ios: grant ci key access to xcode tools

.gitea/workflows/testflight-release.yml

@@ -85,6 +85,8 @@ jobs:
 
           keychain_password="$(uuidgen)"
           keychain_path="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db"
+          previous_default_keychain="$(security default-keychain -d user | sed 's/[ "]//g' || true)"
+          developer_dir="$(xcode-select -p)"
           mkdir -p "${HOME}/Library/Keychains" "${HOME}/Library/MobileDevice/Provisioning Profiles" ios/build/secrets
 
           printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > ios/build/secrets/appstore-signing.p12
@@ -95,6 +97,7 @@ jobs:
           security set-keychain-settings -lut 21600 "${keychain_path}"
           security unlock-keychain -p "${keychain_password}" "${keychain_path}"
           security list-keychains -d user -s "${keychain_path}" $(security list-keychains -d user | sed 's/[ "]//g')
+          security default-keychain -d user -s "${keychain_path}"
           security import ios/build/secrets/AppleWWDRCAG3.cer \
             -k "${keychain_path}" \
             -T /usr/bin/codesign \
@@ -103,14 +106,18 @@ jobs:
           security import ios/build/secrets/appstore-signing.p12 \
             -k "${keychain_path}" \
             -P "${APPSTORE_CERTIFICATES_PASSWORD}" \
+            -A \
             -T /usr/bin/codesign \
             -T /usr/bin/security \
-            -T /usr/bin/xcodebuild
+            -T /usr/bin/xcodebuild \
+            -T "${developer_dir}/usr/bin/xcodebuild" \
+            -T "${developer_dir}/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign"
           security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
           security find-identity -v -p codesigning "${keychain_path}"
           {
             echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
             echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
+            echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
           } >> "${GITHUB_ENV}"
 
       - name: Build and upload to TestFlight
@@ -129,6 +136,7 @@ jobs:
 
           security unlock-keychain -p "${SYBIL_SIGNING_KEYCHAIN_PASSWORD}" "${SYBIL_SIGNING_KEYCHAIN_PATH}"
           security list-keychains -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains -d user | sed 's/[ "]//g')
+          security default-keychain -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}"
           security find-identity -v -p codesigning "${SYBIL_SIGNING_KEYCHAIN_PATH}"
 
           SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta
@@ -220,4 +228,7 @@ jobs:
       - name: Clean up temporary keychain
         if: always()
         run: |
+          if [[ -n "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN:-}" ]]; then
+            security default-keychain -d user -s "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN}" || true
+          fi
           security delete-keychain "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db" || true

ios/fastlane/CI.md

@@ -14,10 +14,12 @@ git push origin release/v1.10.0
 ```
 
 The release job runs on the `xcode` runner label, imports the signing p12 into
-a temporary keychain, installs the App Store provisioning profile, builds and
+a temporary per-user keychain, makes that keychain the user default for the
+duration of the job, installs the App Store provisioning profile, builds and
 uploads the app with fastlane, then creates or updates the matching Gitea
-release with the generated IPA as an asset. The job deletes the temporary
+release with the generated IPA as an asset. The job restores the previous user
-signing keychain in an `always()` cleanup step.
+default keychain and deletes the temporary signing keychain in an `always()`
+cleanup step.
 
 Required repository secrets:
 

ios/fastlane/Fastfile

@@ -55,6 +55,26 @@ def app_project_settings
   YAML.safe_load(File.read(APP_SPEC)).fetch("targets").fetch(TARGET).fetch("settings").fetch("base")
 end
 
+def apply_release_signing_settings
+  require "xcodeproj"
+
+  project = Xcodeproj::Project.open(PROJECT_FILE)
+  target = project.targets.find { |candidate| candidate.name == TARGET }
+  UI.user_error!("Could not find target #{TARGET} in #{PROJECT_FILE}") unless target
+
+  target.build_configurations.each do |configuration|
+    next unless configuration.name == "Release"
+
+    settings = configuration.build_settings
+    settings["CODE_SIGN_STYLE"] = "Manual"
+    settings["DEVELOPMENT_TEAM"] = TEAM_ID
+    settings["PROVISIONING_PROFILE_SPECIFIER"] = PROFILE_SPECIFIER
+    settings["CODE_SIGN_IDENTITY"] = XCODE_CODE_SIGN_IDENTITY
+    settings["CODE_SIGN_IDENTITY[sdk=iphoneos*]"] = XCODE_CODE_SIGN_IDENTITY
+  end
+  project.save
+end
+
 def local_marketing_version
   app_project_settings.fetch("MARKETING_VERSION").to_s
 end
@@ -404,6 +424,7 @@ platform :ios do
     UI.user_error!("Build number must be a positive integer") unless build_number.match?(/\A[1-9]\d*\z/)
 
     sh("xcodegen --spec #{PROJECT_SPEC.shellescape}")
+    apply_release_signing_settings
 
     xcode_args = [
       xcode_build_setting("MARKETING_VERSION", version),