From abc057fbfe09cc6e2226c52a2290daac702bdb6a Mon Sep 17 00:00:00 2001
From: enricobuehler <buehler@unom.io>
Date: Sun, 14 Jun 2026 12:57:18 +0200
Subject: [PATCH] fix(ci/apple): scope iOS/tvOS archive signing to the device
 SDK
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A global PROVISIONING_PROFILE_SPECIFIER on the xcodebuild command line is
applied to every target in the graph, including the shared SwiftPM compiler-
plugin macros (OnceMacro/SwizzlingMacro/AssociationMacro). Those build for the
macOS host and reject a provisioning profile, so the iOS/tvOS device archives
failed at build-description time with "<macro> does not support provisioning
profiles". (The macOS archive is immune: its host-SDK macros carry
CODE_SIGNING_ALLOWED=NO, so the global specifier is silently ignored there.)

Move the signing settings into a generated -xcconfig and condition the profile
+ identity on the device SDK ([sdk=iphoneos*] / [sdk=appletvos*]). xcconfig
conditionals are honored and a command-line -xcconfig outranks target settings,
whereas a CLI "SETTING[sdk=..]=val" is mis-parsed — both verified via
xcodebuild -showBuildSettings against the real project. The profile now lands on
the app/framework slices only; the macosx-host macros get nothing.

macOS App Store archive is unchanged (already green; installer cert now present
on the runner). tvOS upload may still need tvOS on the App Store Connect record,
but that step is continue-on-error.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/release.yml | 41 +++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 10 deletions(-)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 20ebb7a..1c84049 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -236,16 +236,24 @@ jobs:
           osascript -e 'tell application "Xcode" to quit' >/dev/null 2>&1 || true
           pkill -x Xcode 2>/dev/null || true
           PROFILE="Punktfunk iOS App Store Distribution"
+          # Scope signing to the iOS device SDK via an xcconfig — see the tvOS step below for the
+          # full rationale. A global (CLI) profile specifier would also be forced onto the shared
+          # macOS-host SwiftPM macro plugins, which reject it and fail the archive; [sdk=iphoneos*]
+          # in an xcconfig lands it on the app/framework slices only.
+          SIGN_XCCONFIG="$RUNNER_TEMP/sign-ios.xcconfig"
+          cat > "$SIGN_XCCONFIG" <<XCCONF
+          CODE_SIGN_STYLE = Manual
+          DEVELOPMENT_TEAM = $TEAM_ID
+          CODE_SIGN_IDENTITY[sdk=iphoneos*] = Apple Distribution
+          PROVISIONING_PROFILE_SPECIFIER[sdk=iphoneos*] = $PROFILE
+          XCCONF
           DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \
             -project "$PROJECT" -scheme Punktfunk-iOS \
             -destination 'generic/platform=iOS' \
             -archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \
             -skipMacroValidation -skipPackagePluginValidation \
-            MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \
-            CODE_SIGN_STYLE=Manual \
-            CODE_SIGN_IDENTITY="Apple Distribution" \
-            DEVELOPMENT_TEAM="$TEAM_ID" \
-            PROVISIONING_PROFILE_SPECIFIER="$PROFILE"
+            -xcconfig "$SIGN_XCCONFIG" \
+            MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM"
           cat > "$RUNNER_TEMP/export-appstore.plist" <<EOF
           <?xml version="1.0" encoding="UTF-8"?>
           <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -279,16 +287,29 @@ jobs:
           osascript -e 'tell application "Xcode" to quit' >/dev/null 2>&1 || true
           pkill -x Xcode 2>/dev/null || true
           PROFILE="Punktfunk tvOS App Store Distribution"
+          # Scope signing to the tvOS device SDK via an xcconfig. A global (CLI) profile specifier
+          # hits EVERY target, including the shared SwiftPM macro plugins (OnceMacro/SwizzlingMacro/
+          # AssociationMacro) which build for the macOS host and reject a provisioning profile
+          # ("<macro> does not support provisioning profiles"), failing the archive. Conditionals
+          # work only in an xcconfig (xcodebuild mis-parses a CLI "SETTING[sdk=..]=val"), and a
+          # command-line -xcconfig outranks target settings, so [sdk=appletvos*] puts the profile on
+          # the app/framework slices only — the macosx-host macros get nothing. (The macOS archive
+          # above is immune: its host-SDK macros are CODE_SIGNING_ALLOWED=NO, so a global specifier
+          # is ignored there.)
+          SIGN_XCCONFIG="$RUNNER_TEMP/sign-tvos.xcconfig"
+          cat > "$SIGN_XCCONFIG" <<XCCONF
+          CODE_SIGN_STYLE = Manual
+          DEVELOPMENT_TEAM = $TEAM_ID
+          CODE_SIGN_IDENTITY[sdk=appletvos*] = Apple Distribution
+          PROVISIONING_PROFILE_SPECIFIER[sdk=appletvos*] = $PROFILE
+          XCCONF
           DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \
             -project "$PROJECT" -scheme Punktfunk-tvOS \
             -destination 'generic/platform=tvOS' \
             -archivePath "$RUNNER_TEMP/Punktfunk-tvos.xcarchive" \
             -skipMacroValidation -skipPackagePluginValidation \
-            MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \
-            CODE_SIGN_STYLE=Manual \
-            CODE_SIGN_IDENTITY="Apple Distribution" \
-            DEVELOPMENT_TEAM="$TEAM_ID" \
-            PROVISIONING_PROFILE_SPECIFIER="$PROFILE"
+            -xcconfig "$SIGN_XCCONFIG" \
+            MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM"
           cat > "$RUNNER_TEMP/export-tvos.plist" <<EOF
           <?xml version="1.0" encoding="UTF-8"?>
           <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">