Switch iOS CI to automatic code signing with App Store Connect API key

Replaced manual provisioning profile with an App Store Connect API key for CI, enabling Xcode to manage profiles via `-allowProvisioningUpdates` and simplifying the process by removing manual profile rotation. Local builds remain compatible with automatic signing.

Author: anhappdev

.github/workflows/ios-build-test-macos.yml

@@ -67,19 +67,18 @@ jobs:
           path: /tmp/bazel_cache
           key: ${{ runner.os }}-bazel_cache-${{ hashFiles('**/BUILD', '**/WORKSPACE') }}
           restore-keys: ${{ runner.os }}-bazel_cache-
-      - name: Install the Apple certificate and provisioning profile
+      - name: Install the Apple certificate and API key
         env:
           IOS_BUILD_CERTIFICATE_BASE64: ${{ secrets.IOS_BUILD_CERTIFICATE_BASE64 }}
           IOS_BUILD_CERTIFICATE_PASSWORD: ${{ secrets.IOS_BUILD_CERTIFICATE_PASSWORD }}
-          IOS_BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.IOS_BUILD_PROVISION_PROFILE_BASE64 }}
           IOS_KEYCHAIN_PASSWORD: ${{ secrets.IOS_KEYCHAIN_PASSWORD }}
+          APP_STORE_CONNECT_API_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_API_KEY_BASE64 }}
         run: |
           CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
-          PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision
           KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
 
           echo -n "$IOS_BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
-          echo -n "$IOS_BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
+          echo -n "$APP_STORE_CONNECT_API_KEY_BASE64" | base64 --decode -o $RUNNER_TEMP/AuthKey.p8
 
           security create-keychain -p "$IOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
           security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
@@ -88,9 +87,6 @@ jobs:
           security import $CERTIFICATE_PATH -P "$IOS_BUILD_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
           security set-key-partition-list -S apple-tool:,apple: -k "$IOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
           security list-keychain -d user -s $KEYCHAIN_PATH
-
-          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
-          cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
       - name: Build iOS app
         env:
           BAZEL_OUTPUT_ROOT_ARG: "--output_user_root=/tmp/bazel_output"
@@ -103,6 +99,9 @@ jobs:
       - name: Build iOS test package
         env:
           DEVELOPMENT_TEAM: ${{ secrets.APPLE_DEVELOPMENT_TEAM }}
+          APP_STORE_CONNECT_API_KEY_PATH: ${{ runner.temp }}/AuthKey.p8
+          APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
+          APP_STORE_CONNECT_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ISSUER_ID }}
         run: |
           make flutter/ios/test-package
       - name: Upload test package artifact
@@ -112,11 +111,11 @@ jobs:
           path: output/ios-test-package/*.zip
           retention-days: 28
           if-no-files-found: error
-      - name: Clean up keychain and provisioning profile
+      - name: Clean up keychain and API key
         if: ${{ always() }}
         run: |
           security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
-          rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision
+          rm -f $RUNNER_TEMP/AuthKey.p8
 
   test-ios-browserstack:
     name: ${{ matrix.backend }}-${{ matrix.device }}

docs/browserstack-testing.md

@@ -67,9 +67,11 @@ make flutter/ios/test-package
 This produces `output/ios-test-package/ios_tests.zip` containing the
 `Release-iphoneos/` directory and `*.xctestrun` file.
 
-**Note:** `build-for-testing` requires code signing. By default it uses
-`CODE_SIGN_IDENTITY="Apple Development"` and the team configured in the
-Xcode project. Override via environment variables if needed:
+**Note:** `build-for-testing` requires code signing. The build uses automatic
+signing with `-allowProvisioningUpdates`. Locally, Xcode resolves profiles
+using your Apple account. In CI, an App Store Connect API key is passed via
+`-authenticationKeyPath` so Xcode can download profiles automatically.
+Override the team via environment variables if needed:
 
 ```bash
 DEVELOPMENT_TEAM=XXXXXXXXXX make flutter/ios/test-package

docs/github-workflows-setup/ios-browserstack-workflow-setup.md

@@ -35,11 +35,13 @@ for a detailed walkthrough.
 
 | Secret | Where to get it                                                                                                                                                                                                                                                                       |
 |---|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `IOS_BUILD_CERTIFICATE_BASE64` | Export a Development certificate (.p12) from Keychain Access or Xcode app, then base64-encode it: `base64 -i build_certificate.p12 \| pbcopy`                                                                                                                                         |
-| `IOS_BUILD_CERTIFICATE_PASSWORD` | The password you set when exporting the .p12 certificate.                                                                                                                                                                                                                             |
-| `IOS_BUILD_PROVISION_PROFILE_BASE64` | Download the provisioning profile (.mobileprovision) from [Apple Developer > Profiles](https://developer.apple.com/account/resources/profiles/list). It must include the app's bundle ID (`com.mlcommons.inference`). Base64-encode it: `base64 -i profile.mobileprovision \| pbcopy` |
-| `IOS_KEYCHAIN_PASSWORD` | Any random password for the temporary CI keychain. Generate one with: `openssl rand -base64 32`                                                                                                                                                                                       |
-| `APPLE_DEVELOPMENT_TEAM` | Your 10-character Apple Team ID. Find it at [Apple Developer > Membership details](https://developer.apple.com/account#MembershipDetailsCard) or in Xcode under **Signing & Capabilities**.                                                                                           |
+| `IOS_BUILD_CERTIFICATE_BASE64` | Export a Development certificate (.p12) from Keychain Access or Xcode app, then base64-encode it: `base64 -i build_certificate.p12 \| pbcopy` |
+| `IOS_BUILD_CERTIFICATE_PASSWORD` | The password you set when exporting the .p12 certificate. |
+| `IOS_KEYCHAIN_PASSWORD` | Any random password for the temporary CI keychain. Generate one with: `openssl rand -base64 32` |
+| `APPLE_DEVELOPMENT_TEAM` | Your 10-character Apple Team ID. Find it at [Apple Developer > Membership details](https://developer.apple.com/account#MembershipDetailsCard) or in Xcode under **Signing & Capabilities**. |
+| `APP_STORE_CONNECT_API_KEY_BASE64` | Base64-encoded App Store Connect API key (.p8 file). See steps below. |
+| `APP_STORE_CONNECT_API_KEY_ID` | The Key ID shown in App Store Connect when creating the API key. |
+| `APP_STORE_CONNECT_API_KEY_ISSUER_ID` | The Issuer ID from [App Store Connect > Users and Access > Integrations > App Store Connect API](https://appstoreconnect.apple.com/access/integrations/api). |
 
 ### Firebase
 
@@ -64,7 +66,7 @@ under **Project Settings > General > Your apps > iOS app**.
 |---|---|
 | `FLUTTER_BUILD_NUMBER_OFFSET` | Optional offset added to `GITHUB_RUN_NUMBER` to compute the build number. Set this if you need to align build numbers across workflows. Default: `0`. |
 
-## Step-by-step: Creating the Apple certificate and provisioning profile
+## Step-by-step: Creating the Apple certificate and API key
 
 ### 1. Create a certificate signing request (CSR)
 
@@ -88,19 +90,20 @@ under **Project Settings > General > Your apps > iOS app**.
   ```
 - Save the base64 string as `IOS_BUILD_CERTIFICATE_BASE64` and the password as `IOS_BUILD_CERTIFICATE_PASSWORD`
 
-### 4. Create a provisioning profile
+### 4. Create an App Store Connect API key
 
-- Go to [Apple Developer > Profiles](https://developer.apple.com/account/resources/profiles/list)
-- Click **+**, select **iOS App Development**
-- Select the App ID matching `com.mlcommons.inference`
-- Select the certificate created in step 2
-- Select the devices to test on (or select all)
-- Download the `.mobileprovision` file
-- Base64-encode it:
+- Go to [App Store Connect > Users and Access > Integrations > App Store Connect API](https://appstoreconnect.apple.com/access/integrations/api)
+- Click **+** to generate a new key
+- Give it a name (e.g. `CI Signing`) and select the **Developer** role
+- Download the `.p8` file (you can only download it once)
+- Note the **Key ID** and **Issuer ID** shown on the page
+- Base64-encode the key:
   ```bash
-  base64 -i profile.mobileprovision | pbcopy
+  base64 -i AuthKey_XXXXXXXXXX.p8 | pbcopy
   ```
-- Save as `IOS_BUILD_PROVISION_PROFILE_BASE64`
+- Save the base64 string as `APP_STORE_CONNECT_API_KEY_BASE64`
+- Save the Key ID as `APP_STORE_CONNECT_API_KEY_ID`
+- Save the Issuer ID as `APP_STORE_CONNECT_API_KEY_ISSUER_ID`
 
 ### 5. Set the keychain password
 

flutter/ios/ios.mk

@@ -67,8 +67,10 @@ flutter/ios/test-package/build:
 		-config Flutter/Release.xcconfig \
 		-derivedDataPath ../build/ios_integration \
 		-sdk iphoneos \
+		-allowProvisioningUpdates \
 		CODE_SIGN_IDENTITY="$${CODE_SIGN_IDENTITY:-Apple Development}" \
 		$$(if [ -n "$${DEVELOPMENT_TEAM}" ]; then echo "DEVELOPMENT_TEAM=$${DEVELOPMENT_TEAM}"; fi) \
+		$$(if [ -n "$${APP_STORE_CONNECT_API_KEY_PATH}" ]; then echo "-authenticationKeyPath $${APP_STORE_CONNECT_API_KEY_PATH} -authenticationKeyID $${APP_STORE_CONNECT_API_KEY_ID} -authenticationKeyIssuerID $${APP_STORE_CONNECT_API_KEY_ISSUER_ID}"; fi) \
 		build-for-testing
 
 FLUTTER_IOS_TEST_PACKAGE?=ios_tests-${FLUTTER_BUILD_NUMBER}.zip