app: CI/CD pipeline for automated iOS + Android builds

[nadavosa]

Context

Sub-issue of #535. Depends on #653 (iOS) and #654 (Android). Automates the build + upload process so every push to main produces a new TestFlight / Play Internal build without manual Xcode/Android Studio steps.

Strategy

Use GitHub Actions with:

• iOS: macos-latest runner with Xcode + fastlane (or direct xcodebuild)
• Android: ubuntu-latest runner with Java + Gradle

Secrets needed (add to GitHub repo settings)

```
APPLE_ID
APP_SPECIFIC_PASSWORD # Apple app-specific password for altool
APPLE_TEAM_ID
IOS_DISTRIBUTION_CERT_P12 # base64-encoded .p12
IOS_DISTRIBUTION_CERT_PASSWORD
IOS_PROVISIONING_PROFILE # base64-encoded .mobileprovision
ANDROID_KEYSTORE_BASE64 # base64-encoded .keystore
ANDROID_KEYSTORE_PASSWORD
ANDROID_KEY_PASSWORD
GOOGLE_PLAY_JSON_KEY # service account JSON for Play API
```

Workflow: .github/workflows/native-build.yml

Triggers on push to main or manual dispatch.

Steps (iOS job — runs on macos-latest)

1. Checkout
2. Install Node + yarn, run next build
3. npx cap sync ios
4. Decode + install distribution cert + provisioning profile
5. xcodebuild archive → xcodebuild -exportArchive
6. Upload .ipa to TestFlight via altool or xcrun notarytool

Steps (Android job — runs on ubuntu-latest)

1. Checkout
2. Install Node + yarn, run next build
3. npx cap sync android
4. Decode keystore from secret
5. ./gradlew bundleRelease
6. Upload .aab to Play Internal Testing via google-github-actions/upload-to-play

Version bumping

Auto-increment build number from GITHUB_RUN_NUMBER so every CI build has a unique number. Version string set from package.json.

Tasks

• Add all secrets to GitHub repo settings
• Create .github/workflows/native-build.yml with iOS + Android jobs
• Test iOS job produces a valid .ipa and uploads to TestFlight
• Test Android job produces a valid .aab and uploads to Play Internal
• Add status badge to README

Depends on

#653 (iOS build), #654 (Android build)