Create CI login keychain when missing

ios/fastlane/Fastfile

@@ -1,3 +1,4 @@
+require "fileutils"
 require "shellwords"
 
 default_platform(:ios)
@@ -8,6 +9,10 @@ TEAM_ID = "DQQH5H6GBD"
 PROFILE_NAME = "Sybil AppStore CI"
 SIGNING_IDENTITY_NAME = "Apple Distribution: James Magahern (DQQH5H6GBD)"
 SIGNING_IDENTITY_SHA1 = "6B74B268C4761720FB2051D01D8BB3E47B55D9F5"
+CI_KEYCHAIN_DIR = "/private/var/lib/act_runner/Library/Keychains"
+CI_LOGIN_KEYCHAIN = File.join(CI_KEYCHAIN_DIR, "login.keychain")
+CI_LOGIN_KEYCHAIN_DB = "#{CI_LOGIN_KEYCHAIN}-db"
+CI_KEYCHAIN_PASSWORD = "sybil-ci-keychain-password"
 MATCH_BRANCH = "master"
 IOS_ROOT = File.expand_path("..", __dir__)
 PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
@@ -32,7 +37,7 @@ def release_version
 end
 
 def ci_login_keychain_path
-  return "/private/var/lib/act_runner/Library/Keychains/login.keychain-db" if ENV["CI"]
+  return CI_LOGIN_KEYCHAIN_DB if ENV["CI"]
 
   candidates = [
     "/private/var/lib/act_runner/Library/Keychains/login.keychain-db",
@@ -61,8 +66,16 @@ platform :ios do
   private_lane :prepare_ci_keychain do
     next unless ENV["CI"]
 
+    FileUtils.mkdir_p(CI_KEYCHAIN_DIR)
+    unless File.file?(CI_LOGIN_KEYCHAIN_DB)
+      sh("security create-keychain -p #{CI_KEYCHAIN_PASSWORD.shellescape} #{CI_LOGIN_KEYCHAIN.shellescape}", log: false)
+    end
+
     ENV["MATCH_KEYCHAIN_NAME"] = ci_login_keychain_path
-    ENV.delete("MATCH_KEYCHAIN_PASSWORD")
+    ENV["MATCH_KEYCHAIN_PASSWORD"] = CI_KEYCHAIN_PASSWORD
+    sh("security unlock-keychain -p #{CI_KEYCHAIN_PASSWORD.shellescape} #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
+    sh("security set-keychain-settings -t 3600 #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
+    sh("security login-keychain -s #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
     sh("security list-keychains -d user -s #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
     cleanup_ci_signing_identity
   end