Problem
Even with the pinned Distribution cert (#422), xcodebuild still creates a new Apple Development certificate via the API on every CI run. Over time this will hit the per-account cert quota again.
The -allowProvisioningUpdates flag allows xcodebuild to create both certs and profiles automatically.
Options
Option A: Also pin a Development cert (recommended)
Same pattern as #422 — export the existing "Paul's MacBook Pro" Apple Development cert as a .p12 from Keychain Access, add two more GitHub secrets (IOS_DEV_CERT_P12, IOS_DEV_CERT_PASSWORD), and import it alongside the distribution cert in the workflow.
Option B: Remove -allowProvisioningUpdates
If provisioning profiles are already valid, xcodebuild doesn't need this flag. But any future profile changes (new device, expiry) would require manual portal updates.
Periodic cleanup
Until this is fixed, periodically revoke the "Created via API" Development certs in Certificates, Identifiers & Profiles to avoid hitting the limit again.
Problem
Even with the pinned Distribution cert (#422), xcodebuild still creates a new Apple Development certificate via the API on every CI run. Over time this will hit the per-account cert quota again.
The
-allowProvisioningUpdatesflag allows xcodebuild to create both certs and profiles automatically.Options
Option A: Also pin a Development cert (recommended)
Same pattern as #422 — export the existing "Paul's MacBook Pro" Apple Development cert as a
.p12from Keychain Access, add two more GitHub secrets (IOS_DEV_CERT_P12,IOS_DEV_CERT_PASSWORD), and import it alongside the distribution cert in the workflow.Option B: Remove
-allowProvisioningUpdatesIf provisioning profiles are already valid, xcodebuild doesn't need this flag. But any future profile changes (new device, expiry) would require manual portal updates.
Periodic cleanup
Until this is fixed, periodically revoke the "Created via API" Development certs in Certificates, Identifiers & Profiles to avoid hitting the limit again.