Xcodebuild Archive fails to errSecInternalComponent in GitHub Action

Hi!

I have an issue to build Archive when using xcodebuild in GitHub Action workflow. The project s quite basic iOS project. Archiving works fine locally using command

xcodebuild -quiet -workspace MyProject.xcworkspace -scheme "MyProject Release" clean archive -configuration release -destination=generic/platform=iOS -archivePath MyProject.xcarchive

Same command via SSH gives an error

errSecInternalComponent. Command CodeSign failed with a nonzero exit code

IF I run a command security unlock-keychain beforehand, then creating .xcarchive passes.

In Keychain Access, I have necessary certificates. Those are located in login.keychain and every certificate seems to be valid.

Also, based on this answer, I have tried to put 6 different Apple Worldwide Developer Relations Certification Authority -certs in System.keychain and removed same stuff from login.keychain. This didn't bring solution either.

Our GitHub (Enterprise) Action workflow is quite simple (here is an extract):

name: Build_Tests
on:
  push:
    branches: 
        - 'GHA_tests'
  workflow_dispatch:

jobs:
  build:
    runs-on: [ self-hosted, macos-1 ]
     .....
      - name: Archive
        shell: bash
        run: |
          xcodebuild -quiet -workspace MyProject.xcworkspace -scheme "MyProject Release" clean archive -configuration release -destination=generic/platform=iOS -archivePath MyProject.xcarchive

In our CI/CD environment is a stack of Macs with latest macOS, and every those has a unique password, so embedding "security unlock-keychain" with password is not a (good) solution. If it is only one to get our build and test environment to work, then we have to start to live with it, but I would love to get some other solution to work. Easiest for us would be that old workflows, with example above, continues to work. I mean that just using commands like "xcodebuild" would work like a charm.

I have also run through this excellent post by eskimo and seems like that certificates are fine. No issues found. Locally run security find-identity -p codesigning gives  in "Matching identities" "4 identities found" and in "Valid identities only" "4 valid identities found". Also, I can run codesign -s "Apple Development" -f "MyTrue" for my certificates four time in a row with success. (We have four certificates, yes. There is one dev for in-house, one for public, one Distribution and an old iPhone Distribution from...past.)

Also, each 4 certs in login.keychain has in Access Control "Confirm before allowing access" selected and in the list "Always allow access..." there is at least a tools codesign and Keychain Access. Apple Distribution cert's Key has four "Always allow..." apps: Keychain Access, Xcode, codesign and productbuild. These certificates are imported to Keychain Access using commands

security unlock-keychain -p <keychain password> login.keychain

security import <certificate file>.p12 -k login.keychain -P <cert password> -T /usr/bin/codesign

security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k <keychain password>

Via SSH I have run command codesign -s and it gave similar issues than in eskimo's example: "MyTrue: errSecInternalComponent". A command security unlock-keychain naturally fixed this. The problem here is that I can't include passwords in CI after unlock-keychain command.

Any ideas what I am doing wrong? My guess is that I am not a far of working solution, but just can make in my mind what I am doing wrong atm. I think that I have tried about everything during these two weeks when wondering this issue. I appreciate everyone who reads this posts and specially you who posts a working solution :)

-Harri