fix(ci/release): iOS manual App Store signing (App-Manager key can't cloud-sign)

macOS Developer ID + notarize + DMG now works with the clean login-keychain
workflow. iOS export failed with 'Cloud signing permission error' — with
-allowProvisioningUpdates Xcode forces cloud-managed signing, which the
App-Manager-role ASC key can't authorize. Switch iOS to MANUAL signing with the
local (valid) Apple Distribution identity + the 'Punktfunk App Store
Distribution' provisioning profile; ASC key stays only for the upload. Profile
must be installed via Xcode -> Accounts -> Download Manual Profiles.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.gitea/workflows/release.yml

@@ -152,19 +152,21 @@ jobs:
         # Best-effort until the App Store Connect app record for io.unom.punktfunk exists.
         continue-on-error: true
         run: |
-          # Standard App Store flow: automatic signing now works because the runner is in the
-          # logged-in session with the login keychain (Apple Distribution valid) and Xcode is
-          # signed into the team — so -allowProvisioningUpdates manages the cert + App Store
-          # profile, exactly like a local Archive.
+          # MANUAL App Store signing: the local (valid) Apple Distribution identity + the App
+          # Store provisioning profile. NOT -allowProvisioningUpdates — with an App-Manager-role
+          # ASC key that forces Xcode's CLOUD-managed signing, which the role can't do ("Cloud
+          # signing permission error"). The profile must be installed on the runner: Xcode ->
+          # Settings -> Accounts -> Download Manual Profiles.
+          PROFILE="Punktfunk App Store Distribution"
           DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \
             -project "$PROJECT" -scheme Punktfunk-iOS \
             -destination 'generic/platform=iOS' \
             -archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \
             MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \
-            -allowProvisioningUpdates \
-            -authenticationKeyPath "$RUNNER_TEMP/asc.p8" \
-            -authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \
-            -authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}"
+            CODE_SIGN_STYLE=Manual \
+            CODE_SIGN_IDENTITY="Apple Distribution" \
+            DEVELOPMENT_TEAM="$TEAM_ID" \
+            PROVISIONING_PROFILE_SPECIFIER="$PROFILE"
           cat > "$RUNNER_TEMP/export-appstore.plist" <<EOF
           <?xml version="1.0" encoding="UTF-8"?>
           <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -173,6 +175,10 @@ jobs:
             <key>method</key><string>app-store-connect</string>
             <key>destination</key><string>upload</string>
             <key>teamID</key><string>$TEAM_ID</string>
+            <key>signingStyle</key><string>manual</string>
+            <key>signingCertificate</key><string>Apple Distribution</string>
+            <key>provisioningProfiles</key>
+            <dict><key>io.unom.punktfunk</key><string>$PROFILE</string></dict>
           </dict>
           </plist>
           EOF
@@ -180,7 +186,6 @@ jobs:
             -archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \
             -exportOptionsPlist "$RUNNER_TEMP/export-appstore.plist" \
             -exportPath "$RUNNER_TEMP/export-appstore" \
-            -allowProvisioningUpdates \
             -authenticationKeyPath "$RUNNER_TEMP/asc.p8" \
             -authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \
             -authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}"