installed profiles in an `always()` cleanup step.
+restores the previous user default keychain and deletes the user login keychain
+and installed profiles in an `always()` cleanup step. No signing material is
+installed into the system keychain.
 Required repository secrets: