Add automated weekly TestFlight build via fastlane match #776

Merged: theospears merged 13 commits into master from claude/auto-testflight-builds-ZbOTz on May 16, 2026

Conversation

Collaborator

@theospears theospears commented May 15, 2026

Summary

  • Adds a scheduled (weekly, Mondays 09:00 UTC) and manually-dispatchable
    GitHub Actions workflow that builds the app and uploads it to TestFlight,
    fully unattended.
  • Adds a beta_ci fastlane lane: App Store Connect API key from env, build
    number bumped to latest_testflight_build_number + 1, distribution signing
    via fastlane match, archive, upload, and a build tag.
  • Adds a Matchfile pointing at the beeminder/BeeSwift-credentials storage
    repo (git storage, accessed over an SSH deploy key). Local development keeps
    Xcode automatic signing unchanged.
  • Housekeeping: gitignore the new fastlane/build_output log dir; list
    beta_ci in the auto-generated fastlane README.

Required configuration (already set up out-of-band)

  • beeminder/BeeSwift-credentials private repo seeded via fastlane match appstore.
  • A testflight GitHub Environment (restricted to master) with secrets:
    MATCH_PASSWORD, MATCH_SSH_KEY, ASC_KEY_ID, ASC_ISSUER_ID,
    ASC_KEY_P8_BASE64, CONFIG_SWIFT.
  • A write-enabled SSH deploy key on the credentials repo (needed for the
    match(readonly: false) self-heal path; first run only needs read).

Test plan

  • Temporarily add this branch to the testflight environment's allowed
    branches, dispatch "Weekly TestFlight Build", confirm a build lands in
    TestFlight.
  • Verify the distribution archive signs correctly (watch the BeeKit
    framework target — only the BeeSwift app target is flipped to the match
    profile; fix is one line if framework signing fails).
  • Remove the branch from the environment rules after a green run.
  • Confirm the per-build git tag is pushed.

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx

claude added 3 commits May 10, 2026 05:51
Documents the approach for a scheduled GitHub Actions workflow that builds
and uploads to TestFlight, using fastlane match (git storage + deploy key)
for unattended code signing, plus the one-time setup and required secrets.

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx

Adds a scheduled (weekly) + manually dispatchable GitHub Actions workflow
that builds and uploads to TestFlight, plus a `beta_ci` fastlane lane and a
Matchfile. Signing is handled by `fastlane match` (git storage repo accessed
over an SSH deploy key); App Store Connect credentials, the match passphrase,
and the BeeKit config are supplied via the `testflight` environment's secrets.

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx

Removes the scratch planning doc, gitignores the new fastlane build log
directory so local lane runs don't leave untracked output, and adds the
beta_ci lane to the auto-generated fastlane README.

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx
@theospears theospears requested a review from a team as a code owner May 15, 2026 04:32
@theospears theospears changed the title Add plan for automated weekly TestFlight builds Add automated weekly TestFlight build via fastlane match May 15, 2026
…tion

Adds a branch-scoped push trigger so the workflow can be validated before
it lands on master. Must be removed before merging.

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx

The archive failed because BeeKit was still on automatic signing and tried
to resolve an iOS Development certificate that doesn't exist on the runner.
Sign it with the distribution identity (no provisioning profile needed for
an embedded framework).

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx

Adds a cheap pre-check job that compares HEAD against the commit of the
most recent builds/* tag and only runs the build/upload job when they
differ. Avoids redundant weekly TestFlight builds (and spurious testflight
environment approval prompts) when nothing has changed.

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx
Comment thread .github/workflows/testflight-weekly.yml Fixed
claude added 2 commits May 15, 2026 05:02
Replaces the builds/* creatordate scan with a dedicated ci-latest pointer
that the build job force-updates after a successful upload. Simpler and
unambiguous; the per-build builds/beta_ci/* tags are kept for history.

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx

The archive was hanging indefinitely on the signing step: without a CI
keychain, codesign blocks on an interactive keychain-access prompt that
can't be answered on a headless runner. setup_ci creates a temporary
unlocked keychain and points match at it.

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx
claude added 5 commits May 15, 2026 05:21
Pipeline validated end-to-end on the branch. The workflow now runs only on
the weekly schedule and manual dispatch.

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx

Adds a workflow-level default of contents: read so the check job and any
future jobs get a minimal token; the build job keeps its explicit
contents: write for the per-build and ci-latest tag pushes.

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx

Security review C1: the build job holds the App Store signing chain, so
pin every action to a full commit SHA (version in trailing comment)
instead of a mutable tag. SHAs resolved from upstream tag refs.

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx

Replaces repeated team id, bundle id, and ASC key duration literals with
TEAM_ID / APP_IDENTIFIER / ASC_KEY_DURATION constants across the beta and
beta_ci lanes; the match profile env var is now derived from APP_IDENTIFIER.

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx

The single entitlements file pinned aps-environment to development for all
configurations. Under the new manual signing in beta_ci that risks either a
profile/entitlement mismatch or, worse, TestFlight builds silently getting
sandbox push tokens while the backend sends via production APNs. Add a
Release-only entitlements file with aps-environment=production and point the
Release build configuration at it; Debug is unchanged (development/sandbox).

https://claude.ai/code/session_016a6ivCc3wjKG8osTb4h8Fx
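
The two workflow-hardening commits above (a workflow-level contents: read default, and every action pinned to a full commit SHA) can be kept from regressing with a small lint step. This is an added example, not code from this PR or the BeeSwift repository; the sample workflow, action names and SHA are constructed placeholders, and the line-based parsing assumes conventionally indented YAML.

```python
import re
# Constructed sample workflow, not the repository's real file. Action names
# and the 40-hex SHA are placeholders chosen for this example.
SAMPLE_WORKFLOW = """\
on: [workflow_dispatch]
permissions:
  contents: read
jobs:
  check:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
  build:
    environment: testflight
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-step
      - uses: example-org/setup-tool@main
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def unpinned_actions(workflow_text):
    """Return (line_number, ref) for each `uses:` not pinned to a full commit SHA."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        ref = match.group(1) if match else "./"
        # Local actions (./path) are versioned with the repository itself.
        if not ref.startswith("./") and not FULL_SHA_RE.fullmatch(ref.rpartition("@")[2]):
            findings.append((number, ref))  # tag, branch, short SHA or no ref
    return findings

def default_token_is_read_only(workflow_text):
    """True when a workflow-level `permissions:` block grants no write scope."""
    lines = workflow_text.splitlines()
    for index, line in enumerate(lines):
        top = re.match(r"^permissions:\s*([^\s#]*)", line)
        if top and top.group(1):  # scalar form, e.g. `permissions: read-all`
            return top.group(1) in ("read-all", "{}")
        if top:
            block = []
            for child in lines[index + 1:]:
                if child.strip() and not child[0].isspace():
                    break  # next top-level key ends the block
                block.append(child.split("#")[0].strip())
            scopes = [entry for entry in block if entry]
            return bool(scopes) and not any(re.search(r":\s*write$", s) for s in scopes)
    return False  # no workflow-level default declared
```

On the sample, the job-level contents: write on the build job is left alone, since only the workflow-wide default is checked; the two mutable refs in that job are what get reported.
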
@theospears theospears merged commit 918e449 into master May 16, 2026
6 checks passed
@theospears theospears deleted the claude/auto-testflight-builds-ZbOTz branch May 16, 2026 01:05
3 participants