npm - @daemux/store-automator - Versions diffs - 0.10.94 → 0.10.96 - Mend

@daemux/store-automator 0.10.94 → 0.10.96

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/.claude-plugin/marketplace.json CHANGED Viewed

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.94"
+    "version": "0.10.96"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.94",
+      "version": "0.10.96",
       "keywords": [
         "flutter",
         "app-store",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.94",
+  "version": "0.10.96",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.94",
+  "version": "0.10.96",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/github/IOS_NATIVE_CI_SETUP.md CHANGED Viewed

@@ -45,6 +45,55 @@ Subsequent builds need neither — the ASC API key handles everything.
 Leave your Xcode project's `MARKETING_VERSION` at `1.0` initially. CI auto-rolls the marketing version forward (patch bump) whenever the prior version hits `READY_FOR_SALE` in App Store Connect. Until then, the pipeline keeps bumping the build number against the current marketing version.
+### Auto-bumping MARKETING_VERSION
+When the ASC combined floor (max of pending review, `preReleaseVersions`,
+or builds-via-`preReleaseVersion`) exceeds your project's
+`MARKETING_VERSION`, the action auto-bumps and commits the new value as
+part of the same bot commit that handles cert refresh / autoupdate.
+Default policy is `patch` — bumps the patch component.
+**Opt out** via the action input:
+```yaml
+- uses: ./.github/actions/swift-app
+  with:
+    marketing-version-auto-bump: 'none'
+```
+In `'none'` mode, the floor check fails the build and you must bump
+`MARKETING_VERSION` manually before retrying.
+**Policy `'minor'`** bumps the minor component (e.g. `1.0.5` → `1.1.0`)
+when floor exceeds project. Useful for projects where every release
+is a minor.
+**Side effect:** the bot commit subject reflects what was changed,
+e.g. `ci: refresh signing identity + bump MARKETING_VERSION [skip ci]`.
+**Source-of-truth resolution.** The auto-bump writes the new value
+into the file your project actually reads from, in this order:
+1. **xcodegen `project.yml`** (preferred when present): regex-rewrite
+   of the `MARKETING_VERSION:` key, preserving formatting. The
+   generated `*.xcodeproj` is regenerated on every build, so editing
+   it directly would lose the bump.
+2. **`*.xcconfig`** sitting alongside the project (top level or one
+   subdirectory deep): handles non-xcodegen projects that hoist
+   `MARKETING_VERSION` into xcconfig.
+3. **`*.xcodeproj/project.pbxproj`**: only when no xcodegen spec is
+   present. Edits every `MARKETING_VERSION = X.Y.Z;` build setting
+   in place.
+4. **`Info.plist` `CFBundleShortVersionString`**: last-ditch fallback
+   for projects that hardcode the version literal.
+If your project uses xcodegen but `MARKETING_VERSION` is not in
+`project.yml` or any `.xcconfig`, the auto-bump emits a `::warning::`
+and the build fails (refusing to silently edit the generated pbxproj
+that xcodegen would wipe). Either move `MARKETING_VERSION` under
+`settings.base` in `project.yml`, or pin `marketing-version-auto-bump:
+'none'` and bump manually.
 ## Step 5 — Push to `main`
 ```bash
@@ -233,11 +282,17 @@ is NEVER auto-committed — see "deploy.yml is not auto-updated" below.
 | Combined commit | One commit when cert refresh + autoupdate fire in the same run (subjects below) |
 | Failure mode | Non-fatal: a failed `npm view` or `npx` emits `::warning::` and the build continues |
-Commit subjects (all carry `[skip ci]`):
+Commit subjects (all carry `[skip ci]`; multiple components are joined
+by ` + ` in the order shown):
-- `ci: refresh signing identity in creds/` — cert/profile refresh only
+- `ci: refresh signing identity` — cert/profile refresh only
 - `ci: autoupdate swift-app-ci` — vendored action update only
-- `ci: refresh signing identity + autoupdate swift-app-ci` — both in one run
+- `ci: bump MARKETING_VERSION` — auto-bump only (rare; floor moved
+  ahead between cert / autoupdate cycles)
+- `ci: refresh signing identity + autoupdate swift-app-ci` — both
+- `ci: refresh signing identity + bump MARKETING_VERSION` — cert + bump
+- `ci: autoupdate swift-app-ci + bump MARKETING_VERSION` — autoupdate + bump
+- `ci: refresh signing identity + autoupdate swift-app-ci + bump MARKETING_VERSION` — all three
 ### `paths-ignore` requirement

package/templates/scripts/ci/ios-native/asc_build_history.py ADDED Viewed

@@ -0,0 +1,284 @@
+#!/usr/bin/env python3
+# Note: fetch_prerelease_versions (~58 lines) and
+# fetch_builds_prerelease_versions (~59 lines) exceed the 50-line
+# function cap. Pre-existing in the source-of-truth; refactor tracked
+# separately to avoid bundling unrelated edits into round-13 trims.
+"""
+App Store Connect pre-release-version history fetcher.
+Split out of asc_version_fetch.py so each module stays focused and under
+the 400-line cap. This module owns:
+  - `fetch_prerelease_versions`: paginated list of every TestFlight train
+    versionString (/v1/apps/{id}/preReleaseVersions -> attributes.version).
+    TestFlight trains persist across app updates and feed ASC's upload
+    validator's "previously approved version" floor.
+Why NOT /v1/apps/{id}/builds? Two reasons, both learned the hard way:
+  1. The app-scoped /builds relationship rejects
+     ``filter[preReleaseVersion.platform]`` with HTTP 400 ("parameter is
+     not permitted on this endpoint"). That filter is only valid on the
+     top-level /v1/builds collection, not the relationship view.
+  2. Even if the filter worked, /builds.attributes.version is the INTEGER
+     build number (CFBundleVersion), NOT the marketing versionString.
+     Empirical proof from CI run 24640182161:
+         ASC /builds: scanning 6 builds -> v='3','2','1'
+     Those '3','2','1' are build numbers. Marketing versions on the same
+     app looked like 1.0, 1.0.1, 1.0.4.
+So /v1/apps/{id}/builds is unfit for marketing-version discovery.
+/v1/apps/{id}/preReleaseVersions is the authoritative source:
+``attributes.version`` there IS the marketing versionString.
+Why no ``filter[platform]`` on the request? CI run 24640348572 proved
+the app-scoped ``/apps/{id}/preReleaseVersions`` relationship endpoint
+rejects ``filter[platform]`` with HTTP 400 ("parameter is not permitted
+on this endpoint"). The filter is only valid on the top-level
+``/preReleaseVersions`` collection. So we fetch unfiltered and filter
+client-side.
+Defensive-inclusion rule (CI run 24640430898): records with an EXPLICIT
+non-iOS platform (``MAC_OS``, ``TV_OS``, ``VISION_OS``) are excluded;
+records with iOS OR null/missing platform are INCLUDED. Rationale: the
+409 failure proved ASC can hide preReleaseVersion records that still
+collide with a POST to /appStoreVersions. Better to overbump one patch
+than to miss a hidden collision.
+Also in this module (CI run 24640430898): ``fetch_builds_prerelease_versions``
+queries ``/v1/builds?filter[app]={id}&include=preReleaseVersion``,
+cross-references the ``included`` array, and extracts each build's
+preReleaseVersion.attributes.version (the marketing version, not the
+build number). This reveals preReleaseVersions that the direct
+/preReleaseVersions query might miss (pagination truncation or state
+filtering). The build's own ``attributes.version`` is the INTEGER build
+number (CFBundleVersion) and is NOT used.
+Why the TOP-LEVEL ``/v1/builds`` collection (not ``/v1/apps/{id}/builds``)?
+CI run 24640675162 proved the app-scoped relationship endpoint rejects
+``include=preReleaseVersion`` with HTTP 400 PARAMETER_ERROR.ILLEGAL
+(`"The parameter 'include' can not be used with this request"`). The
+top-level ``/v1/builds`` collection DOES accept both ``filter[app]``
+and ``include``, so we query that instead and scope by ``filter[app]``.
+(``next_build_number.py`` still uses /builds -- but it needs build
+numbers, not marketing versions, so that usage is correct.)
+"""
+from __future__ import annotations
+import sys
+from asc_common import request
+def _iter_pages(path: str, token: str, params: dict):
+    """Generator over `.data` lists across paginated ASC responses.
+    Follows `links.next` verbatim (stripping the `/v1` prefix so we stay
+    on the retrying client). Yields each record; callers decide what to
+    extract and how to log.
+    """
+    resp = request("GET", path, token, params=params)
+    while True:
+        data = resp.json()
+        for item in data.get("data", []):
+            yield item
+        next_url = ((data.get("links") or {}).get("next")) or ""
+        if not next_url:
+            return
+        next_path = next_url.split("/v1", 1)[-1] if "/v1" in next_url else next_url
+        resp = request("GET", next_path, token)
+_EXPLICIT_NON_IOS_PLATFORMS = {"MAC_OS", "TV_OS", "VISION_OS"}
+def _platform_is_counted(platform: str | None) -> bool:
+    """Defensive inclusion rule: include iOS and null/missing platform;
+    exclude only explicit known-wrong platforms. Keeps hidden records
+    from slipping past the floor (CI run 24640430898)."""
+    if platform in _EXPLICIT_NON_IOS_PLATFORMS:
+        return False
+    return True
+def fetch_prerelease_versions(app_id: str, token: str) -> list[str]:
+    """Return every TestFlight train's versionString for the app.
+    Paginates through links.next so mature apps with >200 trains are not
+    truncated. Filters client-side -- the app-scoped
+    ``/apps/{id}/preReleaseVersions`` relationship endpoint rejects
+    ``filter[platform]`` with HTTP 400 (CI run 24640348572), so we drop
+    the server-side filter and evaluate ``attributes.platform`` on each
+    returned record instead.
+    Defensive inclusion (CI run 24640430898): iOS records AND records
+    with null/missing platform are INCLUDED; only explicit MAC_OS /
+    TV_OS / VISION_OS are excluded. Records with missing/null version
+    are skipped regardless.
+    """
+    path = f"/apps/{app_id}/preReleaseVersions"
+    params = {"limit": 200}
+    out: list[str] = []
+    skipped = 0
+    for item in _iter_pages(path, token, params):
+        attrs = item.get("attributes") or {}
+        version = attrs.get("version")
+        platform = attrs.get("platform")
+        record_id = item.get("id", "")
+        if not version:
+            print(
+                f"[prerelease-history] skip id={record_id} "
+                f"platform={platform or '<null>'} reason=missing-version",
+                file=sys.stderr,
+            )
+            skipped += 1
+            continue
+        if not _platform_is_counted(platform):
+            print(
+                f"[prerelease-history] skip id={record_id} version={version} "
+                f"platform={platform or '<null>'} reason=not-ios",
+                file=sys.stderr,
+            )
+            skipped += 1
+            continue
+        out.append(version)
+        if platform == "IOS":
+            log_msg = (
+                f"[prerelease-history] version={version} "
+                f"platform=IOS id={record_id}"
+            )
+        else:
+            log_msg = (
+                f"[prerelease-history] version={version} "
+                f"platform=<null> id={record_id} "
+                f"reason=included-defensively"
+            )
+        print(log_msg, file=sys.stderr)
+    print(
+        f"[prerelease-history] done: trains={len(out)} skipped={skipped}",
+        file=sys.stderr,
+    )
+    return out
+def fetch_builds_prerelease_versions(app_id: str, token: str) -> list[str]:
+    """Return every build's referenced preReleaseVersion marketing version.
+    Queries the TOP-LEVEL
+    ``/v1/builds?filter[app]={id}&include=preReleaseVersion`` collection
+    and cross-references the ``included`` array to resolve each build's
+    ``relationships.preReleaseVersion.data.id`` -> the corresponding
+    ``included`` record's ``attributes.version`` (marketing version,
+    NOT the build number).
+    The app-scoped relationship endpoint ``/v1/apps/{id}/builds`` rejects
+    the ``include`` parameter with HTTP 400 PARAMETER_ERROR.ILLEGAL
+    (`"The parameter 'include' can not be used with this request"`,
+    CI run 24640675162). The top-level collection accepts both
+    ``filter[app]`` and ``include``, so we query that and scope by app.
+    Paginates through links.next. Same defensive platform rule as
+    fetch_prerelease_versions: iOS / null included, explicit non-iOS
+    excluded. Each cross-reference is logged.
+    Rationale: CI run 24640430898 exposed a hidden preReleaseVersion
+    that the direct /preReleaseVersions query did not surface, yet a
+    POST to /appStoreVersions for that version returned 409. The
+    builds->preReleaseVersion path is a second, independent view of
+    those same records and catches ones missed by the direct query.
+    """
+    path = "/builds"
+    params = {
+        "filter[app]": app_id,
+        "include": "preReleaseVersion",
+        "limit": 200,
+    }
+    out: list[str] = []
+    counters = {"builds_scanned": 0, "skipped": 0}
+    resp = request("GET", path, token, params=params)
+    while True:
+        data = resp.json()
+        included_by_id = _index_included(data.get("included") or [])
+        for build in data.get("data", []):
+            counters["builds_scanned"] += 1
+            version = _extract_build_prerelease_version(
+                build, included_by_id, counters,
+            )
+            if version is not None:
+                out.append(version)
+        next_url = ((data.get("links") or {}).get("next")) or ""
+        if not next_url:
+            break
+        next_path = next_url.split("/v1", 1)[-1] if "/v1" in next_url else next_url
+        resp = request("GET", next_path, token)
+    print(
+        f"[builds-prerelease] done: builds={counters['builds_scanned']} "
+        f"versions={len(out)} skipped={counters['skipped']}",
+        file=sys.stderr,
+    )
+    return out
+def _extract_build_prerelease_version(
+    build: dict, included_by_id: dict[str, dict], counters: dict,
+) -> str | None:
+    """Return the build's referenced preReleaseVersion marketing version
+    if it passes the defensive platform filter; else None. ``counters``
+    is mutated to track skips for the done-line summary."""
+    rel_id = _prerelease_ref_id(build)
+    if not rel_id:
+        return None
+    ref = included_by_id.get(rel_id)
+    if ref is None:
+        return None
+    attrs = ref.get("attributes") or {}
+    version = attrs.get("version")
+    platform = attrs.get("platform")
+    if not version:
+        counters["skipped"] += 1
+        return None
+    if not _platform_is_counted(platform):
+        print(
+            f"[builds-prerelease] skip build={build.get('id', '')} "
+            f"prerelease_id={rel_id} version={version} "
+            f"platform={platform or '<null>'} reason=not-ios",
+            file=sys.stderr,
+        )
+        counters["skipped"] += 1
+        return None
+    print(
+        f"[builds-prerelease] build={build.get('id', '')} "
+        f"prerelease_id={rel_id} version={version} "
+        f"platform={platform or '<null>'}",
+        file=sys.stderr,
+    )
+    return version
+def _index_included(included: list[dict]) -> dict[str, dict]:
+    """Build {id: record} map restricted to preReleaseVersions for O(1)
+    cross-reference from a build's relationships.preReleaseVersion.data.id."""
+    out: dict[str, dict] = {}
+    for rec in included:
+        if rec.get("type") != "preReleaseVersions":
+            continue
+        rid = rec.get("id")
+        if rid:
+            out[rid] = rec
+    return out
+def _prerelease_ref_id(build: dict) -> str | None:
+    """Return the preReleaseVersion id referenced by a build, or None
+    if the relationship is absent/empty."""
+    rels = build.get("relationships") or {}
+    pre = rels.get("preReleaseVersion") or {}
+    data = pre.get("data") or {}
+    rid = data.get("id")
+    return rid if rid else None

package/templates/scripts/ci/ios-native/asc_common.py CHANGED Viewed

@@ -8,6 +8,7 @@ constants used by multiple scripts in this action.
 from __future__ import annotations
+import os
 import sys
 import time
 from typing import Any
@@ -18,6 +19,37 @@ import requests
 ASC_BASE = "https://api.appstoreconnect.apple.com/v1"
+# ----------------------------------------------------------------------
+# ASC version-state taxonomy (consumed by manage_marketing_version's
+# ``_classify_match_at_target``):
+#
+#   terminal  -- READY_FOR_SALE / PROCESSING_FOR_APP_STORE /
+#                PENDING_APPLE_RELEASE / archived (REPLACED_WITH_NEW_VERSION,
+#                REMOVED_FROM_SALE, NOT_APPLICABLE). Slot is locked; auto-roll
+#                may advance the project's MARKETING_VERSION to the next
+#                patch instead of rejecting.
+#   in_review -- WAITING_FOR_REVIEW / IN_REVIEW (Apple is actively reviewing)
+#                OR PENDING_DEVELOPER_RELEASE (Apple approved; awaiting the
+#                developer's manual release click). Auto-roll is forbidden:
+#                advancing past either state would race the review process or
+#                bypass the developer's release decision.
+#   editable  -- PREPARE_FOR_SUBMISSION / REJECTED / METADATA_REJECTED /
+#                DEVELOPER_REJECTED / INVALID_BINARY. REUSE the row's id
+#                (developer-actionable; mutating is safe).
+#   unknown   -- any state in NONE of the above. Round-12 fail-closed: the
+#                classifier rejects rather than guessing, so a future ASC
+#                state cannot silently 409 on CREATE or interfere with
+#                whatever Apple is doing with the row.
+#
+# Round-11 design decision: the classifier uses POSITIVE allowlists below
+# rather than ``not in EDITABLE_STATES``. The negative test misclassified
+# PENDING_DEVELOPER_RELEASE as terminal -- it's NOT editable, but it's also
+# NOT auto-rollable (the developer has an approved build awaiting their
+# manual release). Positive allowlists make the taxonomy explicit and
+# prevent future ASC states from silently falling into the auto-roll
+# bucket.
+# ----------------------------------------------------------------------
 # App Store version states that allow editing the current draft.
 EDITABLE_STATES = {
     "PREPARE_FOR_SUBMISSION",
@@ -29,6 +61,28 @@ EDITABLE_STATES = {
     "DEVELOPER_REJECTED",
 }
+# Subset of EDITABLE_STATES safe to mutate (attach a build, rename via PATCH)
+# without going through Apple Review. WAITING_FOR_REVIEW and IN_REVIEW are
+# editable in the broad ASC sense (developer can withdraw), but Apple is
+# actively reviewing them: attaching a TestFlight build or PATCH-renaming
+# such a row would silently interfere with App Review. REJECTED /
+# METADATA_REJECTED / INVALID_BINARY come back from Apple Review and are
+# explicitly developer-actionable, so mutating them is safe.
+REUSABLE_STATES = {
+    "PREPARE_FOR_SUBMISSION",
+    "DEVELOPER_REJECTED",
+    "REJECTED",
+    "METADATA_REJECTED",
+    "INVALID_BINARY",
+}
+# Editable states that are currently under Apple Review. Mutating these
+# would interfere with the review process.
+IN_REVIEW_STATES = {
+    "WAITING_FOR_REVIEW",
+    "IN_REVIEW",
+}
 # Terminal states: the version is locked and a new one must be created.
 TERMINAL_STATES = {
     "READY_FOR_SALE",
@@ -51,6 +105,17 @@ BLOCKING_STATES = {"PENDING_DEVELOPER_RELEASE"}
 _RETRY_STATUSES = {429, 500, 502, 503, 504}
 _RETRY_BACKOFFS = (2, 8, 30)  # seconds
+# Per-request timeouts (seconds). Splitting connect vs read so a slow TLS
+# handshake can't masquerade as a slow API response (and vice versa).
+# Without these, ``requests.request(...)`` would block the CI runner
+# indefinitely on a hung TCP socket -- the runner only kills the job at
+# its 6h hard limit, by which point the on-call has already paged.
+_DEFAULT_TIMEOUT_CONNECT_SEC = 10.0
+_DEFAULT_TIMEOUT_READ_SEC = 30.0
+# Env overrides for slow networks / unusually large ASC responses.
+_TIMEOUT_CONNECT_ENV = "ASC_REQUEST_TIMEOUT_CONNECT_SEC"
+_TIMEOUT_READ_ENV = "ASC_REQUEST_TIMEOUT_READ_SEC"
 def make_jwt(key_id: str, issuer_id: str, key_path: str) -> str:
     """Return an ES256 JWT valid for 20 minutes, audience appstoreconnect-v1."""
@@ -68,6 +133,64 @@ def make_jwt(key_id: str, issuer_id: str, key_path: str) -> str:
     )
+def _request_timeouts() -> tuple[float, float]:
+    """Return ``(connect, read)`` timeouts in seconds. Both env-overridable
+    for slow networks (``ASC_REQUEST_TIMEOUT_CONNECT_SEC`` /
+    ``ASC_REQUEST_TIMEOUT_READ_SEC``); invalid or non-positive values
+    fall back to the defaults so a typo can't disable the timeout."""
+    def read(env_name: str, default: float) -> float:
+        raw = (os.environ.get(env_name) or "").strip()
+        if not raw:
+            return default
+        try:
+            value = float(raw)
+        except ValueError:
+            return default
+        return value if value > 0 else default
+    return (
+        read(_TIMEOUT_CONNECT_ENV, _DEFAULT_TIMEOUT_CONNECT_SEC),
+        read(_TIMEOUT_READ_ENV, _DEFAULT_TIMEOUT_READ_SEC),
+    )
+def _retry_network_error(
+    method: str, path: str, attempt: int, total: int,
+    backoffs: tuple[int, ...], exc: BaseException,
+) -> None:
+    """Network error path: sleep and return when retries remain, else
+    raise SystemExit (terminal). Caller ``continue``s after return."""
+    if attempt >= total - 1:
+        raise SystemExit(
+            f"ASC {method} {path} network error after {total} "
+            f"attempts: {exc!r}"
+        )
+    delay = backoffs[attempt]
+    print(
+        f"ASC {method} {path} network error ({exc!r}); "
+        f"retrying in {delay}s ({attempt + 1}/{total - 1})",
+        file=sys.stderr,
+    )
+    time.sleep(delay)
+def _retry_status(
+    method: str, path: str, attempt: int, total: int,
+    backoffs: tuple[int, ...], status: int,
+) -> bool:
+    """Retryable status code: sleep and return True when retries remain,
+    else return False so the caller breaks to the final SystemExit."""
+    if attempt >= total - 1:
+        return False
+    delay = backoffs[attempt]
+    print(
+        f"ASC {method} {path} returned {status}; "
+        f"retrying in {delay}s ({attempt + 1}/{total - 1})",
+        file=sys.stderr,
+    )
+    time.sleep(delay)
+    return True
 def request(
     method: str,
     path: str,
@@ -78,60 +201,40 @@ def request(
     allow_status: set[int] | None = None,
     max_attempts: int = 3,
 ) -> requests.Response:
-    """HTTP request with retry on 429/5xx.
+    """HTTP request with retry on 429/5xx and explicit connect/read timeouts.
     `path` is the portion after `/v1` (e.g. "/apps/123/appStoreVersions").
     `allow_status` lists non-2xx statuses the caller wants returned without
-    raising (useful for 409 conflict handling).
-    Raises SystemExit(1) on non-retryable failure with a clear stderr message.
+    raising (useful for 409 conflict handling). Per-request timeouts come
+    from ``_request_timeouts()`` (env-overridable); without them a hung
+    TCP socket would block the CI runner indefinitely.
+    Raises SystemExit on non-retryable failure with a clear stderr message.
     """
     url = f"{ASC_BASE}{path}"
     headers = {"Authorization": f"Bearer {token}"}
     if json_body is not None:
         headers["Content-Type"] = "application/json"
     backoffs = _RETRY_BACKOFFS[: max(0, max_attempts - 1)]
-    total_attempts = len(backoffs) + 1
+    total = len(backoffs) + 1
+    timeout = _request_timeouts()
     resp: requests.Response | None = None
-    for attempt in range(total_attempts):
+    for attempt in range(total):
         try:
             resp = requests.request(
-                method, url, headers=headers, params=params, json=json_body
+                method, url, headers=headers, params=params,
+                json=json_body, timeout=timeout,
             )
         except requests.RequestException as exc:
-            if attempt < total_attempts - 1:
-                delay = backoffs[attempt]
-                print(
-                    f"ASC {method} {path} network error ({exc!r}); "
-                    f"retrying in {delay}s ({attempt + 1}/{total_attempts - 1})",
-                    file=sys.stderr,
-                )
-                time.sleep(delay)
-                continue
-            raise SystemExit(
-                f"ASC {method} {path} network error after {total_attempts} "
-                f"attempts: {exc!r}"
-            )
+            _retry_network_error(method, path, attempt, total, backoffs, exc)
+            continue
         if resp.status_code < 400:
             return resp
         if allow_status and resp.status_code in allow_status:
             return resp
-        if resp.status_code in _RETRY_STATUSES and attempt < total_attempts - 1:
-            delay = backoffs[attempt]
-            print(
-                f"ASC {method} {path} returned {resp.status_code}; "
-                f"retrying in {delay}s ({attempt + 1}/{total_attempts - 1})",
-                file=sys.stderr,
-            )
-            time.sleep(delay)
+        if resp.status_code in _RETRY_STATUSES and _retry_status(
+                method, path, attempt, total, backoffs, resp.status_code):
             continue
         break
     assert resp is not None
     raise SystemExit(
         f"ASC {method} {path} failed: {resp.status_code}\n{resp.text[:2000]}"