Refactor iOS deployment workflows and Fastfile #543

Draft
davidmfinol wants to merge 4 commits into main from davidmfinol-patch-5


@davidmfinol davidmfinol commented Mar 9, 2026

Changes

  • Clarify GitHub Actions workflows for iOS certificate setup

Checklist

  • Read the contribution guide and accept the
    code of conduct
  • Readme (updated or not needed)
  • Tests (added, updated or not needed)

Summary by CodeRabbit

  • Documentation

    • Updated iOS deployment docs with restructured certificate setup and refreshed guidance, including new names and triggers for the setup and sync workflows.
    • Updated instructions for running the updated workflows.
  • Chores

    • Bumped Ruby requirement from 3.2 to 3.4 in deployment workflows.
    • Expanded Fastlane setup to support match-based certificate syncing, repository/org parameters, and writable deploy-key handling.

Updated Fastfile and GitHub Actions workflows for iOS deployment. Changed lane name, updated Ruby version, and modified workflow names.

coderabbitai bot commented Mar 9, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 362d8103-c906-4e70-9870-83451e0f4ded

📥 Commits

Reviewing files that changed from the base of the PR and between dfd6e0b and e64b50b.

📒 Files selected for processing (1)
  • docs/03-github/06-deployment/ios.mdx
Walkthrough

Renamed Fastlane lane init_ci → match_init_ci and added parameters (org, repo, match_org, match_repo, writable_deploy_key). Renamed GitHub Actions workflows for iOS certificate setup/sync, bumped Ruby from 3.2 → 3.4 in workflows, and updated documentation and workflow trigger references accordingly. (50 words)

Changes

Cohort / File(s) Summary
Documentation
docs/03-github/06-deployment/ios.mdx
Updated wording, workflow names, triggers, and run instructions to reference "iOS Match Certificates Setup" and "iOS Sync Certificates".
Fastlane
fastlane/Fastfile
Renamed lane init_ci → match_init_ci; added/updated lane signature and parameters: org, repo, match_org, match_repo, writable_deploy_key; inlined env extraction; updated github_action(...) call to pass new params.
Workflows / CI
.github/workflows/... (ios_setup.yml → ios_match_certificates_setup.yml, generate_certs.yml → ios_sync_certificates.yml)
Renamed workflow files/titles, updated triggers to depend on the new setup workflow, replaced fastlane invocation to use ios match_init_ci, and bumped Ruby version from 3.2 to 3.4 in workflow steps.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • GabLeRoux

Poem

🐇 I hopped through lanes and named them new,

match_init_ci now leads the crew.
Workflows renamed, Ruby raised to four,
Certificates marching to the door.
A tiny rabbit cheers — deploy once more!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Refactor iOS deployment workflows and Fastfile' accurately reflects the main changes, which involve renaming and restructuring iOS workflow files and Fastfile lanes.
Description check ✅ Passed The PR description includes a brief summary and completed checklist items, but lacks detail about the specific changes made (new lane names, workflow renamings, Ruby version updates).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



github-actions bot commented Mar 9, 2026

Visit the preview URL for this PR (updated for commit e64b50b):

https://game-ci-5559f--pr543-davidmfinol-patch-5-tg162rzv.web.app

(expires Mon, 16 Mar 2026 09:45:27 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 1f0574f15f83e11bfc148eae8646486a6d0e078b

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
docs/03-github/06-deployment/ios.mdx (2)

194-197: ⚠️ Potential issue | 🟠 Major

Call the renamed lane here too.

The snippet above now defines lane :match_init_ci, but Line 197 still runs bundle exec fastlane ios init_ci. Following step 4 verbatim will make the setup workflow fail on a missing lane.

Suggested fix
-          bundle exec fastlane ios init_ci
+          bundle exec fastlane ios match_init_ci
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/03-github/06-deployment/ios.mdx` around lines 194 - 197, The CI step
currently calls the old Fastlane lane name "init_ci"; update the run command in
the "Build iOS" step to invoke the renamed lane "match_init_ci" (i.e., change
the bundle exec fastlane invocation from "init_ci" to "match_init_ci") so it
matches the defined lane :match_init_ci and prevents a missing-lane failure.

127-154: ⚠️ Potential issue | 🔴 Critical

Move match_org and match_repo declarations to outer scope.

Variables assigned inside the match_init_ci lane block (lines 128–129) are not accessible in the sync_certificates lane block (line 152). In Ruby, block scope does not allow sibling blocks to share locally-scoped variables. Running this Fastfile will fail with an undefined variable error on sync_certificates.

Move both variable declarations to the outer platform :ios do scope before the lane definitions.

Suggested fix
+org, repo = (ENV["GITHUB_REPOSITORY"] || "").split("/")
+match_org, match_repo = (ENV["MATCH_REPOSITORY"] || "").split("/")
+
 platform :ios do
-
   desc "Initialize Match certificates for GitHub Actions"
   lane :match_init_ci do
-    org, repo = (ENV["GITHUB_REPOSITORY"]||"").split("/")
-    match_org, match_repo = (ENV["MATCH_REPOSITORY"]||"").split("/")
     setup_ci
     github_action(
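Review bot: The `|| ""` fallback on the two added top-level assignments turns an unset GITHUB_REPOSITORY or MATCH_REPOSITORY into nil values for org/repo and match_org/match_repo, and nothing visible here stops the lane before those values reach `github_action(`. Consider failing fast right after the split when either half is nil or empty, so a missing secret surfaces as a clear error instead of a malformed repository reference.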
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/03-github/06-deployment/ios.mdx` around lines 127 - 154, match_org and
match_repo are declared inside the match_init_ci lane so they are undefined in
the sibling lane sync_certificates; move the declarations for match_org and
match_repo out of the match_init_ci block into the enclosing platform :ios scope
(i.e. declare match_org, match_repo alongside any other top-level variables
before the lane definitions) so both match_init_ci and sync_certificates can
reference them.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 98128c93-9bc4-4b0f-aadd-3831d1e9c522

📥 Commits

Reviewing files that changed from the base of the PR and between 6cf61c8 and e174bab.

📒 Files selected for processing (1)
  • docs/03-github/06-deployment/ios.mdx

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/03-github/06-deployment/ios.mdx (1)

210-218: ⚠️ Potential issue | 🟡 Minor

Gate the sync workflow on successful setup completion to prevent cascading failures.

The workflow_run trigger with types: [completed] fires regardless of whether the upstream workflow succeeded or failed. Without the success check, a failed setup run will still trigger the sync workflow, creating a second, unnecessary failure. Add the condition to only proceed on success:

🛠️ Suggested fix
 jobs:
   generate_certs:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     runs-on: macos-latest
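Review bot: The added job-level `if` reads `github.event.workflow_run.conclusion`, which is only populated when the run was started by a workflow_run event. If this workflow keeps or later gains another trigger such as workflow_dispatch, the expression evaluates to false and generate_certs is skipped without an error; in that case widen the condition to `github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'`.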
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/03-github/06-deployment/ios.mdx` around lines 210 - 218, The workflow
currently triggers on workflow_run with types: [completed] which fires for both
successes and failures; update the jobs (e.g., the generate_certs job) to only
run when the upstream run concluded successfully by adding a condition that
checks github.event.workflow_run.conclusion == 'success' (for example add an if:
${{ github.event.workflow_run.conclusion == 'success' }} at the job level for
generate_certs) so the sync workflow is gated and won't run on failed upstream
runs.
🧹 Nitpick comments (1)
docs/03-github/06-deployment/ios.mdx (1)

198-204: Prefer ${{ github.repository }} here.

Default GITHUB_* variables are not available through the env context during workflow processing, so ${{ env.GITHUB_REPOSITORY }} is not the right pattern to document. Either use ${{ github.repository }} or drop this mapping and rely on the default runner env var. (docs.github.com)

🛠️ Suggested fix
-          GITHUB_REPOSITORY: ${{ env.GITHUB_REPOSITORY }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/03-github/06-deployment/ios.mdx` around lines 198 - 204, The env mapping
sets GITHUB_REPOSITORY using ${{ env.GITHUB_REPOSITORY }} which is incorrect
during workflow processing; update the mapping in the block that defines
APPSTORE_ISSUER_ID, APPSTORE_KEY_ID, APPSTORE_P8, GH_PAT, GITHUB_REPOSITORY,
MATCH_REPOSITORY to either use ${{ github.repository }} for GITHUB_REPOSITORY or
remove the GITHUB_REPOSITORY entry and rely on the runner-provided env var;
ensure other secret mappings (APPSTORE_ISSUER_ID, APPSTORE_KEY_ID, APPSTORE_P8,
GH_PAT, MATCH_REPOSITORY) remain unchanged.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e4a7e7c4-274c-4206-976c-312fadb4f4c1

📥 Commits

Reviewing files that changed from the base of the PR and between e174bab and dfd6e0b.

📒 Files selected for processing (1)
  • docs/03-github/06-deployment/ios.mdx

Comment on lines +127 to +129
lane :match_init_ci do
org, repo = (ENV["GITHUB_REPOSITORY"]||"").split("/")
match_org, match_repo = (ENV["MATCH_REPOSITORY"]||"").split("/")

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n docs/03-github/06-deployment/ios.mdx | head -250 | tail -130

Repository: game-ci/documentation

Length of output: 5484


🏁 Script executed:

# Verify Fastlane lane scope semantics by checking if there are any other patterns in the file
rg "lane :" docs/03-github/06-deployment/ios.mdx -A 5

Repository: game-ci/documentation

Length of output: 1485


🏁 Script executed:

# Verify Ruby scoping rules in Fastlane - check if there's any documentation or prior examples showing shared scope
grep -n "platform :ios" docs/03-github/06-deployment/ios.mdx -A 30 | head -50

Repository: game-ci/documentation

Length of output: 1543


🏁 Script executed:

# Check the full later Fastfile example to see the correct pattern
sed -n '299,350p' docs/03-github/06-deployment/ios.mdx

Repository: game-ci/documentation

Length of output: 1414


🏁 Script executed:

# Final check: Verify this is indeed the step 4 code block and that the workflows reference match_init_ci
sed -n '115,160p' docs/03-github/06-deployment/ios.mdx | head -20

Repository: game-ci/documentation

Length of output: 802


Move variable assignments outside the lane to platform-level scope.

match_org and match_repo are assigned inside match_init_ci but are needed by sync_certificates at line 152. In Ruby, variables defined inside a method/lane block are local to that block and inaccessible to other lanes. The sync workflow runs in a separate process anyway, so the variables won't persist. This causes a runtime error when sync_certificates executes. The later Fastfile example in this guide (lines 300–301) shows the correct pattern: assign these variables before the platform :ios block.

Suggested fix
+org, repo = (ENV["GITHUB_REPOSITORY"] || "").split("/")
+match_org, match_repo = (ENV["MATCH_REPOSITORY"] || "").split("/")
+
 platform :ios do
-
   desc "Initialize Match certificates for GitHub Actions"
   lane :match_init_ci do
-    org, repo = (ENV["GITHUB_REPOSITORY"]||"").split("/")
-    match_org, match_repo = (ENV["MATCH_REPOSITORY"]||"").split("/")
     setup_ci
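Review bot: `split("/")` in the added top-level assignments accepts any shape of value: a full URL or a slug with extra path segments still yields a match_org and match_repo, just the wrong ones (the first two segments). Since MATCH_REPOSITORY points at the certificates repository, validate it against a strict owner/name pattern before use and abort on a mismatch.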
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/03-github/06-deployment/ios.mdx` around lines 127 - 129, The assignments
for match_org and match_repo are inside the lane match_init_ci but need to be
available to sync_certificates and other lanes; move the lines that set
match_org and match_repo (currently using ENV["MATCH_REPOSITORY"] split) out of
the lane and into platform-level scope (before platform :ios) so they are
defined for the entire Fastfile/CI process and accessible to sync_certificates
and other lanes.
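
The scoping problem described in the comment above, reproduced with a minimal stand-in for the lane DSL. This is an added example, not code from the PR, the documentation or Fastlane; `MiniFastfile`, `parse_slug`, `outcome`, the sample repository slug and the strict owner/name check are assumptions made for illustration.

```ruby
# Hypothetical stand-in for Fastlane's `lane` DSL: it only stores each lane's
# block and runs one lane on request, the way a CI job invokes a single lane.
class MiniFastfile
  def initialize
    @lanes = {}
  end

  def lane(name, &body)
    @lanes[name] = body
  end

  def run(name)
    @lanes.fetch(name).call
  end
end

# Constructed sample environment (not a real repository).
ENV_SAMPLE = { "MATCH_REPOSITORY" => "example-org/example-certificates" }.freeze

# Assumed validation: exactly "owner/name", nothing else.
SLUG = %r{\A([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)\z}

# Split a repository slug, raising instead of silently returning nil parts.
def parse_slug(value, var_name)
  m = SLUG.match(value.to_s)
  raise ArgumentError, "#{var_name} must look like owner/name" unless m
  [m[1], m[2]]
end

# Before: match_org/match_repo are locals of the first lane's block only.
def broken_fastfile(env)
  ff = MiniFastfile.new
  ff.lane(:match_init_ci) do
    match_org, match_repo = (env["MATCH_REPOSITORY"] || "").split("/")
    "init #{match_org}/#{match_repo}"
  end
  ff.lane(:sync_certificates) do
    # Sibling block: match_org was never assigned in this scope.
    "sync #{match_org}/#{match_repo}"
  end
  ff
end

# After: the values are assigned once in the enclosing scope, validated,
# and captured by every lane block as closure variables.
def fixed_fastfile(env)
  match_org, match_repo = parse_slug(env["MATCH_REPOSITORY"], "MATCH_REPOSITORY")
  ff = MiniFastfile.new
  ff.lane(:match_init_ci) { "init #{match_org}/#{match_repo}" }
  ff.lane(:sync_certificates) { "sync #{match_org}/#{match_repo}" }
  ff
end

# Run a lane and report either its result or the NameError it raised.
def outcome(fastfile, lane)
  fastfile.run(lane)
rescue NameError => e
  "#{e.class}: #{e.name}"
end

if __FILE__ == $PROGRAM_NAME
  puts outcome(broken_fastfile(ENV_SAMPLE), :sync_certificates)
  puts outcome(fixed_fastfile(ENV_SAMPLE), :sync_certificates)
end
```
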

shell: bash
run: |
bundle exec fastlane ios init_ci
bundle exec fastlane ios match_init_ci

⚠️ Potential issue | 🟠 Major

Update the later Fastfile example to the new lane name.

Line 197 now runs bundle exec fastlane ios match_init_ci, but the later “replace the contents of the Fastfile” example still defines lane :init_ci. Following the guide end-to-end leaves the documented setup workflow calling a lane that no longer exists.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/03-github/06-deployment/ios.mdx` at line 197, The Fastfile example
defines lane :init_ci but the documentation now invokes bundle exec fastlane ios
match_init_ci; update the Fastfile example to rename the lane from :init_ci to
:match_init_ci (or otherwise ensure the lane name matches the invoked command)
so the example and the earlier command are consistent; update any references to
lane :init_ci in the Fastfile snippet and surrounding text to use match_init_ci
(or vice versa if you prefer changing the command) so the documented workflow
calls an existing lane.

MATCH_REPOSITORY: ${{ secrets.MATCH_REPOSITORY }}
MATCH_DEPLOY_KEY: ${{ secrets.MATCH_DEPLOY_KEY }}
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
IOS_BUNDLE_ID: ${{ secrets.IOS_BUNDLE_ID }}

⚠️ Potential issue | 🟠 Major

Introduce IOS_BUNDLE_ID before asking readers to run these workflows.

Line 242 makes ios_sync_certificates.yml depend on secrets.IOS_BUNDLE_ID, but the guide tells readers to trigger the setup flow in Lines 254-257 before it ever instructs them to create that secret. The first end-to-end run will fail unless they infer the missing setup from later sections.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/03-github/06-deployment/ios.mdx` at line 242, Add an explicit prior step
that instructs readers to create the IOS_BUNDLE_ID secret before they run the
workflows: update the docs section that lists the ios_sync_certificates.yml
workflow dependency (reference the IOS_BUNDLE_ID symbol and
ios_sync_certificates.yml) to include a short step telling users to set the
IOS_BUNDLE_ID secret in their repository/secrets (or show the GitHub UI/CLI
command) before proceeding to the later “trigger setup flow” steps (the workflow
trigger described around the current run instructions); ensure the secret
creation step appears before the workflow execution instructions so the first
end-to-end run does not fail.

Updated instructions for re-running the iOS Match Certificates Setup action to clarify the deletion of the certificates repo and MATCH_DEPLOY_KEY.
@davidmfinol davidmfinol marked this pull request as draft March 9, 2026 09:47