fix: pass keychain and provisioning profile flags for CI signing

Author: ayangabryl

.github/workflows/release.yml

@@ -60,6 +60,7 @@ jobs:
         env:
           CODE_SIGN_IDENTITY: ${{ secrets.CODE_SIGN_IDENTITY }}
           TEAM_ID: ${{ secrets.TEAM_ID }}
+          KEYCHAIN_NAME: ${{ env.KEYCHAIN_NAME }}
         run: |
           chmod +x Scripts/build-dmg.sh
           ./Scripts/build-dmg.sh

Scripts/build-dmg.sh

@@ -52,6 +52,13 @@ if [[ "$SKIP_BUILD" == false ]]; then
     # Use Developer ID signing if available (CI), otherwise ad-hoc for local dev
     if [[ -n "${CODE_SIGN_IDENTITY:-}" && -n "${TEAM_ID:-}" ]]; then
         echo "🔐 Code signing with: ${CODE_SIGN_IDENTITY}"
+
+        # Determine keychain flags (CI uses a temporary keychain)
+        KEYCHAIN_FLAGS=""
+        if [[ -n "${KEYCHAIN_NAME:-}" ]]; then
+            KEYCHAIN_FLAGS="--keychain ${KEYCHAIN_NAME}"
+        fi
+
         xcodebuild \
             -scheme "$SCHEME" \
             -configuration "$CONFIG" \
@@ -61,7 +68,10 @@ if [[ "$SKIP_BUILD" == false ]]; then
             CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" \
             DEVELOPMENT_TEAM="${TEAM_ID}" \
             CODE_SIGN_STYLE="Manual" \
-            clean build 2>&1 | tail -3
+            PROVISIONING_PROFILE_SPECIFIER="" \
+            ENABLE_HARDENED_RUNTIME=YES \
+            OTHER_CODE_SIGN_FLAGS="${KEYCHAIN_FLAGS}" \
+            clean build
     else
         echo "⚠️  No signing identity — using ad-hoc signature (local dev)"
         xcodebuild \