diff --git a/.github/workflows/ios-publish.yml b/.github/workflows/ios-publish.yml
index a82db0ea8..2a6c2ee6a 100644
--- a/.github/workflows/ios-publish.yml
+++ b/.github/workflows/ios-publish.yml
@@ -5,6 +5,7 @@ name: "iOS Publish"
 #   IOS_CERTIFICATE_BASE64         - Apple distribution certificate (.p12) encoded in base64
 #   IOS_CERTIFICATE_PASSWORD       - Password for the .p12 certificate
 #   IOS_PROVISION_PROFILE_BASE64   - App Store provisioning profile (.mobileprovision) encoded in base64
+#   IOS_SHARE_EXTENSION_PROVISION_PROFILE_BASE64 - Share extension App Store provisioning profile (.mobileprovision) encoded in base64
 #   ASC_API_KEY_P8_BASE64          - App Store Connect API key (.p8) encoded in base64
 #   ASC_API_KEY_ID                 - App Store Connect API Key ID
 #   ASC_ISSUER_ID                  - App Store Connect Issuer ID
@@ -12,10 +13,18 @@ name: "iOS Publish"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ios-publish-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
   prepare-assets:
     name: Prepare iOS Assets
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     outputs:
       version: ${{ steps.get-version.outputs.version }}
 
@@ -60,7 +69,8 @@ jobs:
   build-ios:
     name: Build & Submit iOS
     needs: prepare-assets
-    runs-on: macos-15
+    runs-on: macos-26
+    timeout-minutes: 60
     environment: build
 
     steps:
@@ -118,12 +128,32 @@ jobs:
       - name: Import provisioning profile
         env:
           IOS_PROVISION_PROFILE_BASE64: ${{ secrets.IOS_PROVISION_PROFILE_BASE64 }}
+          IOS_SHARE_EXTENSION_PROVISION_PROFILE_BASE64: ${{ secrets.IOS_SHARE_EXTENSION_PROVISION_PROFILE_BASE64 }}
         run: |
-          PROFILE_PATH=$RUNNER_TEMP/profile.mobileprovision
-          echo "$IOS_PROVISION_PROFILE_BASE64" | base64 --decode > "$PROFILE_PATH"
+          set -euo pipefail
+
+          APP_PROFILE_PATH=$RUNNER_TEMP/app.mobileprovision
+          SHARE_PROFILE_PATH=$RUNNER_TEMP/share-extension.mobileprovision
+          APP_PROFILE_PLIST=$RUNNER_TEMP/app-profile.plist
+          SHARE_PROFILE_PLIST=$RUNNER_TEMP/share-extension-profile.plist
+
+          echo "$IOS_PROVISION_PROFILE_BASE64" | base64 --decode > "$APP_PROFILE_PATH"
+          echo "$IOS_SHARE_EXTENSION_PROVISION_PROFILE_BASE64" | base64 --decode > "$SHARE_PROFILE_PATH"
+
+          security cms -D -i "$APP_PROFILE_PATH" > "$APP_PROFILE_PLIST"
+          security cms -D -i "$SHARE_PROFILE_PATH" > "$SHARE_PROFILE_PLIST"
+
+          APP_PROFILE_NAME=$(/usr/libexec/PlistBuddy -c "Print :Name" "$APP_PROFILE_PLIST")
+          SHARE_PROFILE_NAME=$(/usr/libexec/PlistBuddy -c "Print :Name" "$SHARE_PROFILE_PLIST")
+          IOS_TEAM_ID=$(/usr/libexec/PlistBuddy -c "Print :TeamIdentifier:0" "$APP_PROFILE_PLIST")
 
           mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
-          cp "$PROFILE_PATH" ~/Library/MobileDevice/Provisioning\ Profiles/
+          cp "$APP_PROFILE_PATH" ~/Library/MobileDevice/Provisioning\ Profiles/
+          cp "$SHARE_PROFILE_PATH" ~/Library/MobileDevice/Provisioning\ Profiles/
+
+          echo "APP_PROFILE_NAME=$APP_PROFILE_NAME" >> $GITHUB_ENV
+          echo "SHARE_PROFILE_NAME=$SHARE_PROFILE_NAME" >> $GITHUB_ENV
+          echo "IOS_TEAM_ID=$IOS_TEAM_ID" >> $GITHUB_ENV
 
       - name: Build archive
         run: |
@@ -134,21 +164,35 @@ jobs:
             -configuration Release \
             -archivePath $RUNNER_TEMP/eeuiApp.xcarchive \
             -allowProvisioningUpdates \
+            DEVELOPMENT_TEAM=$IOS_TEAM_ID \
             CODE_SIGN_STYLE=Manual \
             | xcpretty
 
       - name: Export IPA
         run: |
+          set -euo pipefail
+
           cd resources/mobile/platforms/ios/eeuiApp
 
           # Generate ExportOptions.plist
-          cat > $RUNNER_TEMP/ExportOptions.plist << 'PLIST'
+          cat > $RUNNER_TEMP/ExportOptions.plist << PLIST
           <?xml version="1.0" encoding="UTF-8"?>
           <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
           <plist version="1.0">
           <dict>
               <key>method</key>
               <string>app-store</string>
+              <key>signingStyle</key>
+              <string>manual</string>
+              <key>teamID</key>
+              <string>${IOS_TEAM_ID}</string>
+              <key>provisioningProfiles</key>
+              <dict>
+                  <key>com.dootask.task</key>
+                  <string>${APP_PROFILE_NAME}</string>
+                  <key>com.dootask.task.shareExtension</key>
+                  <string>${SHARE_PROFILE_NAME}</string>
+              </dict>
               <key>uploadBitcode</key>
               <false/>
               <key>uploadSymbols</key>
@@ -170,12 +214,18 @@ jobs:
           ASC_ISSUER_ID: ${{ secrets.ASC_ISSUER_ID }}
           ASC_API_KEY_P8_BASE64: ${{ secrets.ASC_API_KEY_P8_BASE64 }}
         run: |
+          set -euo pipefail
+
           # Prepare API key
           mkdir -p ~/private_keys
           echo "$ASC_API_KEY_P8_BASE64" | base64 --decode > ~/private_keys/AuthKey_${ASC_API_KEY_ID}.p8
 
           # Find and upload IPA
           IPA_PATH=$(find $RUNNER_TEMP/ipa-output -name "*.ipa" | head -1)
+          if [ -z "$IPA_PATH" ]; then
+            echo "No IPA file found in $RUNNER_TEMP/ipa-output"
+            exit 1
+          fi
           echo "Uploading: $IPA_PATH"
 
           xcrun altool --upload-app \
@@ -189,5 +239,8 @@ jobs:
         run: |
           security delete-keychain $RUNNER_TEMP/app-signing.keychain-db 2>/dev/null || true
           rm -f $RUNNER_TEMP/certificate.p12
-          rm -f $RUNNER_TEMP/profile.mobileprovision
+          rm -f $RUNNER_TEMP/app.mobileprovision
+          rm -f $RUNNER_TEMP/share-extension.mobileprovision
+          rm -f $RUNNER_TEMP/app-profile.plist
+          rm -f $RUNNER_TEMP/share-extension-profile.plist
           rm -rf ~/private_keys