fix(release): extract .app from archive directly, skip -exportArchive

katipally · Copilot · katipally · commit 724715bb64ed · 2026-05-23T14:12:02.000-07:00
exportArchive with signingStyle=automatic requires cloud signing admin
role to download a Developer ID profile — our API key (App Manager) does
not have that permission. The archive .app is already built; extract it
directly from Products/Applications/ and let the manual re-sign step
apply the Developer ID certificate. Also use Release.entitlements for
production re-sign (aps-environment=production).

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -137,23 +137,28 @@ jobs:
             MARKETING_VERSION="${{ env.VERSION }}" \
             CURRENT_PROJECT_VERSION="${{ env.BUILD }}"
 
-      - name: Export Archive (Developer ID)
+      - name: Extract app from archive
         run: |
-          xcodebuild \
-            -exportArchive \
-            -archivePath build/DoomCoder.xcarchive \
-            -exportPath build/export \
-            -exportOptionsPlist scripts/ExportOptions.plist \
-            -allowProvisioningUpdates \
-            -authenticationKeyPath "${{ steps.write-asc-key.outputs.key_path }}" \
-            -authenticationKeyID "${{ steps.write-asc-key.outputs.key_id }}" \
-            -authenticationKeyIssuerID "${{ steps.write-asc-key.outputs.issuer_id }}"
+          # Skip xcodebuild -exportArchive — it requires downloading a
+          # Developer ID provisioning profile via cloud signing (needs Admin
+          # role). The archive already contains the built .app; we extract it
+          # directly and the re-sign step will apply the correct Developer ID.
+          mkdir -p build/export
+          APP_IN_ARCHIVE="build/DoomCoder.xcarchive/Products/Applications/DoomCoder.app"
+          if [ ! -d "$APP_IN_ARCHIVE" ]; then
+            echo "::error::App not found in archive at $APP_IN_ARCHIVE"
+            ls -laR build/DoomCoder.xcarchive/Products/ || true
+            exit 1
+          fi
+          cp -R "$APP_IN_ARCHIVE" build/export/DoomCoder.app
+          echo "✅ Extracted DoomCoder.app from archive"
+          echo "   Size: $(du -sh build/export/DoomCoder.app | cut -f1)"
 
       - name: Re-sign all embedded code (inside-out)
         run: |
           APP="build/export/DoomCoder.app"
           IDENTITY="Developer ID Application"
-          ENTS="DoomCoder/DoomCoder.entitlements"
+          ENTS="DoomCoder/DoomCoder.Release.entitlements"
 
           # Fail loudly if the app wasn't exported where we expect
           if [ ! -d "$APP" ]; then
