Use disposable match keychain in CI

ios/fastlane/Fastfile

@@ -1,3 +1,5 @@
+require "fileutils"
+
 default_platform(:ios)
 
 APP_IDENTIFIER = "net.buzzert.sybil2"
@@ -25,6 +27,29 @@ def release_version
 end
 
 platform :ios do
+  private_lane :prepare_ci_keychain do
+    next unless ENV["CI"]
+
+    keychain_path = File.expand_path("../build/ci/sybil-signing.keychain", __dir__)
+    keychain_password = ENV["MATCH_KEYCHAIN_PASSWORD"].to_s
+    keychain_password = "sybil-ci-keychain-password" unless present?(keychain_password)
+
+    FileUtils.mkdir_p(File.dirname(keychain_path))
+
+    create_keychain(
+      path: keychain_path,
+      password: keychain_password,
+      default_keychain: false,
+      unlock: true,
+      timeout: 3600,
+      lock_after_timeout: false,
+      add_to_search_list: true
+    )
+
+    ENV["MATCH_KEYCHAIN_NAME"] = keychain_path
+    ENV["MATCH_KEYCHAIN_PASSWORD"] = keychain_password
+  end
+
   private_lane :app_store_api_key do
     app_store_connect_api_key(
       key_id: ENV.fetch("APP_STORE_CONNECT_KEY_ID"),
@@ -54,19 +79,21 @@ platform :ios do
       api_key: app_store_api_key
     }
     match_options[:git_url] = ENV.fetch("MATCH_GIT_URL")
+    match_options[:keychain_name] = ENV["MATCH_KEYCHAIN_NAME"] if present?(ENV["MATCH_KEYCHAIN_NAME"])
+    match_options[:keychain_password] = ENV["MATCH_KEYCHAIN_PASSWORD"] if present?(ENV["MATCH_KEYCHAIN_PASSWORD"])
 
     match(match_options)
   end
 
   desc "Create or update match signing assets"
   lane :setup_signing do
-    setup_ci
+    prepare_ci_keychain
     sync_match_signing(readonly: false)
   end
 
   desc "Build and upload to TestFlight"
   lane :beta do
-    setup_ci if ENV["CI"]
+    prepare_ci_keychain
 
     api_key = app_store_api_key