fix(release): drop CODE_SIGN_IDENTITY from archive, add API key to export

katipally · Copilot · katipally · commit 4daf1c5b4037 · 2026-05-23T14:09:17.000-07:00
Automatic + explicit CODE_SIGN_IDENTITY=Developer ID Application is an
invalid combo — Xcode rejects it. Let allowProvisioningUpdates handle
the archive cert; export step (developer-id, signingStyle=automatic)
and the manual re-sign step produce the final Developer ID binary.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -117,6 +117,11 @@ jobs:
 
       - name: Build Release Archive
         run: |
+          # Archive with Automatic signing + allowProvisioningUpdates.
+          # The API key lets Xcode auto-create/download the Mac Development
+          # provisioning profile for iCloud/App Groups entitlements.
+          # CODE_SIGN_IDENTITY is NOT overridden here — that conflicts with
+          # Automatic style. The export + re-sign steps apply Developer ID.
           xcodebuild \
             -project DoomCoder.xcodeproj \
             -scheme DoomCoder \
@@ -128,7 +133,6 @@ jobs:
             -authenticationKeyIssuerID "${{ steps.write-asc-key.outputs.issuer_id }}" \
             archive \
             CODE_SIGN_STYLE=Automatic \
-            CODE_SIGN_IDENTITY="Developer ID Application" \
             DEVELOPMENT_TEAM="${{ secrets.APPLE_TEAM_ID }}" \
             MARKETING_VERSION="${{ env.VERSION }}" \
             CURRENT_PROJECT_VERSION="${{ env.BUILD }}"
@@ -139,7 +143,11 @@ jobs:
             -exportArchive \
             -archivePath build/DoomCoder.xcarchive \
             -exportPath build/export \
-            -exportOptionsPlist scripts/ExportOptions.plist
+            -exportOptionsPlist scripts/ExportOptions.plist \
+            -allowProvisioningUpdates \
+            -authenticationKeyPath "${{ steps.write-asc-key.outputs.key_path }}" \
+            -authenticationKeyID "${{ steps.write-asc-key.outputs.key_id }}" \
+            -authenticationKeyIssuerID "${{ steps.write-asc-key.outputs.issuer_id }}"
 
       - name: Re-sign all embedded code (inside-out)
         run: |
