feat(mobile): full TestFlight CI on mobile-v* tag push (NAN-700) #336

Open. yagudaev wants to merge 3 commits into main from feat/mobile-ci-tag-push-testflight
yagudaev (Owner) commented May 1, 2026
Summary

  • Rewrites the scaffold .github/workflows/release-mobile.yml with a full xcodebuild pipeline on macos-14, mirroring release-desktop.yml
  • Adds workflow_dispatch inputs: tag (required), variant (staging|production, default staging), submit (boolean, default true — set false for dry-run)
  • Build step always runs; submit step is gated on inputs.submit != 'false' (tag-push defaults to submit=true)
  • Fixes mobile/eas.json staging ascApiKeyPath from hardcoded absolute local path to ~/ so EAS CLI resolves it correctly on CI runners

⚠ BLOCKER: iOS Distribution cert secret missing

The DEVELOPER_ID_CERT_P12 secret in the repo contains the macOS "Developer ID Application" certificate — used for macOS DMG notarization via electron-builder. This is a DIFFERENT cert than what iOS App Store distribution requires.

iOS App Store distribution (method: app-store-connect in ExportOptions.plist) needs an "Apple Distribution" cert (also called "iPhone Distribution"). xcodebuild with CODE_SIGN_STYLE=Automatic will look for this cert in the keychain at archive time. Without it, the archive step fails.

Action required before the first real build:

  1. Open Keychain Access on your Mac
  2. Find the cert named "Apple Distribution: ..." (or "iPhone Distribution: ...")
  3. Right-click → Export → choose .p12 format → set a password
  4. Run: base64 -i cert.p12 | pbcopy
  5. Go to Settings → Secrets → Actions in the GitHub repo
  6. Add two new secrets:
    • IOS_DIST_CERT_P12 — the base64 string from step 4
    • IOS_DIST_CERT_PASSWORD — the password from step 3

The workflow will fail at the "Import iOS Distribution certificate" step with a clear error until these are added. It will NOT silently produce an ad-hoc-signed IPA.

How to test before relying on this

  1. Merge this PR.
  2. Add IOS_DIST_CERT_P12 + IOS_DIST_CERT_PASSWORD secrets (see BLOCKER above).
  3. Go to https://github.com/yagudaev/voiceclaw/actions/workflows/release-mobile.yml
  4. Click "Run workflow"
  5. Inputs:
    • tag: mobile-v1.2.0 (latest existing — re-uses existing version, won't bump)
    • variant: staging
    • submit: false ← KEY — skips upload to TestFlight, just verifies build path
  6. Click "Run workflow"
  7. Wait ~20 min for build to complete. Download the IPA artifact from the run page.
  8. If build succeeded: re-run with submit: true to do a full end-to-end test. Note: TestFlight will reject as duplicate build number — that's OK, it proves the submit auth + path works without polluting TestFlight with a real release.
  9. After both pass: next real mobile-v* tag push (created by release-please) will hands-off ship to TestFlight.

Other fixes in this PR

mobile/eas.json staging profile path fix — the ascApiKeyPath was "/Users/michaelyagudaev/.appstore/..." (absolute local path). Changed to "~/.appstore/...". Without this fix, EAS CLI on the runner couldn't find the API key and would fall back to interactive Apple ID login, breaking CI. Local flow is unaffected since ~ resolves to the same place.

Secrets summary

| Secret | Status | Used for |
|---|---|---|
| APPLE_API_KEY_P8 | ✅ exists | Write .p8 for altool validate + eas submit |
| APPLE_API_KEY_ID | ✅ exists | Key ID for both |
| APPLE_API_ISSUER | ✅ exists | Issuer UUID for both |
| IOS_DIST_CERT_P12 | MISSING — add before first run | iOS Distribution cert import |
| IOS_DIST_CERT_PASSWORD | MISSING — add before first run | Cert import password |
| EXPO_TOKEN | ✅ exists | eas submit authentication |

Test plan

  • Add IOS_DIST_CERT_P12 + IOS_DIST_CERT_PASSWORD secrets to repo
  • workflow_dispatch with submit: false → IPA artifact downloads, build log present
  • workflow_dispatch with submit: true → EAS submit runs, TestFlight processes build
  • Local yarn release:ios:staging still works unchanged

🤖 Generated with Claude Code

yagudaev and others added 2 commits April 30, 2026 18:19
Empty desktop releases were appearing on the GitHub Releases page
with no DMG asset for ~15 min after each tag push. Cause: release-
please publishes the GitHub release synchronously with the tag,
then the release-desktop workflow takes 14-17 min to build, sign,
notarize, and upload the DMG. During that window the release
existed publicly with only Source code zip/tar.gz, looking broken.

Two-line fix:
- release-please-config.json: set draft: true on the desktop
  package so release-please creates the release as draft initially
- release-desktop.yml: after the DMG upload step succeeds, flip
  the release from draft to published with gh release edit --draft=false --latest

Mobile package keeps draft: false (default) since it doesn't have
a CI asset upload — TestFlight is its own delivery channel.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Rewrites the scaffold release-mobile.yml with a full xcodebuild pipeline
on macos-14: writes ASC API key, imports iOS Distribution cert, runs
build-ios.sh, submits via eas submit. Adds workflow_dispatch inputs for
tag, variant (staging|production), and submit (boolean dry-run gate).
Also fixes eas.json staging ascApiKeyPath from absolute local path to ~/
so EAS CLI can resolve it on CI runners.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
vercel Bot commented May 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| voiceclaw | Ready | Preview, Comment | May 1, 2026 2:03am |

Earlier draft of the mobile CI workflow expected new secrets named
IOS_DIST_CERT_P12 + IOS_DIST_CERT_PASSWORD on the assumption that
DEVELOPER_ID_CERT_P12 was strictly the macOS Developer ID
Application cert. Repo only has DEVELOPER_ID_CERT_P12 — its actual
contents may be a multi-identity export including the iOS Apple
Distribution cert, in which case xcodebuild signs cleanly.

If the .p12 turns out to contain only the macOS cert, the
verification step at the end of the import (security find-identity
grep "Apple Distribution|iPhone Distribution") will fail loudly
with a clear message — no silent breakage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
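
The identity check described in the commit message above (security find-identity filtered for "Apple Distribution|iPhone Distribution"), written out as an added example; it is not the PR's workflow code. The function name, the keychain variable, and the sample listings (hashes, team name) are constructed, and the sketch additionally skips entries that `security` marks with a CSSMERR_* status.

```bash
#!/usr/bin/env bash
# Added example (not from the PR). Reads `security find-identity -p codesigning`
# output on stdin; prints usable iOS distribution identity names, or fails loudly.
check_ios_dist_identity() {
  # Identity lines look like:  N) <40-hex SHA-1> "<name>" [(CSSMERR_...)]
  dist_ids=$(grep -E '^[[:space:]]*[0-9]+\) [0-9A-Fa-f]{40} "' \
    | grep -v 'CSSMERR_' \
    | grep -E '"(Apple Distribution|iPhone Distribution): ' || true)
  if [ -z "$dist_ids" ]; then
    echo "error: no valid Apple Distribution / iPhone Distribution identity found;" >&2
    echo "       the imported .p12 may hold only a Developer ID Application cert" >&2
    return 1
  fi
  # Emit only the quoted identity names, one per line
  printf '%s\n' "$dist_ids" | sed 's/^[^"]*"\([^"]*\)".*/\1/'
}

# Constructed sample listings (hashes and team are placeholders).
# Case 1: .p12 contained only the macOS cert.
SAMPLE_MAC_ONLY='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
     1 valid identities found'

# Case 2: multi-identity export that also carries the iOS distribution cert.
SAMPLE_MULTI='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Apple Distribution: Example Corp (ABCDE12345)"
     2 valid identities found'

# Case 3: distribution cert present but flagged as expired by `security`.
SAMPLE_EXPIRED='  1) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "iPhone Distribution: Example Corp (ABCDE12345)" (CSSMERR_TP_CERT_EXPIRED)
     0 valid identities found'

# In a workflow step (KEYCHAIN_PATH is an assumed variable name):
#   security find-identity -p codesigning "$KEYCHAIN_PATH" | check_ios_dist_identity
```
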