fix: use App Store Connect API key for iCloud provisioning in CI

Author: datlechin

.github/workflows/build.yml

@@ -106,10 +106,20 @@ jobs:
             --team-id "$APPLE_TEAM_ID" \
             --password "$NOTARY_PASSWORD"
 
+      - name: Install App Store Connect API key
+        env:
+          ASC_KEY_P8: ${{ secrets.ASC_KEY_P8 }}
+          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
+        run: |
+          mkdir -p ~/private_keys
+          echo "$ASC_KEY_P8" | base64 --decode > ~/private_keys/AuthKey_${ASC_KEY_ID}.p8
+
       - name: Build ARM64
         env:
           ANALYTICS_HMAC_SECRET: ${{ secrets.ANALYTICS_HMAC_SECRET }}
           NOTARIZE: "true"
+          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
+          ASC_ISSUER_ID: ${{ secrets.ASC_ISSUER_ID }}
         run: |
           chmod +x scripts/build-release.sh
           scripts/build-release.sh arm64
@@ -217,10 +227,20 @@ jobs:
             --team-id "$APPLE_TEAM_ID" \
             --password "$NOTARY_PASSWORD"
 
+      - name: Install App Store Connect API key
+        env:
+          ASC_KEY_P8: ${{ secrets.ASC_KEY_P8 }}
+          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
+        run: |
+          mkdir -p ~/private_keys
+          echo "$ASC_KEY_P8" | base64 --decode > ~/private_keys/AuthKey_${ASC_KEY_ID}.p8
+
       - name: Build x86_64
         env:
           ANALYTICS_HMAC_SECRET: ${{ secrets.ANALYTICS_HMAC_SECRET }}
           NOTARIZE: "true"
+          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
+          ASC_ISSUER_ID: ${{ secrets.ASC_ISSUER_ID }}
         run: |
           chmod +x scripts/build-release.sh
           scripts/build-release.sh x86_64

TablePro/TablePro.ci.entitlements

@@ -336,16 +336,6 @@ build_for_arch() {
     SPM_CACHE_DIR="${HOME}/.spm-cache"
     mkdir -p "$SPM_CACHE_DIR"
 
-    # Use CI entitlements (without iCloud) during build to avoid provisioning
-    # profile requirement. The app is re-signed with real entitlements after build.
-    local ci_entitlements="TablePro/TablePro.ci.entitlements"
-    local real_entitlements="TablePro/TablePro.entitlements"
-    if [ -f "$ci_entitlements" ]; then
-        echo "📋 Using CI entitlements (iCloud stripped for build)..."
-        cp "$real_entitlements" "$real_entitlements.bak"
-        cp "$ci_entitlements" "$real_entitlements"
-    fi
-
     # Build with xcodebuild
     echo "Running xcodebuild..."
     if ! xcodebuild \
@@ -355,9 +345,12 @@ build_for_arch() {
         -arch "$arch" \
         ONLY_ACTIVE_ARCH=YES \
         CODE_SIGN_IDENTITY="$SIGN_IDENTITY" \
-        CODE_SIGN_STYLE=Manual \
         DEVELOPMENT_TEAM="$TEAM_ID" \
         ${ANALYTICS_HMAC_SECRET:+ANALYTICS_HMAC_SECRET="$ANALYTICS_HMAC_SECRET"} \
+        -allowProvisioningUpdates \
+        ${ASC_KEY_ID:+-authenticationKeyID "$ASC_KEY_ID"} \
+        ${ASC_ISSUER_ID:+-authenticationKeyIssuerID "$ASC_ISSUER_ID"} \
+        ${ASC_KEY_ID:+-authenticationKeyPath "$HOME/private_keys/AuthKey_${ASC_KEY_ID}.p8"} \
         -skipPackagePluginValidation \
         -clonedSourcePackagesDirPath "$SPM_CACHE_DIR" \
         build 2>&1 | tee "build-${arch}.log"; then
@@ -367,11 +360,6 @@ build_for_arch() {
     fi
     echo "✅ Build succeeded for $arch"
 
-    # Restore real entitlements
-    if [ -f "$real_entitlements.bak" ]; then
-        mv "$real_entitlements.bak" "$real_entitlements"
-    fi
-
     # Get binary path with validation
     DERIVED_DATA=$(echo "$build_settings" | grep -m 1 "BUILD_DIR" | awk '{print $3}')
 
@@ -517,8 +505,8 @@ build_for_arch() {
         done
     fi
 
-    # Sign the app bundle last (with real entitlements including iCloud)
-    codesign -fs "$SIGN_IDENTITY" --force --options runtime --timestamp --entitlements "$real_entitlements" "$BUILD_DIR/$OUTPUT_NAME"
+    # Sign the app bundle last
+    codesign -fs "$SIGN_IDENTITY" --force --options runtime --timestamp --entitlements "TablePro/TablePro.entitlements" "$BUILD_DIR/$OUTPUT_NAME"
     echo "✅ Code signing complete"
 
     # Verify signature