Permission error accessing keychain

I have a shell script (publish_testflight.sh) which is basically this one line.

xcrun altool --upload-app -t ios -f app.ipa -p @keychain:APP_KEY --verbose

It runs just fine if I call it from the command line, but when I call it from my action, it fails.

run: ./.github/scripts/publish_testflight.sh

NSLocalizedDescription Failed to get the password for the keychain item 'APP_KEY'. NSLocalizedFailureReason The keychain returned error code: -25308.

The best I can find is that -25308 is a permissions error. But it does not make sense that this runs fine on the build machine, but not when run from the GitHub action.

Any suggestions on how to fix this?

@petehoch,

> It runs just fine if I call it from the command line, but when I call it from my action

Do you mean that the command line works fine when you directly execute it on your local macOS machine, but does not work when executed in the workflow?

What runner are you using in the workflow? A GitHub-hosted runner or a self-hosted runner on your local machine?
If it is a GitHub-hosted runner, you can try to install a self-hosted runner on your local machine, then try using this self-hosted runner to run the workflow to see if it works.

Yes, the command (or the shell script) works when executed on the CI machine.

It’s the same machine that we have a self-hosted runner on.

So the workflow runner is running on the same machine that I tested on. Script works fine, script called from the workflow action does not.

Also, the self-hosted runner was launched from the same user account that I used to try the script manually.