@daemux/store-automator 0.7.1 → 0.8.0

package/templates/scripts/ci/common/flutter-setup.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Runs Flutter pub get and verifies the SDK is available.
+# Usage: scripts/ci/common/flutter-setup.sh
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/read-config.sh"
+
+if ! command -v flutter &>/dev/null; then
+  echo "ERROR: Flutter SDK not found in PATH" >&2
+  exit 1
+fi
+
+echo "Flutter version:"
+flutter --version
+
+echo "Running flutter pub get in $APP_ROOT..."
+cd "$APP_ROOT"
+flutter pub get
+
+echo "Flutter setup complete"

package/templates/scripts/ci/common/install-fastlane.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Installs Fastlane and its dependencies for the given platform.
+# Usage: scripts/ci/common/install-fastlane.sh <ios|android>
+
+PLATFORM="${1:?Usage: install-fastlane.sh <ios|android>}"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/read-config.sh"
+
+PLATFORM_DIR="$APP_ROOT/$PLATFORM"
+
+if [ ! -d "$PLATFORM_DIR" ]; then
+  echo "ERROR: Platform directory not found: $PLATFORM_DIR" >&2
+  exit 1
+fi
+
+GEMFILE="$PLATFORM_DIR/Gemfile"
+if [ ! -f "$GEMFILE" ]; then
+  echo "ERROR: Gemfile not found at $GEMFILE" >&2
+  exit 1
+fi
+
+echo "Installing Fastlane for $PLATFORM..."
+cd "$PLATFORM_DIR"
+
+if ! command -v bundle &>/dev/null; then
+  echo "Installing bundler..."
+  gem install bundler --no-document --user-install
+fi
+
+export BUNDLE_PATH="${BUNDLE_PATH:-vendor/bundle}"
+bundle install --jobs 4 --retry 3
+
+echo "Verifying Fastlane installation..."
+bundle exec fastlane --version
+
+echo "Fastlane installed successfully for $PLATFORM"

package/templates/scripts/ci/common/link-fastlane.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Creates symlinks so that `cd app/ios && bundle exec fastlane` (or android)
+# can find the Fastfile. Fastlane config lives at project root under fastlane/ios/
+# and fastlane/android/. This script links them into the platform directories.
+#
+# Usage: scripts/ci/common/link-fastlane.sh <ios|android>
+
+PLATFORM="${1:?Usage: link-fastlane.sh <ios|android>}"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/read-config.sh"
+
+create_symlink() {
+  local target="$1"
+  local link="$2"
+
+  if [ -e "$link" ] && [ ! -L "$link" ]; then
+    echo "WARNING: $link exists and is not a symlink. Skipping." >&2
+    return 1
+  fi
+
+  ln -sfn "$target" "$link"
+  echo "Linked: $link -> $target"
+
+  if [ ! -e "$link" ]; then
+    echo "ERROR: Symlink target does not exist: $target" >&2
+    return 1
+  fi
+}
+
+echo "Linking Fastlane directories for $PLATFORM..."
+
+FASTLANE_ROOT="$PROJECT_ROOT/fastlane"
+PLATFORM_DIR="$APP_ROOT/$PLATFORM"
+
+if [ ! -d "$FASTLANE_ROOT/$PLATFORM" ]; then
+  echo "ERROR: Fastlane config not found at $FASTLANE_ROOT/$PLATFORM" >&2
+  exit 1
+fi
+
+if [ ! -d "$PLATFORM_DIR" ]; then
+  echo "ERROR: Platform directory not found at $PLATFORM_DIR" >&2
+  exit 1
+fi
+
+# Create symlink: app/ios/fastlane -> ../../fastlane/ios
+# Create symlink: app/android/fastlane -> ../../fastlane/android
+RELATIVE_TARGET="../../fastlane/$PLATFORM"
+LINK_PATH="$PLATFORM_DIR/fastlane"
+
+create_symlink "$RELATIVE_TARGET" "$LINK_PATH"
+
+echo "Fastlane linking complete for $PLATFORM"
+ls -la "$LINK_PATH"

package/templates/scripts/ci/common/read-config.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Reads values from ci.config.yaml using yq and exports them as environment variables.
+# Usage: source scripts/ci/common/read-config.sh
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+export PROJECT_ROOT
+
+CONFIG="$PROJECT_ROOT/ci.config.yaml"
+
+if [ ! -f "$CONFIG" ]; then
+  echo "ERROR: ci.config.yaml not found at $CONFIG" >&2
+  exit 1
+fi
+
+if ! command -v yq &>/dev/null; then
+  echo "ERROR: yq is not installed. Install with: brew install yq" >&2
+  exit 1
+fi
+
+# App root
+export FLUTTER_ROOT=$(yq '.flutter_root // "."' "$CONFIG")
+export APP_ROOT="$PROJECT_ROOT/$FLUTTER_ROOT"
+
+# App identity
+export BUNDLE_ID=$(yq '.app.bundle_id // ""' "$CONFIG")
+export PACKAGE_NAME=$(yq '.app.package_name // ""' "$CONFIG")
+export APP_NAME=$(yq '.app.name // ""' "$CONFIG")
+export SKU=$(yq '.app.sku // ""' "$CONFIG")
+export APPLE_ID=$(yq '.app.apple_id // ""' "$CONFIG")
+
+# Credentials - Apple
+export P8_KEY_PATH=$(yq '.credentials.apple.p8_key_path // ""' "$CONFIG")
+export APPLE_KEY_ID=$(yq '.credentials.apple.key_id // ""' "$CONFIG")
+export APPLE_ISSUER_ID=$(yq '.credentials.apple.issuer_id // ""' "$CONFIG")
+
+# Credentials - Google
+export GOOGLE_SA_JSON_PATH=$(yq '.credentials.google.service_account_json_path // ""' "$CONFIG")
+
+# Credentials - Android signing
+export KEYSTORE_PASSWORD=$(yq '.credentials.android.keystore_password // ""' "$CONFIG")
+
+# Credentials - Match (iOS code signing)
+export MATCH_GIT_URL=$(yq '.credentials.match.git_url // ""' "$CONFIG")
+export MATCH_DEPLOY_KEY_PATH=$(yq '.credentials.match.deploy_key_path // ""' "$CONFIG")
+
+# iOS App Store settings
+export PRIMARY_CATEGORY=$(yq '.ios.primary_category // ""' "$CONFIG")
+export SECONDARY_CATEGORY=$(yq '.ios.secondary_category // ""' "$CONFIG")
+export PRICE_TIER=$(yq '.ios.price_tier // ""' "$CONFIG")
+export SUBMIT_FOR_REVIEW=$(yq '.ios.submit_for_review // "false"' "$CONFIG")
+export AUTOMATIC_RELEASE=$(yq '.ios.automatic_release // "false"' "$CONFIG")
+
+# Android Play Store settings
+export TRACK=$(yq '.android.track // "internal"' "$CONFIG")
+export ROLLOUT_FRACTION=$(yq '.android.rollout_fraction // ""' "$CONFIG")
+export IN_APP_UPDATE_PRIORITY=$(yq '.android.in_app_update_priority // "0"' "$CONFIG")
+
+# Codemagic CI/CD
+export CODEMAGIC_APP_ID=$(yq '.codemagic.app_id // ""' "$CONFIG")
+export CODEMAGIC_TEAM_ID=$(yq '.codemagic.team_id // ""' "$CONFIG")
+
+# Web
+export WEB_DOMAIN=$(yq '.web.domain // ""' "$CONFIG")
+
+echo "Config loaded from $CONFIG"
+echo "  APP_ROOT=$APP_ROOT"
+echo "  BUNDLE_ID=$BUNDLE_ID"
+echo "  PACKAGE_NAME=$PACKAGE_NAME"

package/templates/scripts/ci/ios/build.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Validate prerequisites ---
+if [ -z "${EXPORT_OPTIONS_PLIST:-}" ]; then
+  echo "ERROR: EXPORT_OPTIONS_PLIST not set. Run setup-signing.sh first (TASK_3)." >&2
+  exit 1
+fi
+
+if [ ! -f "$EXPORT_OPTIONS_PLIST" ]; then
+  echo "ERROR: Export options plist not found at $EXPORT_OPTIONS_PLIST" >&2
+  exit 1
+fi
+
+if ! command -v flutter &>/dev/null; then
+  echo "ERROR: Flutter SDK not found in PATH" >&2
+  exit 1
+fi
+
+# --- Build IPA ---
+echo "Building IPA..."
+echo "  APP_ROOT: $APP_ROOT"
+echo "  EXPORT_OPTIONS_PLIST: $EXPORT_OPTIONS_PLIST"
+
+cd "$APP_ROOT"
+flutter build ipa \
+  --release \
+  --export-options-plist="$EXPORT_OPTIONS_PLIST"
+
+# --- Verify IPA exists ---
+IPA_DIR="$APP_ROOT/build/ios/ipa"
+IPA_FILE=$(find "$IPA_DIR" -name "*.ipa" -type f 2>/dev/null | head -1)
+if [ -z "$IPA_FILE" ]; then
+  echo "ERROR: No .ipa file found in $IPA_DIR" >&2
+  exit 1
+fi
+
+echo "IPA built successfully: $IPA_FILE"
+echo "IPA size: $(du -h "$IPA_FILE" | cut -f1)"
+
+# --- Export ---
+export IPA_PATH="$IPA_FILE"
+
+if [ -n "${GITHUB_ENV:-}" ]; then
+  echo "IPA_PATH=$IPA_FILE" >> "$GITHUB_ENV"
+  echo "Exported IPA_PATH to GITHUB_ENV"
+fi
+
+echo "iOS build complete: $IPA_PATH"

package/templates/scripts/ci/ios/manage-version.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Validate required config ---
+if [ -z "$APPLE_KEY_ID" ] || [ -z "$APPLE_ISSUER_ID" ] || [ -z "$P8_KEY_PATH" ]; then
+  echo "ERROR: Missing Apple credentials in ci.config.yaml (APPLE_KEY_ID, APPLE_ISSUER_ID, or P8_KEY_PATH)" >&2
+  exit 1
+fi
+
+P8_FULL_PATH="$PROJECT_ROOT/$P8_KEY_PATH"
+if [ ! -f "$P8_FULL_PATH" ]; then
+  echo "ERROR: P8 key file not found at $P8_FULL_PATH" >&2
+  exit 1
+fi
+
+# --- Set ASC API env vars for manage_version_ios.py ---
+export APP_STORE_CONNECT_KEY_IDENTIFIER="$APPLE_KEY_ID"
+export APP_STORE_CONNECT_ISSUER_ID="$APPLE_ISSUER_ID"
+export APP_STORE_CONNECT_PRIVATE_KEY
+APP_STORE_CONNECT_PRIVATE_KEY=$(cat "$P8_FULL_PATH")
+
+# --- Export BUNDLE_ID for manage_version_ios.py ---
+export BUNDLE_ID
+
+# --- Run the existing Python script ---
+echo "Running manage_version_ios.py..."
+VERSION_JSON=$(python3 "$PROJECT_ROOT/scripts/manage_version_ios.py")
+
+if [ -z "$VERSION_JSON" ]; then
+  echo "ERROR: manage_version_ios.py returned empty output" >&2
+  exit 1
+fi
+
+echo "Version info: $VERSION_JSON"
+
+# --- Parse JSON output ---
+# Expected format: {"version": "X.Y.Z", "version_id": "...", "state": "..."}
+read -r APP_VERSION APP_VERSION_ID APP_STATUS < <(
+  echo "$VERSION_JSON" | python3 -c "
+import sys, json
+d = json.load(sys.stdin)
+print(d['version'], d.get('version_id',''), d.get('state',''))
+"
+)
+
+echo "Parsed version: $APP_VERSION (id: $APP_VERSION_ID, status: $APP_STATUS)"
+
+# --- Export to environment ---
+export APP_VERSION
+export APP_VERSION_ID
+export APP_STATUS
+
+# Write to $GITHUB_ENV for inter-step communication in CI
+if [ -n "${GITHUB_ENV:-}" ]; then
+  echo "APP_VERSION=$APP_VERSION" >> "$GITHUB_ENV"
+  echo "APP_VERSION_ID=$APP_VERSION_ID" >> "$GITHUB_ENV"
+  echo "APP_STATUS=$APP_STATUS" >> "$GITHUB_ENV"
+  echo "Exported to GITHUB_ENV"
+fi
+
+echo "iOS version management complete: $APP_VERSION"

package/templates/scripts/ci/ios/set-build-number.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Validate prerequisites ---
+if [ -z "${APP_VERSION:-}" ]; then
+  echo "ERROR: APP_VERSION not set. Run manage-version.sh first." >&2
+  exit 1
+fi
+
+if [ -z "$BUNDLE_ID" ]; then
+  echo "ERROR: BUNDLE_ID not set in ci.config.yaml" >&2
+  exit 1
+fi
+
+# --- Ensure ASC API env vars are set ---
+if [ -z "${APP_STORE_CONNECT_KEY_IDENTIFIER:-}" ]; then
+  P8_FULL_PATH="$PROJECT_ROOT/$P8_KEY_PATH"
+  export APP_STORE_CONNECT_KEY_IDENTIFIER="$APPLE_KEY_ID"
+  export APP_STORE_CONNECT_ISSUER_ID="$APPLE_ISSUER_ID"
+  export APP_STORE_CONNECT_PRIVATE_KEY
+  APP_STORE_CONNECT_PRIVATE_KEY=$(cat "$P8_FULL_PATH")
+fi
+
+# --- Ensure PyJWT is installed ---
+pip3 install PyJWT >/dev/null 2>&1 || true
+
+# --- Fetch latest build number from ASC ---
+echo "Fetching latest build number from App Store Connect..."
+
+LATEST_BUILD=$(python3 -c "
+import os, json, time, jwt, urllib.request
+
+key_id = os.environ['APP_STORE_CONNECT_KEY_IDENTIFIER']
+issuer_id = os.environ['APP_STORE_CONNECT_ISSUER_ID']
+private_key = os.environ['APP_STORE_CONNECT_PRIVATE_KEY']
+bundle_id = os.environ.get('BUNDLE_ID', '')
+
+# Generate JWT token
+now = int(time.time())
+payload = {'iss': issuer_id, 'iat': now, 'exp': now + 1200, 'aud': 'appstoreconnect-v1'}
+token = jwt.encode(payload, private_key, algorithm='ES256', headers={'kid': key_id})
+headers = {'Authorization': f'Bearer {token}'}
+
+try:
+    # Resolve app ID from bundle ID
+    req = urllib.request.Request(
+        f'https://api.appstoreconnect.apple.com/v1/apps?filter[bundleId]={bundle_id}',
+        headers=headers)
+    with urllib.request.urlopen(req) as resp:
+        app_id = json.loads(resp.read())['data'][0]['id']
+
+    # Fetch latest build
+    req = urllib.request.Request(
+        f'https://api.appstoreconnect.apple.com/v1/builds?filter[app]={app_id}&sort=-version&limit=1',
+        headers=headers)
+    with urllib.request.urlopen(req) as resp:
+        builds = json.loads(resp.read())['data']
+
+    print(builds[0]['attributes']['version'] if builds else '0')
+except Exception:
+    print('0')
+" 2>/dev/null || echo "0")
+
+echo "Latest build number from ASC: $LATEST_BUILD"
+
+# --- Increment build number ---
+BUILD_NUMBER=$((LATEST_BUILD + 1))
+echo "New build number: $BUILD_NUMBER"
+
+# --- Write to pubspec.yaml ---
+PUBSPEC="$APP_ROOT/pubspec.yaml"
+if [ ! -f "$PUBSPEC" ]; then
+  echo "ERROR: pubspec.yaml not found at $PUBSPEC" >&2
+  exit 1
+fi
+
+echo "Updating pubspec.yaml: version: ${APP_VERSION}+${BUILD_NUMBER}"
+sed -i '' "s/^version: .*/version: ${APP_VERSION}+${BUILD_NUMBER}/" "$PUBSPEC"
+
+# Verify the write
+WRITTEN_VERSION=$(grep '^version:' "$PUBSPEC" | head -1)
+echo "Written to pubspec.yaml: $WRITTEN_VERSION"
+
+# --- Export ---
+export BUILD_NUMBER
+
+if [ -n "${GITHUB_ENV:-}" ]; then
+  echo "BUILD_NUMBER=$BUILD_NUMBER" >> "$GITHUB_ENV"
+  echo "Exported BUILD_NUMBER to GITHUB_ENV"
+fi
+
+echo "Build number set: $BUILD_NUMBER"

package/templates/scripts/ci/ios/setup-signing.sh

@@ -0,0 +1,242 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+COMMON_DIR="$SCRIPT_DIR/../common"
+source "$COMMON_DIR/read-config.sh"
+
+echo "=== iOS Signing Setup (Fastlane Match) ==="
+
+# --- Step 1: Validate config (read-config.sh already exported vars) ---
+validate_config() {
+  local match_key="$PROJECT_ROOT/$MATCH_DEPLOY_KEY_PATH"
+  if [ ! -f "$match_key" ]; then
+    echo "ERROR: Match deploy key not found at $match_key" >&2
+    exit 1
+  fi
+
+  if [ -z "$MATCH_GIT_URL" ]; then
+    echo "ERROR: MATCH_GIT_URL not configured in ci.config.yaml" >&2
+    exit 1
+  fi
+
+  if [ -z "${MATCH_PASSWORD:-}" ]; then
+    echo "ERROR: MATCH_PASSWORD env var is required (encryption password for Match repo)" >&2
+    exit 1
+  fi
+
+  local p8_key="$PROJECT_ROOT/$P8_KEY_PATH"
+  if [ ! -f "$p8_key" ]; then
+    echo "ERROR: P8 key file not found at $p8_key" >&2
+    exit 1
+  fi
+}
+
+# --- Step 2: Set up SSH agent with deploy key ---
+setup_ssh_agent() {
+  echo "Setting up SSH agent..."
+  local match_key="$PROJECT_ROOT/$MATCH_DEPLOY_KEY_PATH"
+
+  eval "$(ssh-agent -s)"
+  chmod 600 "$match_key"
+  ssh-add "$match_key"
+
+  mkdir -p ~/.ssh
+  ssh-keyscan github.com >> ~/.ssh/known_hosts 2>/dev/null
+
+  echo "SSH agent configured with deploy key"
+}
+
+# --- Step 3: Set up App Store Connect API key ---
+setup_api_key() {
+  local p8_full_path="$PROJECT_ROOT/$P8_KEY_PATH"
+
+  # Env vars for Match and Fastlane built-in api_key resolution
+  export APP_STORE_CONNECT_API_KEY_KEY_ID="$APPLE_KEY_ID"
+  export APP_STORE_CONNECT_API_KEY_ISSUER_ID="$APPLE_ISSUER_ID"
+  export APP_STORE_CONNECT_API_KEY_KEY="$(cat "$p8_full_path")"
+  export APP_STORE_CONNECT_API_KEY_IS_KEY_CONTENT_BASE64="false"
+
+  # Aliases for existing Fastfile helpers
+  export APP_STORE_CONNECT_KEY_IDENTIFIER="$APPLE_KEY_ID"
+  cp "$p8_full_path" /tmp/AuthKey.p8
+  chmod 600 /tmp/AuthKey.p8
+  export FASTLANE_API_KEY_PATH="/tmp/AuthKey.p8"
+
+  echo "App Store Connect API key configured (Key ID: $APPLE_KEY_ID)"
+}
+
+# --- Step 4: Create temporary keychain ---
+KEYCHAIN_NAME="fastlane_tmp"
+KEYCHAIN_DB="$KEYCHAIN_NAME.keychain-db"
+KEYCHAIN_PASSWORD=""
+
+setup_keychain() {
+  KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+
+  echo "Creating temporary keychain: $KEYCHAIN_DB"
+
+  # Remove existing keychain if present (idempotent)
+  security delete-keychain "$KEYCHAIN_DB" 2>/dev/null || true
+
+  security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_DB"
+  security set-keychain-settings -lut 21600 "$KEYCHAIN_DB"
+  security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_DB"
+
+  # Add to search list while preserving existing keychains
+  local existing_keychains
+  existing_keychains=$(security list-keychains -d user | tr -d '"' | tr '\n' ' ')
+  security list-keychains -d user -s "$KEYCHAIN_DB" $existing_keychains
+  security default-keychain -s "$KEYCHAIN_DB"
+
+  echo "Keychain created and unlocked"
+}
+
+# --- Step 5: Install Fastlane if needed ---
+install_fastlane() {
+  "$COMMON_DIR/install-fastlane.sh" ios
+}
+
+# --- Step 6: Run Fastlane Match ---
+run_match() {
+  echo "Running Fastlane Match..."
+  cd "$APP_ROOT/ios"
+
+  MATCH_READONLY="${MATCH_READONLY:-false}"
+
+  bundle exec fastlane match appstore \
+    --git_url "$MATCH_GIT_URL" \
+    --app_identifier "$BUNDLE_ID" \
+    --keychain_name "$KEYCHAIN_DB" \
+    --keychain_password "$KEYCHAIN_PASSWORD" \
+    --readonly "$MATCH_READONLY"
+
+  echo "Match completed successfully"
+}
+
+# --- Step 7: Find provisioning profile UUID ---
+PROFILE_UUID=""
+TEAM_ID=""
+
+find_profile_uuid() {
+  local profiles_dir="$HOME/Library/MobileDevice/Provisioning Profiles"
+
+  if [ ! -d "$profiles_dir" ]; then
+    echo "ERROR: Provisioning Profiles directory not found" >&2
+    exit 1
+  fi
+
+  for profile in "$profiles_dir"/*.mobileprovision; do
+    [ -f "$profile" ] || continue
+    local plist
+    plist=$(security cms -D -i "$profile" 2>/dev/null) || continue
+    local profile_app_id
+    profile_app_id=$(/usr/libexec/PlistBuddy -c "Print :Entitlements:application-identifier" \
+      /dev/stdin <<< "$plist" 2>/dev/null || echo "")
+    if [[ "$profile_app_id" == *"$BUNDLE_ID" ]]; then
+      PROFILE_UUID=$(/usr/libexec/PlistBuddy -c "Print :UUID" \
+        /dev/stdin <<< "$plist" 2>/dev/null || echo "")
+      if [ -n "$PROFILE_UUID" ]; then
+        echo "Found provisioning profile: $PROFILE_UUID"
+        break
+      fi
+    fi
+  done
+
+  if [ -z "$PROFILE_UUID" ]; then
+    echo "ERROR: Could not find provisioning profile for $BUNDLE_ID" >&2
+    echo "Installed profiles:" >&2
+    ls -la "$profiles_dir/" 2>/dev/null || echo "(directory not found)" >&2
+    exit 1
+  fi
+}
+
+find_team_id() {
+  # Try extracting from signing identity
+  TEAM_ID=$(security find-identity -v -p codesigning "$KEYCHAIN_DB" \
+    | grep "Apple Distribution" \
+    | head -1 \
+    | sed 's/.*(\([A-Z0-9]*\))"/\1/' || echo "")
+
+  if [ -n "$TEAM_ID" ]; then
+    return
+  fi
+
+  # Fallback: extract from provisioning profile
+  local profiles_dir="$HOME/Library/MobileDevice/Provisioning Profiles"
+  TEAM_ID=$(/usr/libexec/PlistBuddy -c "Print :TeamIdentifier:0" \
+    /dev/stdin <<< "$(security cms -D -i "$profiles_dir/$PROFILE_UUID.mobileprovision" 2>/dev/null)" \
+    2>/dev/null || echo "")
+}
+
+# --- Step 8: Generate ExportOptions.plist ---
+generate_export_options() {
+  echo "Generating ExportOptions.plist..."
+  local export_options="$PROJECT_ROOT/ios_export_options.plist"
+  local profile_name="match AppStore $BUNDLE_ID"
+
+  cat > "$export_options" <<PLIST
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>method</key>
+    <string>app-store</string>
+    <key>signingStyle</key>
+    <string>manual</string>
+    <key>teamID</key>
+    <string>${TEAM_ID}</string>
+    <key>provisioningProfiles</key>
+    <dict>
+        <key>${BUNDLE_ID}</key>
+        <string>${profile_name}</string>
+    </dict>
+    <key>uploadBitcode</key>
+    <false/>
+    <key>uploadSymbols</key>
+    <true/>
+</dict>
+</plist>
+PLIST
+
+  echo "ExportOptions.plist written to $export_options"
+}
+
+# --- Step 9: Export outputs ---
+export_outputs() {
+  local export_options="$PROJECT_ROOT/ios_export_options.plist"
+  local -a outputs=(
+    "EXPORT_OPTIONS_PLIST=$export_options"
+    "KEYCHAIN_NAME=$KEYCHAIN_DB"
+    "PROFILE_UUID=$PROFILE_UUID"
+    "TEAM_ID=$TEAM_ID"
+  )
+
+  if [ -n "${GITHUB_ENV:-}" ]; then
+    printf '%s\n' "${outputs[@]}" >> "$GITHUB_ENV"
+    echo "Outputs written to GITHUB_ENV"
+  else
+    echo ""
+    echo "=== Local Mode Outputs ==="
+    printf '%s\n' "${outputs[@]}"
+  fi
+
+  echo ""
+  echo "=== Signing Verification ==="
+  echo "Installed identities:"
+  security find-identity -v -p codesigning "$KEYCHAIN_DB"
+  echo ""
+  echo "iOS signing setup complete"
+}
+
+# --- Main ---
+validate_config
+setup_ssh_agent
+setup_api_key
+setup_keychain
+install_fastlane
+run_match
+find_profile_uuid
+find_team_id
+generate_export_options
+export_outputs