@daemux/store-automator 0.10.61 → 0.10.62

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.61"
+    "version": "0.10.62"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.61",
+      "version": "0.10.62",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.61",
+  "version": "0.10.62",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.61",
+  "version": "0.10.62",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/github/workflows/ios-native-release.yml

@@ -0,0 +1,39 @@
+name: iOS Deploy
+
+# Native-Swift iOS release pipeline. Archives the app and uploads it to
+# TestFlight via the App Store Connect API.
+#
+# Required repository secrets:
+#   ASC_KEY_ID      App Store Connect API key id (e.g. "5NBDY6YXJ6")
+#   ASC_ISSUER_ID   App Store Connect API issuer id (uuid)
+#   ASC_KEY_P8      Full contents of the AuthKey_*.p8 file
+#
+# Edit the `with:` block below to match your project.
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: ios-deploy-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: macos-latest
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: daemux/daemux-plugins/.github/actions/ios-native-testflight@main
+        with:
+          project: MyApp.xcodeproj
+          scheme: MyApp
+          bundle-id: com.example.myapp
+          team-id: ABCDE12345
+          app-store-apple-id: "1234567890"
+        env:
+          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
+          ASC_ISSUER_ID: ${{ secrets.ASC_ISSUER_ID }}
+          ASC_KEY_P8: ${{ secrets.ASC_KEY_P8 }}

package/templates/scripts/ci/ios-native/next_build_number.py

@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+"""
+Query App Store Connect for the highest-numbered build (across all states,
+all platforms) for this app and print `<highest + 1>` to stdout.
+
+If no builds exist yet, print 1.
+
+Environment:
+  ASC_KEY_ID           - API key ID
+  ASC_ISSUER_ID        - API issuer ID
+  ASC_KEY_PATH         - Path to the .p8 key file
+  APP_STORE_APPLE_ID   - App Store numeric app id
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+import time
+
+import jwt
+import requests
+
+
+def env(name: str) -> str:
+    val = os.environ.get(name)
+    if not val:
+        raise SystemExit(f"missing env var: {name}")
+    return val
+
+
+def main() -> None:
+    key_id = env("ASC_KEY_ID")
+    issuer_id = env("ASC_ISSUER_ID")
+    key_path = env("ASC_KEY_PATH")
+    app_id = env("APP_STORE_APPLE_ID")
+
+    with open(key_path) as f:
+        key = f.read()
+
+    now = int(time.time())
+    token = jwt.encode(
+        {"iss": issuer_id, "iat": now, "exp": now + 600, "aud": "appstoreconnect-v1"},
+        key,
+        algorithm="ES256",
+        headers={"kid": key_id, "typ": "JWT"},
+    )
+
+    # Sort by -version requests highest version first; limit 200 is plenty.
+    url = (
+        "https://api.appstoreconnect.apple.com/v1/builds"
+        f"?filter[app]={app_id}&sort=-version&limit=200"
+    )
+    resp = requests.get(url, headers={"Authorization": f"Bearer {token}"})
+    if resp.status_code >= 400:
+        print(f"ASC builds list failed: {resp.status_code}\n{resp.text[:500]}", file=sys.stderr)
+        raise SystemExit(1)
+
+    highest = 0
+    for b in resp.json().get("data", []):
+        ver = b.get("attributes", {}).get("version")
+        try:
+            n = int(ver)
+        except (TypeError, ValueError):
+            continue
+        if n > highest:
+            highest = n
+
+    print(highest + 1)
+
+
+if __name__ == "__main__":
+    main()

package/templates/scripts/ci/ios-native/next_marketing_version.py

@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+"""
+Compute the next CFBundleShortVersionString for this app.
+
+Strategy:
+  * Look at all existing pre-release (TestFlight) and App Store versions.
+  * Take the highest semantic-version triple and bump its patch component.
+  * If no versions exist yet, return 1.0.0.
+
+Prints the chosen version to stdout.
+
+Environment:
+  ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_PATH, APP_STORE_APPLE_ID
+"""
+
+from __future__ import annotations
+
+import os
+import re
+import sys
+import time
+
+import jwt
+import requests
+
+
+def env(name: str) -> str:
+    v = os.environ.get(name)
+    if not v:
+        raise SystemExit(f"missing env var: {name}")
+    return v
+
+
+SEM_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")
+
+
+def parse_sem(v: str) -> tuple[int, int, int] | None:
+    m = SEM_RE.match(v or "")
+    if not m:
+        return None
+    major = int(m.group(1))
+    minor = int(m.group(2))
+    patch = int(m.group(3) or 0)
+    return major, minor, patch
+
+
+def main() -> None:
+    key_id = env("ASC_KEY_ID")
+    issuer_id = env("ASC_ISSUER_ID")
+    key_path = env("ASC_KEY_PATH")
+    app_id = env("APP_STORE_APPLE_ID")
+
+    with open(key_path) as f:
+        key = f.read()
+    now = int(time.time())
+    token = jwt.encode(
+        {"iss": issuer_id, "iat": now, "exp": now + 600, "aud": "appstoreconnect-v1"},
+        key,
+        algorithm="ES256",
+        headers={"kid": key_id, "typ": "JWT"},
+    )
+    headers = {"Authorization": f"Bearer {token}"}
+
+    highest: tuple[int, int, int] = (0, 0, 0)
+
+    for endpoint, field in (
+        (f"/v1/apps/{app_id}/preReleaseVersions?limit=200", "version"),
+        (f"/v1/apps/{app_id}/appStoreVersions?limit=200", "versionString"),
+    ):
+        url = f"https://api.appstoreconnect.apple.com{endpoint}"
+        resp = requests.get(url, headers=headers)
+        if resp.status_code >= 400:
+            print(
+                f"ASC GET {endpoint} failed: {resp.status_code}\n{resp.text[:500]}",
+                file=sys.stderr,
+            )
+            raise SystemExit(1)
+        for item in resp.json().get("data", []):
+            v = item.get("attributes", {}).get(field)
+            parsed = parse_sem(v)
+            if parsed and parsed > highest:
+                highest = parsed
+
+    if highest == (0, 0, 0):
+        print("1.0.0")
+        return
+
+    major, minor, patch = highest
+    print(f"{major}.{minor}.{patch + 1}")
+
+
+if __name__ == "__main__":
+    main()

package/templates/scripts/ci/ios-native/prepare_signing.py

@@ -0,0 +1,361 @@
+#!/usr/bin/env python3
+"""
+Prepare iOS code signing on a fresh CI runner.
+
+Uses the App Store Connect API (auth via P8 key) to:
+  1. Generate an RSA private key + CSR
+  2. Revoke any previously-created CI Apple Distribution certs (marker match)
+  3. Create a new Apple Distribution certificate from the CSR
+  4. Ensure a provisioning profile with a known name exists for the bundle ID,
+     linked to the new cert. If it exists, delete+recreate to refresh it.
+  5. Install the profile into ~/Library/MobileDevice/Provisioning Profiles/
+  6. Import cert + private key into a dedicated temporary keychain and put
+     that keychain on the search list so codesign / xcodebuild can find it.
+
+Environment inputs:
+  ASC_KEY_ID        - App Store Connect API key ID
+  ASC_ISSUER_ID     - App Store Connect API issuer ID
+  ASC_KEY_PATH      - Path to the .p8 private key file
+  TEAM_ID           - Apple developer team ID
+  BUNDLE_ID         - App bundle identifier
+  PROFILE_NAME      - Desired provisioning profile name
+  RUNNER_TEMP       - GitHub Actions temp dir (for keychain + intermediates)
+
+Writes nothing to stdout that would leak secrets.
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+import os
+import subprocess
+import sys
+import time
+from pathlib import Path
+
+import jwt
+import requests
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.x509.oid import NameOID
+
+
+ASC_BASE = "https://api.appstoreconnect.apple.com/v1"
+CERT_MARKER = "ScudoVPN-CI"
+
+
+def env(name: str) -> str:
+    val = os.environ.get(name)
+    if not val:
+        raise SystemExit(f"missing env var: {name}")
+    return val
+
+
+def make_jwt(key_id: str, issuer_id: str, key_path: str) -> str:
+    with open(key_path, "r") as f:
+        key = f.read()
+    now = int(time.time())
+    payload = {
+        "iss": issuer_id,
+        "iat": now,
+        "exp": now + 600,
+        "aud": "appstoreconnect-v1",
+    }
+    return jwt.encode(
+        payload, key, algorithm="ES256", headers={"kid": key_id, "typ": "JWT"}
+    )
+
+
+def api(method: str, path: str, token: str, **kwargs) -> requests.Response:
+    url = path if path.startswith("http") else f"{ASC_BASE}{path}"
+    headers = kwargs.pop("headers", {})
+    headers["Authorization"] = f"Bearer {token}"
+    if "json" in kwargs:
+        headers["Content-Type"] = "application/json"
+    resp = requests.request(method, url, headers=headers, **kwargs)
+    if resp.status_code >= 400:
+        raise SystemExit(
+            f"ASC API {method} {path} failed: {resp.status_code}\n{resp.text[:2000]}"
+        )
+    return resp
+
+
+def generate_key_and_csr() -> tuple[rsa.RSAPrivateKey, bytes, bytes]:
+    """Return (private_key, private_key_pem, csr_der)."""
+    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    csr = (
+        x509.CertificateSigningRequestBuilder()
+        .subject_name(
+            x509.Name(
+                [
+                    x509.NameAttribute(NameOID.COMMON_NAME, "ScudoVPN CI"),
+                    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
+                ]
+            )
+        )
+        .sign(private_key, hashes.SHA256())
+    )
+    priv_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.NoEncryption(),
+    )
+    # Apple wants the CSR PEM base64 (without headers)
+    csr_pem = csr.public_bytes(serialization.Encoding.PEM)
+    csr_payload = b"".join(
+        line for line in csr_pem.splitlines() if not line.startswith(b"-----")
+    )
+    return private_key, priv_pem, csr_payload
+
+
+def newest_distribution_cert_id(token: str) -> str | None:
+    """Return the ID of the most-recently-created DISTRIBUTION cert, or None."""
+    resp = api(
+        "GET",
+        "/certificates?limit=200&sort=-id&filter[certificateType]=DISTRIBUTION",
+        token,
+    )
+    newest_id = None
+    newest_exp = ""
+    for cert in resp.json().get("data", []):
+        attrs = cert.get("attributes") or {}
+        # Use expirationDate as a proxy for creation time (cert expiration
+        # is exactly creation + 1 year for Apple Distribution certs).
+        exp = attrs.get("expirationDate") or ""
+        if exp > newest_exp:
+            newest_exp = exp
+            newest_id = cert["id"]
+    return newest_id
+
+
+def revoke_cert(token: str, cert_id: str) -> None:
+    print(f"Revoking distribution cert {cert_id}")
+    api("DELETE", f"/certificates/{cert_id}", token)
+
+
+def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
+    """Return (certificate_id, DER-encoded certificate bytes).
+
+    Apple enforces a per-team cap on active Distribution certs. If the POST
+    comes back 409 (already have one or pending), revoke the newest existing
+    one and retry once. This is the CI-owned cert from a prior run.
+    """
+    body = {
+        "data": {
+            "type": "certificates",
+            "attributes": {
+                "csrContent": csr_b64,
+                "certificateType": "DISTRIBUTION",
+            },
+        }
+    }
+    url = f"{ASC_BASE}/certificates"
+    headers = {
+        "Authorization": f"Bearer {token}",
+        "Content-Type": "application/json",
+    }
+    resp = requests.post(url, headers=headers, json=body)
+    if resp.status_code == 409:
+        print("Distribution cert cap hit; revoking newest existing cert")
+        target = newest_distribution_cert_id(token)
+        if not target:
+            raise SystemExit(
+                "409 from cert create but no existing DISTRIBUTION cert "
+                "found to revoke"
+            )
+        revoke_cert(token, target)
+        resp = requests.post(url, headers=headers, json=body)
+    if resp.status_code >= 400:
+        raise SystemExit(
+            f"ASC API POST /certificates failed: {resp.status_code}\n"
+            f"{resp.text[:2000]}"
+        )
+    data = resp.json()["data"]
+    cert_id = data["id"]
+    cert_content_b64 = data["attributes"]["certificateContent"]
+    cert_der = base64.b64decode(cert_content_b64)
+    print(f"Created DISTRIBUTION cert {cert_id}")
+    return cert_id, cert_der
+
+
+def find_bundle_id(token: str, identifier: str) -> str:
+    resp = api(
+        "GET", f"/bundleIds?filter[identifier]={identifier}&limit=5", token
+    )
+    for item in resp.json().get("data", []):
+        if item["attributes"]["identifier"] == identifier:
+            return item["id"]
+    raise SystemExit(f"bundle id {identifier!r} not found in ASC")
+
+
+def delete_profile_by_name(token: str, name: str) -> None:
+    resp = api("GET", "/profiles?limit=200", token)
+    for p in resp.json().get("data", []):
+        if (p["attributes"].get("name") or "") == name:
+            pid = p["id"]
+            print(f"Deleting existing profile {pid} ({name})")
+            api("DELETE", f"/profiles/{pid}", token)
+
+
+def create_profile(
+    token: str, name: str, bundle_id_pk: str, cert_id: str
+) -> bytes:
+    body = {
+        "data": {
+            "type": "profiles",
+            "attributes": {
+                "name": name,
+                "profileType": "IOS_APP_STORE",
+            },
+            "relationships": {
+                "bundleId": {"data": {"type": "bundleIds", "id": bundle_id_pk}},
+                "certificates": {
+                    "data": [{"type": "certificates", "id": cert_id}]
+                },
+            },
+        }
+    }
+    resp = api("POST", "/profiles", token, json=body)
+    data = resp.json()["data"]
+    profile_content_b64 = data["attributes"]["profileContent"]
+    return base64.b64decode(profile_content_b64)
+
+
+def install_profile(profile_der: bytes) -> str:
+    """Write the .mobileprovision file and return its uuid."""
+    # Extract UUID from profile (it's CMS-signed plist)
+    # Use `security cms -D -i <path>` to decode.
+    profiles_dir = Path.home() / "Library/MobileDevice/Provisioning Profiles"
+    profiles_dir.mkdir(parents=True, exist_ok=True)
+    tmp_path = profiles_dir / "tmp.mobileprovision"
+    tmp_path.write_bytes(profile_der)
+    decoded = subprocess.check_output(
+        ["security", "cms", "-D", "-i", str(tmp_path)]
+    )
+    import plistlib
+
+    plist = plistlib.loads(decoded)
+    uuid = plist["UUID"]
+    final_path = profiles_dir / f"{uuid}.mobileprovision"
+    tmp_path.rename(final_path)
+    print(f"Installed provisioning profile {uuid} at {final_path}")
+    return uuid
+
+
+def write_p12(
+    private_key: rsa.RSAPrivateKey, cert_der: bytes, out_path: Path, passwd: str
+) -> None:
+    cert = x509.load_der_x509_certificate(cert_der)
+    from cryptography.hazmat.primitives.serialization import pkcs12
+
+    p12 = pkcs12.serialize_key_and_certificates(
+        name=b"ScudoVPN CI",
+        key=private_key,
+        cert=cert,
+        cas=None,
+        encryption_algorithm=serialization.BestAvailableEncryption(
+            passwd.encode()
+        ),
+    )
+    out_path.write_bytes(p12)
+
+
+def setup_keychain(p12_path: Path, p12_pass: str) -> str:
+    runner_temp = env("RUNNER_TEMP")
+    keychain_path = os.path.join(runner_temp, "ci.keychain-db")
+    keychain_pass = "ci"
+    # Remove stale
+    subprocess.run(
+        ["security", "delete-keychain", keychain_path],
+        check=False,
+        capture_output=True,
+    )
+    subprocess.check_call(
+        ["security", "create-keychain", "-p", keychain_pass, keychain_path]
+    )
+    subprocess.check_call(
+        ["security", "set-keychain-settings", "-lut", "21600", keychain_path]
+    )
+    subprocess.check_call(
+        ["security", "unlock-keychain", "-p", keychain_pass, keychain_path]
+    )
+    # Import the p12
+    subprocess.check_call(
+        [
+            "security",
+            "import",
+            str(p12_path),
+            "-P",
+            p12_pass,
+            "-A",  # allow any app to read (simplest for CI)
+            "-t",
+            "cert",
+            "-f",
+            "pkcs12",
+            "-k",
+            keychain_path,
+        ]
+    )
+    # Allow codesign to use the key without prompts (modern macOS)
+    subprocess.check_call(
+        [
+            "security",
+            "set-key-partition-list",
+            "-S",
+            "apple-tool:,apple:,codesign:",
+            "-s",
+            "-k",
+            keychain_pass,
+            keychain_path,
+        ]
+    )
+    # Add to default search list (in addition to login + System)
+    existing = subprocess.check_output(
+        ["security", "list-keychains", "-d", "user"]
+    ).decode()
+    existing_list = [
+        line.strip().strip('"')
+        for line in existing.splitlines()
+        if line.strip()
+    ]
+    new_list = [keychain_path] + [
+        k for k in existing_list if k != keychain_path
+    ]
+    subprocess.check_call(
+        ["security", "list-keychains", "-d", "user", "-s", *new_list]
+    )
+    subprocess.check_call(
+        ["security", "default-keychain", "-s", keychain_path]
+    )
+    print(f"Keychain ready: {keychain_path}")
+    return keychain_path
+
+
+def main() -> None:
+    key_id = env("ASC_KEY_ID")
+    issuer_id = env("ASC_ISSUER_ID")
+    asc_key_path = env("ASC_KEY_PATH")
+    bundle_id = env("BUNDLE_ID")
+    profile_name = env("PROFILE_NAME")
+    runner_temp = env("RUNNER_TEMP")
+
+    token = make_jwt(key_id, issuer_id, asc_key_path)
+
+    private_key, priv_pem, csr_b64 = generate_key_and_csr()
+    cert_id, cert_der = create_distribution_cert(token, csr_b64.decode())
+
+    bundle_pk = find_bundle_id(token, bundle_id)
+    delete_profile_by_name(token, profile_name)
+    profile_der = create_profile(token, profile_name, bundle_pk, cert_id)
+    install_profile(profile_der)
+
+    p12_pass = "ci"
+    p12_path = Path(runner_temp) / "cert.p12"
+    write_p12(private_key, cert_der, p12_path, p12_pass)
+    setup_keychain(p12_path, p12_pass)
+
+
+if __name__ == "__main__":
+    main()