feat(ci/release): wire iOS App Store signing via an Apple Distribution secret

Prepares the iOS/TestFlight path. The runner has the iOS 26.5 SDK but no
signing identities, so import an Apple Distribution cert+key from
IOS_DIST_CERT_P12_B64 / IOS_DIST_CERT_PASSWORD into the same throwaway keychain
(the WWDR intermediates already fetched chain it). The iOS archive uses
automatic signing (-allowProvisioningUpdates + the ASC key creates/downloads the
App Store profile against the present cert, so no keychain-write that would hit
the macOS -61). Re-assert the keychain on the search list like the macOS sign
step. Until the secret is set the step self-skips with a warning, so it stays
green. Still needs an App Store Connect app record for io.unom.punktfunk to
upload.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.gitea/workflows/release.yml

@@ -80,10 +80,12 @@ jobs:
       - name: Build PunktfunkCore.xcframework (mac + iOS)
         run: BUILD_IOS=1 bash scripts/build-xcframework.sh
 
-      - name: Import Developer ID certificate (throwaway keychain)
+      - name: Import signing certificates (throwaway keychain)
         env:
           P12_B64: ${{ secrets.DEVID_CERT_P12_B64 }}
           P12_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
+          IOS_P12_B64: ${{ secrets.IOS_DIST_CERT_P12_B64 }}
+          IOS_P12_PASSWORD: ${{ secrets.IOS_DIST_CERT_PASSWORD }}
         run: |
           KEYCHAIN="$RUNNER_TEMP/punktfunk-ci.keychain-db"
           KEYCHAIN_PASS="$(uuidgen)"
@@ -108,6 +110,15 @@ jobs:
           security import "$RUNNER_TEMP/devid.p12" -k "$KEYCHAIN" -P "$P12_PASSWORD" \
             -T /usr/bin/codesign -T /usr/bin/security
           rm -f "$RUNNER_TEMP/devid.p12"
+          # iOS App Store distribution identity (optional — imported only when the secret is
+          # set; the iOS/TestFlight job stays best-effort until it is). The WWDR intermediates
+          # fetched above also chain this Apple Distribution cert.
+          if [ -n "$IOS_P12_B64" ]; then
+            printf '%s' "$IOS_P12_B64" | base64 -d > "$RUNNER_TEMP/ios-dist.p12"
+            security import "$RUNNER_TEMP/ios-dist.p12" -k "$KEYCHAIN" -P "$IOS_P12_PASSWORD" \
+              -T /usr/bin/codesign -T /usr/bin/security
+            rm -f "$RUNNER_TEMP/ios-dist.p12"
+          fi
           security set-key-partition-list -S apple-tool:,apple:,codesign: \
             -s -k "$KEYCHAIN_PASS" "$KEYCHAIN" >/dev/null
           security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
@@ -226,6 +237,16 @@ jobs:
             echo "::warning::iOS platform SDK not installed on this runner — skipping iOS/TestFlight."
             exit 0
           fi
+          # App Store signing uses the Apple Distribution identity imported above from
+          # IOS_DIST_CERT_P12_B64. Skip cleanly until that secret exists; re-assert the
+          # throwaway keychain on the search list + as default so automatic signing finds it
+          # (the search list doesn't reliably carry across steps on this runner).
+          if ! security find-identity -v -p codesigning "$KEYCHAIN" | grep -q "Apple Distribution"; then
+            echo "::warning::no Apple Distribution identity present — set IOS_DIST_CERT_P12_B64. Skipping iOS/TestFlight."
+            exit 0
+          fi
+          security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
+          security default-keychain -d user -s "$KEYCHAIN"
           DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \
             -project "$PROJECT" -scheme Punktfunk-iOS \
             -destination 'generic/platform=iOS' \