ios: avoid system default keychain writes

ios: set ci keychain in default domain
ios: sign with disposable login keychain
2026-06-25 22:16:24 -07:00 · 2026-06-25 22:14:25 -07:00 · 2026-06-25 22:12:17 -07:00
2 changed files with 9 additions and 5 deletions
--- a/.gitea/workflows/testflight-release.yml
+++ b/.gitea/workflows/testflight-release.yml
@@ -91,7 +91,7 @@ jobs:
          developer_dir="$(xcode-select -p)"
          signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
          mkdir -p "${HOME}/Library/Keychains"
-          keychain_name="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain"
+          keychain_name="${HOME}/Library/Keychains/login.keychain"
          certificate_path="${signing_dir}/appstore-signing.p12"
          wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
          profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
@@ -143,8 +143,10 @@ jobs:
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_name}"
          if [[ "${#base_keychains[@]}" -gt 0 ]]; then
            security list-keychains -d user -s "${keychain_name}" "${base_keychains[@]}"
            security list-keychains -s "${keychain_name}" "${base_keychains[@]}"
          else
            security list-keychains -d user -s "${keychain_name}"
            security list-keychains -s "${keychain_name}"
          fi
          security default-keychain -d user -s "${keychain_name}"
          keychain_path="$(security list-keychains -d user | sed 's/[ "]//g' | head -n 1)"
@@ -181,6 +183,7 @@ jobs:
          security unlock-keychain -p "${SYBIL_SIGNING_KEYCHAIN_PASSWORD}" "${SYBIL_SIGNING_KEYCHAIN_PATH}"
          security list-keychains -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains -d user | sed 's/[ "]//g')
          security default-keychain -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}"
          security list-keychains -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains | sed 's/[ "]//g')
          security find-identity -v -p codesigning "${SYBIL_SIGNING_KEYCHAIN_PATH}"
          security find-identity -v -p codesigning
--- a/ios/fastlane/CI.md
+++ b/ios/fastlane/CI.md
@@ -13,14 +13,15 @@ git tag release/v1.10.0
 git push origin release/v1.10.0
 ```
-The release job runs on the `xcode` runner label, imports the signing p12 into
+The release job runs on the `xcode` runner label, creates the runner user's
-a temporary per-user keychain, makes that keychain the user default for the
+login keychain from Gitea secrets, makes that keychain the user default for the
 duration of the job, installs the App Store provisioning profile in both the
 legacy MobileDevice directory and the Xcode UserData directory used by newer
 Xcode releases, builds and uploads the app with fastlane, then creates or
 updates the matching Gitea release with the generated IPA as an asset. The job
-restores the previous user default keychain and deletes the temporary signing
+restores the previous user default keychain and deletes the user login keychain
-keychain and installed profiles in an `always()` cleanup step.
+and installed profiles in an `always()` cleanup step. No signing material is
 installed into the system keychain.
 Required repository secrets:
Author	SHA1	Message	Date
James Magahern	de7b448bc5	ios: avoid system default keychain writes Some checks failed TestFlight Release / testflight (push) Failing after 16s Details	2026-06-25 22:16:24 -07:00
James Magahern	3c7fc51fdb	ios: set ci keychain in default domain Some checks failed TestFlight Release / testflight (push) Failing after 10s Details	2026-06-25 22:14:25 -07:00
James Magahern	0062f37b9f	ios: sign with disposable login keychain Some checks failed TestFlight Release / testflight (push) Failing after 17s Details	2026-06-25 22:12:17 -07:00