fix(mobile): use fastlane setup_ci for keychain management (official approach)

.github/workflows/build-mobile.yml

@@ -243,40 +243,11 @@ jobs:
           mkdir -p ~/.appstoreconnect/private_keys
           echo "$API_KEY_CONTENT" | base64 --decode > ~/.appstoreconnect/private_keys/AuthKey_${API_KEY_ID}.p8
 
-      - name: Create keychain for match
-        env:
-          KEYCHAIN_PASSWORD: ${{ github.run_id }}
-        run: |
-          # Create a temporary keychain for CI
-          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
-          security default-keychain -s build.keychain
-          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
-          security set-keychain-settings -t 3600 -l -u build.keychain
-
-          # Add keychain to search list (required for codesign to find certificates)
-          security list-keychains -d user -s build.keychain login.keychain
-
-          # Download and install Apple WWDR certificates (required for code signing)
-          curl -sL https://developer.apple.com/certificationauthority/AppleWWDRCA.cer -o AppleWWDRCA.cer
-          curl -sL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o AppleWWDRCAG3.cer
-          curl -sL https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer -o AppleWWDRCAG4.cer
-          curl -sL https://www.apple.com/certificateauthority/AppleWWDRCAG5.cer -o AppleWWDRCAG5.cer
-          curl -sL https://www.apple.com/certificateauthority/AppleWWDRCAG6.cer -o AppleWWDRCAG6.cer
-          security import AppleWWDRCA.cer -k build.keychain -T /usr/bin/codesign || true
-          security import AppleWWDRCAG3.cer -k build.keychain -T /usr/bin/codesign || true
-          security import AppleWWDRCAG4.cer -k build.keychain -T /usr/bin/codesign || true
-          security import AppleWWDRCAG5.cer -k build.keychain -T /usr/bin/codesign || true
-          security import AppleWWDRCAG6.cer -k build.keychain -T /usr/bin/codesign || true
-
       - name: Build and deploy to TestFlight
         env:
           FASTLANE_TEAM_ID: ${{ secrets.FASTLANE_TEAM_ID }}
           MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
           MATCH_GIT_BASIC_AUTHORIZATION: ${{ steps.match-auth.outputs.base64_token }}
-          KEYCHAIN_NAME: build.keychain
-          KEYCHAIN_PASSWORD: ${{ github.run_id }}
-          MATCH_KEYCHAIN_NAME: build.keychain
-          MATCH_KEYCHAIN_PASSWORD: ${{ github.run_id }}
           APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
           APP_STORE_CONNECT_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ISSUER_ID }}
           ENVIRONMENT: ${{ inputs.environment || 'development' }}
@@ -295,11 +266,6 @@ jobs:
             bundle exec fastlane gha_build_only
           fi
 
-      - name: Clean up keychain
-        if: always()
-        run: |
-          security delete-keychain build.keychain || true
-
       - name: Upload IPA artifact
         uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:

mobile/ios/fastlane/Fastfile

@@ -48,21 +48,16 @@ platform :ios do
   
   # Helper method to sync certificates and profiles using match
   def sync_code_signing(app_identifiers:, readonly: true)
-    keychain = ENV["KEYCHAIN_NAME"] || "login.keychain"
-    keychain_password = ENV["KEYCHAIN_PASSWORD"] || ""
+    # Use fastlane's setup_ci which creates a temporary keychain and handles everything
+    if ENV["CI"]
+      setup_ci
+    end
     
     match(
       type: "appstore",
       app_identifier: app_identifiers,
-      readonly: readonly,
-      keychain_name: keychain,
-      keychain_password: keychain_password
+      readonly: readonly
     )
-    
-    # Set key partition list after match imports certificates (required for CI)
-    if ENV["CI"] && !keychain_password.empty?
-      sh("security set-key-partition-list -S apple-tool:,apple: -s -k \"#{keychain_password}\" #{keychain} 2>/dev/null || true")
-    end
   end
   
   # Helper method to get version from pubspec.yaml