eas-cli 20.0.0 → 20.2.0

package/build/commands/update/embedded/view.js

@@ -0,0 +1,75 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatEmbeddedUpdate = formatEmbeddedUpdate;
+const tslib_1 = require("tslib");
+const core_1 = require("@oclif/core");
+const chalk_1 = tslib_1.__importDefault(require("chalk"));
+const EasCommand_1 = tslib_1.__importDefault(require("../../../commandUtils/EasCommand"));
+const flags_1 = require("../../../commandUtils/flags");
+const EmbeddedUpdateQuery_1 = require("../../../graphql/queries/EmbeddedUpdateQuery");
+const log_1 = tslib_1.__importDefault(require("../../../log"));
+const date_1 = require("../../../utils/date");
+const files_1 = require("../../../utils/files");
+const formatFields_1 = tslib_1.__importDefault(require("../../../utils/formatFields"));
+const json_1 = require("../../../utils/json");
+class UpdateEmbeddedView extends EasCommand_1.default {
+    static description = 'view details of an embedded update registered with EAS Update';
+    static args = {
+        id: core_1.Args.string({
+            required: true,
+            description: 'The ID of the embedded update (manifest UUID from app.manifest).',
+        }),
+    };
+    static flags = {
+        ...flags_1.EasJsonOnlyFlag,
+    };
+    static contextDefinition = {
+        ...this.ContextOptions.ProjectId,
+        ...this.ContextOptions.LoggedIn,
+    };
+    async runAsync() {
+        const { args: { id: embeddedUpdateId }, flags: { json: jsonFlag }, } = await this.parse(UpdateEmbeddedView);
+        const { projectId, loggedIn: { graphqlClient }, } = await this.getContextAsync(UpdateEmbeddedView, { nonInteractive: true });
+        if (jsonFlag) {
+            (0, json_1.enableJsonOutput)();
+        }
+        let embeddedUpdate;
+        try {
+            embeddedUpdate = await EmbeddedUpdateQuery_1.EmbeddedUpdateQuery.viewByIdAsync(graphqlClient, {
+                embeddedUpdateId,
+                appId: projectId,
+            });
+        }
+        catch (e) {
+            if ((0, EmbeddedUpdateQuery_1.isEmbeddedUpdateNotFoundError)(e)) {
+                core_1.Errors.error(`No embedded update found with id "${embeddedUpdateId}" for this project. ` +
+                    `Run "eas update:embedded:list" to see the embedded updates registered for this app.`, { exit: 1 });
+            }
+            throw e;
+        }
+        if (jsonFlag) {
+            (0, json_1.printJsonOnlyOutput)(embeddedUpdate);
+            return;
+        }
+        log_1.default.addNewLineIfNone();
+        log_1.default.log(chalk_1.default.bold('Embedded update:'));
+        log_1.default.log(formatEmbeddedUpdate(embeddedUpdate));
+    }
+}
+exports.default = UpdateEmbeddedView;
+function formatEmbeddedUpdate(embeddedUpdate) {
+    const createdAt = new Date(embeddedUpdate.createdAt);
+    const bundleSize = embeddedUpdate.launchAsset.finalFileSize ?? embeddedUpdate.launchAsset.fileSize;
+    return (0, formatFields_1.default)([
+        { label: 'ID', value: embeddedUpdate.id },
+        { label: 'Platform', value: embeddedUpdate.platform.toLowerCase() },
+        { label: 'Runtime version', value: embeddedUpdate.runtimeVersion },
+        { label: 'Channel', value: embeddedUpdate.channel },
+        { label: 'Bundle size', value: (0, files_1.formatBytes)(bundleSize) },
+        { label: 'Bundle SHA-256', value: embeddedUpdate.launchAsset.fileSHA256 },
+        {
+            label: 'Created at',
+            value: `${createdAt.toLocaleString()} (${(0, date_1.fromNow)(createdAt)} ago)`,
+        },
+    ]);
+}

package/build/commands/update/rollback.d.ts

@@ -1,8 +1,19 @@
 import EasCommand from '../../commandUtils/EasCommand';
 export default class UpdateRollback extends EasCommand {
     static description: string;
+    static args: {
+        groupId: import("@oclif/core/lib/interfaces").Arg<string | undefined, Record<string, unknown>>;
+    };
     static flags: {
+        json: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+        'non-interactive': import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+        message: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        platform: import("@oclif/core/lib/interfaces").OptionFlag<"android" | "ios" | "all", import("@oclif/core/lib/interfaces").CustomOptions>;
         'private-key-path': import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
     };
+    static contextDefinition: {
+        loggedIn: import("../../commandUtils/context/LoggedInContextField").default;
+        privateProjectConfig: import("../../commandUtils/context/PrivateProjectConfigContextField").PrivateProjectConfigContextField;
+    };
     runAsync(): Promise<void>;
 }

package/build/commands/update/rollback.js

@@ -5,35 +5,138 @@ const core_1 = require("@oclif/core");
 const republish_1 = tslib_1.__importDefault(require("./republish"));
 const roll_back_to_embedded_1 = tslib_1.__importDefault(require("./roll-back-to-embedded"));
 const EasCommand_1 = tslib_1.__importDefault(require("../../commandUtils/EasCommand"));
+const flags_1 = require("../../commandUtils/flags");
+const UpdateQuery_1 = require("../../graphql/queries/UpdateQuery");
 const prompts_1 = require("../../prompts");
+const defaultRollbackPlatforms = ['android', 'ios'];
 class UpdateRollback extends EasCommand_1.default {
-    static description = 'Roll back to an embedded update or an existing update. Users wishing to run this command non-interactively should instead execute "eas update:republish" or "eas update:roll-back-to-embedded".';
+    static description = 'roll back to an embedded update or an existing update';
+    static args = {
+        groupId: core_1.Args.string({
+            description: 'The ID of the update group to roll back. Must be the latest update for its branch and runtime version. The update group published before it is republished; if there is none, a roll back to the embedded update is published. Required in non-interactive mode.',
+            required: false,
+        }),
+    };
     static flags = {
+        message: core_1.Flags.string({
+            char: 'm',
+            description: 'Short message describing the rollback update',
+            required: false,
+        }),
+        platform: core_1.Flags.option({
+            char: 'p',
+            options: [...defaultRollbackPlatforms, 'all'],
+            default: 'all',
+            required: false,
+        })(),
         'private-key-path': core_1.Flags.string({
             description: `File containing the PEM-encoded private key corresponding to the certificate in expo-updates' configuration. Defaults to a file named "private-key.pem" in the certificate's directory. Only relevant if you are using code signing: https://docs.expo.dev/eas-update/code-signing/`,
             required: false,
         }),
+        ...flags_1.EasNonInteractiveAndJsonFlags,
+    };
+    static contextDefinition = {
+        ...this.ContextOptions.ProjectConfig,
+        ...this.ContextOptions.LoggedIn,
     };
     async runAsync() {
-        const { flags } = await this.parse(UpdateRollback);
-        const { choice } = await (0, prompts_1.promptAsync)({
-            type: 'select',
-            message: 'Which type of update would you like to roll back to?',
-            name: 'choice',
-            choices: [
-                { title: 'Published Update', value: 'published' },
-                { title: 'Embedded Update', value: 'embedded' },
-            ],
-        });
+        const { args, flags } = await this.parse(UpdateRollback);
+        const { json, nonInteractive } = (0, flags_1.resolveNonInteractiveAndJsonFlags)(flags);
+        const groupId = args.groupId;
+        const platform = flags.platform;
+        const messageArg = flags.message;
         const privateKeyPathArg = flags['private-key-path']
             ? ['--private-key-path', flags['private-key-path']]
             : [];
-        if (choice === 'published') {
-            await republish_1.default.run(privateKeyPathArg);
+        if (!groupId) {
+            if (nonInteractive) {
+                throw new Error('The update group ID argument is required in non-interactive mode.');
+            }
+            const { choice } = await (0, prompts_1.promptAsync)({
+                type: 'select',
+                message: 'Which type of update would you like to roll back to?',
+                name: 'choice',
+                choices: [
+                    { title: 'Published Update', value: 'published' },
+                    { title: 'Embedded Update', value: 'embedded' },
+                ],
+            });
+            if (choice === 'published') {
+                await republish_1.default.run(privateKeyPathArg);
+            }
+            else {
+                await roll_back_to_embedded_1.default.run(privateKeyPathArg);
+            }
+            return;
+        }
+        const { loggedIn: { graphqlClient }, privateProjectConfig: { projectId }, } = await this.getContextAsync(UpdateRollback, {
+            nonInteractive,
+            withServerSideEnvironment: null,
+        });
+        const sourceGroup = await getSourceUpdateGroupAsync(graphqlClient, groupId);
+        const previousGroup = await getPreviousUpdateGroupAsync(graphqlClient, projectId, sourceGroup);
+        const commonArgs = [
+            '--non-interactive',
+            '--platform',
+            platform,
+            ...privateKeyPathArg,
+            ...(json ? ['--json'] : []),
+        ];
+        if (previousGroup) {
+            const message = messageArg ??
+                `Roll back to "${previousGroup.message ?? ''}" (group: ${previousGroup.groupId})`;
+            await republish_1.default.run([
+                '--group',
+                previousGroup.groupId,
+                '--message',
+                message,
+                ...commonArgs,
+            ]);
         }
         else {
-            await roll_back_to_embedded_1.default.run(privateKeyPathArg);
+            const message = messageArg ?? 'Roll back to embedded';
+            await roll_back_to_embedded_1.default.run([
+                '--branch',
+                sourceGroup.branchName,
+                '--runtime-version',
+                sourceGroup.runtimeVersion,
+                '--message',
+                message,
+                ...commonArgs,
+            ]);
         }
     }
 }
 exports.default = UpdateRollback;
+async function getSourceUpdateGroupAsync(graphqlClient, groupId) {
+    // viewUpdateGroupAsync throws if no updates are found for the group ID.
+    const updateGroup = await UpdateQuery_1.UpdateQuery.viewUpdateGroupAsync(graphqlClient, { groupId });
+    const arbitraryUpdate = updateGroup[0];
+    return {
+        groupId,
+        branchName: arbitraryUpdate.branch.name,
+        runtimeVersion: arbitraryUpdate.runtimeVersion,
+    };
+}
+async function getPreviousUpdateGroupAsync(graphqlClient, projectId, sourceGroup) {
+    // Clients on a given runtime version are served the latest update group on the branch,
+    // so a rollback is only meaningful when the source group is that latest group. Fetch the
+    // two most recent groups for the runtime version (returned most-recent-first): the first
+    // must be the source group, and the second (if any) is the update to roll back to.
+    const latestGroups = await UpdateQuery_1.UpdateQuery.viewUpdateGroupsPaginatedOnBranchAsync(graphqlClient, {
+        appId: projectId,
+        branchName: sourceGroup.branchName,
+        first: 2,
+        filter: { runtimeVersions: [sourceGroup.runtimeVersion] },
+    });
+    const latestGroup = latestGroups[0];
+    if (!latestGroup?.length || latestGroup[0].group !== sourceGroup.groupId) {
+        throw new Error(`Update group "${sourceGroup.groupId}" is not the latest update on branch "${sourceGroup.branchName}" for runtime version "${sourceGroup.runtimeVersion}"${latestGroup?.length ? ` (the latest is "${latestGroup[0].group}")` : ''}. Only the latest update can be rolled back.`);
+    }
+    // Source group is the only update for this runtime version: roll back to embedded.
+    const previousGroup = latestGroups[1];
+    if (!previousGroup?.length) {
+        return null;
+    }
+    return { groupId: previousGroup[0].group, message: previousGroup[0].message ?? null };
+}

package/build/credentials/ios/actions/AscApiKeyUtils.d.ts

@@ -1,6 +1,9 @@
+import { ExpoGraphqlClient } from '../../../commandUtils/context/contextUtils/createGraphqlClient';
 import { AccountFragment, AppStoreConnectApiKeyFragment } from '../../../graphql/generated';
 import { CredentialsContext } from '../../context';
+import { AppLookupParams } from '../api/graphql/types/AppLookupParams';
 import { AscApiKey } from '../appstore/Credentials.types';
+import { AppleTeamType } from '../appstore/authenticateTypes';
 import { AscApiKeyPath, MinimalAscApiKey } from '../credentials';
 export declare enum AppStoreApiKeyPurpose {
     SUBMISSION_SERVICE = "EAS Submit",
@@ -19,3 +22,20 @@ export declare function selectAscApiKeysFromAccountAsync(ctx: CredentialsContext
 }): Promise<AppStoreConnectApiKeyFragment | null>;
 export declare function sortAscApiKeysByUpdatedAtDesc(keys: AppStoreConnectApiKeyFragment[]): AppStoreConnectApiKeyFragment[];
 export declare function formatAscApiKey(ascApiKey: AppStoreConnectApiKeyFragment): string;
+export declare function resolveAscApiKeyForAppCredentialsAsync({ graphqlClient, app, }: {
+    graphqlClient: ExpoGraphqlClient;
+    app: AppLookupParams;
+}): Promise<{
+    ascApiKey: MinimalAscApiKey;
+    teamId?: string;
+    teamName?: string;
+} | null>;
+/**
+ * Best-effort helper that populates `ctx.appStore.authCtx` in non-interactive mode
+ * by loading an App Store Connect API key (from env vars, or by fetching the app's
+ * stored key from the www GraphQL API).
+ *
+ * Returns true if `ctx.appStore.authCtx` is set after the call, false otherwise.
+ * Never throws.
+ */
+export declare function tryAuthenticateAppStoreWithEasAscApiKeyAsync(ctx: CredentialsContext, app: AppLookupParams, teamType: AppleTeamType): Promise<boolean>;

package/build/credentials/ios/actions/AscApiKeyUtils.js

@@ -10,6 +10,8 @@ exports.getAscApiKeysFromAccountAsync = getAscApiKeysFromAccountAsync;
 exports.selectAscApiKeysFromAccountAsync = selectAscApiKeysFromAccountAsync;
 exports.sortAscApiKeysByUpdatedAtDesc = sortAscApiKeysByUpdatedAtDesc;
 exports.formatAscApiKey = formatAscApiKey;
+exports.resolveAscApiKeyForAppCredentialsAsync = resolveAscApiKeyForAppCredentialsAsync;
+exports.tryAuthenticateAppStoreWithEasAscApiKeyAsync = tryAuthenticateAppStoreWithEasAscApiKeyAsync;
 const tslib_1 = require("tslib");
 const chalk_1 = tslib_1.__importDefault(require("chalk"));
 const fs_extra_1 = tslib_1.__importDefault(require("fs-extra"));
@@ -17,10 +19,14 @@ const nanoid_1 = require("nanoid");
 const path_1 = tslib_1.__importDefault(require("path"));
 const apple_utils_1 = require("@expo/apple-utils");
 const AppleTeamFormatting_1 = require("./AppleTeamFormatting");
+const AppStoreConnectApiKeyQuery_1 = require("../../../graphql/queries/AppStoreConnectApiKeyQuery");
 const log_1 = tslib_1.__importStar(require("../../../log"));
 const prompts_1 = require("../../../prompts");
 const date_1 = require("../../../utils/date");
 const promptForCredentials_1 = require("../../utils/promptForCredentials");
+const GraphqlClient_1 = require("../api/GraphqlClient");
+const authenticateTypes_1 = require("../appstore/authenticateTypes");
+const resolveCredentials_1 = require("../appstore/resolveCredentials");
 const credentials_1 = require("../credentials");
 const validateAscApiKey_1 = require("../validators/validateAscApiKey");
 var AppStoreApiKeyPurpose;
@@ -210,3 +216,61 @@ function formatAscApiKey(ascApiKey) {
     line += chalk_1.default.gray(`\n    Updated: ${(0, date_1.fromNow)(new Date(updatedAt))} ago`);
     return line;
 }
+async function resolveAscApiKeyForAppCredentialsAsync({ graphqlClient, app, }) {
+    const ascKeyFragment = await (0, GraphqlClient_1.getAscApiKeyForAppSubmissionsAsync)(graphqlClient, app);
+    if (!ascKeyFragment) {
+        return null;
+    }
+    const fullKey = await AppStoreConnectApiKeyQuery_1.AppStoreConnectApiKeyQuery.getByIdAsync(graphqlClient, ascKeyFragment.id);
+    return {
+        ascApiKey: {
+            keyP8: fullKey.keyP8,
+            keyId: fullKey.keyIdentifier,
+            issuerId: fullKey.issuerIdentifier,
+        },
+        teamId: ascKeyFragment.appleTeam?.appleTeamIdentifier,
+        teamName: ascKeyFragment.appleTeam?.appleTeamName ?? undefined,
+    };
+}
+/**
+ * Best-effort helper that populates `ctx.appStore.authCtx` in non-interactive mode
+ * by loading an App Store Connect API key (from env vars, or by fetching the app's
+ * stored key from the www GraphQL API).
+ *
+ * Returns true if `ctx.appStore.authCtx` is set after the call, false otherwise.
+ * Never throws.
+ */
+async function tryAuthenticateAppStoreWithEasAscApiKeyAsync(ctx, app, teamType) {
+    if (ctx.appStore.authCtx) {
+        return true;
+    }
+    try {
+        if ((0, resolveCredentials_1.hasAscEnvVars)()) {
+            await ctx.appStore.ensureAuthenticatedAsync({
+                mode: authenticateTypes_1.AuthenticationMode.API_KEY,
+                teamType,
+            });
+            return !!ctx.appStore.authCtx;
+        }
+        const resolvedKey = await resolveAscApiKeyForAppCredentialsAsync({
+            graphqlClient: ctx.graphqlClient,
+            app,
+        });
+        if (!resolvedKey) {
+            return false;
+        }
+        log_1.default.log('Using App Store Connect API Key from EAS credentials service.');
+        await ctx.appStore.ensureAuthenticatedAsync({
+            mode: authenticateTypes_1.AuthenticationMode.API_KEY,
+            ascApiKey: resolvedKey.ascApiKey,
+            teamId: resolvedKey.teamId,
+            teamName: resolvedKey.teamName,
+            teamType,
+        });
+        return !!ctx.appStore.authCtx;
+    }
+    catch (err) {
+        log_1.default.warn(`Failed to authenticate with the App Store Connect API key from EAS credentials service: ${err.message ?? err}`);
+        return false;
+    }
+}

package/build/credentials/ios/actions/ConfigureProvisioningProfile.js

@@ -8,7 +8,6 @@ const log_1 = tslib_1.__importStar(require("../../../log"));
 const ora_1 = require("../../../ora");
 const target_1 = require("../../../project/ios/target");
 const errors_1 = require("../../errors");
-const authenticateTypes_1 = require("../appstore/authenticateTypes");
 class ConfigureProvisioningProfile {
     app;
     target;
@@ -24,9 +23,8 @@ class ConfigureProvisioningProfile {
         if (ctx.freezeCredentials) {
             throw new errors_1.ForbidCredentialModificationError('Remove the --freeze-credentials flag to configure a Provisioning Profile.');
         }
-        else if (ctx.nonInteractive &&
-            ctx.appStore.defaultAuthenticationMode !== authenticateTypes_1.AuthenticationMode.API_KEY) {
-            throw new errors_1.InsufficientAuthenticationNonInteractiveError(`In order to configure your Provisioning Profile, authentication with an ASC API key is required in non-interactive mode. ${(0, log_1.learnMore)('https://docs.expo.dev/build/building-on-ci/#optional-provide-an-asc-api-token-for-your-apple-team')}`);
+        else if (ctx.nonInteractive && !ctx.appStore.authCtx) {
+            throw new errors_1.InsufficientAuthenticationNonInteractiveError(`In order to configure your Provisioning Profile, authentication with an ASC API key is required in non-interactive mode. Either set the EXPO_ASC_API_KEY_PATH/EXPO_ASC_KEY_ID/EXPO_ASC_ISSUER_ID environment variables, or configure an App Store Connect API Key for submissions for bundle identifier ${this.app.bundleIdentifier} on EAS. ${(0, log_1.learnMore)('https://docs.expo.dev/build/building-on-ci/#optional-provide-an-asc-api-token-for-your-apple-team')}`);
         }
         const { developerPortalIdentifier, provisioningProfile } = this.originalProvisioningProfile;
         if (!developerPortalIdentifier && !provisioningProfile) {

package/build/credentials/ios/actions/CreateProvisioningProfile.js

@@ -9,7 +9,6 @@ const ProvisioningProfileUtils_1 = require("./ProvisioningProfileUtils");
 const log_1 = tslib_1.__importStar(require("../../../log"));
 const errors_1 = require("../../errors");
 const promptForCredentials_1 = require("../../utils/promptForCredentials");
-const authenticateTypes_1 = require("../appstore/authenticateTypes");
 const credentials_1 = require("../credentials");
 class CreateProvisioningProfile {
     app;
@@ -24,9 +23,8 @@ class CreateProvisioningProfile {
         if (ctx.freezeCredentials) {
             throw new errors_1.ForbidCredentialModificationError('Run this command again without the --freeze-credentials flag in order to generate a new Provisioning Profile.');
         }
-        else if (ctx.nonInteractive &&
-            ctx.appStore.defaultAuthenticationMode !== authenticateTypes_1.AuthenticationMode.API_KEY) {
-            throw new errors_1.InsufficientAuthenticationNonInteractiveError(`In order to generate a new Provisioning Profile, authentication with an ASC API key is required in non-interactive mode. ${(0, log_1.learnMore)('https://docs.expo.dev/build/building-on-ci/#optional-provide-an-asc-api-token-for-your-apple-team')}`);
+        else if (ctx.nonInteractive && !ctx.appStore.authCtx) {
+            throw new errors_1.InsufficientAuthenticationNonInteractiveError(`In order to generate a new Provisioning Profile, authentication with an ASC API key is required in non-interactive mode. Either set the EXPO_ASC_API_KEY_PATH/EXPO_ASC_KEY_ID/EXPO_ASC_ISSUER_ID environment variables, or configure an App Store Connect API Key for submissions for bundle identifier ${this.app.bundleIdentifier} on EAS. ${(0, log_1.learnMore)('https://docs.expo.dev/build/building-on-ci/#optional-provide-an-asc-api-token-for-your-apple-team')}`);
         }
         const appleAuthCtx = await ctx.appStore.ensureAuthenticatedAsync();
         const provisioningProfile = await this.provideOrGenerateAsync(ctx, appleAuthCtx);

package/build/credentials/ios/actions/SetUpAdhocProvisioningProfile.js

@@ -11,16 +11,15 @@ const nullthrows_1 = tslib_1.__importDefault(require("nullthrows"));
 const AppleTeamUtils_1 = require("./AppleTeamUtils");
 const BuildCredentialsUtils_1 = require("./BuildCredentialsUtils");
 const DeviceUtils_1 = require("./DeviceUtils");
+const AscApiKeyUtils_1 = require("./AscApiKeyUtils");
 const SetUpDistributionCertificate_1 = require("./SetUpDistributionCertificate");
 const action_1 = tslib_1.__importStar(require("../../../devices/actions/create/action"));
 const generated_1 = require("../../../graphql/generated");
-const AppStoreConnectApiKeyQuery_1 = require("../../../graphql/queries/AppStoreConnectApiKeyQuery");
 const log_1 = tslib_1.__importDefault(require("../../../log"));
 const target_1 = require("../../../project/ios/target");
 const prompts_1 = require("../../../prompts");
 const differenceBy_1 = tslib_1.__importDefault(require("../../../utils/expodash/differenceBy"));
 const errors_1 = require("../../errors");
-const GraphqlClient_1 = require("../api/GraphqlClient");
 const authenticateTypes_1 = require("../appstore/authenticateTypes");
 const constants_1 = require("../appstore/constants");
 const resolveCredentials_1 = require("../appstore/resolveCredentials");
@@ -263,7 +262,7 @@ class SetUpAdhocProvisioningProfile {
             await ctx.appStore.ensureAuthenticatedAsync({ mode: authenticateTypes_1.AuthenticationMode.API_KEY });
             return;
         }
-        const resolvedKey = await resolveAscApiKeyForAppCredentialsAsync({
+        const resolvedKey = await (0, AscApiKeyUtils_1.resolveAscApiKeyForAppCredentialsAsync)({
             graphqlClient: ctx.graphqlClient,
             app,
         });
@@ -272,6 +271,7 @@ class SetUpAdhocProvisioningProfile {
                 '  - Environment variables: EXPO_ASC_API_KEY_PATH, EXPO_ASC_KEY_ID, EXPO_ASC_ISSUER_ID\n' +
                 '  - EAS credentials service: configure an App Store Connect API Key for submissions on this app');
         }
+        log_1.default.log('Using App Store Connect API Key from EAS credentials service.');
         await ctx.appStore.ensureAuthenticatedAsync({
             mode: authenticateTypes_1.AuthenticationMode.API_KEY,
             ascApiKey: resolvedKey.ascApiKey,
@@ -284,23 +284,6 @@ class SetUpAdhocProvisioningProfile {
     }
 }
 exports.SetUpAdhocProvisioningProfile = SetUpAdhocProvisioningProfile;
-async function resolveAscApiKeyForAppCredentialsAsync({ graphqlClient, app, }) {
-    const ascKeyFragment = await (0, GraphqlClient_1.getAscApiKeyForAppSubmissionsAsync)(graphqlClient, app);
-    if (!ascKeyFragment) {
-        return null;
-    }
-    log_1.default.log('Using App Store Connect API Key from EAS credentials service.');
-    const fullKey = await AppStoreConnectApiKeyQuery_1.AppStoreConnectApiKeyQuery.getByIdAsync(graphqlClient, ascKeyFragment.id);
-    return {
-        ascApiKey: {
-            keyP8: fullKey.keyP8,
-            keyId: fullKey.keyIdentifier,
-            issuerId: fullKey.issuerIdentifier,
-        },
-        teamId: ascKeyFragment.appleTeam?.appleTeamIdentifier,
-        teamName: ascKeyFragment.appleTeam?.appleTeamName ?? undefined,
-    };
-}
 function doUDIDsMatch(udidsA, udidsB) {
     const setA = new Set(udidsA);
     const setB = new Set(udidsB);

package/build/credentials/ios/actions/SetUpProvisioningProfile.d.ts

@@ -15,5 +15,15 @@ export declare class SetUpProvisioningProfile {
     createAndAssignProfileAsync(ctx: CredentialsContext, distCert: AppleDistributionCertificateFragment): Promise<IosAppBuildCredentialsFragment>;
     configureAndAssignProfileAsync(ctx: CredentialsContext, distCert: AppleDistributionCertificateFragment, originalProvisioningProfile: AppleProvisioningProfileFragment): Promise<IosAppBuildCredentialsFragment | null>;
     runAsync(ctx: CredentialsContext): Promise<IosAppBuildCredentialsFragment>;
+    /**
+     * The team type determines `team.inHouse`, which in turn selects the Apple profile
+     * type used for every subsequent profile lookup and creation (IOS_APP_INHOUSE for
+     * enterprise vs IOS_APP_STORE otherwise). We derive it from the distribution
+     * type, which is exactly what the requested operation needs: enterprise
+     * builds require an in-house team, other distribution types don't.
+     * A genuine team/distribution mismatch is rejected by Apple regardless of this value.
+     */
+    private getDerivedTeamTypeForAuthentication;
+    private resolveTeamTypeForAuthentication;
     private getCurrentProfileStoreInfo;
 }

package/build/credentials/ios/actions/SetUpProvisioningProfile.js

@@ -3,15 +3,18 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.SetUpProvisioningProfile = void 0;
 const tslib_1 = require("tslib");
 const nullthrows_1 = tslib_1.__importDefault(require("nullthrows"));
+const AscApiKeyUtils_1 = require("./AscApiKeyUtils");
 const BuildCredentialsUtils_1 = require("./BuildCredentialsUtils");
 const ConfigureProvisioningProfile_1 = require("./ConfigureProvisioningProfile");
 const CreateProvisioningProfile_1 = require("./CreateProvisioningProfile");
 const ProvisioningProfileUtils_1 = require("./ProvisioningProfileUtils");
 const SetUpDistributionCertificate_1 = require("./SetUpDistributionCertificate");
-const log_1 = require("../../../log");
+const generated_1 = require("../../../graphql/generated");
+const log_1 = tslib_1.__importStar(require("../../../log"));
 const target_1 = require("../../../project/ios/target");
 const prompts_1 = require("../../../prompts");
 const errors_1 = require("../../errors");
+const resolveCredentials_1 = require("../appstore/resolveCredentials");
 const authenticateTypes_1 = require("../appstore/authenticateTypes");
 const validateProvisioningProfile_1 = require("../validators/validateProvisioningProfile");
 /**
@@ -50,16 +53,31 @@ class SetUpProvisioningProfile {
     }
     async runAsync(ctx) {
         const distCert = await new SetUpDistributionCertificate_1.SetUpDistributionCertificate(this.app, this.distributionType).runAsync(ctx);
-        const areBuildCredentialsSetup = await this.areBuildCredentialsSetupAsync(ctx);
+        if (ctx.nonInteractive && !ctx.appStore.authCtx) {
+            await (0, AscApiKeyUtils_1.tryAuthenticateAppStoreWithEasAscApiKeyAsync)(ctx, this.app, this.resolveTeamTypeForAuthentication());
+        }
+        let areBuildCredentialsSetup;
+        try {
+            areBuildCredentialsSetup = await this.areBuildCredentialsSetupAsync(ctx);
+        }
+        catch (error) {
+            if (ctx.nonInteractive) {
+                log_1.default.warn('Skipping Provisioning Profile validation on Apple servers due to an unexpected validation error. Continuing with local validation result.');
+                log_1.default.debug('Provisioning profile validation on Apple servers failed:', error);
+                areBuildCredentialsSetup = true;
+            }
+            else {
+                throw error;
+            }
+        }
         if (areBuildCredentialsSetup) {
             return (0, nullthrows_1.default)(await (0, BuildCredentialsUtils_1.getBuildCredentialsAsync)(ctx, this.app, this.distributionType));
         }
         if (ctx.freezeCredentials) {
             throw new errors_1.ForbidCredentialModificationError('Provisioning profile is not configured correctly. Remove the --freeze-credentials flag to configure it.');
         }
-        else if (ctx.nonInteractive &&
-            ctx.appStore.defaultAuthenticationMode !== authenticateTypes_1.AuthenticationMode.API_KEY) {
-            throw new errors_1.InsufficientAuthenticationNonInteractiveError(`In order to configure your Provisioning Profile, authentication with an ASC API key is required in non-interactive mode. ${(0, log_1.learnMore)('https://docs.expo.dev/build/building-on-ci/#optional-provide-an-asc-api-token-for-your-apple-team')}`);
+        if (ctx.nonInteractive && !ctx.appStore.authCtx) {
+            throw new errors_1.InsufficientAuthenticationNonInteractiveError(`In order to configure your Provisioning Profile, authentication with an ASC API key is required in non-interactive mode. Either set the EXPO_ASC_API_KEY_PATH/EXPO_ASC_KEY_ID/EXPO_ASC_ISSUER_ID environment variables, or configure an App Store Connect API Key for submissions for bundle identifier ${this.app.bundleIdentifier} on EAS. ${(0, log_1.learnMore)('https://docs.expo.dev/build/building-on-ci/#optional-provide-an-asc-api-token-for-your-apple-team')}`);
         }
         const currentProfile = await (0, BuildCredentialsUtils_1.getProvisioningProfileAsync)(ctx, this.app, this.distributionType);
         if (!currentProfile) {
@@ -93,6 +111,22 @@ class SetUpProvisioningProfile {
         }
         return updatedProfile;
     }
+    /**
+     * The team type determines `team.inHouse`, which in turn selects the Apple profile
+     * type used for every subsequent profile lookup and creation (IOS_APP_INHOUSE for
+     * enterprise vs IOS_APP_STORE otherwise). We derive it from the distribution
+     * type, which is exactly what the requested operation needs: enterprise
+     * builds require an in-house team, other distribution types don't.
+     * A genuine team/distribution mismatch is rejected by Apple regardless of this value.
+     */
+    getDerivedTeamTypeForAuthentication() {
+        return this.distributionType === generated_1.IosDistributionType.Enterprise
+            ? authenticateTypes_1.AppleTeamType.IN_HOUSE
+            : authenticateTypes_1.AppleTeamType.COMPANY_OR_ORGANIZATION;
+    }
+    resolveTeamTypeForAuthentication() {
+        return (0, resolveCredentials_1.resolveAppleTeamTypeFromEnvironment)() ?? this.getDerivedTeamTypeForAuthentication();
+    }
     getCurrentProfileStoreInfo(profiles, currentProfile) {
         return (profiles.find(profile => currentProfile.developerPortalIdentifier
             ? currentProfile.developerPortalIdentifier === profile.provisioningProfileId

package/build/credentials/ios/appstore/resolveCredentials.d.ts

@@ -10,6 +10,7 @@ import { MinimalAscApiKey } from '../credentials';
 export declare function resolveUserCredentialsAsync(options: Partial<Auth.UserCredentials>): Promise<Partial<Auth.UserCredentials>>;
 export declare function hasAscEnvVars(): boolean;
 export declare function resolveAscApiKeyAsync(ascApiKey?: MinimalAscApiKey): Promise<MinimalAscApiKey>;
+export declare function resolveAppleTeamTypeFromEnvironment(): AppleTeamType | undefined;
 export declare function resolveAppleTeamAsync(options?: {
     teamId?: string;
     teamName?: string;

package/build/credentials/ios/appstore/resolveCredentials.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.resolveUserCredentialsAsync = resolveUserCredentialsAsync;
 exports.hasAscEnvVars = hasAscEnvVars;
 exports.resolveAscApiKeyAsync = resolveAscApiKeyAsync;
+exports.resolveAppleTeamTypeFromEnvironment = resolveAppleTeamTypeFromEnvironment;
 exports.resolveAppleTeamAsync = resolveAppleTeamAsync;
 exports.promptPasswordAsync = promptPasswordAsync;
 exports.deletePasswordAsync = deletePasswordAsync;