@daemux/store-automator 0.10.95 → 0.10.96

package/templates/scripts/ci/ios-native/asc_version_reuse.py

@@ -0,0 +1,177 @@
+#!/usr/bin/env python3
+# Note: ~68-line helper exceeds the 50-line function cap. Pre-existing
+# in the source-of-truth; refactor tracked separately to avoid bundling
+# unrelated edits into round-13 trims.
+"""
+App Store Connect stale-editable appStoreVersion reuse.
+
+Split out of asc_version_create.py to keep each module under the 400-line
+cap. Owns the "PATCH then DELETE+POST fallback" flow that recovers from
+ASC's "You cannot create a new version of the App in the current state."
+409 (CI run 24640907316).
+
+Why: ASC allows only ONE editable appStoreVersion at a time. When a
+stale editable is sitting below our target marketing floor, a straight
+POST of the new version returns 409 ENTITY_ERROR.RELATIONSHIP.INVALID
+with pointer /data/relationships/app. Bumping the version cannot fix
+this -- the editable itself must be renamed (PATCH) or removed (DELETE)
+first.
+
+Exit code:
+  5 -- PATCH failed AND DELETE failed (e.g. version locked by review);
+       manual intervention required in ASC.
+"""
+
+from __future__ import annotations
+
+import json as _json
+import sys
+
+from asc_common import request
+
+
+# Substrings in error.detail that indicate "a stale editable exists and
+# blocks creating a new version". ASC returns this as 409 with
+# code=ENTITY_ERROR.RELATIONSHIP.INVALID and pointer=/data/relationships/app
+# (CI run 24640907316). Case-insensitive match.
+_EDITABLE_EXISTS_DETAIL_HINTS = (
+    "create a new version",
+    "cannot create a new version",
+    "current state",
+)
+
+
+def _log_body(body: dict, tag: str) -> None:
+    """Pretty-print a request body to stderr before the call."""
+    try:
+        pretty = _json.dumps(body, indent=2, sort_keys=True)
+    except (TypeError, ValueError):
+        pretty = repr(body)
+    print(f"[{tag}] request body: {pretty}", file=sys.stderr)
+
+
+def patch_version(app_id: str, existing_id: str, target_version: str, token: str):
+    """PATCH /appStoreVersions/{id} to rename versionString. Preserves
+    metadata and review attachments. 4xx statuses allowed so the caller
+    can fall back to DELETE+POST.
+
+    ASC PATCH shape per JSON:API: data.type=appStoreVersions, data.id
+    must match the URL id, attributes carries the rename."""
+    body = {
+        "data": {
+            "type": "appStoreVersions",
+            "id": str(existing_id),
+            "attributes": {"versionString": target_version},
+        }
+    }
+    _log_body(body, "patch-version")
+    return request(
+        "PATCH", f"/appStoreVersions/{existing_id}", token,
+        json_body=body, allow_status={400, 403, 404, 409, 422},
+    )
+
+
+def delete_version(app_id: str, existing_id: str, token: str):
+    """DELETE /appStoreVersions/{id}. 4xx statuses allowed so the caller
+    can surface a clear error when the record is locked by review."""
+    return request(
+        "DELETE", f"/appStoreVersions/{existing_id}", token,
+        allow_status={400, 403, 404, 409, 422},
+    )
+
+
+def _is_2xx(resp) -> bool:
+    return 200 <= getattr(resp, "status_code", 0) < 300
+
+
+def _body_text(resp) -> str:
+    t = getattr(resp, "text", None)
+    return t if isinstance(t, str) else ""
+
+
+def reuse_stale_editable(
+    *,
+    app_id: str,
+    existing_id: str,
+    target_version: str,
+    token: str,
+    patch_fn=None,
+    delete_fn=None,
+    post_fn=None,
+) -> str:
+    """Reuse a stale editable appStoreVersion that blocks creating a new
+    version. Tries PATCH (rename) first; on failure falls back to
+    DELETE + POST. SystemExit(5) when DELETE also fails.
+
+    All three ASC calls are injected so tests can drive the sequence
+    without hitting the network. ``post_fn`` must accept
+    ``(app_id, version, token)`` -- same shape as ``create_version``.
+    """
+    patch = patch_fn if patch_fn is not None else patch_version
+    delete = delete_fn if delete_fn is not None else delete_version
+    if post_fn is None:
+        # Lazy import to avoid a circular dep with asc_version_create.
+        from asc_version_create import create_version as _default_post
+        post = _default_post
+    else:
+        post = post_fn
+
+    print(
+        f"[reuse-stale] PATCH /appStoreVersions/{existing_id} "
+        f"versionString -> {target_version}",
+        file=sys.stderr,
+    )
+    resp = patch(app_id, existing_id, target_version, token)
+    if _is_2xx(resp):
+        print("[reuse-stale] PATCH ok", file=sys.stderr)
+        return existing_id
+
+    print(
+        f"[reuse-stale] PATCH failed status={resp.status_code} "
+        f"body={_body_text(resp)}",
+        file=sys.stderr,
+    )
+
+    print(
+        f"[reuse-stale] DELETE /appStoreVersions/{existing_id}",
+        file=sys.stderr,
+    )
+    del_resp = delete(app_id, existing_id, token)
+    if not _is_2xx(del_resp):
+        print(
+            f"::error::stale editable appStoreVersion id={existing_id} "
+            f"cannot be renamed or deleted -- manually intervene in ASC. "
+            f"DELETE status={del_resp.status_code} body={_body_text(del_resp)}",
+            file=sys.stderr,
+        )
+        raise SystemExit(5)
+
+    print("[reuse-stale] DELETE ok, retrying POST", file=sys.stderr)
+    post_resp = post(app_id, target_version, token)
+    if not _is_2xx(post_resp):
+        print(
+            f"::error::stale editable {existing_id} was deleted but POST "
+            f"for {target_version} still failed "
+            f"status={post_resp.status_code} body={_body_text(post_resp)}",
+            file=sys.stderr,
+        )
+        raise SystemExit(5)
+    return post_resp.json()["data"]["id"]
+
+
+def is_editable_exists_409(errors: list[dict]) -> bool:
+    """True iff the 409 is attributable to a pre-existing editable
+    appStoreVersion (ASC allows only one editable at a time). Matches
+    the classifier in the CI run 24640907316 spec: code is
+    ENTITY_ERROR.RELATIONSHIP.INVALID AND detail contains "create a
+    new version" (or similar hint)."""
+    for e in errors:
+        if not isinstance(e, dict):
+            continue
+        code = (e.get("code") or "").strip()
+        detail = (e.get("detail") or "").strip().lower()
+        if code == "ENTITY_ERROR.RELATIONSHIP.INVALID" and any(
+            hint in detail for hint in _EDITABLE_EXISTS_DETAIL_HINTS
+        ):
+            return True
+    return False

package/templates/scripts/ci/ios-native/autoupdate_check.sh

@@ -76,44 +76,39 @@ git config user.email >/dev/null 2>&1 || \
 # importing them. Those caches are build artifacts of *this* run, not part
 # of the action distribution -- sweeping them into the autoupdate bot
 # commit is benign but noisy (every clean run emits a "refresh
-# __pycache__" diff). `git ls-files -mo` enumerates modified+other
-# (untracked) paths under the directory; we filter out anything matching
-# `/__pycache__/` or ending in `.pyc`, then feed the rest to `git add -f`.
+# __pycache__" diff).
 #
-# We deliberately do NOT pass `--exclude-standard`: that flag would make
-# ls-files honor the consumer's .gitignore at discovery time. If a
-# consumer ignores e.g. `.daemux-version` or any other autoupdate-managed
-# path, ls-files would silently drop it and the bot commit would never
-# refresh that file -- defeating the autoupdate. The matching `-f` on
-# `git add` already overrides .gitignore at staging time, so the only
-# files we want to filter are the bytecode caches above, which our
-# explicit grep handles deterministically.
+# DESIGN DECISION: use `git add -A` (stages additions, modifications, AND
+# deletions) instead of the previous `git ls-files -mo` flow. `ls-files
+# -mo` enumerates modified + other (untracked) paths but NOT deletions:
+# when an autoupdate cycle removes a script (e.g. `prepare_signing.py`
+# gets renamed to `prepare_signing_v2.py` in a new release), the old
+# file would stay tracked in the consumer repo forever -- the bot
+# commit would add the new file but never remove the orphan. `git add
+# -A` handles all three change kinds in one call. We then unstage any
+# pycache paths that the broad `-A` swept in.
 #
-# Empty-input guard: BSD xargs (default on macos-15 runners) does NOT
-# support `-r`/`--no-run-if-empty`, so on a clean tree where the grep
-# filter strips everything, piping an empty stream into `xargs git add`
-# would invoke `git add -f --` with no positional arguments. That exits
-# 129 ("Nothing specified, nothing added"), which `set -euo pipefail`
-# treats as fatal even though it's the no-op case we want. Capture to a
-# variable first and skip the xargs call when empty -- portable across
-# both BSD and GNU xargs.
+# Force flag (`-f`) is implicit in `git add -A` for explicitly listed
+# pathspecs that match .gitignore patterns? No -- `-A` still honors
+# .gitignore for untracked files. To preserve the prior semantics
+# (consumer's .gitignore must not silently drop autoupdate-managed
+# files like `.daemux-version`), we pass `--force` explicitly.
 #
-# We deliberately do NOT pass `--directory`: with that flag, `git ls-files`
-# collapses any *new* untracked directory to a single entry (the directory
-# path itself), e.g. it would emit `.github/actions/swift-app/scripts/`
-# instead of enumerating its files. If such a collapsed parent contains
-# `__pycache__/` children, our grep would NOT match `__pycache__/` against
-# the parent path -- the directory entry would slip past the filter and
-# `git add -f <dir>` would recurse into it, dragging the bytecode caches
-# in with everything else. Without `--directory`, ls-files enumerates
-# every individual untracked file path so the grep filter sees each
-# `__pycache__/...` and `*.pyc` entry by name and strips it
-# deterministically.
-files="$(git ls-files -mo .github/actions/swift-app/ \
-  | grep -v -E '(/__pycache__/|\.pyc$)' || true)"
-if [[ -n "$files" ]]; then
-  printf '%s\n' "$files" \
+# BSD xargs (default on macos-15 runners) does NOT support
+# `-r`/`--no-run-if-empty`, so we capture pycache paths into a variable
+# and skip the xargs call when empty -- portable across BSD and GNU.
+git add -A --force -- .github/actions/swift-app/ 2>/dev/null || true
+
+# Unstage Python bytecode that the broad `-A` swept in. `git diff
+# --cached --name-only` lists every staged path; we filter to pycache
+# entries and `git reset HEAD --` to drop them from the index. Working
+# tree is left untouched (the .pyc files remain on disk; only their
+# index entries are removed).
+pycache="$(git diff --cached --name-only -- .github/actions/swift-app/ \
+  | grep -E '(/__pycache__/|\.pyc$)' || true)"
+if [[ -n "$pycache" ]]; then
+  printf '%s\n' "$pycache" \
     | tr '\n' '\0' \
-    | xargs -0 git add -f -- 2>/dev/null || true
+    | xargs -0 git reset HEAD -- 2>/dev/null || true
 fi
 echo "autoupdate: staged refreshed action files (deploy.yml not staged — see comment; __pycache__ excluded)"

package/templates/scripts/ci/ios-native/commit_bot_changes.sh

@@ -12,20 +12,42 @@ fi
 staged="$(git diff --cached --name-only)"
 has_cert=0
 has_auto=0
+has_bump=0
 # autoupdate_check.sh deliberately does NOT stage .github/workflows/deploy.yml
 # (GITHUB_TOKEN cannot push workflow-file changes), so we only need to detect
 # action/ paths to classify the commit as an autoupdate.
 if grep -qE '^creds/' <<<"$staged"; then has_cert=1; fi
 if grep -qE '^\.github/actions/swift-app/' <<<"$staged"; then has_auto=1; fi
+# marketing-version-auto-bump (mmv_floor_check) writes the bumped value
+# into the project's source-of-truth (resolved by version_utils):
+#   - xcodegen project.yml / project.yaml / Project.yml / Project.yaml
+#   - *.xcconfig referenced by the project
+#   - project.pbxproj (only when no xcodegen spec is present)
+#   - Info.plist's CFBundleShortVersionString
+# Any of those staged paths means a version bump rode along in this
+# commit; surface it in the subject so reviewers see the version
+# delta without diffing.
+if grep -qE '(\.pbxproj|Info\.plist|(^|/)[Pp]roject\.ya?ml|\.xcconfig)$' \
+    <<<"$staged"; then
+  has_bump=1
+fi
 
-if [[ $has_cert -eq 1 && $has_auto -eq 1 ]]; then
-  subject="ci: refresh signing identity + autoupdate swift-app-ci [skip ci]"
-elif [[ $has_cert -eq 1 ]]; then
-  subject="ci: refresh signing identity in creds/ [skip ci]"
-elif [[ $has_auto -eq 1 ]]; then
-  subject="ci: autoupdate swift-app-ci [skip ci]"
-else
+# Build a subject that lists every concern that actually fired. Avoids a
+# 2^N case explosion by composing components in a stable order.
+parts=()
+if [[ $has_cert -eq 1 ]]; then parts+=("refresh signing identity"); fi
+if [[ $has_auto -eq 1 ]]; then parts+=("autoupdate swift-app-ci"); fi
+if [[ $has_bump -eq 1 ]]; then parts+=("bump MARKETING_VERSION"); fi
+if [[ ${#parts[@]} -eq 0 ]]; then
   subject="ci: bot maintenance [skip ci]"
+else
+  joined=""
+  for ((i = 0; i < ${#parts[@]}; i++)); do
+    if [[ $i -eq 0 ]]; then joined="${parts[i]}"
+    else joined="$joined + ${parts[i]}"
+    fi
+  done
+  subject="ci: $joined [skip ci]"
 fi
 
 git config user.name  >/dev/null 2>&1 || git config user.name  "github-actions[bot]"