@daemux/store-automator 0.7.1 → 0.9.0

package/templates/github/workflows/codemagic-trigger.yml

@@ -4,6 +4,11 @@ on:
   push:
     branches: [main]
 
+# Cancel in-progress runs when a newer build is triggered
+concurrency:
+  group: codemagic-trigger-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   trigger:
     runs-on: ubuntu-latest
@@ -52,11 +57,12 @@ jobs:
           APP_ID: ${{ steps.config.outputs.app_id }}
           BRANCH: ${{ github.ref_name }}
         run: |
-          echo "${{ steps.config.outputs.workflows }}" | while IFS= read -r workflow; do
+          FAILED=0
+          while IFS= read -r workflow; do
             [ -z "$workflow" ] && continue
             if ! echo "$workflow" | grep -Eq '^[a-zA-Z0-9_-]+$'; then
-              echo "ERROR: Invalid workflow name: $workflow"
-              continue
+              echo "ERROR: Invalid workflow name: $workflow" >&2
+              exit 1
             fi
             echo "Triggering: $workflow"
             curl --max-time 30 --retry 2 -sf -X POST https://api.codemagic.io/builds \
@@ -64,5 +70,9 @@ jobs:
               -H "x-auth-token: $CM_TOKEN" \
               -d "{\"appId\": \"$APP_ID\", \"workflowId\": \"$workflow\", \"branch\": \"$BRANCH\"}" \
               && echo " -> success" \
-              || echo " -> failed"
-          done
+              || { echo " -> FAILED"; FAILED=1; }
+          done <<< "${{ steps.config.outputs.workflows }}"
+          if [ "$FAILED" -ne 0 ]; then
+            echo "ERROR: One or more Codemagic workflow triggers failed" >&2
+            exit 1
+          fi

package/templates/github/workflows/ios-release.yml

@@ -0,0 +1,119 @@
+name: iOS Release
+# POST-MIGRATION CLEANUP (after GitHub Actions workflows are verified in production):
+#   - Remove .github/workflows/codemagic-trigger.yml
+#   - Remove any Codemagic-specific configuration files
+#   - Update README/docs to reference GitHub Actions instead of Codemagic
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+# Cancel in-progress runs when a newer build is triggered
+concurrency:
+  group: ios-release-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  metadata:
+    name: Upload iOS Metadata
+    runs-on: macos-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.3'
+
+      - name: Cache .ci-state
+        uses: actions/cache@v4
+        with:
+          path: .ci-state
+          key: ci-state-ios-metadata-${{ hashFiles('fastlane/metadata/**', 'fastlane/screenshots/ios/**') }}
+          restore-keys: ci-state-ios-metadata-
+
+      - name: Install yq
+        run: brew install yq
+
+      - name: Link Fastlane
+        run: scripts/ci/common/link-fastlane.sh ios
+
+      - name: Install Fastlane
+        run: scripts/ci/common/install-fastlane.sh ios
+
+      - name: Upload Metadata & Screenshots
+        run: scripts/ci/ios/upload-metadata.sh
+
+      - name: Sync IAP
+        run: scripts/ci/ios/sync-iap.sh
+
+      - name: Save .ci-state
+        if: success()
+        uses: actions/cache/save@v4
+        with:
+          path: .ci-state
+          key: ci-state-ios-metadata-${{ hashFiles('fastlane/metadata/**', 'fastlane/screenshots/ios/**') }}
+
+  build:
+    name: Build & Upload iOS
+    needs: [metadata]
+    runs-on: macos-latest
+    timeout-minutes: 60
+    env:
+      MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.3'
+
+      - name: Setup Flutter
+        uses: subosito/flutter-action@v2
+        with:
+          channel: stable
+
+      - name: Install yq
+        run: brew install yq
+
+      - name: Link Fastlane
+        run: scripts/ci/common/link-fastlane.sh ios
+
+      - name: Install Fastlane
+        run: scripts/ci/common/install-fastlane.sh ios
+
+      - name: Setup Signing (Match)
+        run: scripts/ci/ios/setup-signing.sh
+
+      - name: Install Python dependencies
+        run: pip3 install --break-system-packages PyJWT
+
+      - name: Manage Version
+        run: scripts/ci/ios/manage-version.sh
+
+      - name: Set Build Number
+        run: scripts/ci/ios/set-build-number.sh
+
+      - name: Flutter Packages
+        run: scripts/ci/common/flutter-setup.sh
+
+      - name: Build IPA
+        run: scripts/ci/ios/build.sh
+
+      - name: Upload Artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ios-ipa
+          path: app/build/ios/ipa/*.ipa
+
+      - name: Upload to App Store
+        run: scripts/ci/ios/upload-binary.sh

package/templates/scripts/check_google_play.py

@@ -25,7 +25,7 @@ except ImportError:
     print("Installing dependencies...", file=sys.stderr)
     import subprocess
     subprocess.check_call(
-        [sys.executable, "-m", "pip", "install", "PyJWT", "cryptography", "requests"],
+        [sys.executable, "-m", "pip", "install", "--break-system-packages", "PyJWT", "cryptography", "requests"],
         stdout=subprocess.DEVNULL,
     )
     import jwt

package/templates/scripts/ci/android/build.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Validate prerequisites ---
+if [ -z "${CM_KEYSTORE_PATH:-}" ]; then
+  echo "ERROR: CM_KEYSTORE_PATH not set. Run setup-keystore.sh first." >&2
+  exit 1
+fi
+if [ ! -f "$CM_KEYSTORE_PATH" ]; then
+  echo "ERROR: Keystore not found at $CM_KEYSTORE_PATH" >&2
+  exit 1
+fi
+if ! command -v flutter &>/dev/null; then
+  echo "ERROR: Flutter SDK not found in PATH" >&2
+  exit 1
+fi
+
+echo "Building Android AAB..."
+echo "  APP_ROOT: $APP_ROOT"
+echo "  CM_KEYSTORE_PATH: $CM_KEYSTORE_PATH"
+echo "  CM_KEY_ALIAS: ${CM_KEY_ALIAS:-not set}"
+
+# --- Build AAB ---
+cd "$APP_ROOT"
+flutter build appbundle --release
+
+# --- Locate AAB ---
+AAB_DIR="$APP_ROOT/build/app/outputs/bundle/release"
+AAB_FILE=$(find "$AAB_DIR" -name "*.aab" -type f 2>/dev/null | head -1)
+
+if [ -z "${AAB_FILE:-}" ]; then
+  echo "ERROR: No .aab file found in $AAB_DIR" >&2
+  ls -la "$AAB_DIR" >&2 2>/dev/null || true
+  exit 1
+fi
+
+echo "AAB built: $AAB_FILE ($(du -h "$AAB_FILE" | cut -f1))"
+
+# --- Export ---
+export AAB_PATH="$AAB_FILE"
+
+if [ -n "${GITHUB_ENV:-}" ]; then
+  echo "AAB_PATH=$AAB_FILE" >> "$GITHUB_ENV"
+  echo "Exported AAB_PATH to GITHUB_ENV"
+fi
+
+echo "Android build complete: $AAB_PATH"

package/templates/scripts/ci/android/check-readiness.sh

@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Helpers ---
+
+# Export GOOGLE_PLAY_READY and persist to $GITHUB_ENV when in CI.
+set_play_ready() {
+  local value="$1"
+  export GOOGLE_PLAY_READY="$value"
+  if [ -n "${GITHUB_ENV:-}" ]; then
+    echo "GOOGLE_PLAY_READY=$value" >> "$GITHUB_ENV"
+  fi
+}
+
+# Log an error, mark not-ready, and hard-fail.
+fail_not_ready() {
+  echo "ERROR: $1" >&2
+  set_play_ready "false"
+  exit 1
+}
+
+# --- Validate required config ---
+if [ -z "${GOOGLE_SA_JSON_PATH:-}" ]; then
+  fail_not_ready "GOOGLE_SA_JSON_PATH not set in ci.config.yaml"
+fi
+
+SA_FULL_PATH="$PROJECT_ROOT/$GOOGLE_SA_JSON_PATH"
+if [ ! -f "$SA_FULL_PATH" ]; then
+  fail_not_ready "Service account JSON not found at $SA_FULL_PATH"
+fi
+
+if [ -z "${PACKAGE_NAME:-}" ]; then
+  fail_not_ready "PACKAGE_NAME not set in ci.config.yaml"
+fi
+
+# --- Set env vars for the Python script ---
+export SA_JSON="$SA_FULL_PATH"
+export PACKAGE_NAME
+
+# --- Run the existing Python script ---
+echo "Checking Google Play readiness for $PACKAGE_NAME..."
+READINESS_JSON=$(python3 "$PROJECT_ROOT/scripts/check_google_play.py")
+
+if [ -z "$READINESS_JSON" ]; then
+  fail_not_ready "check_google_play.py returned empty output"
+fi
+
+echo "Readiness info: $READINESS_JSON"
+
+# --- Parse JSON output (single invocation for both fields) ---
+# Expected format: {"ready": true/false, "missing_steps": [...]}
+PARSED=$(echo "$READINESS_JSON" | python3 -c "
+import sys, json
+data = json.load(sys.stdin)
+ready = str(data.get('ready', False)).lower()
+steps = data.get('missing_steps', [])
+print(ready)
+for s in steps:
+    print(f'  - {s}')
+")
+
+# First line is the ready status; remaining lines are missing steps.
+READY=$(echo "$PARSED" | head -n 1)
+MISSING_STEPS=$(echo "$PARSED" | tail -n +2)
+
+# --- Export result ---
+set_play_ready "$READY"
+
+# --- Print guidance if not ready ---
+if [ "$READY" != "true" ]; then
+  echo ""
+  echo "============================================="
+  echo "  Google Play is NOT ready for automation"
+  echo "============================================="
+  echo ""
+  echo "Missing steps:"
+  echo "$MISSING_STEPS"
+  echo ""
+  echo "To fix:"
+  echo "  1. Go to Google Play Console: https://play.google.com/console"
+  echo "  2. Ensure the app ($PACKAGE_NAME) has been manually created"
+  echo "  3. Complete the store listing, content rating, and pricing"
+  echo "  4. Upload at least one AAB manually for the first release"
+  echo "  5. Grant the service account access to the app"
+  echo ""
+  echo "Google Play is NOT ready. CI cannot proceed."
+  exit 1
+else
+  echo "Google Play is ready for automated publishing"
+fi

package/templates/scripts/ci/android/manage-version.sh

@@ -0,0 +1,134 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+PUBSPEC="$APP_ROOT/pubspec.yaml"
+
+# --- Step 1: Get iOS version (for cross-platform consistency) ---
+
+echo "Getting iOS version for cross-platform consistency..."
+
+P8_FULL_PATH="$PROJECT_ROOT/$P8_KEY_PATH"
+if [ ! -f "$P8_FULL_PATH" ]; then
+  echo "ERROR: P8 key file not found at $P8_FULL_PATH" >&2
+  exit 1
+fi
+
+export APP_STORE_CONNECT_KEY_IDENTIFIER="$APPLE_KEY_ID"
+export APP_STORE_CONNECT_ISSUER_ID="$APPLE_ISSUER_ID"
+export APP_STORE_CONNECT_PRIVATE_KEY
+APP_STORE_CONNECT_PRIVATE_KEY=$(cat "$P8_FULL_PATH")
+
+VERSION_JSON=$(python3 "$PROJECT_ROOT/scripts/manage_version_ios.py")
+if [ -z "$VERSION_JSON" ]; then
+  echo "ERROR: manage_version_ios.py returned empty output" >&2
+  exit 1
+fi
+
+APP_VERSION=$(echo "$VERSION_JSON" \
+  | python3 -c "import sys,json; print(json.load(sys.stdin)['version'])")
+echo "iOS version: $APP_VERSION"
+
+# --- Step 2: Get latest Android version code ---
+
+echo "Getting latest Android version code..."
+
+LATEST_CODE="0"
+
+if [ "${GOOGLE_PLAY_READY:-false}" != "true" ]; then
+  echo "Google Play not ready. Reading version code from pubspec.yaml or default."
+  if [ -f "$PUBSPEC" ]; then
+    CURRENT_VERSION=$(grep '^version:' "$PUBSPEC" | head -1 | sed 's/version: //')
+    if [[ "$CURRENT_VERSION" == *"+"* ]]; then
+      LATEST_CODE="${CURRENT_VERSION#*+}"
+      echo "Current version code from pubspec.yaml: $LATEST_CODE"
+    fi
+  fi
+elif [ ! -f "$PROJECT_ROOT/$GOOGLE_SA_JSON_PATH" ]; then
+  echo "ERROR: Service account JSON not found at $PROJECT_ROOT/$GOOGLE_SA_JSON_PATH" >&2
+  exit 1
+else
+  SA_FULL_PATH="$PROJECT_ROOT/$GOOGLE_SA_JSON_PATH"
+  cd "$APP_ROOT/android"
+
+  if ! bundle exec fastlane --version >/dev/null 2>&1; then
+    "$SCRIPT_DIR/../common/install-fastlane.sh" android
+  fi
+
+  export PACKAGE_NAME
+  export GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH="$SA_FULL_PATH"
+  export TRACK="${TRACK:-internal}"
+
+  # Primary: Fastlane action
+  LATEST_CODE=$(bundle exec fastlane run google_play_track_version_codes \
+    package_name:"$PACKAGE_NAME" \
+    json_key:"$SA_FULL_PATH" \
+    track:"$TRACK" 2>&1 \
+    | grep -oE '[0-9]+' | sort -n | tail -1)
+
+  # Fallback: direct Ruby Supply::Client API
+  if [ -z "$LATEST_CODE" ] || [ "$LATEST_CODE" = "0" ]; then
+    LATEST_CODE=$(bundle exec ruby -e "
+require 'supply'
+require 'supply/client'
+
+Supply.config = FastlaneCore::Configuration.create(
+  Supply::Options.available_options,
+  {
+    package_name: ENV['PACKAGE_NAME'],
+    json_key: ENV['GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH'],
+    track: ENV.fetch('TRACK', 'internal')
+  }
+)
+
+client = Supply::Client.make_from_config
+all_codes = []
+['internal', 'alpha', 'beta', 'production'].each do |track|
+  begin
+    track_codes = client.track_version_codes(track)
+    all_codes.concat(track_codes) if track_codes
+  rescue => e
+    # Track may not exist yet
+  end
+end
+puts all_codes.max || 0
+")
+  fi
+
+  if [ -z "$LATEST_CODE" ]; then
+    echo "ERROR: Failed to fetch version codes from Google Play" >&2
+    exit 1
+  fi
+
+  echo "Latest version code from Google Play: $LATEST_CODE"
+fi
+
+# --- Step 3: Increment and write ---
+
+BUILD_NUMBER=$((LATEST_CODE + 1))
+ANDROID_VERSION_CODE="$BUILD_NUMBER"
+
+echo "New Android version code: $BUILD_NUMBER"
+
+if [ ! -f "$PUBSPEC" ]; then
+  echo "ERROR: pubspec.yaml not found at $PUBSPEC" >&2
+  exit 1
+fi
+
+sed -i '' "s/^version: .*/version: ${APP_VERSION}+${BUILD_NUMBER}/" "$PUBSPEC"
+echo "Updated pubspec.yaml: $(grep '^version:' "$PUBSPEC" | head -1)"
+
+# --- Step 4: Export ---
+
+export APP_VERSION BUILD_NUMBER ANDROID_VERSION_CODE
+
+if [ -n "${GITHUB_ENV:-}" ]; then
+  echo "APP_VERSION=$APP_VERSION" >> "$GITHUB_ENV"
+  echo "BUILD_NUMBER=$BUILD_NUMBER" >> "$GITHUB_ENV"
+  echo "ANDROID_VERSION_CODE=$ANDROID_VERSION_CODE" >> "$GITHUB_ENV"
+  echo "Exported version vars to GITHUB_ENV"
+fi
+
+echo "Android version management complete: ${APP_VERSION}+${BUILD_NUMBER}"

package/templates/scripts/ci/android/setup-keystore.sh

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Helper: write key=value to $GITHUB_ENV when running in CI ---
+persist_to_github_env() {
+  if [ -n "${GITHUB_ENV:-}" ]; then
+    for pair in "$@"; do
+      echo "$pair" >> "$GITHUB_ENV"
+    done
+  fi
+}
+
+# --- Require keystore password (needed for generation AND validation) ---
+if [ -z "${KEYSTORE_PASSWORD:-}" ]; then
+  echo "ERROR: KEYSTORE_PASSWORD not set in ci.config.yaml (credentials.keystore_password)" >&2
+  exit 1
+fi
+
+ANDROID_DIR="$APP_ROOT/android"
+KEYSTORE_TARGET="$ANDROID_DIR/upload.keystore"
+CREDS_KEYSTORE="$PROJECT_ROOT/creds/android_upload.keystore"
+
+# --- Locate or create keystore ---
+if [ -f "$KEYSTORE_TARGET" ]; then
+  echo "Keystore found at $KEYSTORE_TARGET"
+elif [ -f "$CREDS_KEYSTORE" ]; then
+  echo "Keystore found in creds/, copying to $KEYSTORE_TARGET"
+  cp "$CREDS_KEYSTORE" "$KEYSTORE_TARGET"
+else
+  echo "No keystore found. Generating a new upload keystore..."
+
+  keytool -genkey -v \
+    -keystore "$KEYSTORE_TARGET" \
+    -keyalg RSA \
+    -keysize 2048 \
+    -validity 10000 \
+    -alias upload \
+    -storepass "$KEYSTORE_PASSWORD" \
+    -keypass "$KEYSTORE_PASSWORD" \
+    -dname "CN=Upload Key, O=${APP_NAME:-App}"
+
+  echo "New keystore generated at $KEYSTORE_TARGET"
+
+  # Backup to creds/ for local development persistence.
+  # In CI the workspace is ephemeral, so the keystore should already exist
+  # in creds/ (committed or restored from a secret/artifact).
+  mkdir -p "$PROJECT_ROOT/creds"
+  cp "$KEYSTORE_TARGET" "$CREDS_KEYSTORE"
+  echo "Backed up keystore to $CREDS_KEYSTORE"
+fi
+
+# --- Resolve absolute path ---
+KEYSTORE_ABS_PATH="$(cd "$(dirname "$KEYSTORE_TARGET")" && pwd)/$(basename "$KEYSTORE_TARGET")"
+
+# --- Validate keystore ---
+echo "Validating keystore..."
+if ! keytool -list -keystore "$KEYSTORE_ABS_PATH" -storepass "$KEYSTORE_PASSWORD" -alias upload >/dev/null 2>&1; then
+  echo "ERROR: Keystore validation failed. Check password and alias." >&2
+  exit 1
+fi
+echo "Keystore validated successfully"
+
+# --- Set Gradle signing env vars (matches build.gradle.kts) ---
+export CM_KEYSTORE_PATH="$KEYSTORE_ABS_PATH"
+export CM_KEYSTORE_PASSWORD="$KEYSTORE_PASSWORD"
+export CM_KEY_ALIAS="upload"
+export CM_KEY_PASSWORD="$KEYSTORE_PASSWORD"
+
+persist_to_github_env \
+  "CM_KEYSTORE_PATH=$CM_KEYSTORE_PATH" \
+  "CM_KEYSTORE_PASSWORD=$CM_KEYSTORE_PASSWORD" \
+  "CM_KEY_ALIAS=$CM_KEY_ALIAS" \
+  "CM_KEY_PASSWORD=$CM_KEY_PASSWORD"
+
+echo "Android keystore setup complete"
+echo "  CM_KEYSTORE_PATH=$CM_KEYSTORE_PATH"
+echo "  CM_KEY_ALIAS=$CM_KEY_ALIAS"

package/templates/scripts/ci/android/sync-iap.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Check Google Play readiness ---
+if [ "${GOOGLE_PLAY_READY:-false}" != "true" ]; then
+  echo "ERROR: Google Play not ready. Cannot sync IAPs." >&2
+  exit 1
+fi
+
+# --- Check if IAP config exists ---
+IAP_CONFIG="$PROJECT_ROOT/fastlane/iap_config.json"
+if [ ! -f "$IAP_CONFIG" ]; then
+  echo "No iap_config.json found at $IAP_CONFIG. Skipping IAP sync."
+  exit 0
+fi
+
+# --- Check if IAP plugin is available ---
+cd "$APP_ROOT/android"
+if ! bundle exec gem list fastlane-plugin-iap --installed; then
+  echo "ERROR: fastlane-plugin-iap not installed." >&2
+  echo "To enable: add it to app/android/Pluginfile and run 'bundle install'." >&2
+  exit 1
+fi
+
+# --- Hash-based change detection ---
+STATE_DIR="$PROJECT_ROOT/.ci-state"
+mkdir -p "$STATE_DIR"
+
+HASH=$(shasum -a 256 "$IAP_CONFIG" | cut -d' ' -f1)
+STATE_FILE="$STATE_DIR/android-iap-hash"
+
+if [ -f "$STATE_FILE" ]; then
+  STORED_HASH=$(cat "$STATE_FILE")
+  if [ "$HASH" = "$STORED_HASH" ]; then
+    echo "No changes in iap_config.json (hash: ${HASH:0:12}...). Skipping."
+    exit 0
+  fi
+fi
+
+echo "Changes detected in IAP config (hash: ${HASH:0:12}...)"
+
+# --- Resolve service account path ---
+SA_FULL_PATH="$PROJECT_ROOT/$GOOGLE_SA_JSON_PATH"
+if [ ! -f "$SA_FULL_PATH" ]; then
+  echo "ERROR: Service account JSON not found at $SA_FULL_PATH" >&2
+  exit 1
+fi
+
+# --- Sync IAP via Fastlane ---
+echo "Syncing Android IAP configuration..."
+
+PACKAGE_NAME="$PACKAGE_NAME" \
+GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH="$SA_FULL_PATH" \
+bundle exec fastlane sync_google_iap
+
+echo "Android IAP sync complete"
+
+# --- Update hash on success ---
+echo "$HASH" > "$STATE_FILE"
+echo "Updated state hash: ${HASH:0:12}..."

package/templates/scripts/ci/android/update-data-safety.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Check Google Play readiness ---
+if [ "${GOOGLE_PLAY_READY:-false}" != "true" ]; then
+  echo "ERROR: Google Play not ready. Cannot update data safety." >&2
+  exit 1
+fi
+
+# --- Check if data safety CSV exists ---
+DATA_SAFETY_CSV="$PROJECT_ROOT/fastlane/data_safety.csv"
+if [ ! -f "$DATA_SAFETY_CSV" ]; then
+  echo "No data_safety.csv found at $DATA_SAFETY_CSV. Skipping."
+  exit 0
+fi
+
+# --- Hash-based change detection ---
+STATE_DIR="$PROJECT_ROOT/.ci-state"
+mkdir -p "$STATE_DIR"
+
+HASH=$(shasum -a 256 "$DATA_SAFETY_CSV" | cut -d' ' -f1)
+STATE_FILE="$STATE_DIR/android-data-safety-hash"
+
+if [ -f "$STATE_FILE" ]; then
+  STORED_HASH=$(cat "$STATE_FILE")
+  if [ "$HASH" = "$STORED_HASH" ]; then
+    echo "No changes in data_safety.csv (hash: ${HASH:0:12}...). Skipping."
+    exit 0
+  fi
+fi
+
+echo "Changes detected in data safety config (hash: ${HASH:0:12}...)"
+
+# --- Link fastlane directories ---
+"$SCRIPT_DIR/../common/link-fastlane.sh" android
+
+# --- Ensure fastlane is installed ---
+cd "$APP_ROOT/android"
+if ! bundle exec fastlane --version >/dev/null 2>&1; then
+  "$SCRIPT_DIR/../common/install-fastlane.sh" android
+fi
+
+# --- Resolve service account path ---
+SA_FULL_PATH="$PROJECT_ROOT/$GOOGLE_SA_JSON_PATH"
+if [ ! -f "$SA_FULL_PATH" ]; then
+  echo "ERROR: Service account JSON not found at $SA_FULL_PATH" >&2
+  exit 1
+fi
+
+# --- Update data safety via Fastlane ---
+echo "Updating Android data safety..."
+
+PACKAGE_NAME="$PACKAGE_NAME" \
+GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH="$SA_FULL_PATH" \
+DATA_SAFETY_CSV_PATH="$DATA_SAFETY_CSV" \
+bundle exec fastlane update_data_safety
+
+echo "Android data safety update complete"
+
+# --- Update hash on success ---
+echo "$HASH" > "$STATE_FILE"
+echo "Updated state hash: ${HASH:0:12}..."