fix(fastlane): restrict CI keychain to GitHub Actions only

pythoninthegrass · pythoninthegrass · commit e25c1c1bc893 · 2026-01-19T16:20:04.000-06:00
- Check GITHUB_ACTIONS env in addition to CI to avoid GUI prompts on dev machines
- Set default_keychain: false to preserve user's login keychain
- Add security set-key-partition-list call so codesign can access keys without prompts
- Cleanup function now uses same guard conditions
diff --git a/fastlane/Fastfile b/fastlane/Fastfile
@@ -124,25 +124,34 @@ def update_tauri_config_version
 end
 
 # Setup temporary keychain for CI environments
+# Only runs on GitHub Actions (not local CI) to avoid GUI prompts on dev machines
 def setup_ci_keychain
-  if ENV['CI']
-    create_keychain(
-      name: CI_KEYCHAIN_NAME,
-      password: CI_KEYCHAIN_PASSWORD,
-      default_keychain: true,
-      unlock: true,
-      timeout: 3600,
-      lock_when_sleeps: false,
-      add_to_search_list: true
-    )
+  return unless ENV['CI'] && ENV['GITHUB_ACTIONS']
+
+  keychain_path = File.expand_path("~/Library/Keychains/#{CI_KEYCHAIN_NAME}-db")
+
+  create_keychain(
+    name: CI_KEYCHAIN_NAME,
+    password: CI_KEYCHAIN_PASSWORD,
+    default_keychain: false,  # don't replace user's default keychain
+    unlock: true,
+    timeout: 3600,
+    lock_when_sleeps: false,
+    add_to_search_list: true
+  )
+
+  # Set partition list so codesign can access keys without GUI prompt
+  if File.exist?(keychain_path)
+    sh("security set-key-partition-list -S apple-tool:,apple: -s -k #{CI_KEYCHAIN_PASSWORD.shellescape} #{keychain_path.shellescape}", log: false)
   end
 end
 
 # Cleanup CI keychain
 def cleanup_ci_keychain
-  if ENV['CI']
-    delete_keychain(name: CI_KEYCHAIN_NAME) if File.exist?(File.expand_path("~/Library/Keychains/#{CI_KEYCHAIN_NAME}-db"))
-  end
+  return unless ENV['CI'] && ENV['GITHUB_ACTIONS']
+
+  keychain_path = File.expand_path("~/Library/Keychains/#{CI_KEYCHAIN_NAME}-db")
+  delete_keychain(name: CI_KEYCHAIN_NAME) if File.exist?(keychain_path)
 end
 
 platform :ios do
