Install archive provisioning profile for release CI

Author: offyotto

.github/workflows/release.yml

@@ -72,7 +72,30 @@ jobs:
           security list-keychains -d user -s "${KEYCHAIN_PATH}" $(security list-keychains -d user | tr -d '"')
           security set-key-partition-list -S apple-tool:,apple: -s -k "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
 
-      - name: Install WeatherKit provisioning profile
+      - name: Install archive provisioning profile
+        env:
+          ARCHIVE_PROVISIONING_PROFILE_BASE64: ${{ secrets.ARCHIVE_PROVISIONING_PROFILE_BASE64 }}
+        run: |
+          if [[ -z "${ARCHIVE_PROVISIONING_PROFILE_BASE64}" ]]; then
+            echo "Missing signing secret. Configure ARCHIVE_PROVISIONING_PROFILE_BASE64." >&2
+            exit 1
+          fi
+
+          PROFILE_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
+          PROFILE_PATH="$RUNNER_TEMP/core-monitor-archive.provisionprofile"
+          PROFILE_PLIST="$RUNNER_TEMP/core-monitor-archive.plist"
+
+          mkdir -p "${PROFILE_DIR}"
+          echo -n "${ARCHIVE_PROVISIONING_PROFILE_BASE64}" | base64 -D > "${PROFILE_PATH}"
+          security cms -D -i "${PROFILE_PATH}" > "${PROFILE_PLIST}"
+
+          PROFILE_UUID=$(/usr/libexec/PlistBuddy -c "Print UUID" "${PROFILE_PLIST}")
+          PROFILE_NAME=$(/usr/libexec/PlistBuddy -c "Print Name" "${PROFILE_PLIST}")
+
+          cp "${PROFILE_PATH}" "${PROFILE_DIR}/${PROFILE_UUID}.provisionprofile"
+          echo "ARCHIVE_PROVISIONING_PROFILE_SPECIFIER=${PROFILE_NAME}" >> "${GITHUB_ENV}"
+
+      - name: Install direct distribution provisioning profile
         env:
           WEATHERKIT_PROVISIONING_PROFILE_BASE64: ${{ secrets.WEATHERKIT_PROVISIONING_PROFILE_BASE64 }}
         run: |

RELEASING.md

@@ -20,6 +20,7 @@ The release workflow expects these repository or organization secrets:
 - `BUILD_CERTIFICATE_BASE64`: base64-encoded Developer ID Application `.p12`
 - `P12_PASSWORD`: password for the `.p12`
 - `KEYCHAIN_PASSWORD`: temporary keychain password used on the runner
+- `ARCHIVE_PROVISIONING_PROFILE_BASE64`: base64-encoded `Mac Team Provisioning Profile: CoreTools.Core-Monitor` for the archive step
 - `WEATHERKIT_PROVISIONING_PROFILE_BASE64`: base64-encoded `Mac Team Direct Provisioning Profile: CoreTools.Core-Monitor`
 - `APPLE_TEAM_ID`: Apple Developer team id when using Apple ID notarization
 - For notarization, configure one of these:
@@ -71,10 +72,9 @@ Signed archive + zip:
 ./scripts/release/build_release.sh
 ```
 
-`build_release.sh` forces a manual `Developer ID Application` signing identity for the archive step so the release path does not depend on whichever automatic-signing identity Xcode happens to prefer locally.
-`build_release.sh` now archives with automatic signing and then performs a `developer-id` export so the release artifact keeps the WeatherKit entitlement while still shipping as a Developer ID app.
+`build_release.sh` now archives with automatic signing against the WeatherKit-enabled development profile installed on the machine, then performs a `developer-id` export so the release artifact keeps the WeatherKit entitlement while still shipping as a Developer ID app.
 
-The repository's `Release` configuration now uses the WeatherKit entitlement. The direct-download path therefore depends on the direct-distribution provisioning profile secret listed above.
+The repository's `Release` configuration now uses the WeatherKit entitlement. The direct-download path therefore depends on both provisioning profile secrets listed above: the development profile for the archive phase and the direct-distribution profile for the export phase.
 
 Notarize and staple the app: