fix(ios): cleanup CI keychain after workflow completion

pythoninthegrass · claude · pythoninthegrass · commit 4ecfd66b7952 · 2026-01-23T15:08:28.000-06:00
Add after_all and error hooks to delete the fastlane_ci keychain
when lanes complete or fail. Also add workflow-level cleanup step
with `if: always()` as a safety net. Prevents stale keychains from
prompting unrelated apps for access on self-hosted runners.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/build-ios-app.yml b/.github/workflows/build-ios-app.yml
@@ -97,3 +97,11 @@ jobs:
           APP_STORE_CONNECT_API_KEY_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_KEY_ID }}
           APP_STORE_CONNECT_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ISSUER_ID }}
           APP_STORE_CONNECT_API_KEY_KEY: ${{ secrets.APP_STORE_CONNECT_API_KEY_KEY }}
+
+      - name: Cleanup CI keychain
+        if: always()
+        run: |
+          KEYCHAIN_PATH="$HOME/Library/Keychains/fastlane_ci-db"
+          if [ -f "$KEYCHAIN_PATH" ]; then
+            security delete-keychain "$KEYCHAIN_PATH" || true
+          fi
diff --git a/fastlane/Fastfile b/fastlane/Fastfile
@@ -158,6 +158,16 @@ def cleanup_ci_keychain
 end
 
 platform :ios do
+  # Cleanup CI keychain after successful lane completion
+  after_all do |lane|
+    cleanup_ci_keychain
+  end
+
+  # Cleanup CI keychain on error to prevent stale keychains
+  error do |lane, exception|
+    cleanup_ci_keychain
+  end
+
   desc "Sync code signing certificates"
   lane :certificates do
     configure_minio
