Add iOS build workflow for pull requests with code signing support

.github/workflows/ios-build.yml

@@ -0,0 +1,157 @@
+name: iOS Build
+
+on:
+  pull_request:
+    branches: [ main, develop ]
+
+jobs:
+  build-ios:
+    runs-on: macos-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Setup Flutter
+      uses: subosito/flutter-action@v2
+      with:
+        flutter-version: '3.27.1'
+        channel: 'stable'
+
+    - name: Install dependencies
+      run: flutter pub get
+
+    - name: Setup iOS code signing
+      if: ${{ secrets.APPLE_CERTIFICATE_BASE64 != '' }}
+      env:
+        APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
+        APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+        APPLE_PROVISIONING_PROFILE_BASE64: ${{ secrets.APPLE_PROVISIONING_PROFILE_BASE64 }}
+        APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+      run: |
+        # Create temporary keychain
+        security create-keychain -p "" build.keychain
+        security set-keychain-settings -t 3600 -l build.keychain
+        security default-keychain -s build.keychain
+        security unlock-keychain -p "" build.keychain
+
+        # Import certificate
+        echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > certificate.p12
+        security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+
+        # Install provisioning profile
+        echo "$APPLE_PROVISIONING_PROFILE_BASE64" | base64 --decode > profile.mobileprovision
+        mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
+        cp profile.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles/
+
+        # Set code signing identity
+        security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
+
+        # Clean up sensitive files
+        rm certificate.p12 profile.mobileprovision
+
+    - name: Build iOS app (Signed)
+      if: ${{ secrets.APPLE_CERTIFICATE_BASE64 != '' }}
+      env:
+        APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+      run: |
+        flutter build ios
+
+    - name: Build iOS app (Unsigned)
+      if: ${{ secrets.APPLE_CERTIFICATE_BASE64 == '' }}
+      run: |
+        flutter build ios --no-codesign
+        echo "⚠️ Building unsigned IPA - Code signing secrets not configured"
+
+    - name: Create IPA
+      run: |
+        mkdir -p build/ios/ipa
+        cp -r build/ios/iphoneos/Runner.app build/ios/ipa/
+        cd build/ios/ipa
+        zip -r ../Runner.ipa Runner.app/
+
+    - name: Generate build report
+      run: |
+        echo "# 📱 iOS Build Report" > build_report.md
+        echo "" >> build_report.md
+        echo "## Build Information" >> build_report.md
+        echo "- **Date**: $(date)" >> build_report.md
+        echo "- **Flutter Version**: $(flutter --version | head -n 1)" >> build_report.md
+        echo "- **Build Mode**: Release" >> build_report.md
+
+        if [ -n "${{ secrets.APPLE_CERTIFICATE_BASE64 }}" ]; then
+          echo "- **Code Signing**: ✅ Signed with Apple Developer Certificate" >> build_report.md
+          echo "- **Team ID**: ${{ secrets.APPLE_TEAM_ID }}" >> build_report.md
+          echo "" >> build_report.md
+          echo "## 📲 Installing on Device" >> build_report.md
+          echo "" >> build_report.md
+          echo "### Option 1: Xcode" >> build_report.md
+          echo "1. Download the \`ios-ipa\` artifact from this workflow run" >> build_report.md
+          echo "2. Extract the \`Runner.ipa\` file" >> build_report.md
+          echo "3. Open Xcode and go to **Window → Devices and Simulators**" >> build_report.md
+          echo "4. Connect your iOS device via USB" >> build_report.md
+          echo "5. Select your device and click the **+** button" >> build_report.md
+          echo "6. Browse and select the \`Runner.ipa\` file" >> build_report.md
+          echo "7. The app will install on your device" >> build_report.md
+          echo "" >> build_report.md
+          echo "### Option 2: 3uTools or iTunes" >> build_report.md
+          echo "1. Download the \`ios-ipa\` artifact" >> build_report.md
+          echo "2. Extract the \`Runner.ipa\` file" >> build_report.md
+          echo "3. Use 3uTools or iTunes to install the IPA file on your device" >> build_report.md
+          echo "" >> build_report.md
+          echo "### Option 3: TestFlight (if configured)" >> build_report.md
+          echo "- Upload the IPA to App Store Connect for TestFlight distribution" >> build_report.md
+          echo "- Share the TestFlight link with testers" >> build_report.md
+        else
+          echo "- **Code Signing**: ⚠️ Unsigned (Development/Testing only)" >> build_report.md
+          echo "" >> build_report.md
+          echo "## ⚠️ Unsigned Build Notice" >> build_report.md
+          echo "" >> build_report.md
+          echo "This is an **unsigned build** that can only be used for development purposes." >> build_report.md
+          echo "To install on devices, you need to configure code signing secrets." >> build_report.md
+          echo "" >> build_report.md
+          echo "### Required Secrets for Code Signing:" >> build_report.md
+          echo "- \`APPLE_CERTIFICATE_BASE64\`: Base64-encoded P12 certificate" >> build_report.md
+          echo "- \`APPLE_CERTIFICATE_PASSWORD\`: Password for the P12 certificate" >> build_report.md
+          echo "- \`APPLE_PROVISIONING_PROFILE_BASE64\`: Base64-encoded provisioning profile" >> build_report.md
+          echo "- \`APPLE_TEAM_ID\`: Apple Developer Team ID (10-character string)" >> build_report.md
+          echo "" >> build_report.md
+          echo "See the repository documentation for detailed setup instructions." >> build_report.md
+        fi
+
+        echo "" >> build_report.md
+        echo "## 🔧 Technical Details" >> build_report.md
+        echo "" >> build_report.md
+        BUNDLE_ID=$(grep PRODUCT_BUNDLE_IDENTIFIER ios/Runner.xcodeproj/project.pbxproj | head -n 1 | cut -d= -f2 | tr -d '[:space:];')
+        IOS_VERSION=$(grep IPHONEOS_DEPLOYMENT_TARGET ios/Runner.xcodeproj/project.pbxproj | head -n 1 | cut -d= -f2 | tr -d '[:space:];')
+        echo "- **Bundle ID**: $BUNDLE_ID" >> build_report.md
+        echo "- **Build Configuration**: Release" >> build_report.md
+        echo "- **Architecture**: ARM64 (iOS devices)" >> build_report.md
+        echo "- **Minimum iOS Version**: $IOS_VERSION" >> build_report.md
+
+        # Display file size
+        if [ -f "build/ios/Runner.ipa" ]; then
+          IPA_SIZE=$(ls -lh build/ios/Runner.ipa | awk '{print $5}')
+          echo "- **IPA Size**: $IPA_SIZE" >> build_report.md
+        fi
+
+    - name: Upload iOS IPA
+      uses: actions/upload-artifact@v4
+      with:
+        name: ios-ipa
+        path: build/ios/Runner.ipa
+        retention-days: 30
+
+    - name: Upload build report
+      uses: actions/upload-artifact@v4
+      with:
+        name: ios-build-report
+        path: build_report.md
+        retention-days: 30
+
+    - name: Cleanup keychain
+      if: always()
+      run: |
+        if security list-keychains | grep -q "build.keychain"; then
+          security delete-keychain build.keychain
+        fi

IOS_CODE_SIGNING.md

@@ -0,0 +1,113 @@
+# iOS Code Signing Setup for GitHub Actions
+
+This document describes how to configure the iOS code signing secrets required for the automated iOS build workflow.
+
+## Required Secrets
+
+The iOS build workflow requires the following GitHub repository secrets to be configured:
+
+### 1. `APPLE_CERTIFICATE_BASE64`
+**Description**: Base64-encoded Apple Developer certificate (P12 file)
+
+**How to obtain**:
+1. Open **Keychain Access** on your Mac
+2. Find your Apple Developer certificate (usually named "Apple Development: [Your Name]" or "Apple Distribution: [Your Name]")
+3. Right-click the certificate and select "Export [Certificate Name]"
+4. Choose "Personal Information Exchange (.p12)" format
+5. Set a password for the P12 file
+6. Convert to base64: `base64 -i certificate.p12 | pbcopy`
+7. Paste the base64 string as the secret value
+
+### 2. `APPLE_CERTIFICATE_PASSWORD`
+**Description**: Password for the P12 certificate file
+
+**How to set**:
+- Use the password you set when exporting the P12 certificate
+- Store this as a GitHub secret
+
+### 3. `APPLE_PROVISIONING_PROFILE_BASE64`
+**Description**: Base64-encoded provisioning profile for the app
+
+**How to obtain**:
+1. Go to [Apple Developer Portal](https://developer.apple.com/account/)
+2. Navigate to **Certificates, Identifiers & Profiles**
+3. Go to **Profiles** section
+4. Create or download the provisioning profile for your app
+5. Convert to base64: `base64 -i profile.mobileprovision | pbcopy`
+6. Paste the base64 string as the secret value
+
+### 4. `APPLE_TEAM_ID`
+**Description**: Your Apple Developer Team ID (10-character alphanumeric string)
+
+**How to find**:
+1. Go to [Apple Developer Portal](https://developer.apple.com/account/)
+2. Look for "Team ID" in the top-right corner of the page
+3. It's a 10-character string like "A1B2C3D4E5"
+
+## Setting Up GitHub Secrets
+
+1. Go to your GitHub repository
+2. Navigate to **Settings** → **Secrets and variables** → **Actions**
+3. Click **New repository secret**
+4. Add each of the four secrets listed above
+
+## Bundle Identifier Configuration
+
+Ensure your app's bundle identifier in `ios/Runner.xcodeproj/project.pbxproj` matches the one used in your provisioning profile.
+
+## Provisioning Profile Types
+
+### Development Profile
+- Use for testing on registered devices
+- Allows installation via Xcode, iTunes, or 3uTools
+- Limited to devices registered in your developer account
+
+### Ad Hoc Distribution Profile
+- Use for distributing to a limited number of devices (up to 100)
+- Devices must be registered in your developer account
+- Good for beta testing
+
+### App Store Distribution Profile
+- Use for App Store submission
+- Can also be used for TestFlight distribution
+
+## Testing the Setup
+
+1. Create a pull request to trigger the iOS build workflow
+2. Check the workflow run for any code signing errors
+3. Download the `ios-ipa` artifact and test installation on a device
+4. Review the `ios-build-report` artifact for installation instructions
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Certificate not found**
+   - Ensure the certificate is valid and not expired
+   - Check that the certificate matches the provisioning profile
+
+2. **Provisioning profile mismatch**
+   - Verify the bundle identifier matches
+   - Ensure the provisioning profile includes your certificate
+
+3. **Team ID mismatch**
+   - Double-check the Team ID in your developer account
+   - Ensure it matches the provisioning profile
+
+4. **Keychain issues**
+   - The workflow creates a temporary keychain that's cleaned up automatically
+   - If builds fail, check the keychain setup steps in the workflow
+
+### Getting Help
+
+For additional support:
+- Check Apple's [Code Signing Guide](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/)
+- Review GitHub Actions logs for specific error messages
+- Contact the development team at [technology@internationaltouch.org](mailto:technology@internationaltouch.org)
+
+## Security Notes
+
+- Never commit certificates or provisioning profiles to the repository
+- Use GitHub's encrypted secrets for all sensitive data
+- Regularly rotate certificates and update secrets as needed
+- Limit repository access to trusted team members

README.md

@@ -108,17 +108,36 @@ The project includes GitHub Actions workflows for:
 - 🧪 **Testing**: Automated test suite execution
 - 📦 **Build Artifacts**: 
   - Android APK and App Bundle
-  - iOS IPA (unsigned for testing)
+  - iOS IPA (signed/unsigned for testing)
 
-### Workflow Triggers
-- Push to `main` or `develop` branches
-- Pull requests to `main` branch
+### Workflows
+
+#### Main CI/CD (`flutter.yml`)
+- **Triggers**: Push to `main`/`develop` branches, PRs to `main`
+- **Runs**: Tests, analysis, Android builds, iOS builds
+- **Artifacts**: `android-apk`, `android-aab`, `ios-ipa`
+
+#### iOS Build (`ios-build.yml`)
+- **Triggers**: Pull requests only
+- **Runs**: iOS-specific builds with code signing support
+- **Artifacts**: `ios-ipa`, `ios-build-report`
+- **Features**: Automatic device installation instructions
 
 ### Artifacts
 Download build artifacts from GitHub Actions runs:
 - `android-apk`: Android APK for direct installation
 - `android-aab`: Android App Bundle for Play Store
-- `ios-ipa`: iOS IPA for testing (requires developer provisioning)
+- `ios-ipa`: iOS IPA for testing (signed if secrets configured)
+- `ios-build-report`: Device installation instructions and build details
+
+### iOS Code Signing
+For signed iOS builds, configure the following repository secrets:
+- `APPLE_CERTIFICATE_BASE64`: Base64-encoded P12 certificate
+- `APPLE_CERTIFICATE_PASSWORD`: Certificate password
+- `APPLE_PROVISIONING_PROFILE_BASE64`: Base64-encoded provisioning profile
+- `APPLE_TEAM_ID`: Apple Developer Team ID
+
+See [IOS_CODE_SIGNING.md](IOS_CODE_SIGNING.md) for detailed setup instructions.
 
 ## Development