Wire Forge-native release infrastructure
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s

This commit is contained in:
Conrad Kramer 2026-06-07 05:51:12 -07:00
parent 97c569fb35
commit 002bd382e9
199 changed files with 14268 additions and 185 deletions

View file

@ -0,0 +1,18 @@
# App Store Connect Metadata
This directory is the repo-owned home for Burrow App Store Connect metadata.
The release upload lane expects dedicated App Store Connect API credentials
sealed with agenix:
- `secrets/apple/appstore-connect.env.age`
That single secret contains the key ID, issuer ID, and base64-encoded `.p8`.
CI decrypts it into a temporary App Store Connect key file, syncs provisioning
profiles from App Store Connect, and then uploads `.ipa`/`.pkg` artifacts.
Forgejo secrets should only provide the runner age identity fallback, not the
App Store key itself.
The initial release pipeline can upload `.ipa` and `.pkg` artifacts once the
Apple build lane produces signed outputs. TestFlight external distribution must
remain explicit until review metadata, groups, and tester policy are complete.