ios: configure api-key TestFlight signing

ios/fastlane/CI.md

@@ -13,21 +13,40 @@ git tag release/v1.10.0
 git push origin release/v1.10.0
 ```
 
-The release job runs on the `xcode` runner label, imports the signing p12 with
-`Apple-Actions/import-codesign-certs`, builds and uploads the app with fastlane,
-then creates or updates the matching Gitea release with the generated IPA as an
-asset. The job deletes the temporary signing keychain in an `always()` cleanup
-step.
+The release job runs on the `xcode` runner label, imports the signing p12 into
+a temporary keychain, installs the App Store provisioning profile, builds and
+uploads the app with fastlane, then creates or updates the matching Gitea
+release with the generated IPA as an asset. The job deletes the temporary
+signing keychain in an `always()` cleanup step.
 
 Required repository secrets:
 
 ```text
+APP_STORE_CONNECT_API_KEY_ID
+APP_STORE_CONNECT_API_ISSUER_ID
+APP_STORE_CONNECT_API_KEY_CONTENT
 APPSTORE_CERTIFICATES_FILE_BASE64
 APPSTORE_CERTIFICATES_PASSWORD
-FASTLANE_USER
-FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD
+APPSTORE_PROVISIONING_PROFILE_BASE64
 ```
 
+Generate or refresh the signing assets locally with:
+
+```sh
+cd ios
+fastlane ios create_ci_signing
+```
+
+The generated `build/signing/ci-secrets.env` file is ignored by Git. Copy its
+certificate and provisioning profile values into the repository secrets listed
+above. The workflow uses the `Sybil AppStore CI` provisioning profile name by
+default.
+
+If `create_ci_signing` fails with an expired or missing agreement error, the
+Apple Developer Program account holder must accept the current agreements in
+App Store Connect before new certificates or provisioning profiles can be
+created through the API.
+
 The workflow uses Gitea's built-in `GITEA_TOKEN` for release creation and asset
 upload, with `contents: write` permissions. In Gitea this covers release asset
 publication.