Skip to content

[eas-cli] Validate/regenerate/create provisioning profile in non-interactive iOS builds using submission ASC API key when present#3805

Open
sswrk wants to merge 1 commit into
mainfrom
szymonswierk/non-interactive-build-provisioning-profile-validationa-and-refresh-best-effort
Open

[eas-cli] Validate/regenerate/create provisioning profile in non-interactive iOS builds using submission ASC API key when present#3805
sswrk wants to merge 1 commit into
mainfrom
szymonswierk/non-interactive-build-provisioning-profile-validationa-and-refresh-best-effort

Conversation

@sswrk
Copy link
Copy Markdown
Contributor

@sswrk sswrk commented May 29, 2026
edited
Loading

Why

Many projects already configure an App Store Connect API key in EAS credentials for submissions, but non-interactive iOS App Store and Enterprise builds (eas build --non-interactive) could not use that key when validating or repairing provisioning profiles on Apple servers. Instead, CI had to provide EXPO_ASC_* environment variables separately, even when a usable key was already stored on EAS.

This makes non-interactive credential setup more convenient by reusing the EAS-stored submission ASC API key for App Store and Enterprise profile validation and repair.

How

  • Added tryAuthenticateAppStoreWithEasAscApiKeyAsync in AscApiKeyUtils.ts — a best-effort, non-throwing helper that authenticates ctx.appStore in non-interactive mode using:
    1. EXPO_ASC_API_KEY_PATH / EXPO_ASC_KEY_ID / EXPO_ASC_ISSUER_ID environment variables, or
    2. The App Store Connect API key configured for submissions on the app in EAS credentials.
  • In SetUpProvisioningProfile.runAsync, call this helper before Apple-side validation when running non-interactively without an existing auth context.
  • Use actual authentication state (ctx.appStore.authCtx) instead of startup defaultAuthenticationMode when deciding whether Apple authentication is available in SetUpProvisioningProfile, CreateProvisioningProfile, and ConfigureProvisioningProfile.
  • In non-interactive mode, treat unexpected Apple validation errors as best-effort: log a warning and continue rather than failing the build.
  • Extracted shared resolveAscApiKeyForAppCredentialsAsync (previously duplicated in SetUpAdhocProvisioningProfile) for reuse across credential flows.
  • Derive the AppleTeamType for profile operations from the distribution type (IN_HOUSE for enterprise, COMPANY_OR_ORGANIZATION otherwise), with EXPO_APPLE_TEAM_TYPE override.
  • Updated error messages to mention both EXPO_ASC_* environment variables and EAS-stored ASC API keys.

Out of scope: ad-hoc provisioning profile refresh (opt-in, handled separately via --refresh-ad-hoc-provisioning-profile).

Test Plan

  • Added unit tests for auto-authentication, team type resolution, best-effort validation skip, and missing-auth paths in SetUpProvisioningProfile-test.ts.
  • Tested manually:
    • Run an interactive iOS production build and create a provisioning profile
    • Confirm non-interactive build works with that profile
    • Revoke the provisioning profile in the Apple Developer portal
    • Confirm non-interactive build succeeds and the profile is repaired when the submission ASC API key is configured in app credentials (easd build --platform ios --profile production --non-interactive)

@codecov
Copy link
Copy Markdown

codecov Bot commented May 29, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 83.63636% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.42%. Comparing base (b5592e1) to head (15311b5).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
...-cli/src/credentials/ios/actions/AscApiKeyUtils.ts 68.97% 8 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3805      +/-   ##
==========================================
+ Coverage   57.39%   57.42%   +0.04%     
==========================================
  Files         909      909              
  Lines       39386    39417      +31     
  Branches     8247     8251       +4     
==========================================
+ Hits        22603    22633      +30     
  Misses      15316    15316              
- Partials     1467     1468       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@sswrk sswrk force-pushed the szymonswierk/non-interactive-build-provisioning-profile-validationa-and-refresh-best-effort branch from 7f69e93 to 622d427 Compare May 29, 2026 15:41
@sswrk sswrk changed the title [eas-cli] Best-effort provisioning profile refresh with ASC API key in non-interactive iOS build [eas-cli] Best-effort provisioning profile validation/refresh with ASC API key in non-interactive iOS build May 29, 2026
@sswrk sswrk changed the title [eas-cli] Best-effort provisioning profile validation/refresh with ASC API key in non-interactive iOS build [eas-cli] Validate/regenerate/create provisioning profile in non-interactive iOS builds using submission ASC API key when present May 29, 2026
@sswrk sswrk force-pushed the szymonswierk/non-interactive-build-provisioning-profile-validationa-and-refresh-best-effort branch from 622d427 to 012e745 Compare May 29, 2026 16:53
@sswrk sswrk force-pushed the szymonswierk/non-interactive-build-provisioning-profile-validationa-and-refresh-best-effort branch from 012e745 to 15311b5 Compare May 29, 2026 16:59
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 29, 2026

✅ Thank you for adding the changelog entry!

sswrk
sswrk commented May 29, 2026
View reviewed changes
Comment thread packages/eas-cli/src/credentials/ios/actions/SetUpProvisioningProfile.ts
Comment on lines +191 to +203
/**
* The team type determines `team.inHouse`, which in turn selects the Apple profile
* type used for every subsequent profile lookup and creation (IOS_APP_INHOUSE for
* enterprise vs IOS_APP_STORE otherwise). We derive it from the distribution
* type, which is exactly what the requested operation needs: enterprise
* builds require an in-house team, other distribution types don't.
* A genuine team/distribution mismatch is rejected by Apple regardless of this value.
*/
private getDerivedTeamTypeForAuthentication(): AppleTeamType {
return this.distributionType === IosDistributionType.Enterprise
? AppleTeamType.IN_HOUSE
: AppleTeamType.COMPANY_OR_ORGANIZATION;
}
Copy link
Copy Markdown
Contributor Author

@sswrk sswrk May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally, I would prefer to load the apple team type along the ASC API key from the www API. However, this would be unreliable as more then 95% apple team records don't have it specified.

@sswrk sswrk marked this pull request as ready for review May 29, 2026 17:22
@sswrk sswrk requested review from quinlanj and sjchmiela May 29, 2026 17:22
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 29, 2026

Subscribed to pull request

File Patterns Mentions
**/* @douglowder

Generated by CodeMention

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sjchmiela sjchmiela Awaiting requested review from sjchmiela

@quinlanj quinlanj Awaiting requested review from quinlanj

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sswrk