Overview

For CI builds to sign your app, your GitHub Actions workflows need access to:

  • A distribution certificate (as a base64-encoded P12)
  • A provisioning profile (as a base64-encoded .mobileprovision)
  • The P12 password (if encrypted)
  • Your ASC API key details (for uploading builds with altool or xcrun notarytool)

Mainline’s Secret Injection feature automates writing these to your GitHub repository’s Actions secrets — no manual copy-paste of base64 strings.


Setting up secret injection

  1. Open the App Detail view and tap Secrets (shown in the repository section — requires a GitHub PAT and cert repo to be configured).
  2. Mainline shows a list of the secrets it can inject for this app, with a status indicator for each (present in GitHub, missing, or stale).
  3. Select a certificate and profile to inject.
  4. Tap Inject Secrets. Mainline writes each secret to the GitHub repo's Actions secrets via the GitHub API.

What gets written

Mainline writes the following secrets to your GitHub repo (exact names depend on your Secret Schema):

Secret                              Content
DISTRIBUTION_CERTIFICATE_P12        Base64-encoded P12
DISTRIBUTION_CERTIFICATE_PASSWORD   P12 password (or empty string for passwordless P12s)
PROVISIONING_PROFILE                Base64-encoded .mobileprovision
ASC_API_KEY_P8                      Base64-encoded .p8 private key
ASC_KEY_ID                          ASC Key ID
ASC_ISSUER_ID                       ASC Issuer ID

Secret Schema

Different teams name their GitHub Actions secrets differently. Mainline uses a Secret Schema per app to map the above secret types to whatever names your workflows actually expect.

Editing the Secret Schema

  1. In the App Detail view, tap Secrets → Edit Schema.
  2. For each secret slot, enter the name your workflow uses (e.g. if your workflow reads ${{ secrets.CERT_P12 }}, set the certificate slot to CERT_P12).
  3. Save. Mainline uses the schema for all future injections for this app.

Auto-detection

Mainline can inspect your workflow YAML files and suggest a schema automatically. Tap Detect from Workflows to let Mainline scan the .github/workflows/ folder and infer the expected secret names.
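One way such a scan can work, as an added example rather than Mainline's own code: it pulls every `${{ secrets.NAME }}` reference out of a workflow, guesses which of the six slots from the table above each name fills, and reports any name the workflow reads that a given schema would not write. The keyword heuristics and the sample workflow are constructed assumptions; the slot labels reuse the default names from the table.

```python
import re

# Constructed sample: an excerpt of a signing workflow as it might sit in .github/workflows/
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - env:
          CERT_P12: ${{ secrets.CERT_P12 }}
          CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
        run: echo "$CERT_P12" | base64 --decode > cert.p12
      - run: echo "${{ secrets.PROVISIONING_PROFILE }}" | base64 --decode > app.mobileprovision
      - env:
          KEY_ID: ${{ secrets.APPSTORE_KEY_ID }}
          ISSUER_ID: ${{secrets.APPSTORE_ISSUER_ID}}
          PRIVATE_KEY: ${{ secrets.APPSTORE_PRIVATE_KEY }}
"""

# ${{ secrets.NAME }} is how a workflow reads an Actions secret; whitespace inside the braces is optional
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

def find_secret_refs(workflow_yaml: str) -> list[str]:
    """Every distinct secret name the workflow reads, in first-seen order."""
    return list(dict.fromkeys(SECRET_REF.findall(workflow_yaml)))

def guess_slot(name: str):
    """Heuristic (an assumption, not Mainline's rule): which slot a name fills, or None.
    Slot labels are the default names from the table; most specific hints are tested first."""
    n = name.upper()
    if "ISSUER" in n:                                     return "ASC_ISSUER_ID"
    if "KEY_ID" in n or "KEYID" in n:                     return "ASC_KEY_ID"
    if "PASSWORD" in n or n.endswith("_PASS"):            return "DISTRIBUTION_CERTIFICATE_PASSWORD"
    if "PROFILE" in n or "MOBILEPROVISION" in n:          return "PROVISIONING_PROFILE"
    if "P8" in n or "PRIVATE_KEY" in n or "API_KEY" in n: return "ASC_API_KEY_P8"
    if "P12" in n or "CERT" in n:                         return "DISTRIBUTION_CERTIFICATE_P12"
    return None

def infer_schema(workflow_yaml: str) -> dict[str, str]:
    """Slot -> name the workflow expects; the first plausible name per slot wins."""
    schema: dict[str, str] = {}
    for name in find_secret_refs(workflow_yaml):
        if (slot := guess_slot(name)) and slot not in schema:
            schema[slot] = name
    return schema

def schema_report(workflow_yaml: str, schema: dict[str, str]) -> dict[str, list[str]]:
    """'unwritten': names the workflow reads that no slot writes (the build fails at run time); 'unused': slots the workflow never reads."""
    refs = set(find_secret_refs(workflow_yaml))
    return {"unwritten": sorted(refs - set(schema.values())),
            "unused": sorted(s for s, n in schema.items() if n not in refs)}
```

Running `schema_report` against the default names shows why a per-app schema is needed: five of the six names in the sample differ from the defaults, so an injection using them would leave the workflow reading secrets that do not exist.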


YAML Mapper (advanced)

For complex setups where the workflow generates a signing configuration file (rather than reading individual secrets), the YAML Mapper lets you define how secret values map to entries in a YAML configuration file. This is an advanced feature intended for teams with non-standard CI setups.


Common pitfalls

⚠️
Certificate and profile must match

The P12 you inject must contain the same certificate that was used to generate the provisioning profile. If they don't match, signing will fail silently. Mainline helps by showing which certificate serial number is embedded in each profile.

ℹ️
GitHub secret writes require secrets: write permission

Your GitHub PAT needs permission to write repository secrets. For fine-grained tokens, this is the Secrets (read and write) permission. For classic tokens, the repo scope covers it.