@daemux/store-automator 0.7.1 → 0.9.0

package/templates/scripts/ci/android/upload-binary.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Check Google Play readiness ---
+if [ "${GOOGLE_PLAY_READY:-false}" != "true" ]; then
+  echo ""
+  echo "============================================="
+  echo "  Google Play is NOT ready for automation"
+  echo "============================================="
+  echo ""
+  echo "This is likely the first release. You must upload the AAB manually."
+
+  AAB_DIR="$APP_ROOT/build/app/outputs/bundle/release"
+  AAB_FILE=$(find "$AAB_DIR" -name "*.aab" -type f 2>/dev/null | head -1)
+  if [ -n "$AAB_FILE" ]; then
+    echo ""
+    echo "Built AAB: $AAB_FILE ($(du -h "$AAB_FILE" | cut -f1))"
+  else
+    echo ""
+    echo "No AAB found. Run build.sh first."
+  fi
+
+  echo ""
+  echo "Manual upload steps:"
+  echo "  1. Go to Google Play Console: https://play.google.com/console"
+  echo "  2. Select your app ($PACKAGE_NAME)"
+  echo "  3. Go to Release > Testing > Internal testing (or your target track)"
+  echo "  4. Create a new release and upload the AAB file"
+  echo "  5. Complete the release form and roll out"
+  echo ""
+  echo "After the first manual upload, subsequent releases will be automated."
+  exit 1
+fi
+
+# --- Validate prerequisites ---
+SA_FULL_PATH="$PROJECT_ROOT/$GOOGLE_SA_JSON_PATH"
+if [ ! -f "$SA_FULL_PATH" ]; then
+  echo "ERROR: Service account JSON not found at $SA_FULL_PATH" >&2
+  exit 1
+fi
+
+# --- Link fastlane directories and ensure installed ---
+"$SCRIPT_DIR/../common/link-fastlane.sh" android
+cd "$APP_ROOT/android"
+if ! bundle exec fastlane --version >/dev/null 2>&1; then
+  "$SCRIPT_DIR/../common/install-fastlane.sh" android
+fi
+
+# --- Upload via Fastlane ---
+echo "Uploading AAB to Google Play (track: ${TRACK:-internal}, package: $PACKAGE_NAME)..."
+
+PACKAGE_NAME="$PACKAGE_NAME" \
+GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH="$SA_FULL_PATH" \
+TRACK="${TRACK:-internal}" \
+ROLLOUT_FRACTION="${ROLLOUT_FRACTION:-}" \
+IN_APP_UPDATE_PRIORITY="${IN_APP_UPDATE_PRIORITY:-0}" \
+bundle exec fastlane upload_binary_android
+
+echo "Android binary upload complete"

package/templates/scripts/ci/android/upload-metadata.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Check Google Play readiness ---
+if [ "${GOOGLE_PLAY_READY:-false}" != "true" ]; then
+  echo "ERROR: Google Play not ready. Cannot upload metadata." >&2
+  echo "Run check-readiness.sh for details." >&2
+  exit 1
+fi
+
+# --- Hash-based change detection ---
+STATE_DIR="$PROJECT_ROOT/.ci-state"
+mkdir -p "$STATE_DIR"
+
+HASH=$(find "$PROJECT_ROOT/fastlane/metadata" "$PROJECT_ROOT/fastlane/screenshots/android" \
+  -type f 2>/dev/null | sort | xargs shasum -a 256 2>/dev/null | shasum -a 256 | cut -d' ' -f1)
+STATE_FILE="$STATE_DIR/android-metadata-hash"
+
+if [ -f "$STATE_FILE" ]; then
+  STORED_HASH=$(cat "$STATE_FILE")
+  if [ "$HASH" = "$STORED_HASH" ]; then
+    echo "No changes in Android metadata or screenshots (hash: ${HASH:0:12}...). Skipping."
+    exit 0
+  fi
+fi
+
+echo "Changes detected in Android metadata (hash: ${HASH:0:12}...)"
+
+# --- Link fastlane directories ---
+"$SCRIPT_DIR/../common/link-fastlane.sh" android
+
+# --- Ensure fastlane is installed ---
+cd "$APP_ROOT/android"
+if ! bundle exec fastlane --version >/dev/null 2>&1; then
+  "$SCRIPT_DIR/../common/install-fastlane.sh" android
+fi
+
+# --- Resolve service account path ---
+SA_FULL_PATH="$PROJECT_ROOT/$GOOGLE_SA_JSON_PATH"
+if [ ! -f "$SA_FULL_PATH" ]; then
+  echo "ERROR: Service account JSON not found at $SA_FULL_PATH" >&2
+  exit 1
+fi
+
+# --- Upload metadata via Fastlane ---
+echo "Uploading Android metadata..."
+
+set +e
+FASTLANE_OUTPUT=$(PACKAGE_NAME="$PACKAGE_NAME" \
+GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH="$SA_FULL_PATH" \
+bundle exec fastlane upload_metadata_android 2>&1)
+FASTLANE_EXIT=$?
+set -e
+
+echo "$FASTLANE_OUTPUT"
+
+if [ $FASTLANE_EXIT -ne 0 ]; then
+  # Google Play API rejects non-draft edits on apps that have never been
+  # published.  This resolves after the first manual release via the Play
+  # Console.  Hard-fail so the CI run surfaces the issue immediately.
+  if echo "$FASTLANE_OUTPUT" | grep -qi "draft app"; then
+    echo "ERROR: Metadata upload failed because the app is still in draft" >&2
+    echo "       state on Google Play.  Complete the first release manually" >&2
+    echo "       via the Play Console, then re-run this workflow." >&2
+    exit 1
+  fi
+  exit $FASTLANE_EXIT
+fi
+
+echo "Android metadata uploaded successfully"
+
+# --- Update hash on success ---
+echo "$HASH" > "$STATE_FILE"
+echo "Updated state hash: ${HASH:0:12}..."

package/templates/scripts/ci/common/check-changed.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Content-based change detection using SHA256 hashes.
+# Stores hashes in .ci-state/ directory (gitignored).
+# Exit 0 = changed (or first run) -> proceed with work
+# Exit 1 = unchanged -> skip work
+#
+# Usage: scripts/ci/common/check-changed.sh <directory-path> [--use-cache]
+#
+# Hash update pattern:
+#   1. Call check-changed.sh <path> -- if exit 1, skip.
+#   2. Do the work (upload, sync, etc.)
+#   3. On success: mv .ci-state/<key>.hash.pending .ci-state/<key>.hash
+#   4. On failure: leave .pending file (next run will see change again)
+
+USE_CACHE=false
+TARGET=""
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --use-cache) USE_CACHE=true ;;
+    *) TARGET="$1" ;;
+  esac
+  shift
+done
+
+if [ -z "$TARGET" ]; then
+  echo "Usage: check-changed.sh <directory-path> [--use-cache]" >&2
+  exit 1
+fi
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+
+STATE_DIR="$PROJECT_ROOT/.ci-state"
+mkdir -p "$STATE_DIR"
+
+# When running locally without --use-cache, always report changed
+if [ -z "${CI:-}" ] && [ "$USE_CACHE" = "false" ]; then
+  echo "Local mode (no --use-cache): reporting changed"
+  exit 0
+fi
+
+# Generate a safe filename from the target path
+STATE_KEY=$(echo "$TARGET" | sed 's/[^a-zA-Z0-9]/_/g')
+STATE_FILE="$STATE_DIR/$STATE_KEY.hash"
+
+# Check if any files exist before hashing
+FILE_COUNT=$(find "$PROJECT_ROOT/$TARGET" -type f 2>/dev/null | wc -l | tr -d ' ')
+if [ "$FILE_COUNT" -eq 0 ]; then
+  echo "No files found matching '$TARGET'. Reporting changed (first run)."
+  exit 0
+fi
+
+# Compute current content hash using a direct pipeline.
+# NOTE: Using `while read` to safely handle filenames with spaces.
+CURRENT_HASH=$(
+  find "$PROJECT_ROOT/$TARGET" -type f 2>/dev/null | sort \
+    | while IFS= read -r file; do shasum -a 256 "$file"; done \
+    | shasum -a 256 | cut -d' ' -f1
+)
+
+# Compare with stored hash
+if [ -f "$STATE_FILE" ]; then
+  STORED_HASH=$(cat "$STATE_FILE")
+  if [ "$CURRENT_HASH" = "$STORED_HASH" ]; then
+    echo "No changes detected for '$TARGET' (hash: ${CURRENT_HASH:0:12}...)"
+    exit 1
+  fi
+fi
+
+echo "Changes detected for '$TARGET' (hash: ${CURRENT_HASH:0:12}...)"
+echo "$CURRENT_HASH" > "$STATE_FILE.pending"
+exit 0

package/templates/scripts/ci/common/flutter-setup.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Runs Flutter pub get and verifies the SDK is available.
+# Usage: scripts/ci/common/flutter-setup.sh
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/read-config.sh"
+
+if ! command -v flutter &>/dev/null; then
+  echo "ERROR: Flutter SDK not found in PATH" >&2
+  exit 1
+fi
+
+echo "Flutter version:"
+flutter --version
+
+echo "Running flutter pub get in $APP_ROOT..."
+cd "$APP_ROOT"
+flutter pub get
+
+echo "Flutter setup complete"

package/templates/scripts/ci/common/install-fastlane.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Installs Fastlane and its dependencies for the given platform.
+# Usage: scripts/ci/common/install-fastlane.sh <ios|android>
+
+PLATFORM="${1:?Usage: install-fastlane.sh <ios|android>}"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/read-config.sh"
+
+PLATFORM_DIR="$APP_ROOT/$PLATFORM"
+
+if [ ! -d "$PLATFORM_DIR" ]; then
+  echo "ERROR: Platform directory not found: $PLATFORM_DIR" >&2
+  exit 1
+fi
+
+GEMFILE="$PLATFORM_DIR/Gemfile"
+if [ ! -f "$GEMFILE" ]; then
+  echo "ERROR: Gemfile not found at $GEMFILE" >&2
+  exit 1
+fi
+
+echo "Installing Fastlane for $PLATFORM..."
+cd "$PLATFORM_DIR"
+
+if ! command -v bundle &>/dev/null; then
+  echo "Installing bundler..."
+  gem install bundler --no-document --user-install
+fi
+
+bundle config set --local path vendor/bundle
+bundle install --jobs 4 --retry 3
+
+echo "Verifying Fastlane installation..."
+bundle exec fastlane --version
+
+echo "Fastlane installed successfully for $PLATFORM"

package/templates/scripts/ci/common/link-fastlane.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Creates symlinks so that `cd app/ios && bundle exec fastlane` (or android)
+# can find the Fastfile. Fastlane config lives at project root under fastlane/ios/
+# and fastlane/android/. This script links them into the platform directories.
+#
+# Usage: scripts/ci/common/link-fastlane.sh <ios|android>
+
+PLATFORM="${1:?Usage: link-fastlane.sh <ios|android>}"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/read-config.sh"
+
+create_symlink() {
+  local target="$1"
+  local link="$2"
+
+  if [ -e "$link" ] && [ ! -L "$link" ]; then
+    echo "ERROR: $link exists and is not a symlink. Cannot create link." >&2
+    return 1
+  fi
+
+  ln -sfn "$target" "$link"
+  echo "Linked: $link -> $target"
+
+  if [ ! -e "$link" ]; then
+    echo "ERROR: Symlink target does not exist: $target" >&2
+    return 1
+  fi
+}
+
+echo "Linking Fastlane directories for $PLATFORM..."
+
+FASTLANE_ROOT="$PROJECT_ROOT/fastlane"
+PLATFORM_DIR="$APP_ROOT/$PLATFORM"
+
+if [ ! -d "$FASTLANE_ROOT/$PLATFORM" ]; then
+  echo "ERROR: Fastlane config not found at $FASTLANE_ROOT/$PLATFORM" >&2
+  exit 1
+fi
+
+if [ ! -d "$PLATFORM_DIR" ]; then
+  echo "ERROR: Platform directory not found at $PLATFORM_DIR" >&2
+  exit 1
+fi
+
+# Create symlink: app/ios/fastlane -> ../../fastlane/ios
+# Create symlink: app/android/fastlane -> ../../fastlane/android
+RELATIVE_TARGET="../../fastlane/$PLATFORM"
+LINK_PATH="$PLATFORM_DIR/fastlane"
+
+create_symlink "$RELATIVE_TARGET" "$LINK_PATH"
+
+echo "Fastlane linking complete for $PLATFORM"
+ls -la "$LINK_PATH"

package/templates/scripts/ci/common/read-config.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Reads values from ci.config.yaml using yq and exports them as environment variables.
+# Usage: source scripts/ci/common/read-config.sh
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+export PROJECT_ROOT
+
+CONFIG="$PROJECT_ROOT/ci.config.yaml"
+
+if [ ! -f "$CONFIG" ]; then
+  echo "ERROR: ci.config.yaml not found at $CONFIG" >&2
+  exit 1
+fi
+
+if ! command -v yq &>/dev/null; then
+  echo "ERROR: yq is not installed. Install with: brew install yq" >&2
+  exit 1
+fi
+
+# App root
+export FLUTTER_ROOT=$(yq '.flutter_root // "."' "$CONFIG")
+export APP_ROOT="$PROJECT_ROOT/$FLUTTER_ROOT"
+
+# Fastlane expects CM_BUILD_DIR for absolute path resolution in Fastfiles
+export CM_BUILD_DIR="$PROJECT_ROOT"
+
+# App identity
+export BUNDLE_ID=$(yq '.app.bundle_id // ""' "$CONFIG")
+export PACKAGE_NAME=$(yq '.app.package_name // ""' "$CONFIG")
+export APP_NAME=$(yq '.app.name // ""' "$CONFIG")
+export SKU=$(yq '.app.sku // ""' "$CONFIG")
+export APPLE_ID=$(yq '.app.apple_id // ""' "$CONFIG")
+
+# Credentials - Apple
+export P8_KEY_PATH=$(yq '.credentials.apple.p8_key_path // ""' "$CONFIG")
+export APPLE_KEY_ID=$(yq '.credentials.apple.key_id // ""' "$CONFIG")
+export APPLE_ISSUER_ID=$(yq '.credentials.apple.issuer_id // ""' "$CONFIG")
+
+# Credentials - Google
+export GOOGLE_SA_JSON_PATH=$(yq '.credentials.google.service_account_json_path // ""' "$CONFIG")
+
+# Credentials - Android signing
+export KEYSTORE_PASSWORD=$(yq '.credentials.android.keystore_password // ""' "$CONFIG")
+
+# Credentials - Match (iOS code signing)
+export MATCH_GIT_URL=$(yq '.credentials.match.git_url // ""' "$CONFIG")
+export MATCH_DEPLOY_KEY_PATH=$(yq '.credentials.match.deploy_key_path // ""' "$CONFIG")
+
+# iOS App Store settings
+export PRIMARY_CATEGORY=$(yq '.ios.primary_category // ""' "$CONFIG")
+export SECONDARY_CATEGORY=$(yq '.ios.secondary_category // ""' "$CONFIG")
+export PRICE_TIER=$(yq '.ios.price_tier // ""' "$CONFIG")
+export SUBMIT_FOR_REVIEW=$(yq '.ios.submit_for_review // "false"' "$CONFIG")
+export AUTOMATIC_RELEASE=$(yq '.ios.automatic_release // "false"' "$CONFIG")
+
+# Android Play Store settings
+export TRACK=$(yq '.android.track // "internal"' "$CONFIG")
+export ROLLOUT_FRACTION=$(yq '.android.rollout_fraction // ""' "$CONFIG")
+export IN_APP_UPDATE_PRIORITY=$(yq '.android.in_app_update_priority // "0"' "$CONFIG")
+
+# Codemagic CI/CD
+export CODEMAGIC_APP_ID=$(yq '.codemagic.app_id // ""' "$CONFIG")
+export CODEMAGIC_TEAM_ID=$(yq '.codemagic.team_id // ""' "$CONFIG")
+
+# Web
+export WEB_DOMAIN=$(yq '.web.domain // ""' "$CONFIG")
+
+echo "Config loaded from $CONFIG"
+echo "  APP_ROOT=$APP_ROOT"
+echo "  BUNDLE_ID=$BUNDLE_ID"
+echo "  PACKAGE_NAME=$PACKAGE_NAME"

package/templates/scripts/ci/ios/build.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Validate prerequisites ---
+if [ -z "${EXPORT_OPTIONS_PLIST:-}" ]; then
+  echo "ERROR: EXPORT_OPTIONS_PLIST not set. Run setup-signing.sh first (TASK_3)." >&2
+  exit 1
+fi
+
+if [ ! -f "$EXPORT_OPTIONS_PLIST" ]; then
+  echo "ERROR: Export options plist not found at $EXPORT_OPTIONS_PLIST" >&2
+  exit 1
+fi
+
+if ! command -v flutter &>/dev/null; then
+  echo "ERROR: Flutter SDK not found in PATH" >&2
+  exit 1
+fi
+
+# --- Patch Xcode project for manual signing in CI ---
+# flutter build ipa runs xcodebuild archive before applying ExportOptions.plist.
+# The archive step uses the project's build settings, so we must set manual signing
+# with the correct team ID and provisioning profile from setup-signing.sh.
+PBXPROJ="$APP_ROOT/ios/Runner.xcodeproj/project.pbxproj"
+PROFILE_NAME="match AppStore $BUNDLE_ID"
+
+if [ -f "$PBXPROJ" ]; then
+  echo "Patching Xcode project for CI signing..."
+
+  # Ensure all configurations use manual signing
+  sed -i '' 's/CODE_SIGN_STYLE = Automatic/CODE_SIGN_STYLE = Manual/g' "$PBXPROJ"
+
+  # Set the team ID discovered by setup-signing.sh
+  if [ -n "${TEAM_ID:-}" ]; then
+    sed -i '' "s/DEVELOPMENT_TEAM = \"[^\"]*\"/DEVELOPMENT_TEAM = \"$TEAM_ID\"/g" "$PBXPROJ"
+    sed -i '' "s/DEVELOPMENT_TEAM = ;/DEVELOPMENT_TEAM = \"$TEAM_ID\";/g" "$PBXPROJ"
+    echo "  DEVELOPMENT_TEAM = $TEAM_ID"
+  fi
+
+  # Set the provisioning profile specifier for the Runner target
+  if [ -n "$PROFILE_NAME" ]; then
+    PKEY="PROVISIONING_PROFILE_SPECIFIER"
+    sed -i '' \
+      "s/$PKEY = \"[^\"]*\"/$PKEY = \"$PROFILE_NAME\"/g" "$PBXPROJ"
+    sed -i '' \
+      "s/$PKEY = ;/$PKEY = \"$PROFILE_NAME\";/g" "$PBXPROJ"
+    echo "  $PKEY = $PROFILE_NAME"
+  fi
+
+  # Set the code sign identity for distribution
+  sed -i '' \
+    's/"CODE_SIGN_IDENTITY\[sdk=iphoneos\*\]" = "iPhone Developer"/'\
+'"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Distribution"/g' \
+    "$PBXPROJ"
+
+  echo "Xcode project patched for CI signing"
+fi
+
+# --- Build IPA ---
+echo "Building IPA..."
+echo "  APP_ROOT: $APP_ROOT"
+echo "  EXPORT_OPTIONS_PLIST: $EXPORT_OPTIONS_PLIST"
+
+cd "$APP_ROOT"
+flutter build ipa \
+  --release \
+  --export-options-plist="$EXPORT_OPTIONS_PLIST"
+
+# --- Verify IPA exists ---
+IPA_DIR="$APP_ROOT/build/ios/ipa"
+IPA_FILE=$(find "$IPA_DIR" -name "*.ipa" -type f 2>/dev/null | head -1)
+if [ -z "$IPA_FILE" ]; then
+  echo "ERROR: No .ipa file found in $IPA_DIR" >&2
+  exit 1
+fi
+
+echo "IPA built successfully: $IPA_FILE"
+echo "IPA size: $(du -h "$IPA_FILE" | cut -f1)"
+
+# --- Export ---
+export IPA_PATH="$IPA_FILE"
+
+if [ -n "${GITHUB_ENV:-}" ]; then
+  echo "IPA_PATH=$IPA_FILE" >> "$GITHUB_ENV"
+  echo "Exported IPA_PATH to GITHUB_ENV"
+fi
+
+echo "iOS build complete: $IPA_PATH"

package/templates/scripts/ci/ios/manage-version.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Validate required config ---
+if [ -z "$APPLE_KEY_ID" ] || [ -z "$APPLE_ISSUER_ID" ] || [ -z "$P8_KEY_PATH" ]; then
+  echo "ERROR: Missing Apple credentials in ci.config.yaml (APPLE_KEY_ID, APPLE_ISSUER_ID, or P8_KEY_PATH)" >&2
+  exit 1
+fi
+
+P8_FULL_PATH="$PROJECT_ROOT/$P8_KEY_PATH"
+if [ ! -f "$P8_FULL_PATH" ]; then
+  echo "ERROR: P8 key file not found at $P8_FULL_PATH" >&2
+  exit 1
+fi
+
+# --- Set ASC API env vars for manage_version_ios.py ---
+export APP_STORE_CONNECT_KEY_IDENTIFIER="$APPLE_KEY_ID"
+export APP_STORE_CONNECT_ISSUER_ID="$APPLE_ISSUER_ID"
+export APP_STORE_CONNECT_PRIVATE_KEY
+APP_STORE_CONNECT_PRIVATE_KEY=$(cat "$P8_FULL_PATH")
+
+# --- Export BUNDLE_ID for manage_version_ios.py ---
+export BUNDLE_ID
+
+# --- Run the existing Python script ---
+echo "Running manage_version_ios.py..."
+VERSION_JSON=$(python3 "$PROJECT_ROOT/scripts/manage_version_ios.py")
+
+if [ -z "$VERSION_JSON" ]; then
+  echo "ERROR: manage_version_ios.py returned empty output" >&2
+  exit 1
+fi
+
+echo "Version info: $VERSION_JSON"
+
+# --- Parse JSON output ---
+# Expected format: {"version": "X.Y.Z", "version_id": "...", "state": "..."}
+read -r APP_VERSION APP_VERSION_ID APP_STATUS < <(
+  echo "$VERSION_JSON" | python3 -c "
+import sys, json
+d = json.load(sys.stdin)
+print(d['version'], d.get('version_id',''), d.get('state',''))
+"
+)
+
+echo "Parsed version: $APP_VERSION (id: $APP_VERSION_ID, status: $APP_STATUS)"
+
+# --- Export to environment ---
+export APP_VERSION
+export APP_VERSION_ID
+export APP_STATUS
+
+# Write to $GITHUB_ENV for inter-step communication in CI
+if [ -n "${GITHUB_ENV:-}" ]; then
+  echo "APP_VERSION=$APP_VERSION" >> "$GITHUB_ENV"
+  echo "APP_VERSION_ID=$APP_VERSION_ID" >> "$GITHUB_ENV"
+  echo "APP_STATUS=$APP_STATUS" >> "$GITHUB_ENV"
+  echo "Exported to GITHUB_ENV"
+fi
+
+echo "iOS version management complete: $APP_VERSION"

package/templates/scripts/ci/ios/set-build-number.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../common/read-config.sh"
+
+# --- Validate prerequisites ---
+if [ -z "${APP_VERSION:-}" ]; then
+  echo "ERROR: APP_VERSION not set. Run manage-version.sh first." >&2
+  exit 1
+fi
+
+if [ -z "$BUNDLE_ID" ]; then
+  echo "ERROR: BUNDLE_ID not set in ci.config.yaml" >&2
+  exit 1
+fi
+
+# --- Ensure ASC API env vars are set ---
+if [ -z "${APP_STORE_CONNECT_KEY_IDENTIFIER:-}" ]; then
+  P8_FULL_PATH="$PROJECT_ROOT/$P8_KEY_PATH"
+  export APP_STORE_CONNECT_KEY_IDENTIFIER="$APPLE_KEY_ID"
+  export APP_STORE_CONNECT_ISSUER_ID="$APPLE_ISSUER_ID"
+  export APP_STORE_CONNECT_PRIVATE_KEY
+  APP_STORE_CONNECT_PRIVATE_KEY=$(cat "$P8_FULL_PATH")
+fi
+
+# --- Ensure PyJWT is installed ---
+pip3 install --break-system-packages PyJWT
+
+# --- Fetch latest build number from ASC ---
+echo "Fetching latest build number from App Store Connect..."
+
+LATEST_BUILD=$(python3 -c "
+import os, json, time, jwt, urllib.request
+
+key_id = os.environ['APP_STORE_CONNECT_KEY_IDENTIFIER']
+issuer_id = os.environ['APP_STORE_CONNECT_ISSUER_ID']
+private_key = os.environ['APP_STORE_CONNECT_PRIVATE_KEY']
+bundle_id = os.environ.get('BUNDLE_ID', '')
+
+# Generate JWT token
+now = int(time.time())
+payload = {'iss': issuer_id, 'iat': now, 'exp': now + 1200, 'aud': 'appstoreconnect-v1'}
+token = jwt.encode(payload, private_key, algorithm='ES256', headers={'kid': key_id})
+headers = {'Authorization': f'Bearer {token}'}
+
+# Resolve app ID from bundle ID
+req = urllib.request.Request(
+    f'https://api.appstoreconnect.apple.com/v1/apps?filter[bundleId]={bundle_id}',
+    headers=headers)
+with urllib.request.urlopen(req) as resp:
+    app_id = json.loads(resp.read())['data'][0]['id']
+
+# Fetch latest build
+req = urllib.request.Request(
+    f'https://api.appstoreconnect.apple.com/v1/builds?filter[app]={app_id}&sort=-version&limit=1',
+    headers=headers)
+with urllib.request.urlopen(req) as resp:
+    builds = json.loads(resp.read())['data']
+
+print(builds[0]['attributes']['version'] if builds else '0')
+")
+
+echo "Latest build number from ASC: $LATEST_BUILD"
+
+# --- Increment build number ---
+BUILD_NUMBER=$((LATEST_BUILD + 1))
+echo "New build number: $BUILD_NUMBER"
+
+# --- Write to pubspec.yaml ---
+PUBSPEC="$APP_ROOT/pubspec.yaml"
+if [ ! -f "$PUBSPEC" ]; then
+  echo "ERROR: pubspec.yaml not found at $PUBSPEC" >&2
+  exit 1
+fi
+
+echo "Updating pubspec.yaml: version: ${APP_VERSION}+${BUILD_NUMBER}"
+sed -i '' "s/^version: .*/version: ${APP_VERSION}+${BUILD_NUMBER}/" "$PUBSPEC"
+
+# Verify the write
+WRITTEN_VERSION=$(grep '^version:' "$PUBSPEC" | head -1)
+echo "Written to pubspec.yaml: $WRITTEN_VERSION"
+
+# --- Export ---
+export BUILD_NUMBER
+
+if [ -n "${GITHUB_ENV:-}" ]; then
+  echo "BUILD_NUMBER=$BUILD_NUMBER" >> "$GITHUB_ENV"
+  echo "Exported BUILD_NUMBER to GITHUB_ENV"
+fi
+
+echo "Build number set: $BUILD_NUMBER"