@daemux/store-automator 0.10.82 → 0.10.84

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.82"
+    "version": "0.10.84"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.82",
+      "version": "0.10.84",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.82",
+  "version": "0.10.84",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.82",
+  "version": "0.10.84",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/scripts/ci/ios-native/manage_marketing_version.py

@@ -2,22 +2,33 @@
 """
 Resolve the App Store Connect version slot for this run.
 
-Faithful port of gowalk-step/manage_version.py. The CI -- not the Xcode
-project -- decides the marketing version. The archive step overrides the
-pbxproj MARKETING_VERSION at build time via `MARKETING_VERSION=...` on the
-xcodebuild command line.
-
-Algorithm:
-  1. Fetch all appStoreVersions for the app (no sort, no filter).
-  2. No versions at all -> first release: CREATE "1.0.0".
-  3. Pick latest by createdDate.
-     - state == PENDING_DEVELOPER_RELEASE -> fail (must be released first).
-     - state == READY_FOR_SALE             -> auto-bump and CREATE the next
-       version with rollover (patch<10 -> +1; patch>=10 -> reset, minor+1;
-       minor>=10 -> reset, major+1).
-     - anything else (PREPARE_FOR_SUBMISSION, WAITING_FOR_REVIEW, IN_REVIEW,
-       REJECTED, ...) -> REUSE it.
-  4. 409 on CREATE (race) -> re-fetch, match by versionString, REUSE that id.
+CI -- not the Xcode project -- decides the marketing version. The archive
+step overrides the pbxproj MARKETING_VERSION at build time via
+`MARKETING_VERSION=...` on the xcodebuild command line.
+
+Algorithm (improvement over gowalk-step's "latest by createdDate"):
+  1. Fetch all appStoreVersions for the app.
+  2. Partition by state:
+       editable  (PREPARE_FOR_SUBMISSION, REJECTED, METADATA_REJECTED,
+                  DEVELOPER_REJECTED, INVALID_BINARY, WAITING_FOR_REVIEW,
+                  IN_REVIEW)
+       blocking  (PENDING_DEVELOPER_RELEASE)
+       terminal  (READY_FOR_SALE, PROCESSING_FOR_APP_STORE,
+                  PENDING_APPLE_RELEASE, REPLACED_WITH_NEW_VERSION,
+                  REMOVED_FROM_SALE, NOT_APPLICABLE)
+  3. If editable: REUSE the HIGHEST SEMVER among editable. Picking the
+     highest semver (not the latest createdDate) matches how Apple's UI
+     presents the "next" version and avoids the "later version closed"
+     error Apple returns on uploads to a lower editable version when a
+     higher one already exists.
+  4. Elif blocking: fail with a clear error -- a human must release the
+     pending version manually before CI can proceed.
+  5. Elif terminal: pick the highest-semver terminal version.
+       - READY_FOR_SALE -> CREATE the next version via rollover bump.
+       - anything else  -> fail (manual intervention required; state is
+         neither editable nor live).
+  6. No versions at all -> first release, CREATE "1.0.0".
+  7. 409 on CREATE (race) -> re-fetch, match by versionString, REUSE.
 
 Env: ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_PATH, APP_STORE_APPLE_ID.
 Stdout: {"decision":"REUSE|CREATE","versionString":"...","appStoreVersionId":"..."}
@@ -31,7 +42,14 @@ import os
 import re
 import sys
 
-from asc_common import get_json, make_jwt, request
+from asc_common import (
+    BLOCKING_STATES,
+    EDITABLE_STATES,
+    TERMINAL_STATES,
+    get_json,
+    make_jwt,
+    request,
+)
 
 
 SEM_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")
@@ -57,14 +75,23 @@ def env(name: str) -> str:
     return val
 
 
+def semver_tuple(version_string: str) -> tuple[int, int, int]:
+    """Parse 'M.m[.p]' -> (M, m, p). Non-semver returns (-1,-1,-1) so it
+    sorts below any real version."""
+    m = SEM_RE.match(version_string or "")
+    if not m:
+        return (-1, -1, -1)
+    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))
+
+
 def calculate_next_version(current_version: str) -> str:
     """Rollover bump: patch+1; patch>=10 resets to 0 and minor+1;
-    minor>=10 resets both to 0 and major+1. Accepts "M.m" or "M.m.p"."""
+    minor>=10 resets both to 0 and major+1. Accepts 'M.m' or 'M.m.p'."""
     m = SEM_RE.match(current_version or "")
     if not m:
         raise SystemExit(
-            f"::error::Latest App Store versionString {current_version!r} is "
-            f"not a valid semantic version (expected MAJOR.MINOR[.PATCH])."
+            f"::error::App Store versionString {current_version!r} is not a "
+            f"valid semantic version (expected MAJOR.MINOR[.PATCH])."
         )
     major = int(m.group(1))
     minor = int(m.group(2))
@@ -86,8 +113,7 @@ def calculate_next_version(current_version: str) -> str:
 
 
 def fetch_versions(app_id: str, token: str) -> list[dict]:
-    """All appStoreVersions for the app. Mirrors gowalk-step: no sort, no
-    limit, no platform filter -- we do client-side selection."""
+    """All appStoreVersions for the app (no sort/limit/filter)."""
     data = get_json(f"/apps/{app_id}/appStoreVersions", token)
     out: list[dict] = []
     for item in data.get("data", []):
@@ -122,13 +148,11 @@ def create_version(app_id: str, version: str, token: str):
 
 
 def create_or_reuse(app_id: str, version: str, token: str) -> str:
-    """POST a new version; on 409 race, re-fetch and return existing id.
-    Returns the appStoreVersion id."""
+    """POST a new version; on 409 race, re-fetch and return existing id."""
     resp = create_version(app_id, version, token)
     if resp.status_code != 409:
         return resp.json()["data"]["id"]
 
-    # Race: someone else created it between our GET and POST. Find by name.
     print(
         f"POST /appStoreVersions returned 409 for {version}; "
         "re-fetching to locate the existing slot.",
@@ -143,53 +167,93 @@ def create_or_reuse(app_id: str, version: str, token: str) -> str:
     )
 
 
-def main() -> None:
-    key_id = env("ASC_KEY_ID")
-    issuer_id = env("ASC_ISSUER_ID")
-    key_path = env("ASC_KEY_PATH")
-    app_id = env("APP_STORE_APPLE_ID")
+def _summarize(versions: list[dict]) -> str:
+    return ", ".join(
+        f"{v['versionString']}({v['state']})" for v in versions
+    ) or "<none>"
 
-    token = make_jwt(key_id, issuer_id, key_path)
-    versions = fetch_versions(app_id, token)
 
-    # 1. First ever release.
+def _pick_highest_semver(versions: list[dict]) -> dict:
+    """Tiebreak by createdDate (newer wins) when semvers collide."""
+    return max(
+        versions,
+        key=lambda v: (semver_tuple(v["versionString"]), v.get("createdDate", "")),
+    )
+
+
+def decide(versions: list[dict], app_id: str, token: str) -> dict:
     if not versions:
         new_version = "1.0.0"
         new_id = create_or_reuse(app_id, new_version, token)
         _log(f"CREATE {new_version} (first release) -> appStoreVersion id={new_id}")
-        print(json.dumps(_result("CREATE", new_version, new_id)))
-        return
+        return _result("CREATE", new_version, new_id)
+
+    editable = [v for v in versions if v["state"] in EDITABLE_STATES]
+    blocking = [v for v in versions if v["state"] in BLOCKING_STATES]
+    terminal = [v for v in versions if v["state"] in TERMINAL_STATES]
+    _log(
+        f"editable=[{_summarize(editable)}] "
+        f"blocking=[{_summarize(blocking)}] "
+        f"terminal=[{_summarize(terminal)}]"
+    )
 
-    # 2. Pick the latest by Apple's createdDate.
-    latest = max(versions, key=lambda v: v.get("createdDate", ""))
-    state = latest["state"]
-    version_string = latest["versionString"]
-    version_id = latest["id"]
+    if editable:
+        target = _pick_highest_semver(editable)
+        _log(
+            f"REUSE {target['versionString']} (highest-semver editable, "
+            f"state={target['state']}, id={target['id']})"
+        )
+        return _result("REUSE", target["versionString"], target["id"])
 
-    # 3. Blocking: pending developer release.
-    if state == "PENDING_DEVELOPER_RELEASE":
+    if blocking:
+        target = _pick_highest_semver(blocking)
         print(
-            f"::error::Latest App Store version {version_string} is "
-            f"PENDING_DEVELOPER_RELEASE. Release it in App Store Connect, "
-            f"then retry.",
+            f"::error::App Store version {target['versionString']} is "
+            f"{target['state']}. Release it in App Store Connect, then retry.",
             file=sys.stderr,
         )
         raise SystemExit(1)
 
-    # 4. Live: auto-bump to next version.
-    if state == "READY_FOR_SALE":
-        new_version = calculate_next_version(version_string)
+    if terminal:
+        target = _pick_highest_semver(terminal)
+        if target["state"] != "READY_FOR_SALE":
+            print(
+                f"::error::Highest App Store version {target['versionString']} "
+                f"is {target['state']}; neither editable nor live. Manual "
+                f"intervention required in App Store Connect.",
+                file=sys.stderr,
+            )
+            raise SystemExit(1)
+        new_version = calculate_next_version(target["versionString"])
         new_id = create_or_reuse(app_id, new_version, token)
         _log(
-            f"CREATE {new_version} (previous={version_string}, "
-            f"previous_state={state}) -> appStoreVersion id={new_id}"
+            f"CREATE {new_version} (previous={target['versionString']}, "
+            f"previous_state={target['state']}) -> appStoreVersion id={new_id}"
         )
-        print(json.dumps(_result("CREATE", new_version, new_id)))
-        return
+        return _result("CREATE", new_version, new_id)
+
+    # Unknown state (not editable, not blocking, not terminal) -- refuse to
+    # guess. Lists both states in the error so ops can update the classifier.
+    unknown = ", ".join(f"{v['versionString']}({v['state']})" for v in versions)
+    print(
+        f"::error::No editable/blocking/terminal App Store versions found; "
+        f"all versions have unrecognized states: {unknown}. Update "
+        f"asc_common.EDITABLE_STATES / TERMINAL_STATES / BLOCKING_STATES.",
+        file=sys.stderr,
+    )
+    raise SystemExit(1)
+
+
+def main() -> None:
+    key_id = env("ASC_KEY_ID")
+    issuer_id = env("ASC_ISSUER_ID")
+    key_path = env("ASC_KEY_PATH")
+    app_id = env("APP_STORE_APPLE_ID")
 
-    # 5. Editable/in-review/rejected/etc: reuse as-is.
-    _log(f"REUSE {version_string} (state={state}, id={version_id})")
-    print(json.dumps(_result("REUSE", version_string, version_id)))
+    token = make_jwt(key_id, issuer_id, key_path)
+    versions = fetch_versions(app_id, token)
+    result = decide(versions, app_id, token)
+    print(json.dumps(result))
 
 
 if __name__ == "__main__":

package/templates/scripts/ci/ios-native/pbxproj_editor.py

@@ -0,0 +1,218 @@
+#!/usr/bin/env python3
+"""
+Xcode ``project.pbxproj`` helpers.
+
+Parses native targets and patches their XCBuildConfiguration buildSettings
+blocks with manual signing values, while keeping the file's original
+OpenStep format (comments, ordering, the !$*UTF8*$! header) intact. SwiftPM
+and other non-native targets are ignored so their build settings stay on
+whatever defaults Xcode / SwiftPM picked.
+"""
+
+from __future__ import annotations
+
+import json
+import re
+import subprocess
+from pathlib import Path
+
+
+PROFILE_PREFIX = "CI-"
+
+# Product types that must be signed with a provisioning profile. App
+# extensions share the common ``com.apple.product-type.app-extension``
+# prefix (Message Filter, Widgets, NetworkExtension, WatchKit, etc).
+_SIGNABLE_PRODUCT_TYPES = {
+    "com.apple.product-type.application",
+    "com.apple.product-type.application.on-demand-install-capable",
+    "com.apple.product-type.application.watchapp2",
+    "com.apple.product-type.watchkit2-extension",
+}
+_SIGNABLE_PRODUCT_PREFIXES = (
+    "com.apple.product-type.app-extension",
+)
+
+_SIGNING_KEYS = {
+    "CODE_SIGN_STYLE": "Manual",
+    "CODE_SIGN_IDENTITY": '"Apple Distribution"',
+}
+_STRIP_KEYS = ("PROVISIONING_PROFILE",)
+
+_SETTING_LINE = re.compile(r"^(\s*)([A-Z_][A-Z0-9_]*)\s*=\s*(.+);\s*$")
+
+
+# --------------------------------------------------------------------------- #
+# Parsing                                                                     #
+# --------------------------------------------------------------------------- #
+
+def _load_pbxproj(project_path: str) -> dict:
+    pbx = Path(project_path) / "project.pbxproj"
+    out = subprocess.check_output(
+        ["plutil", "-convert", "json", "-o", "-", str(pbx)]
+    )
+    return json.loads(out)
+
+
+def _is_signable_product_type(product_type: str) -> bool:
+    if product_type in _SIGNABLE_PRODUCT_TYPES:
+        return True
+    return any(product_type.startswith(p) for p in _SIGNABLE_PRODUCT_PREFIXES)
+
+
+def _bundle_id_from_configs(objects: dict, config_ids: list[str]) -> str:
+    """Return the first non-empty bundle id across the given configs."""
+    for cid in config_ids:
+        cfg = objects.get(cid) or {}
+        settings = cfg.get("buildSettings") or {}
+        bid = (settings.get("PRODUCT_BUNDLE_IDENTIFIER") or "").strip()
+        if bid and "$(" not in bid and "${" not in bid:
+            return bid
+    return ""
+
+
+def discover_signable_targets(project_path: str) -> list[dict]:
+    """Return one entry per signable native target.
+
+    Each entry: ``{"name": str, "bundle_id": str, "config_ids": [str,...]}``
+    where ``config_ids`` is the list of XCBuildConfiguration UUIDs whose
+    ``buildSettings`` dict we need to patch (typically Debug + Release).
+    """
+    pbx = _load_pbxproj(project_path)
+    objects = pbx["objects"]
+    targets: list[dict] = []
+    for obj in objects.values():
+        if obj.get("isa") != "PBXNativeTarget":
+            continue
+        if not _is_signable_product_type(obj.get("productType") or ""):
+            continue
+        name = obj.get("name") or "<unknown>"
+        config_list = objects.get(obj.get("buildConfigurationList")) or {}
+        config_ids = list(config_list.get("buildConfigurations") or [])
+        bundle_id = _bundle_id_from_configs(objects, config_ids)
+        if not bundle_id:
+            print(f"skip target {name!r}: no PRODUCT_BUNDLE_IDENTIFIER")
+            continue
+        targets.append(
+            {"name": name, "bundle_id": bundle_id, "config_ids": config_ids}
+        )
+    if not targets:
+        raise SystemExit(
+            f"discover_signable_targets: no signable targets found in "
+            f"{project_path}"
+        )
+    return targets
+
+
+# --------------------------------------------------------------------------- #
+# Mutation                                                                    #
+# --------------------------------------------------------------------------- #
+
+def patch_project_signing(
+    project_path: str,
+    targets: list[dict],
+    team_id: str,
+) -> None:
+    """Set manual signing + per-target profile name for every target.
+
+    Edits the pbxproj as text so formatting (comments, ordering, header)
+    survives. Scope is strictly the XCBuildConfiguration blocks referenced
+    by the ``targets`` list. SwiftPM / resource-bundle configs stay put.
+    """
+    pbx_path = Path(project_path) / "project.pbxproj"
+    text = pbx_path.read_text(encoding="utf-8")
+    for target in targets:
+        profile_name = f"{PROFILE_PREFIX}{target['bundle_id']}"
+        for cid in target["config_ids"]:
+            text = _apply_signing_to_config(text, cid, team_id, profile_name)
+        print(
+            f"Patched {target['name']!r} -> {profile_name} "
+            f"(configs={len(target['config_ids'])})"
+        )
+    pbx_path.write_text(text, encoding="utf-8")
+    subprocess.check_call(["plutil", "-lint", str(pbx_path)])
+
+
+def _apply_signing_to_config(
+    text: str, config_id: str, team_id: str, profile_name: str
+) -> str:
+    start = text.find(f"\t\t{config_id} ")
+    if start < 0:
+        start = text.find(f"\t\t{config_id}\t")
+    if start < 0:
+        start = text.find(f"{config_id} = {{")
+    if start < 0:
+        raise SystemExit(
+            f"patch_project_signing: config {config_id} not found"
+        )
+    key = "buildSettings = {"
+    s_idx = text.find(key, start)
+    if s_idx < 0:
+        raise SystemExit(
+            f"patch_project_signing: buildSettings not found for {config_id}"
+        )
+    end = _match_brace(text, s_idx + len(key) - 1)
+    if end < 0:
+        raise SystemExit(
+            f"patch_project_signing: unbalanced buildSettings for {config_id}"
+        )
+    inner = text[s_idx + len(key): end]
+    patched = _patch_inner_settings(inner, team_id, profile_name)
+    return text[: s_idx + len(key)] + patched + text[end:]
+
+
+def _match_brace(text: str, open_idx: int) -> int:
+    """Return the index of the ``}`` that closes the ``{`` at ``open_idx``."""
+    depth = 0
+    i = open_idx
+    while i < len(text):
+        ch = text[i]
+        if ch == "{":
+            depth += 1
+        elif ch == "}":
+            depth -= 1
+            if depth == 0:
+                return i
+        i += 1
+    return -1
+
+
+def _patch_inner_settings(
+    inner: str, team_id: str, profile_name: str
+) -> str:
+    """Rewrite build-setting lines inside one buildSettings block."""
+    values = dict(_SIGNING_KEYS)
+    values["DEVELOPMENT_TEAM"] = team_id
+    values["PROVISIONING_PROFILE_SPECIFIER"] = f'"{profile_name}"'
+
+    lines = inner.splitlines(keepends=True)
+    emitted: set[str] = set()
+    out: list[str] = []
+    for line in lines:
+        m = _SETTING_LINE.match(line)
+        if not m:
+            out.append(line)
+            continue
+        indent, key_name = m.group(1), m.group(2)
+        if key_name in _STRIP_KEYS:
+            continue
+        if key_name in values:
+            out.append(f"{indent}{key_name} = {values[key_name]};\n")
+            emitted.add(key_name)
+            continue
+        out.append(line)
+
+    missing = [k for k in values if k not in emitted]
+    if missing:
+        indent = "\t\t\t\t"
+        for line in lines:
+            m = _SETTING_LINE.match(line)
+            if m:
+                indent = m.group(1)
+                break
+        tail = out[-1] if out else ""
+        new_lines = [f"{indent}{k} = {values[k]};\n" for k in missing]
+        if tail.strip() == "":
+            out = out[:-1] + new_lines + [tail]
+        else:
+            out = out + new_lines
+    return "".join(out)

package/templates/scripts/ci/ios-native/prepare_signing.py

@@ -44,11 +44,8 @@ from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.serialization import pkcs12
 from cryptography.x509.oid import NameOID
-from profile_manager import (
-    discover_signable_targets,
-    patch_project_signing,
-    provision_all_bundles,
-)
+from pbxproj_editor import discover_signable_targets, patch_project_signing
+from profile_manager import provision_all_bundles
 
 
 def env(name: str) -> str:
@@ -250,18 +247,37 @@ def main() -> None:
     private_key, csr_b64 = generate_key_and_csr()
     cert_id, cert_der = create_distribution_cert(token, csr_b64.decode())
 
-    mappings = provision_all_bundles(token, bundle_ids, cert_id)
+    mappings, effective_team = provision_all_bundles(token, bundle_ids, cert_id)
     print("Profile map:")
     for bid, pname, uuid in mappings:
         print(f"  {bid} -> {pname} ({uuid})")
 
-    patch_project_signing(project, targets, team_id)
+    # The ASC API key is bound to a single developer team. Every profile it
+    # issues lives in THAT team, so Xcode's DEVELOPMENT_TEAM setting must
+    # match it exactly — otherwise the profile can't be matched to the
+    # target at archive time. If the ci.config.yaml team differs, warn and
+    # use the profile's team as the source of truth.
+    pbx_team = effective_team or team_id
+    if effective_team and effective_team != team_id:
+        print(
+            f"::warning::Config team {team_id} differs from ASC API key's "
+            f"team {effective_team}; patching pbxproj with {effective_team} "
+            "(the team that actually issued the provisioning profiles)."
+        )
+    patch_project_signing(project, targets, pbx_team)
 
     # Persist mapping for downstream Export IPA step (ExportOptions.plist
-    # provisioningProfiles dict).
+    # provisioningProfiles dict). Store the effective team alongside so
+    # Export uses the same team Apple assigned to the profiles.
     map_path = Path(runner_temp) / "signing_map.json"
     map_path.write_text(
-        json.dumps({bid: pname for bid, pname, _ in mappings}, indent=2)
+        json.dumps(
+            {
+                "team_id": pbx_team,
+                "profiles": {bid: pname for bid, pname, _ in mappings},
+            },
+            indent=2,
+        )
     )
     print(f"Wrote signing map to {map_path}")
 

package/templates/scripts/ci/ios-native/profile_manager.py

@@ -1,274 +1,46 @@
 #!/usr/bin/env python3
 """
-Provisioning profile + bundleId helpers for multi-target iOS projects.
+Provisioning profile lifecycle helpers for the iOS native TestFlight action.
 
-Handles:
+Talks to the App Store Connect API to:
 
-* Enumerating every PRODUCT_BUNDLE_IDENTIFIER used by signable targets in an
-  Xcode project. We parse ``project.pbxproj`` directly (via ``plutil -convert
-  json``) rather than rely on ``xcodebuild -showBuildSettings``, which only
-  covers what a given scheme builds. Parsing the pbxproj lets us find every
-  native app + extension target without tripping over SwiftPM resource
-  bundles (whose product types are not signable).
-* Ensuring each bundle ID is registered on App Store Connect.
-* Creating one IOS_APP_STORE provisioning profile per bundle ID, named
-  ``CI-<bundle_id>``, linked to the just-issued distribution cert. If a
-  profile with that name already exists, it is deleted first so we always
-  end up with a profile that references the fresh cert.
-* Installing every profile into the standard Xcode profile directory.
-* Patching the pbxproj in place so each signable target's build settings use
-  manual signing + the freshly-created profile. SwiftPM / resource bundle
-  targets (which cannot carry provisioning profiles) are left untouched.
+* Register a bundle ID if it doesn't exist yet (``ensure_bundle_id``).
+* Delete any stale profile with the same name and create a fresh one that
+  references the just-issued distribution cert (``delete_profile_by_name``,
+  ``create_profile``).
+* Install the resulting ``.mobileprovision`` into every Xcode profile
+  directory (Xcode 15 and Xcode 16+ use different paths).
 
-Kept separate from ``prepare_signing.py`` so both files stay well under the
-400-line cap.
+Xcode pbxproj editing lives in ``pbxproj_editor.py``; this file is
+ASC-facing only.
 """
 
 from __future__ import annotations
 
 import base64
-import json
 import plistlib
-import re
 import subprocess
 from pathlib import Path
 
 from asc_common import get_json, request
+from pbxproj_editor import PROFILE_PREFIX
 
 
-PROFILE_PREFIX = "CI-"
-
-# Xcode 16+ moved the canonical profile directory. Older Xcode releases used
-# ~/Library/MobileDevice/Provisioning Profiles/. We write to BOTH so the same
-# script works on macos-14 (Xcode 15) and macos-15 (Xcode 26).
+# Xcode 16+ moved the canonical profile directory. Older Xcode releases
+# used ~/Library/MobileDevice/Provisioning Profiles/. Write to BOTH so the
+# same script works on macos-14 (Xcode 15) and macos-15 (Xcode 26).
 _PROFILE_DIRS = [
     Path.home() / "Library/Developer/Xcode/UserData/Provisioning Profiles",
     Path.home() / "Library/MobileDevice/Provisioning Profiles",
 ]
 
-# Product types that must be signed with a provisioning profile. App
-# extensions share the common ``com.apple.product-type.app-extension`` prefix
-# (messages, widgets, NetworkExtension, WatchKit, etc).
-_SIGNABLE_PRODUCT_TYPES = {
-    "com.apple.product-type.application",
-    "com.apple.product-type.application.on-demand-install-capable",
-    "com.apple.product-type.application.watchapp2",
-    "com.apple.product-type.watchkit2-extension",
-}
-_SIGNABLE_PRODUCT_PREFIXES = (
-    "com.apple.product-type.app-extension",
-)
-
-
-# --------------------------------------------------------------------------- #
-# pbxproj parsing                                                             #
-# --------------------------------------------------------------------------- #
-
-def _load_pbxproj(project_path: str) -> dict:
-    pbx = Path(project_path) / "project.pbxproj"
-    out = subprocess.check_output(["plutil", "-convert", "json", "-o", "-", str(pbx)])
-    return json.loads(out)
-
-
-def _is_signable_product_type(product_type: str) -> bool:
-    if product_type in _SIGNABLE_PRODUCT_TYPES:
-        return True
-    return any(product_type.startswith(p) for p in _SIGNABLE_PRODUCT_PREFIXES)
-
-
-def discover_signable_targets(project_path: str) -> list[dict]:
-    """Return one entry per signable native target.
-
-    Each entry: ``{"name": str, "bundle_id": str, "config_ids": [str,...]}``
-    where ``config_ids`` is the list of XCBuildConfiguration UUIDs whose
-    ``buildSettings`` dict we need to patch (one per build configuration —
-    typically Debug + Release).
-    """
-    pbx = _load_pbxproj(project_path)
-    objects = pbx["objects"]
-    targets: list[dict] = []
-    for _obj_id, obj in objects.items():
-        if obj.get("isa") != "PBXNativeTarget":
-            continue
-        product_type = obj.get("productType") or ""
-        if not _is_signable_product_type(product_type):
-            continue
-        name = obj.get("name") or "<unknown>"
-        config_list_id = obj.get("buildConfigurationList")
-        config_list = objects.get(config_list_id) or {}
-        config_ids = list(config_list.get("buildConfigurations") or [])
-        bundle_id = _bundle_id_from_configs(objects, config_ids)
-        if not bundle_id:
-            print(f"skip target {name!r}: no PRODUCT_BUNDLE_IDENTIFIER")
-            continue
-        targets.append(
-            {"name": name, "bundle_id": bundle_id, "config_ids": config_ids}
-        )
-    if not targets:
-        raise SystemExit(
-            f"discover_signable_targets: no signable targets found in {project_path}"
-        )
-    return targets
-
-
-def _bundle_id_from_configs(objects: dict, config_ids: list[str]) -> str:
-    """Return the first non-empty bundle id across the given configs."""
-    for cid in config_ids:
-        cfg = objects.get(cid) or {}
-        settings = cfg.get("buildSettings") or {}
-        bid = (settings.get("PRODUCT_BUNDLE_IDENTIFIER") or "").strip()
-        if bid and "$(" not in bid and "${" not in bid:
-            return bid
-    return ""
-
-
-# --------------------------------------------------------------------------- #
-# pbxproj mutation                                                            #
-# --------------------------------------------------------------------------- #
-
-def patch_project_signing(
-    project_path: str,
-    targets: list[dict],
-    team_id: str,
-) -> None:
-    """Set manual signing + per-target profile name for every signable target.
-
-    The pbxproj stays in its original OpenStep format — Xcode is very
-    opinionated about that file and any conversion (to XML/JSON) risks
-    re-ordering keys or dropping comments. Instead, we edit the specific
-    ``XCBuildConfiguration`` blocks by their UUID and inject/replace the
-    handful of keys we care about. Targets outside ``targets`` (most
-    importantly SwiftPM / resource-bundle configs) are untouched.
-    """
-    pbx_path = Path(project_path) / "project.pbxproj"
-    text = pbx_path.read_text(encoding="utf-8")
-
-    for target in targets:
-        profile_name = f"{PROFILE_PREFIX}{target['bundle_id']}"
-        for cid in target["config_ids"]:
-            text = _apply_signing_to_config(text, cid, team_id, profile_name)
-        print(
-            f"Patched {target['name']!r} -> {profile_name} "
-            f"(configs={len(target['config_ids'])})"
-        )
-
-    pbx_path.write_text(text, encoding="utf-8")
-    # Sanity check — plutil -lint rejects malformed output so CI fails
-    # fast before ``xcodebuild`` tries (and mangles) the file.
-    subprocess.check_call(["plutil", "-lint", str(pbx_path)])
-
-
-def _apply_signing_to_config(
-    text: str, config_id: str, team_id: str, profile_name: str
-) -> str:
-    """Return ``text`` with the given XCBuildConfiguration's buildSettings
-    patched for manual signing. Raises ``SystemExit`` if the config block
-    can't be located (indicates a pbxproj format we don't understand).
-    """
-    start = text.find(f"\t\t{config_id} ")
-    if start < 0:
-        start = text.find(f"\t\t{config_id}\t")
-    if start < 0:
-        start = text.find(f"{config_id} = {{")
-    if start < 0:
-        raise SystemExit(
-            f"patch_project_signing: config {config_id} not found in pbxproj"
-        )
-    settings_key = "buildSettings = {"
-    s_idx = text.find(settings_key, start)
-    if s_idx < 0:
-        raise SystemExit(
-            f"patch_project_signing: buildSettings not found for {config_id}"
-        )
-    # Find matching closing '};' for buildSettings — brace-balance forward.
-    depth = 0
-    i = s_idx + len(settings_key) - 1  # position at the opening '{'
-    end = -1
-    while i < len(text):
-        ch = text[i]
-        if ch == "{":
-            depth += 1
-        elif ch == "}":
-            depth -= 1
-            if depth == 0:
-                end = i
-                break
-        i += 1
-    if end < 0:
-        raise SystemExit(
-            f"patch_project_signing: unbalanced buildSettings for {config_id}"
-        )
-    inner = text[s_idx + len(settings_key): end]
-    patched = _patch_inner_settings(inner, team_id, profile_name)
-    return text[: s_idx + len(settings_key)] + patched + text[end:]
-
-
-_SIGNING_KEYS = {
-    "CODE_SIGN_STYLE": "Manual",
-    "CODE_SIGN_IDENTITY": '"Apple Distribution"',
-}
-
-_STRIP_KEYS = ("PROVISIONING_PROFILE",)
-
-
-def _patch_inner_settings(
-    inner: str, team_id: str, profile_name: str
-) -> str:
-    """Rewrite build setting key/value lines inside one buildSettings block."""
-    # Always-set values
-    values = dict(_SIGNING_KEYS)
-    values["DEVELOPMENT_TEAM"] = team_id
-    values["PROVISIONING_PROFILE_SPECIFIER"] = f'"{profile_name}"'
-
-    lines = inner.splitlines(keepends=True)
-    emitted_keys: set[str] = set()
-    out: list[str] = []
-    # Each setting line looks like (whitespace-prefixed):
-    #   KEY = VALUE;
-    # We match leading indent, the key, `= `, the rest.
-    pattern = re.compile(r"^(\s*)([A-Z_][A-Z0-9_]*)\s*=\s*(.+);\s*$")
-
-    for line in lines:
-        m = pattern.match(line)
-        if not m:
-            out.append(line)
-            continue
-        indent, key, _old_value = m.group(1), m.group(2), m.group(3)
-        if key in _STRIP_KEYS:
-            # Drop these keys entirely.
-            continue
-        if key in values:
-            out.append(f"{indent}{key} = {values[key]};\n")
-            emitted_keys.add(key)
-            continue
-        out.append(line)
-
-    # Any key we wanted to set but didn't find — append just before close.
-    missing = [k for k in values if k not in emitted_keys]
-    if missing:
-        # Determine indent from the first KEY= line we can find, else use
-        # two tabs (the pbxproj default).
-        indent = "\t\t\t\t"
-        for line in lines:
-            m = pattern.match(line)
-            if m:
-                indent = m.group(1)
-                break
-        tail = out[-1] if out else ""
-        # Ensure we inject before the trailing whitespace on the last line.
-        new_lines = [f"{indent}{k} = {values[k]};\n" for k in missing]
-        if tail.strip() == "":
-            out = out[:-1] + new_lines + [tail]
-        else:
-            out = out + new_lines
-    return "".join(out)
-
 
 # --------------------------------------------------------------------------- #
 # ASC bundle ID registration                                                  #
 # --------------------------------------------------------------------------- #
 
 def ensure_bundle_id(token: str, identifier: str) -> str:
+    """Return the ASC primary key for ``identifier``; register if missing."""
     data = get_json(
         "/bundleIds",
         token,
@@ -306,6 +78,7 @@ def profile_name_for(bundle_id: str) -> str:
 
 
 def delete_profile_by_name(token: str, name: str) -> None:
+    """Delete every existing profile with the given name (paginated scan)."""
     deleted_any = False
     next_path: str | None = "/profiles?limit=200"
     while next_path:
@@ -348,7 +121,15 @@ def create_profile(
     return base64.b64decode(payload)
 
 
-def install_profile(profile_der: bytes) -> str:
+def install_profile(profile_der: bytes) -> tuple[str, str]:
+    """Install the raw profile into every Xcode-visible directory.
+
+    Returns ``(uuid, team_id)``. ``team_id`` is the team Apple assigned to
+    the profile — the effective team that Xcode expects to find in
+    ``DEVELOPMENT_TEAM``. It may differ from any team value in
+    ci.config.yaml; the ASC API key is bound to exactly one team and every
+    profile it issues inherits that team.
+    """
     primary = _PROFILE_DIRS[0]
     primary.mkdir(parents=True, exist_ok=True)
     tmp_path = primary / "tmp.mobileprovision"
@@ -359,6 +140,7 @@ def install_profile(profile_der: bytes) -> str:
     plist = plistlib.loads(decoded)
     uuid = plist["UUID"]
     team_ids = plist.get("TeamIdentifier") or []
+    team_id = team_ids[0] if team_ids else ""
     profile_name = plist.get("Name") or "<unknown>"
     final_name = f"{uuid}.mobileprovision"
     for directory in _PROFILE_DIRS:
@@ -366,10 +148,10 @@ def install_profile(profile_der: bytes) -> str:
         (directory / final_name).write_bytes(profile_der)
     tmp_path.unlink(missing_ok=True)
     print(
-        f"  profile {profile_name!r}: uuid={uuid} team={team_ids} "
+        f"  profile {profile_name!r}: uuid={uuid} team={team_id} "
         f"dirs={[str(d) for d in _PROFILE_DIRS]}"
     )
-    return uuid
+    return uuid, team_id
 
 
 # --------------------------------------------------------------------------- #
@@ -380,18 +162,24 @@ def provision_all_bundles(
     token: str,
     bundle_ids: list[str],
     cert_id: str,
-) -> list[tuple[str, str, str]]:
+) -> tuple[list[tuple[str, str, str]], str]:
     """Create + install a CI profile for each bundle id.
 
-    Returns a list of ``(bundle_id, profile_name, uuid)`` tuples.
+    Returns ``(mappings, team_id)`` where mappings is a list of
+    ``(bundle_id, profile_name, uuid)`` tuples and ``team_id`` is the
+    team Apple assigned to the profiles (shared — the ASC API key binds
+    every profile it issues to a single team).
     """
     results: list[tuple[str, str, str]] = []
+    effective_team = ""
     for bid in bundle_ids:
         name = profile_name_for(bid)
         bundle_pk = ensure_bundle_id(token, bid)
         delete_profile_by_name(token, name)
         profile_der = create_profile(token, name, bundle_pk, cert_id)
-        uuid = install_profile(profile_der)
+        uuid, team_id = install_profile(profile_der)
+        if team_id:
+            effective_team = team_id
         print(f"Installed provisioning profile {name} -> {uuid} ({bid})")
         results.append((bid, name, uuid))
-    return results
+    return results, effective_team

package/templates/scripts/ci/ios-native/read_config.py

@@ -38,8 +38,14 @@ Writes to $GITHUB_ENV:
     ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_P8_PATH, ASC_KEY_P8,
     CFG_PROJECT, CFG_WORKSPACE, CFG_SCHEME, CFG_CONFIGURATION,
     CFG_BUNDLE_ID, CFG_TEAM_ID, CFG_APP_STORE_APPLE_ID, CFG_PROFILE_NAME,
-    CFG_USES_NON_EXEMPT, CFG_WHATS_NEW, CFG_LOCALE,
+    CFG_USES_NON_EXEMPT, CFG_WHATS_NEW, CFG_WHATS_NEW_FILE, CFG_LOCALE,
     CFG_RUN_TESTS, CFG_TEST_COMMAND, CFG_TEST_DESTINATION
+
+CFG_WHATS_NEW_FILE points at a file under $RUNNER_TEMP holding the raw
+multi-line release notes. Downstream steps MUST prefer the file over the
+env-var copy: GitHub Actions YAML's `${{ }}` substitution serializes
+multi-line strings in ways that can mangle embedded newlines, while a file
+path is a single-line string that survives interpolation untouched.
 """
 
 from __future__ import annotations
@@ -284,6 +290,22 @@ def main() -> None:
         shown = value if name != "CFG_WHATS_NEW" else value.replace("\n", " / ")
         log(f"{name}={shown!r} (source: {src})")
 
+    # Persist whatsNew to a file under $RUNNER_TEMP so downstream steps can
+    # read raw multi-line content without any GitHub Actions ${{ }} YAML
+    # interpolation mangling embedded newlines. CFG_WHATS_NEW still carries
+    # the same content for backward compatibility; the file is the source
+    # of truth.
+    whats_new_value = tf["whats_new"][0]
+    runner_temp = os.environ.get("RUNNER_TEMP") or str(workspace)
+    whats_new_path = Path(runner_temp) / "whats_new.txt"
+    whats_new_path.write_text(whats_new_value)
+    emit(env_file, "CFG_WHATS_NEW_FILE", str(whats_new_path))
+    log(
+        f"CFG_WHATS_NEW_FILE={whats_new_path} "
+        f"(length={len(whats_new_value)}, "
+        f"newlines={whats_new_value.count(chr(10))})"
+    )
+
 
 if __name__ == "__main__":
     main()

package/templates/scripts/ci/ios-native/set_app_store_whats_new.py

@@ -21,7 +21,12 @@ Environment:
   ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_PATH  -- App Store Connect API credentials
   MARKETING_VERSION                        -- e.g. "1.2.3"
   APP_STORE_VERSION_ID                     -- appStoreVersion id (REUSE or CREATE)
-  APP_STORE_WHATS_NEW                      -- release notes text (empty = skip)
+  APP_STORE_WHATS_NEW_FILE                 -- path to file holding release notes
+                                              (preferred; sidesteps any YAML env
+                                              interpolation that may mangle
+                                              multi-line content)
+  APP_STORE_WHATS_NEW                      -- release notes text (fallback when
+                                              _FILE is unset / unreadable)
   APP_STORE_LOCALE                         -- locale code, default "en-US"
 """
 
@@ -29,6 +34,7 @@ from __future__ import annotations
 
 import os
 import sys
+from pathlib import Path
 
 from asc_common import get_json, make_jwt, request
 
@@ -101,10 +107,34 @@ def _create_localization(
     return resp.json()["data"]["id"]
 
 
+def _read_whats_new() -> tuple[str, str]:
+    """Return (content, source). Prefer a file path (no env interpolation
+    risk). Fall back to APP_STORE_WHATS_NEW env var. Returns ("", "<empty>")
+    when neither is populated."""
+    path = os.environ.get("APP_STORE_WHATS_NEW_FILE", "").strip()
+    if path:
+        try:
+            content = Path(path).read_text()
+            return content, f"file:{path}"
+        except OSError as exc:
+            _warn(
+                f"APP_STORE_WHATS_NEW_FILE={path} unreadable ({exc!r}); "
+                f"falling back to APP_STORE_WHATS_NEW env var."
+            )
+    content = os.environ.get("APP_STORE_WHATS_NEW", "")
+    if content:
+        return content, "env:APP_STORE_WHATS_NEW"
+    return "", "<empty>"
+
+
 def main() -> int:
-    whats_new = os.environ.get("APP_STORE_WHATS_NEW", "")
+    whats_new, source = _read_whats_new()
+    _log(
+        f"whatsNew source={source} length={len(whats_new)} "
+        f"newlines={whats_new.count(chr(10))}"
+    )
     if not whats_new.strip():
-        _log("APP_STORE_WHATS_NEW empty; skipping.")
+        _log("whatsNew empty; skipping.")
         return 0
 
     version = _require_env("MARKETING_VERSION")