[GH-ISSUE #734] feat(signing): Phase 2 create-missing profile reconciliation + write-back #200

Closed
opened 2026-02-26 21:33:59 +03:00 by kerem · 1 comment
Owner

Originally created by @rudrankriyam on GitHub (Feb 23, 2026).
Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/734

Depends on

  • #PHASE1

Problem

Phase 1 enables readonly bootstrap from a pre-populated signing repo, but teams still need a write path to keep profiles current.

Phase 2 Goal

Extend asc signing sync with profile reconciliation and create-missing write-back (still Git-only backend), while keeping operations deterministic and non-interactive.

Proposed CLI (Phase 2)

~~~bash
asc signing sync \
  --bundle-id com.example.app \
  --profile-type IOS_APP_DEVELOPMENT \
  --git-url "git@github.com:org/signing.git" \
  --git-branch main \
  --create-missing \
  --device "UDID1,UDID2" \
  --passphrase-env ASC_SIGNING_PASSPHRASE \
  --output ./signing
~~~

New behavior flags

  • --create-missing (create profile if no active matching profile exists)
  • --device (required for development-style profiles when creating)
  • optional: --commit-message override for write-back commit

Scope

  1. Add profile reconciliation logic against current ASC state.
  2. Detect active matching profile by bundle ID + profile type.
  3. If missing and --create-missing set, create profile with selected certificates/devices.
  4. Store newly created/updated profile in encrypted Git store and push commit.
  5. Preserve readonly behavior when --readonly is set.

Implementation Notes

  • Reuse existing client methods and validation patterns from profiles and signing fetch.
  • Ensure pagination is handled consistently for profile/certificate lookups.
  • Keep deterministic repo layout and commit payloads.
  • No silent mutation: write path must be explicit (--create-missing) and auditable.

Test Plan (TDD)

  • Validation tests:
    • --create-missing + development profile without --device -> exit code 2
    • readonly + create-missing combination should error clearly
  • Reconciliation tests:
    • existing active profile found -> no create, no push
    • missing profile + create-missing -> create + push path
  • API interaction tests:
    • certificate/profile pagination correctness
  • Git write tests:
    • deterministic commit content
    • push failure handling with actionable errors

Always run:

  • make format
  • make lint
  • ASC_BYPASS_KEYCHAIN=1 make test

Acceptance Criteria

  • --create-missing write path works for profiles.
  • Readonly mode never creates/pushes.
  • Device requirements for development profiles are validated.
  • Deterministic, test-covered write-back behavior.
  • Tests and lint/format pass.

Out of Scope (Phase 3+)

  • Certificate creation/renewal lifecycle.
  • .p12 keychain import/install flow.
  • Password rotation/import/migration commands.
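The flag validation and reconciliation rules from the Scope and Test Plan above, as an added Go sketch that is not the project's own code. `Options`, `Profile`, `Validate`, `Plan`, the action names, the "report-missing" fallback, and treating profile types ending in `_DEVELOPMENT` as development-style are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Options and Profile are hypothetical types, not the CLI's real structs.
type Options struct {
	BundleID, ProfileType   string
	CreateMissing, ReadOnly bool
	Devices                 []string
}
type Profile struct{ BundleID, Type, State string }

// ErrUsage marks flag errors; the caller maps it to exit code 2.
var ErrUsage = errors.New("usage error")

// Validate rejects bad flag combinations before any API or Git access.
func Validate(o Options) error {
	if o.ReadOnly && o.CreateMissing {
		return fmt.Errorf("%w: --readonly cannot be combined with --create-missing", ErrUsage)
	}
	// Assumption: "development-style" means the type ends in _DEVELOPMENT.
	if o.CreateMissing && strings.HasSuffix(o.ProfileType, "_DEVELOPMENT") && len(o.Devices) == 0 {
		return fmt.Errorf("%w: --device is required to create a %s profile", ErrUsage, o.ProfileType)
	}
	return nil
}

// Plan returns the ordered actions for one sync run. Mutating actions
// appear only when --create-missing is set and no active match exists.
func Plan(o Options, remote []Profile) ([]string, error) {
	if err := Validate(o); err != nil {
		return nil, err
	}
	for _, p := range remote {
		if p.BundleID == o.BundleID && p.Type == o.ProfileType && p.State == "ACTIVE" {
			return []string{"use-existing"}, nil // no create, no push
		}
	}
	if !o.CreateMissing {
		return []string{"report-missing"}, nil // assumed non-mutating fallback
	}
	return []string{"create-profile", "encrypt-store", "commit", "push"}, nil
}

func main() {
	fmt.Println(Plan(Options{BundleID: "com.example.app", ProfileType: "IOS_APP_DEVELOPMENT", CreateMissing: true}, nil))
}
```

Keeping the decision in a pure function lets the "readonly never creates/pushes" criterion be asserted without touching the API or the Git remote.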
kerem 2026-02-26 21:33:59 +03:00
Author
Owner

@rudrankriyam commented on GitHub (Feb 26, 2026):

Closing for now due to scope/priority. We can reopen when this work is prioritized again.

Reference
starred/App-Store-Connect-CLI#200