Skip to content

feat(ios): automate App Store release build, signing, and upload#1165

Merged
aaylward merged 1 commit into
mainfrom
claude/grpc-1.82-upgrade-oy0edw
Jul 4, 2026
Merged

feat(ios): automate App Store release build, signing, and upload#1165
aaylward merged 1 commit into
mainfrom
claude/grpc-1.82-upgrade-oy0edw

Conversation

@aaylward

@aaylward aaylward commented Jul 4, 2026

Copy link
Copy Markdown
Collaborator

Summary

Follow-up to #1164. Makes the wordchains-ios release pipeline produce an App-Store-valid artifact the moment the Apple account secrets are configured — until then everything degrades gracefully with warnings.

  • Device build: the release previously shipped an arm64 simulator app (bazel-out/ios_sim_arm64-...) zipped as an "IPA", which App Store Connect would reject. With signing available, the build now uses --ios_multi_cpus=arm64.
  • Code-signing scaffolding: when IOS_DISTRIBUTION_CERT_P12 / IOS_DISTRIBUTION_CERT_PASSWORD / IOS_PROVISIONING_PROFILE are set, the workflow imports the cert into a throwaway keychain (cleaned up in an always() step) and decodes the profile to wordchains_ios/WordChains.mobileprovision, where a new :provisioning_profile filegroup feeds ios_application behind --define=ios_release_signing=true. *.mobileprovision is gitignored. Without the secrets, the workflow falls back to the previous unsigned simulator build so releases stay green pre-setup.
  • Bazel-produced IPA: the release artifact is now the signed WordChains.ipa that rules_apple emits, replacing the hand-zipped Payload/ (which broke the code signature).
  • Modern upload: xcrun altool --upload-app (deprecated) → fastlane pilot upload (preinstalled on GitHub macOS runners), with the App Store Connect API key JSON assembled from the existing three secrets. Uploads land in TestFlight; review submission stays manual for now.
  • Docs: docs/RELEASE.md refreshed — Bazel 9 supported (no USE_BAZEL_VERSION=8.2.1), the real reason for the manual tags, the signing wiring, and the TestFlight flow.

What still needs a human

Apple Developer enrollment, the App Store Connect app record + metadata + icon, and generating the certificates/API key (RELEASE.md TODOs 1–5). Once those secrets exist, the pipeline is end-to-end automatic through TestFlight.

Testing

CI exercises the simulator path (test-ios builds/tests the same targets). The signed device path can't be exercised until the secrets exist — flagged in RELEASE.md as a first-release check, including possible explicit entitlements if profile-derived entitlements aren't enough.

🤖 Generated with Claude Code

https://claude.ai/code/session_01Jw99o89a2UYe9NKLE9zGUx


Generated by Claude Code

Fixes the release pipeline so it produces an App-Store-valid artifact
once the Apple account secrets are configured:

- Device build: release now builds --ios_multi_cpus=arm64 when signing
  is available; the previous pipeline shipped an arm64 *simulator* app
  (bazel-out/ios_sim_arm64-...), which App Store Connect rejects.
- Code signing scaffolding: the workflow imports the distribution cert
  (IOS_DISTRIBUTION_CERT_P12/_PASSWORD) into a throwaway keychain and
  decodes IOS_PROVISIONING_PROFILE next to the BUILD file, where a new
  :provisioning_profile filegroup picks it up behind
  --define=ios_release_signing=true. Without secrets it falls back to
  the unsigned simulator build with a warning, so releases stay green
  pre-setup. *.mobileprovision is gitignored.
- Use the signed IPA that rules_apple emits instead of hand-zipping the
  .app into a Payload (which broke the code signature).
- Upload via fastlane pilot (preinstalled on GitHub macOS runners)
  using an App Store Connect API key JSON assembled from the existing
  secrets; altool --upload-app is deprecated.
- Refresh docs/RELEASE.md: Bazel 9 is supported now (no more
  USE_BAZEL_VERSION=8.2.1), document the real reason for the manual
  tags, the signing wiring, and the TestFlight flow.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Jw99o89a2UYe9NKLE9zGUx
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
1d4-web b1c6cef Commit Preview URL

Branch Preview URL
Jul 04 2026, 07:29 PM

@aaylward aaylward merged commit 87dfd70 into main Jul 4, 2026
12 checks passed
@aaylward aaylward deleted the claude/grpc-1.82-upgrade-oy0edw branch July 4, 2026 19:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants