@daemux/store-automator 0.10.66 → 0.10.67

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.66"
+    "version": "0.10.67"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.66",
+      "version": "0.10.67",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.66",
+  "version": "0.10.67",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.66",
+  "version": "0.10.67",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/scripts/ci/ios-native/asc_common.py

@@ -0,0 +1,143 @@
+#!/usr/bin/env python3
+"""
+Shared helpers for App Store Connect API calls.
+
+Provides JWT generation, a retrying HTTP client, and state-classification
+constants used by multiple scripts in this action.
+"""
+
+from __future__ import annotations
+
+import sys
+import time
+from typing import Any
+
+import jwt
+import requests
+
+
+ASC_BASE = "https://api.appstoreconnect.apple.com/v1"
+
+# App Store version states that allow editing the current draft.
+EDITABLE_STATES = {
+    "PREPARE_FOR_SUBMISSION",
+    "WAITING_FOR_REVIEW",
+    "IN_REVIEW",
+    "REJECTED",
+    "METADATA_REJECTED",
+    "INVALID_BINARY",
+    "DEVELOPER_REJECTED",
+}
+
+# Terminal states: the version is locked and a new one must be created.
+TERMINAL_STATES = {
+    "READY_FOR_SALE",
+    "PROCESSING_FOR_APP_STORE",
+    "PENDING_APPLE_RELEASE",
+    "REPLACED_WITH_NEW_VERSION",
+    "REMOVED_FROM_SALE",
+    "NOT_APPLICABLE",
+}
+
+# Blocking states: the version is approved but awaiting developer action.
+BLOCKING_STATES = {"PENDING_DEVELOPER_RELEASE"}
+
+
+# Retry policy for App Store Connect API calls.
+#
+# Apple's API intermittently returns 5xx under load and uses 429 for throttling.
+# These are retryable; non-listed 4xx responses are not (retrying just produces
+# the same failure).
+_RETRY_STATUSES = {429, 500, 502, 503, 504}
+_RETRY_BACKOFFS = (2, 8, 30)  # seconds
+
+
+def make_jwt(key_id: str, issuer_id: str, key_path: str) -> str:
+    """Return an ES256 JWT valid for 20 minutes, audience appstoreconnect-v1."""
+    with open(key_path, "r") as f:
+        key = f.read()
+    now = int(time.time())
+    payload = {
+        "iss": issuer_id,
+        "iat": now,
+        "exp": now + 1200,
+        "aud": "appstoreconnect-v1",
+    }
+    return jwt.encode(
+        payload, key, algorithm="ES256", headers={"kid": key_id, "typ": "JWT"}
+    )
+
+
+def request(
+    method: str,
+    path: str,
+    token: str,
+    *,
+    json_body: Any = None,
+    params: dict | None = None,
+    allow_status: set[int] | None = None,
+    max_attempts: int = 3,
+) -> requests.Response:
+    """HTTP request with retry on 429/5xx.
+
+    `path` is the portion after `/v1` (e.g. "/apps/123/appStoreVersions").
+    `allow_status` lists non-2xx statuses the caller wants returned without
+    raising (useful for 409 conflict handling).
+    Raises SystemExit(1) on non-retryable failure with a clear stderr message.
+    """
+    url = f"{ASC_BASE}{path}"
+    headers = {"Authorization": f"Bearer {token}"}
+    if json_body is not None:
+        headers["Content-Type"] = "application/json"
+
+    backoffs = _RETRY_BACKOFFS[: max(0, max_attempts - 1)]
+    total_attempts = len(backoffs) + 1
+    resp: requests.Response | None = None
+
+    for attempt in range(total_attempts):
+        try:
+            resp = requests.request(
+                method, url, headers=headers, params=params, json=json_body
+            )
+        except requests.RequestException as exc:
+            if attempt < total_attempts - 1:
+                delay = backoffs[attempt]
+                print(
+                    f"ASC {method} {path} network error ({exc!r}); "
+                    f"retrying in {delay}s ({attempt + 1}/{total_attempts - 1})",
+                    file=sys.stderr,
+                )
+                time.sleep(delay)
+                continue
+            raise SystemExit(
+                f"ASC {method} {path} network error after {total_attempts} "
+                f"attempts: {exc!r}"
+            )
+
+        if resp.status_code < 400:
+            return resp
+
+        if allow_status and resp.status_code in allow_status:
+            return resp
+
+        if resp.status_code in _RETRY_STATUSES and attempt < total_attempts - 1:
+            delay = backoffs[attempt]
+            print(
+                f"ASC {method} {path} returned {resp.status_code}; "
+                f"retrying in {delay}s ({attempt + 1}/{total_attempts - 1})",
+                file=sys.stderr,
+            )
+            time.sleep(delay)
+            continue
+
+        break
+
+    assert resp is not None
+    raise SystemExit(
+        f"ASC {method} {path} failed: {resp.status_code}\n{resp.text[:2000]}"
+    )
+
+
+def get_json(path: str, token: str, *, params: dict | None = None) -> dict:
+    """GET `path` and return the decoded JSON body."""
+    return request("GET", path, token, params=params).json()

package/templates/scripts/ci/ios-native/manage_marketing_version.py

@@ -0,0 +1,231 @@
+#!/usr/bin/env python3
+"""
+Resolve the App Store Connect version slot for this run.
+
+Reads MARKETING_VERSION from the Xcode project (via env) and decides whether
+to REUSE an existing editable draft on ASC or CREATE a new one. Never
+auto-bumps the version — the developer pins intent in Xcode, CI honours it.
+
+Environment:
+  ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_PATH, APP_STORE_APPLE_ID
+  PROJECT_MARKETING_VERSION  — e.g. "1.2.3" or "1.2" (normalized to 3-part)
+
+Stdout: single-line JSON
+  {"decision":"REUSE|CREATE","versionString":"...","appStoreVersionId":"..."}
+
+Stderr: human-readable log + ::error:: lines for GitHub Actions.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import sys
+
+from asc_common import (
+    BLOCKING_STATES,
+    EDITABLE_STATES,
+    TERMINAL_STATES,
+    get_json,
+    make_jwt,
+    request,
+)
+
+
+SEM_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")
+
+
+def env(name: str) -> str:
+    val = os.environ.get(name)
+    if not val:
+        print(f"::error::Missing required env var: {name}", file=sys.stderr)
+        raise SystemExit(1)
+    return val
+
+
+def normalize(v: str) -> str:
+    m = SEM_RE.match(v)
+    if not m:
+        print(
+            f"::error::PROJECT_MARKETING_VERSION ({v!r}) is not a valid "
+            f"semantic version (expected MAJOR.MINOR[.PATCH]).",
+            file=sys.stderr,
+        )
+        raise SystemExit(1)
+    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
+    return f"{major}.{minor}.{patch}"
+
+
+def to_tuple(v: str) -> tuple[int, int, int]:
+    parts = v.split(".")
+    while len(parts) < 3:
+        parts.append("0")
+    return int(parts[0]), int(parts[1]), int(parts[2])
+
+
+def fetch_versions(app_id: str, token: str) -> list[dict]:
+    """Return list of {'versionString','state','id'} for IOS versions."""
+    data = get_json(
+        f"/apps/{app_id}/appStoreVersions",
+        token,
+        params={
+            "limit": 200,
+            "sort": "-createdDate",
+            "filter[platform]": "IOS",
+        },
+    )
+    out: list[dict] = []
+    for item in data.get("data", []):
+        attrs = item.get("attributes") or {}
+        out.append(
+            {
+                "versionString": attrs.get("versionString") or "",
+                "state": attrs.get("appStoreState") or "",
+                "id": item.get("id") or "",
+            }
+        )
+    return out
+
+
+def highest_terminal(versions: list[dict]) -> tuple[int, int, int] | None:
+    best: tuple[int, int, int] | None = None
+    for v in versions:
+        if v["state"] not in TERMINAL_STATES:
+            continue
+        parsed = SEM_RE.match(v["versionString"])
+        if not parsed:
+            continue
+        t = to_tuple(v["versionString"])
+        if best is None or t > best:
+            best = t
+    return best
+
+
+def fail_terminal(v: str, state: str) -> None:
+    print(
+        f"::error::Version {v} is already {state} on App Store Connect. "
+        f"Bump MARKETING_VERSION in the Xcode project to publish a new "
+        f"release.",
+        file=sys.stderr,
+    )
+    raise SystemExit(1)
+
+
+def fail_blocking(v: str) -> None:
+    print(
+        f"::error::Version {v} is PENDING_DEVELOPER_RELEASE on App Store "
+        f"Connect. Release it manually (or bump MARKETING_VERSION in the "
+        f"Xcode project), then retry.",
+        file=sys.stderr,
+    )
+    raise SystemExit(1)
+
+
+def fail_not_higher(v: str, published: tuple[int, int, int]) -> None:
+    p = ".".join(str(x) for x in published)
+    print(
+        f"::error::MARKETING_VERSION ({v}) is not higher than the published "
+        f"version ({p}) on App Store Connect. Bump MARKETING_VERSION in the "
+        f"Xcode project.",
+        file=sys.stderr,
+    )
+    raise SystemExit(1)
+
+
+def create_version(app_id: str, version: str, token: str) -> str:
+    body = {
+        "data": {
+            "type": "appStoreVersions",
+            "attributes": {
+                "platform": "IOS",
+                "versionString": version,
+                "releaseType": "AFTER_APPROVAL",
+            },
+            "relationships": {
+                "app": {"data": {"type": "apps", "id": app_id}},
+            },
+        }
+    }
+    resp = request(
+        "POST",
+        "/appStoreVersions",
+        token,
+        json_body=body,
+        allow_status={409},
+    )
+    if resp.status_code == 409:
+        # Race / eventual consistency: re-query and treat as REUSE if editable.
+        versions = fetch_versions(app_id, token)
+        match = next(
+            (v for v in versions if v["versionString"] == version), None
+        )
+        if match and match["state"] in EDITABLE_STATES:
+            print(
+                f"[decision] REUSE {version} (state={match['state']}, "
+                f"id={match['id']}) — recovered from 409 on create",
+                file=sys.stderr,
+            )
+            return match["id"]
+        if match and match["state"] in BLOCKING_STATES:
+            fail_blocking(version)
+        if match:
+            fail_terminal(version, match["state"])
+        raise SystemExit(
+            f"POST /appStoreVersions returned 409 but no matching version "
+            f"{version} was found on re-query:\n{resp.text[:500]}"
+        )
+    new_id = resp.json()["data"]["id"]
+    print(
+        f"[decision] CREATE {version} -> appStoreVersion id={new_id}",
+        file=sys.stderr,
+    )
+    return new_id
+
+
+def main() -> None:
+    key_id = env("ASC_KEY_ID")
+    issuer_id = env("ASC_ISSUER_ID")
+    key_path = env("ASC_KEY_PATH")
+    app_id = env("APP_STORE_APPLE_ID")
+    project_version = normalize(env("PROJECT_MARKETING_VERSION"))
+
+    token = make_jwt(key_id, issuer_id, key_path)
+    versions = fetch_versions(app_id, token)
+    match = next(
+        (v for v in versions if v["versionString"] == project_version), None
+    )
+
+    if match and match["state"] in EDITABLE_STATES:
+        print(
+            f"[decision] REUSE {project_version} (state={match['state']}, "
+            f"id={match['id']})",
+            file=sys.stderr,
+        )
+        result = {
+            "decision": "REUSE",
+            "versionString": project_version,
+            "appStoreVersionId": match["id"],
+        }
+    elif match and match["state"] in BLOCKING_STATES:
+        fail_blocking(project_version)
+        return  # unreachable
+    elif match and match["state"] in TERMINAL_STATES:
+        fail_terminal(project_version, match["state"])
+        return  # unreachable
+    else:
+        top = highest_terminal(versions)
+        if top is not None and to_tuple(project_version) <= top:
+            fail_not_higher(project_version, top)
+        new_id = create_version(app_id, project_version, token)
+        result = {
+            "decision": "CREATE",
+            "versionString": project_version,
+            "appStoreVersionId": new_id,
+        }
+
+    print(json.dumps(result))
+
+
+if __name__ == "__main__":
+    main()

package/templates/scripts/ci/ios-native/next_build_number.py

@@ -15,11 +15,8 @@ Environment:
 from __future__ import annotations
 
 import os
-import sys
-import time
 
-import jwt
-import requests
+from asc_common import get_json, make_jwt
 
 
 def env(name: str) -> str:
@@ -29,44 +26,27 @@ def env(name: str) -> str:
     return val
 
 
-def main() -> None:
-    key_id = env("ASC_KEY_ID")
-    issuer_id = env("ASC_ISSUER_ID")
-    key_path = env("ASC_KEY_PATH")
-    app_id = env("APP_STORE_APPLE_ID")
-
-    with open(key_path) as f:
-        key = f.read()
+def _build_version_int(build: dict) -> int | None:
+    try:
+        return int(build.get("attributes", {}).get("version"))
+    except (TypeError, ValueError):
+        return None
 
-    now = int(time.time())
-    token = jwt.encode(
-        {"iss": issuer_id, "iat": now, "exp": now + 600, "aud": "appstoreconnect-v1"},
-        key,
-        algorithm="ES256",
-        headers={"kid": key_id, "typ": "JWT"},
-    )
 
+def main() -> None:
+    token = make_jwt(env("ASC_KEY_ID"), env("ASC_ISSUER_ID"), env("ASC_KEY_PATH"))
     # Sort by -version requests highest version first; limit 200 is plenty.
-    url = (
-        "https://api.appstoreconnect.apple.com/v1/builds"
-        f"?filter[app]={app_id}&sort=-version&limit=200"
+    data = get_json(
+        "/builds",
+        token,
+        params={
+            "filter[app]": env("APP_STORE_APPLE_ID"),
+            "sort": "-version",
+            "limit": "200",
+        },
     )
-    resp = requests.get(url, headers={"Authorization": f"Bearer {token}"})
-    if resp.status_code >= 400:
-        print(f"ASC builds list failed: {resp.status_code}\n{resp.text[:500]}", file=sys.stderr)
-        raise SystemExit(1)
-
-    highest = 0
-    for b in resp.json().get("data", []):
-        ver = b.get("attributes", {}).get("version")
-        try:
-            n = int(ver)
-        except (TypeError, ValueError):
-            continue
-        if n > highest:
-            highest = n
-
-    print(highest + 1)
+    versions = (n for n in map(_build_version_int, data.get("data", [])) if n is not None)
+    print(max(versions, default=0) + 1)
 
 
 if __name__ == "__main__":

package/templates/scripts/ci/ios-native/prepare_signing.py

@@ -4,12 +4,12 @@ Prepare iOS code signing on a fresh CI runner.
 
 Uses the App Store Connect API (auth via P8 key) to:
   1. Generate an RSA private key + CSR
-  2. Revoke any previously-created CI Apple Distribution certs (marker match)
-  3. Create a new Apple Distribution certificate from the CSR
-  4. Ensure a provisioning profile with a known name exists for the bundle ID,
+  2. Create a new Apple Distribution certificate from the CSR; if the per-team
+     cap is hit (409), revoke the newest existing DISTRIBUTION cert and retry.
+  3. Ensure a provisioning profile with a known name exists for the bundle ID,
      linked to the new cert. If it exists, delete+recreate to refresh it.
-  5. Install the profile into ~/Library/MobileDevice/Provisioning Profiles/
-  6. Import cert + private key into a dedicated temporary keychain and put
+  4. Install the profile into ~/Library/MobileDevice/Provisioning Profiles/
+  5. Import cert + private key into a dedicated temporary keychain and put
      that keychain on the search list so codesign / xcodebuild can find it.
 
 Environment inputs:
@@ -27,25 +27,19 @@ Writes nothing to stdout that would leak secrets.
 from __future__ import annotations
 
 import base64
-import json
 import os
+import plistlib
 import subprocess
-import sys
-import time
 from pathlib import Path
 
-import jwt
-import requests
+from asc_common import get_json, make_jwt, request
 from cryptography import x509
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives.serialization import pkcs12
 from cryptography.x509.oid import NameOID
 
 
-ASC_BASE = "https://api.appstoreconnect.apple.com/v1"
-CERT_MARKER = "ScudoVPN-CI"
-
-
 def env(name: str) -> str:
     val = os.environ.get(name)
     if not val:
@@ -53,37 +47,8 @@ def env(name: str) -> str:
     return val
 
 
-def make_jwt(key_id: str, issuer_id: str, key_path: str) -> str:
-    with open(key_path, "r") as f:
-        key = f.read()
-    now = int(time.time())
-    payload = {
-        "iss": issuer_id,
-        "iat": now,
-        "exp": now + 600,
-        "aud": "appstoreconnect-v1",
-    }
-    return jwt.encode(
-        payload, key, algorithm="ES256", headers={"kid": key_id, "typ": "JWT"}
-    )
-
-
-def api(method: str, path: str, token: str, **kwargs) -> requests.Response:
-    url = path if path.startswith("http") else f"{ASC_BASE}{path}"
-    headers = kwargs.pop("headers", {})
-    headers["Authorization"] = f"Bearer {token}"
-    if "json" in kwargs:
-        headers["Content-Type"] = "application/json"
-    resp = requests.request(method, url, headers=headers, **kwargs)
-    if resp.status_code >= 400:
-        raise SystemExit(
-            f"ASC API {method} {path} failed: {resp.status_code}\n{resp.text[:2000]}"
-        )
-    return resp
-
-
-def generate_key_and_csr() -> tuple[rsa.RSAPrivateKey, bytes, bytes]:
-    """Return (private_key, private_key_pem, csr_der)."""
+def generate_key_and_csr() -> tuple[rsa.RSAPrivateKey, bytes]:
+    """Return (private_key, csr_payload_b64_bytes)."""
     private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
     csr = (
         x509.CertificateSigningRequestBuilder()
@@ -97,29 +62,28 @@ def generate_key_and_csr() -> tuple[rsa.RSAPrivateKey, bytes, bytes]:
         )
         .sign(private_key, hashes.SHA256())
     )
-    priv_pem = private_key.private_bytes(
-        encoding=serialization.Encoding.PEM,
-        format=serialization.PrivateFormat.PKCS8,
-        encryption_algorithm=serialization.NoEncryption(),
-    )
     # Apple wants the CSR PEM base64 (without headers)
     csr_pem = csr.public_bytes(serialization.Encoding.PEM)
     csr_payload = b"".join(
         line for line in csr_pem.splitlines() if not line.startswith(b"-----")
     )
-    return private_key, priv_pem, csr_payload
+    return private_key, csr_payload
 
 
 def newest_distribution_cert_id(token: str) -> str | None:
     """Return the ID of the most-recently-created DISTRIBUTION cert, or None."""
-    resp = api(
-        "GET",
-        "/certificates?limit=200&sort=-id&filter[certificateType]=DISTRIBUTION",
+    data = get_json(
+        "/certificates",
         token,
+        params={
+            "limit": "200",
+            "sort": "-id",
+            "filter[certificateType]": "DISTRIBUTION",
+        },
     )
     newest_id = None
     newest_exp = ""
-    for cert in resp.json().get("data", []):
+    for cert in data.get("data", []):
         attrs = cert.get("attributes") or {}
         # Use expirationDate as a proxy for creation time (cert expiration
         # is exactly creation + 1 year for Apple Distribution certs).
@@ -132,7 +96,7 @@ def newest_distribution_cert_id(token: str) -> str | None:
 
 def revoke_cert(token: str, cert_id: str) -> None:
     print(f"Revoking distribution cert {cert_id}")
-    api("DELETE", f"/certificates/{cert_id}", token)
+    request("DELETE", f"/certificates/{cert_id}", token)
 
 
 def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
@@ -151,12 +115,9 @@ def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
             },
         }
     }
-    url = f"{ASC_BASE}/certificates"
-    headers = {
-        "Authorization": f"Bearer {token}",
-        "Content-Type": "application/json",
-    }
-    resp = requests.post(url, headers=headers, json=body)
+    resp = request(
+        "POST", "/certificates", token, json_body=body, allow_status={409}
+    )
     if resp.status_code == 409:
         print("Distribution cert cap hit; revoking newest existing cert")
         target = newest_distribution_cert_id(token)
@@ -166,12 +127,7 @@ def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
                 "found to revoke"
             )
         revoke_cert(token, target)
-        resp = requests.post(url, headers=headers, json=body)
-    if resp.status_code >= 400:
-        raise SystemExit(
-            f"ASC API POST /certificates failed: {resp.status_code}\n"
-            f"{resp.text[:2000]}"
-        )
+        resp = request("POST", "/certificates", token, json_body=body)
     data = resp.json()["data"]
     cert_id = data["id"]
     cert_content_b64 = data["attributes"]["certificateContent"]
@@ -181,22 +137,24 @@ def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
 
 
 def find_bundle_id(token: str, identifier: str) -> str:
-    resp = api(
-        "GET", f"/bundleIds?filter[identifier]={identifier}&limit=5", token
+    data = get_json(
+        "/bundleIds",
+        token,
+        params={"filter[identifier]": identifier, "limit": "5"},
     )
-    for item in resp.json().get("data", []):
+    for item in data.get("data", []):
         if item["attributes"]["identifier"] == identifier:
             return item["id"]
     raise SystemExit(f"bundle id {identifier!r} not found in ASC")
 
 
 def delete_profile_by_name(token: str, name: str) -> None:
-    resp = api("GET", "/profiles?limit=200", token)
-    for p in resp.json().get("data", []):
+    data = get_json("/profiles", token, params={"limit": "200"})
+    for p in data.get("data", []):
         if (p["attributes"].get("name") or "") == name:
             pid = p["id"]
             print(f"Deleting existing profile {pid} ({name})")
-            api("DELETE", f"/profiles/{pid}", token)
+            request("DELETE", f"/profiles/{pid}", token)
 
 
 def create_profile(
@@ -217,7 +175,7 @@ def create_profile(
             },
         }
     }
-    resp = api("POST", "/profiles", token, json=body)
+    resp = request("POST", "/profiles", token, json_body=body)
     data = resp.json()["data"]
     profile_content_b64 = data["attributes"]["profileContent"]
     return base64.b64decode(profile_content_b64)
@@ -225,8 +183,7 @@ def create_profile(
 
 def install_profile(profile_der: bytes) -> str:
     """Write the .mobileprovision file and return its uuid."""
-    # Extract UUID from profile (it's CMS-signed plist)
-    # Use `security cms -D -i <path>` to decode.
+    # Profile is CMS-signed plist; decode with `security cms` to read UUID.
     profiles_dir = Path.home() / "Library/MobileDevice/Provisioning Profiles"
     profiles_dir.mkdir(parents=True, exist_ok=True)
     tmp_path = profiles_dir / "tmp.mobileprovision"
@@ -234,10 +191,7 @@ def install_profile(profile_der: bytes) -> str:
     decoded = subprocess.check_output(
         ["security", "cms", "-D", "-i", str(tmp_path)]
     )
-    import plistlib
-
-    plist = plistlib.loads(decoded)
-    uuid = plist["UUID"]
+    uuid = plistlib.loads(decoded)["UUID"]
     final_path = profiles_dir / f"{uuid}.mobileprovision"
     tmp_path.rename(final_path)
     print(f"Installed provisioning profile {uuid} at {final_path}")
@@ -248,8 +202,6 @@ def write_p12(
     private_key: rsa.RSAPrivateKey, cert_der: bytes, out_path: Path, passwd: str
 ) -> None:
     cert = x509.load_der_x509_certificate(cert_der)
-    from cryptography.hazmat.primitives.serialization import pkcs12
-
     p12 = pkcs12.serialize_key_and_certificates(
         name=b"ScudoVPN CI",
         key=private_key,
@@ -262,11 +214,8 @@ def write_p12(
     out_path.write_bytes(p12)
 
 
-def setup_keychain(p12_path: Path, p12_pass: str) -> str:
-    runner_temp = env("RUNNER_TEMP")
-    keychain_path = os.path.join(runner_temp, "ci.keychain-db")
-    keychain_pass = "ci"
-    # Remove stale
+def _create_keychain(keychain_path: str, keychain_pass: str) -> None:
+    """Delete any stale keychain at this path, then create + unlock a fresh one."""
     subprocess.run(
         ["security", "delete-keychain", keychain_path],
         check=False,
@@ -281,37 +230,36 @@ def setup_keychain(p12_path: Path, p12_pass: str) -> str:
     subprocess.check_call(
         ["security", "unlock-keychain", "-p", keychain_pass, keychain_path]
     )
-    # Import the p12
+
+
+def _import_p12(
+    keychain_path: str, keychain_pass: str, p12_path: Path, p12_pass: str
+) -> None:
+    """Import p12 into the keychain and authorize codesign to use the key."""
     subprocess.check_call(
         [
-            "security",
-            "import",
-            str(p12_path),
-            "-P",
-            p12_pass,
+            "security", "import", str(p12_path),
+            "-P", p12_pass,
             "-A",  # allow any app to read (simplest for CI)
-            "-t",
-            "cert",
-            "-f",
-            "pkcs12",
-            "-k",
-            keychain_path,
+            "-t", "cert",
+            "-f", "pkcs12",
+            "-k", keychain_path,
         ]
     )
     # Allow codesign to use the key without prompts (modern macOS)
     subprocess.check_call(
         [
-            "security",
-            "set-key-partition-list",
-            "-S",
-            "apple-tool:,apple:,codesign:",
+            "security", "set-key-partition-list",
+            "-S", "apple-tool:,apple:,codesign:",
             "-s",
-            "-k",
-            keychain_pass,
+            "-k", keychain_pass,
             keychain_path,
         ]
     )
-    # Add to default search list (in addition to login + System)
+
+
+def _prepend_to_user_search_list(keychain_path: str) -> None:
+    """Put `keychain_path` at the head of the user search list + make it default."""
     existing = subprocess.check_output(
         ["security", "list-keychains", "-d", "user"]
     ).decode()
@@ -329,6 +277,14 @@ def setup_keychain(p12_path: Path, p12_pass: str) -> str:
     subprocess.check_call(
         ["security", "default-keychain", "-s", keychain_path]
     )
+
+
+def setup_keychain(p12_path: Path, p12_pass: str) -> str:
+    keychain_path = os.path.join(env("RUNNER_TEMP"), "ci.keychain-db")
+    keychain_pass = "ci"
+    _create_keychain(keychain_path, keychain_pass)
+    _import_p12(keychain_path, keychain_pass, p12_path, p12_pass)
+    _prepend_to_user_search_list(keychain_path)
     print(f"Keychain ready: {keychain_path}")
     return keychain_path
 
@@ -343,7 +299,7 @@ def main() -> None:
 
     token = make_jwt(key_id, issuer_id, asc_key_path)
 
-    private_key, priv_pem, csr_b64 = generate_key_and_csr()
+    private_key, csr_b64 = generate_key_and_csr()
     cert_id, cert_der = create_distribution_cert(token, csr_b64.decode())
 
     bundle_pk = find_bundle_id(token, bundle_id)

package/templates/scripts/ci/ios-native/next_marketing_version.py

@@ -1,93 +0,0 @@
-#!/usr/bin/env python3
-"""
-Compute the next CFBundleShortVersionString for this app.
-
-Strategy:
-  * Look at all existing pre-release (TestFlight) and App Store versions.
-  * Take the highest semantic-version triple and bump its patch component.
-  * If no versions exist yet, return 1.0.0.
-
-Prints the chosen version to stdout.
-
-Environment:
-  ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_PATH, APP_STORE_APPLE_ID
-"""
-
-from __future__ import annotations
-
-import os
-import re
-import sys
-import time
-
-import jwt
-import requests
-
-
-def env(name: str) -> str:
-    v = os.environ.get(name)
-    if not v:
-        raise SystemExit(f"missing env var: {name}")
-    return v
-
-
-SEM_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")
-
-
-def parse_sem(v: str) -> tuple[int, int, int] | None:
-    m = SEM_RE.match(v or "")
-    if not m:
-        return None
-    major = int(m.group(1))
-    minor = int(m.group(2))
-    patch = int(m.group(3) or 0)
-    return major, minor, patch
-
-
-def main() -> None:
-    key_id = env("ASC_KEY_ID")
-    issuer_id = env("ASC_ISSUER_ID")
-    key_path = env("ASC_KEY_PATH")
-    app_id = env("APP_STORE_APPLE_ID")
-
-    with open(key_path) as f:
-        key = f.read()
-    now = int(time.time())
-    token = jwt.encode(
-        {"iss": issuer_id, "iat": now, "exp": now + 600, "aud": "appstoreconnect-v1"},
-        key,
-        algorithm="ES256",
-        headers={"kid": key_id, "typ": "JWT"},
-    )
-    headers = {"Authorization": f"Bearer {token}"}
-
-    highest: tuple[int, int, int] = (0, 0, 0)
-
-    for endpoint, field in (
-        (f"/v1/apps/{app_id}/preReleaseVersions?limit=200", "version"),
-        (f"/v1/apps/{app_id}/appStoreVersions?limit=200", "versionString"),
-    ):
-        url = f"https://api.appstoreconnect.apple.com{endpoint}"
-        resp = requests.get(url, headers=headers)
-        if resp.status_code >= 400:
-            print(
-                f"ASC GET {endpoint} failed: {resp.status_code}\n{resp.text[:500]}",
-                file=sys.stderr,
-            )
-            raise SystemExit(1)
-        for item in resp.json().get("data", []):
-            v = item.get("attributes", {}).get(field)
-            parsed = parse_sem(v)
-            if parsed and parsed > highest:
-                highest = parsed
-
-    if highest == (0, 0, 0):
-        print("1.0.0")
-        return
-
-    major, minor, patch = highest
-    print(f"{major}.{minor}.{patch + 1}")
-
-
-if __name__ == "__main__":
-    main()