@daemux/store-automator 0.10.93 → 0.10.95

package/templates/scripts/ci/ios-native/profile_manager.py

@@ -11,6 +11,27 @@ Talks to the App Store Connect API to:
 * Install the resulting ``.mobileprovision`` into every Xcode profile
   directory (Xcode 15 and Xcode 16+ use different paths).
 
+Caching
+-------
+
+``provision_all_bundles`` is now cache-aware. Callers pass the workspace
+``creds_dir`` and a ``cache_hit`` flag indicating whether the cert was
+itself reused from cache. The function:
+
+  * If the manifest's cached cert_id matches the current cert_id AND the
+    cert was reused, it tries to reuse each bundle's profile from disk
+    (``find_reusable_profile``) before falling back to a fresh
+    ``create_profile`` round-trip. Profile create on Apple's side is
+    rate-limited and disturbs the team's profile-list view, so caching
+    is worth it.
+  * If the cert changed (cap rotation, expiry, manual revoke) it forces
+    a full regen — Apple invalidates a profile the moment its leaf cert
+    goes away, so reusing the on-disk file would archive an unsigned
+    binary.
+  * After the loop it GCs orphan ``.mobileprovision`` files whose bundle
+    is no longer in ``bundle_ids`` (e.g. an extension was deleted from
+    the target list) and rewrites the manifest with the current set.
+
 Xcode pbxproj editing lives in ``pbxproj_editor.py``; this file is
 ASC-facing only.
 """
@@ -18,12 +39,14 @@ ASC-facing only.
 from __future__ import annotations
 
 import base64
-import plistlib
 import subprocess
+from datetime import datetime
 from pathlib import Path
 
+import creds_store
 from asc_common import get_json, request
 from pbxproj_editor import PROFILE_PREFIX
+from profile_io import decode_profile_plist, ensure_utc
 
 
 # Xcode 16+ moved the canonical profile directory. Older Xcode releases
@@ -121,65 +144,164 @@ def create_profile(
     return base64.b64decode(payload)
 
 
-def install_profile(profile_der: bytes) -> tuple[str, str]:
+def install_profile(profile_der: bytes) -> tuple[str, str, datetime]:
     """Install the raw profile into every Xcode-visible directory.
 
-    Returns ``(uuid, team_id)``. ``team_id`` is the team Apple assigned to
-    the profile — the effective team that Xcode expects to find in
-    ``DEVELOPMENT_TEAM``. It may differ from any team value in
-    ci.config.yaml; the ASC API key is bound to exactly one team and every
-    profile it issues inherits that team.
+    Returns ``(uuid, team_id, expiration)``. ``team_id`` is the team
+    Apple assigned to the profile — the effective team that Xcode
+    expects to find in ``DEVELOPMENT_TEAM``. ``expiration`` is the
+    profile's ``ExpirationDate`` normalised to UTC; the caller persists
+    it in the cache manifest.
     """
-    primary = _PROFILE_DIRS[0]
-    primary.mkdir(parents=True, exist_ok=True)
-    tmp_path = primary / "tmp.mobileprovision"
-    tmp_path.write_bytes(profile_der)
-    decoded = subprocess.check_output(
-        ["security", "cms", "-D", "-i", str(tmp_path)]
-    )
-    plist = plistlib.loads(decoded)
+    plist = decode_profile_plist(profile_der, _PROFILE_DIRS[0])
     uuid = plist["UUID"]
     team_ids = plist.get("TeamIdentifier") or []
     team_id = team_ids[0] if team_ids else ""
     profile_name = plist.get("Name") or "<unknown>"
+    expiration = ensure_utc(plist.get("ExpirationDate"))
     final_name = f"{uuid}.mobileprovision"
     for directory in _PROFILE_DIRS:
         directory.mkdir(parents=True, exist_ok=True)
         (directory / final_name).write_bytes(profile_der)
-    tmp_path.unlink(missing_ok=True)
     print(
         f"  profile {profile_name!r}: uuid={uuid} team={team_id} "
-        f"dirs={[str(d) for d in _PROFILE_DIRS]}"
+        f"exp={expiration.isoformat()} dirs={[str(d) for d in _PROFILE_DIRS]}"
     )
-    return uuid, team_id
+    return uuid, team_id, expiration
 
 
 # --------------------------------------------------------------------------- #
 # Orchestration                                                               #
 # --------------------------------------------------------------------------- #
 
+def _try_reuse_cached(
+    bid: str,
+    name: str,
+    cert_id: str,
+    creds_dir: Path,
+    manifest: dict,
+) -> tuple[str, str, dict] | None:
+    """Return ``(uuid, team, entry)`` if a cached profile reinstalls cleanly.
+
+    A corrupt .mobileprovision (truncated, manually edited, ``security
+    cms`` decode failure) must NEVER abort the build — log and return
+    ``None`` so the caller falls through to the fresh-create path.
+    """
+    cached = creds_store.find_reusable_profile(manifest, bid, cert_id, creds_dir)
+    if cached is None:
+        return None
+    try:
+        der = creds_store.profile_path(creds_dir, cached.uuid).read_bytes()
+        uuid, team_id, _ = install_profile(der)
+    except (OSError, subprocess.CalledProcessError, ValueError, KeyError) as exc:
+        print(
+            f"::warning::cached profile {cached.filename!r} unusable "
+            f"({exc!r}); regenerating"
+        )
+        return None
+    # cached.expiration is already UTC-aware (load_profile_manifest routes
+    # it through _parse_iso); no astimezone needed.
+    entry = {
+        "bundle_id": bid,
+        "name": cached.name or name,
+        "uuid": uuid,
+        "filename": f"{uuid}.mobileprovision",
+        "expiration": cached.expiration.isoformat(),
+    }
+    print(f"Reused cached profile {name} -> {uuid} ({bid})")
+    return uuid, team_id, entry
+
+
+def _provision_bundle(
+    token: str,
+    bid: str,
+    cert_id: str,
+    creds_dir: Path,
+    manifest: dict,
+    can_reuse: bool,
+) -> tuple[str, str, str, dict]:
+    """Provision one bundle; return ``(name, uuid, team, manifest_entry)``."""
+    name = profile_name_for(bid)
+    if can_reuse:
+        reused = _try_reuse_cached(bid, name, cert_id, creds_dir, manifest)
+        if reused is not None:
+            uuid, team_id, entry = reused
+            return name, uuid, team_id, entry
+
+    bundle_pk = ensure_bundle_id(token, bid)
+    delete_profile_by_name(token, name)
+    profile_der = create_profile(token, name, bundle_pk, cert_id)
+    uuid, team_id, expiration = install_profile(profile_der)
+    creds_store.write_cached_profile(creds_dir, uuid, profile_der)
+    entry = {
+        "bundle_id": bid,
+        "name": name,
+        "uuid": uuid,
+        "filename": f"{uuid}.mobileprovision",
+        "expiration": expiration.isoformat(),
+    }
+    print(f"Installed fresh profile {name} -> {uuid} ({bid})")
+    return name, uuid, team_id, entry
+
+
+def _gc_orphan_profiles(
+    creds_dir: Path, old_manifest: dict, new_entries: list[dict]
+) -> None:
+    """Remove cached .mobileprovision files for bundles no longer present."""
+    new_uuids = {e["uuid"] for e in new_entries}
+    for raw in old_manifest.get("profiles", []):
+        uuid = raw.get("uuid")
+        if not uuid or uuid in new_uuids:
+            continue
+        path = creds_store.profile_path(creds_dir, uuid)
+        if path.exists():
+            path.unlink(missing_ok=True)
+            print(f"GC'd orphan profile {uuid} ({raw.get('bundle_id')!r})")
+
+
 def provision_all_bundles(
     token: str,
     bundle_ids: list[str],
     cert_id: str,
+    *,
+    creds_dir: Path,
+    cache_hit: bool,
 ) -> tuple[list[tuple[str, str, str]], str]:
-    """Create + install a CI profile for each bundle id.
+    """Create + install a CI profile for each bundle id, with caching.
 
     Returns ``(mappings, team_id)`` where mappings is a list of
     ``(bundle_id, profile_name, uuid)`` tuples and ``team_id`` is the
     team Apple assigned to the profiles (shared — the ASC API key binds
     every profile it issues to a single team).
+
+    ``cache_hit`` says whether the cert came from cache. ``creds_dir``
+    is the workspace ``creds/`` root. When the manifest's cert_id
+    differs from ``cert_id`` we force a full regen — Apple invalidates
+    every profile bound to the prior cert the moment that cert is
+    revoked, so reusing on-disk profiles would archive unsigned bits.
     """
+    manifest = creds_store.load_profile_manifest(creds_dir)
+    can_reuse = cache_hit and manifest.get("cert_id") == cert_id
+    if cache_hit and not can_reuse:
+        print(
+            f"Manifest cert_id {manifest.get('cert_id')!r} differs from "
+            f"current {cert_id!r}; regenerating all profiles"
+        )
+
     results: list[tuple[str, str, str]] = []
+    new_entries: list[dict] = []
     effective_team = ""
     for bid in bundle_ids:
-        name = profile_name_for(bid)
-        bundle_pk = ensure_bundle_id(token, bid)
-        delete_profile_by_name(token, name)
-        profile_der = create_profile(token, name, bundle_pk, cert_id)
-        uuid, team_id = install_profile(profile_der)
+        name, uuid, team_id, entry = _provision_bundle(
+            token, bid, cert_id, creds_dir, manifest, can_reuse
+        )
         if team_id:
             effective_team = team_id
-        print(f"Installed provisioning profile {name} -> {uuid} ({bid})")
         results.append((bid, name, uuid))
+        new_entries.append(entry)
+
+    _gc_orphan_profiles(creds_dir, manifest, new_entries)
+    creds_store.write_profile_manifest(
+        creds_dir, {"cert_id": cert_id, "profiles": new_entries}
+    )
     return results, effective_team

package/templates/scripts/ci/ios-native/set_app_store_whats_new.py

@@ -78,29 +78,24 @@ def _log(msg: str) -> None:
     print(msg, file=sys.stderr)
 
 
+# Apple's 409 STATE_ERROR detail string for the known-benign case where
+# the per-localization slot is locked because the parent version is
+# transitioning between states. Substring match (not regex / equality) so
+# we don't break if Apple appends or reformats surrounding context.
+_WHATSNEW_LOCKED_DETAIL = "cannot be edited at this time"
+
+
 def _patch_localization(
     token: str, localization_id: str, whats_new: str
 ) -> bool:
     """PATCH a single localization's whatsNew. Returns True on success,
     False when Apple reports the localization is locked (409 STATE_ERROR).
 
-    Apple returns 409 STATE_ERROR ("Attribute 'whatsNew' cannot be edited
-    at this time") on individual localizations even when the parent
-    appStoreVersion's appStoreState is in the editable allow-list checked
-    upstream. This happens when the per-localization state is locked
-    independently (e.g. submitted, in-review at the localization level,
-    or transitioning) -- a race the version-level state check at the top
-    of main() cannot see.
-
-    Without this allow-list, asc_common.request() raises SystemExit on
-    the 409, which the script's top-level try/except cannot swallow
-    (SystemExit is explicitly re-raised). The whole CI run then fails
-    at exit code 1 even though the IPA upload already succeeded.
-
-    Other non-2xx statuses (auth, 5xx, malformed payloads, real ASC
-    outages) are NOT in the allow-list and continue to fail loud --
-    asc_common.request() retries 5xx automatically and SystemExits on
-    everything else.
+    See _handle_localization_409 for the rationale behind allow_status={409}
+    and the benign-lock vs unexpected-409 routing. Other non-2xx statuses
+    (auth, 5xx, malformed payloads, real ASC outages) are NOT in the
+    allow-list and continue to fail loud -- asc_common.request() retries
+    5xx automatically and SystemExits on everything else.
     """
     resp = request(
         "PATCH",
@@ -116,16 +111,75 @@ def _patch_localization(
         allow_status={409},
     )
     if resp.status_code == 409:
-        _warn(
-            f"appStoreVersionLocalization {localization_id} returned 409 "
-            f"STATE_ERROR (locked); whatsNew not patched for this "
-            f"localization. Other localizations and the rest of the run "
-            f"continue."
-        )
+        _handle_localization_409(localization_id, resp)
         return False
     return True
 
 
+def _handle_localization_409(localization_id: str, resp) -> None:
+    """Route an ASC 409 STATE_ERROR on a localization PATCH to the right
+    log channel based on the response detail.
+
+    Apple returns 409 STATE_ERROR ("Attribute 'whatsNew' cannot be edited
+    at this time") on individual localizations even when the parent
+    appStoreVersion's appStoreState is in the editable allow-list checked
+    upstream. This happens when the per-localization state is locked
+    independently (e.g. submitted, in-review at the localization level,
+    or transitioning) -- a race the version-level state check at the top
+    of main() cannot see.
+
+    Without an allow_status={409} entry in the request, asc_common.request()
+    raises SystemExit on the 409, which the script's top-level try/except
+    cannot swallow (SystemExit is explicitly re-raised). The whole CI run
+    then fails at exit code 1 even though the IPA upload already succeeded.
+
+    The benign-lock detail is logged plain -- it's the expected,
+    non-actionable case and emitting `::warning::` annotations every clean
+    run produces noise in the GH workflow summary. Any OTHER 409 detail
+    (genuinely unexpected) is still surfaced as `::warning::`.
+    """
+    detail = _extract_409_detail(resp)
+    if _WHATSNEW_LOCKED_DETAIL in detail:
+        _log(
+            f"[whatsNew] localization {localization_id} is currently "
+            f"locked, skipping (detail: {detail!r})"
+        )
+        return
+    _warn(
+        f"appStoreVersionLocalization {localization_id} returned 409 "
+        f"with unexpected detail {detail!r}; whatsNew not patched for "
+        f"this localization. Other localizations and the rest of the "
+        f"run continue."
+    )
+
+
+def _extract_409_detail(resp) -> str:
+    """Pull the human-readable detail string out of an ASC 409 response.
+
+    ASC error envelope: {"errors": [{"status": "409", "code": "STATE_ERROR",
+    "title": "...", "detail": "Attribute 'whatsNew' cannot be edited at this
+    time"}]}. We collapse all error details into a single string so the
+    benign-lock substring match survives Apple returning multiple errors
+    in one response. Falls back to raw response text if JSON parsing fails
+    (defensive -- Apple's error envelopes have been stable for years but
+    the network layer occasionally returns HTML on infrastructure faults).
+    """
+    try:
+        body = resp.json()
+    except ValueError:
+        return resp.text or ""
+    errors = body.get("errors") if isinstance(body, dict) else None
+    if not errors:
+        return ""
+    parts = []
+    for err in errors:
+        if isinstance(err, dict):
+            detail = err.get("detail") or err.get("title") or ""
+            if detail:
+                parts.append(detail)
+    return " | ".join(parts)
+
+
 def _create_localization(
     token: str, version_id: str, locale: str, whats_new: str
 ) -> str:
@@ -204,10 +258,13 @@ def _update_all_localizations(
         else:
             skipped += 1
     if skipped:
-        _log(
-            f"whatsNew skipped for {skipped} locked localization(s) "
-            f"(see warnings above)"
-        )
+        # Per-localization detail (lock state, unexpected 409, etc.) was
+        # already emitted above by _patch_localization -- this is just the
+        # rollup count so the workflow log shows a single summary line.
+        # We deliberately avoid "see warnings above": for the benign-lock
+        # case _patch_localization emits plain _log entries (no ::warning::),
+        # so a "warnings above" pointer would mislead the reader.
+        _log(f"whatsNew skipped for {skipped} locked localization(s)")
     return count