
ci(apple): persistent signing — stop minting throwaway certs every run#34

Merged
MatheusKindrazki merged 1 commit into
mainfrom
fix/ci-persistent-signing
May 31, 2026

Conversation

@MatheusKindrazki
Owner

Problem

The Apple archive jobs signed with CODE_SIGN_STYLE=Automatic + -allowProvisioningUpdates. On GitHub's ephemeral runners that creates a new Development certificate on every run; dozens of Created via API / Development certs piled up and blew past the account's certificate limit. Result: every archive failed with Your account has reached the maximum number of certificates + No profiles found. The CI release path never produced a signed build (it failed in April and again now).

Root cause

-allowProvisioningUpdates on a runner with no persistent certificate = a junk-certificate factory. ExportOptions.plist itself already documented the intended solution ("CI step sets this up with fastlane match or manual p12 import"); it just was never implemented.

Fix (persistent manual signing)

  • New composite action .github/actions/setup-apple-signing: imports an Apple Distribution .p12 into a temporary keychain (set-key-partition-list for headless codesign) and installs the provisioning profiles.
  • apple-release.yml / apple-production.yml: call the action, remove -allowProvisioningUpdates, build with CODE_SIGN_STYLE=Manual.
  • ExportOptions.plist: signingStyle automatic → manual.
  • docs/ops/ci-signing-setup.md: one-time setup (revoke junk certs, export the .p12, download profiles, create the 3 secrets).

⚠️ Requires 3 new secrets before the next build will sign

| Secret                    | Contents                                          |
|---------------------------|---------------------------------------------------|
| BUILD_CERT_P12_B64        | base64 of the Apple Distribution .p12             |
| BUILD_CERT_PASSWORD       | password of the .p12                              |
| PROVISIONING_PROFILES_B64 | base64 of a .tar.gz of the App Store profiles     |

Full step-by-step in docs/ops/ci-signing-setup.md. The Created via API / Development certs also need to be revoked in the portal to free up the limit.

🤖 Generated with Claude Code

The Apple archive jobs signed with CODE_SIGN_STYLE=Automatic +
-allowProvisioningUpdates. On ephemeral CI runners that creates a NEW
Development certificate on every run, which accumulated dozens of
"Created via API" Development certs and exhausted the account's
certificate limit — making every archive fail with "Your account has
reached the maximum number of certificates" + "No profiles found".
The CI release path had in fact never produced a signed build.

Fix: manual signing with a persistent Apple Distribution certificate and
App Store provisioning profiles seeded as GitHub secrets.

- Add composite action .github/actions/setup-apple-signing: imports the
  .p12 into a temporary keychain (set-key-partition-list for headless
  codesign) and installs profiles into ~/Library/MobileDevice/Provisioning
  Profiles.
- apple-release.yml / apple-production.yml: call the action, drop
  -allowProvisioningUpdates, build with CODE_SIGN_STYLE=Manual.
- ExportOptions.plist: signingStyle automatic -> manual.
- docs/ops/ci-signing-setup.md: one-time setup (revoke garbage certs,
  export .p12, download profiles, set BUILD_CERT_P12_B64 /
  BUILD_CERT_PASSWORD / PROVISIONING_PROFILES_B64 secrets).

Requires the three new secrets before the next build will sign.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
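An illustrative composite action of the kind the PR describes, added here as an example and not the PR's own .github/actions/setup-apple-signing/action.yml; the input names, the keychain path under RUNNER_TEMP and the UUID-naming of profiles are assumptions.

```yaml
# Example composite action (assumed layout, not the project's file).
# The three PR secrets are passed in as inputs by the calling workflow.
name: setup-apple-signing (example)
description: Import a persistent Apple Distribution .p12 and App Store profiles
inputs:
  p12-base64:      { required: true }   # BUILD_CERT_P12_B64
  p12-password:    { required: true }   # BUILD_CERT_PASSWORD
  profiles-base64: { required: true }   # PROVISIONING_PROFILES_B64
runs:
  using: composite
  steps:
    - name: Import certificate into a job-scoped keychain
      shell: bash
      env:
        P12_B64: ${{ inputs.p12-base64 }}
        P12_PASSWORD: ${{ inputs.p12-password }}
      run: |
        set -euo pipefail
        KEYCHAIN="$RUNNER_TEMP/signing.keychain-db"          # assumed path
        KEYCHAIN_PASSWORD="$(openssl rand -hex 16)"           # random, never logged
        security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
        security set-keychain-settings -lut 21600 "$KEYCHAIN" # auto-lock after 6h
        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
        echo "$P12_B64" | base64 --decode > "$RUNNER_TEMP/cert.p12"
        # Only codesign/security may use the imported key
        security import "$RUNNER_TEMP/cert.p12" -k "$KEYCHAIN" \
          -P "$P12_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
        rm -f "$RUNNER_TEMP/cert.p12"
        # Allow headless codesign without a GUI unlock prompt
        security set-key-partition-list -S apple-tool:,apple: \
          -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
        security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
        echo "SIGNING_KEYCHAIN=$KEYCHAIN" >> "$GITHUB_ENV"
    - name: Install App Store provisioning profiles
      shell: bash
      env:
        PROFILES_B64: ${{ inputs.profiles-base64 }}
      run: |
        set -euo pipefail
        DEST="$HOME/Library/MobileDevice/Provisioning Profiles"
        mkdir -p "$DEST"
        echo "$PROFILES_B64" | base64 --decode | tar -xzf - -C "$RUNNER_TEMP"
        # Store each profile under its UUID so manual signing can resolve it
        for p in "$RUNNER_TEMP"/*.mobileprovision; do
          uuid=$(security cms -D -i "$p" | grep -A1 '<key>UUID</key>' \
                 | grep -o '[-A-Z0-9]\{36\}')
          cp "$p" "$DEST/$uuid.mobileprovision"
        done
```

Composite actions have no post-step, so the calling workflow should delete `$SIGNING_KEYCHAIN` in a final `if: always()` step so the key does not outlive the job.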
@coderabbitai

coderabbitai Bot commented May 31, 2026

Warning

Review limit reached

@MatheusKindrazki, we couldn't start this review because you've reached your PR review rate limit.


📥 Commits

Reviewing files that changed from the base of the PR and between a9e7f53 and 6923e85.

📒 Files selected for processing (5)
  • .github/actions/setup-apple-signing/action.yml
  • .github/workflows/apple-production.yml
  • .github/workflows/apple-release.yml
  • apple/ExportOptions.plist
  • docs/ops/ci-signing-setup.md

MatheusKindrazki merged commit 7204483 into main May 31, 2026
4 checks passed
MatheusKindrazki deleted the fix/ci-persistent-signing branch May 31, 2026 15:55
MatheusKindrazki added a commit that referenced this pull request May 31, 2026
…locally)

The CI-signing PR (#34) flipped apple/ExportOptions.plist to manual, but the
real release path is fastlane beta_all run LOCALLY (see fastlane/report.xml
2026-05-30), and that lane consumes this same ExportOptions.plist (Fastfile
EXPORT_OPTIONS_PATH). Manual signing would break the working local release, so
restore automatic. The CI workflows were never the release path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>