[eas-cli] Add --refresh-distribution-certificate for non-intractive builds#3739
Open
sswrk wants to merge 2 commits into
Conversation
Contributor
Author
This stack of pull requests is managed by Graphite. Learn more about stacking. |
sswrk
changed the title
--refresh-distribution-certificate for non-intractive builds
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## szymonswierk/eng-7041-allow-including-all-eas-registered-devices-automatically-in #3739 +/- ##
=====================================================================================================================
+ Coverage 56.88% 57.00% +0.12%
=====================================================================================================================
Files 904 904
Lines 39177 39217 +40
Branches 8202 8215 +13
=====================================================================================================================
+ Hits 22283 22352 +69
+ Misses 15422 15395 -27
+ Partials 1472 1470 -2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
Subscribed to pull request
Generated by CodeMention |
sswrk
force-pushed
the
szymonswierk/eng-21330-make-it-possible-to-refresh-a-distribution-certificate-in
branch
from
763d237 to
1e21106
Compare
sswrk
force-pushed
the
szymonswierk/eng-7041-allow-including-all-eas-registered-devices-automatically-in
branch
2 times, most recently
from
701b7d7 to
4c939d9
Compare
sswrk
force-pushed
the
szymonswierk/eng-21330-make-it-possible-to-refresh-a-distribution-certificate-in
branch
2 times, most recently
from
354509c to
e1e9a7e
Compare
quinlanj
approved these changes
May 21, 2026
Member
quinlanj
left a comment
quinlanj
left a comment
There was a problem hiding this comment.
lgtm. I'm surprised this was a feature people asked for because the number of dist certs apple lets you have in your account is very low (2-3 max)
| return currentCertificate; | ||
| } | ||
|
|
||
| Log.warn('Current distribution certificate is invalid. Creating a new one...'); |
Member
There was a problem hiding this comment.
move this log.warn to when we actually create a new cert, since it's possible we could reuse
Suggested change
| Log.warn('Current distribution certificate is invalid. Creating a new one...'); |
| Log.log(`Reusing distribution certificate with serial number ${cert.serialNumber}`); | ||
| return cert; | ||
| } | ||
| return await this.createNewDistCertAsync(ctx); |
Member
There was a problem hiding this comment.
Suggested change
| return await this.createNewDistCertAsync(ctx); | |
| Log.warn('Current distribution certificate is invalid. Creating a new one...'); | |
| return await this.createNewDistCertAsync(ctx); |
sswrk
force-pushed
the
szymonswierk/eng-7041-allow-including-all-eas-registered-devices-automatically-in
branch
from
d20291d to
d4b4bf6
Compare
sswrk
force-pushed
the
szymonswierk/eng-21330-make-it-possible-to-refresh-a-distribution-certificate-in
branch
from
e1e9a7e to
6436e27
Compare
|
✅ Thank you for adding the changelog entry! |
sswrk
changed the base branch from
szymonswierk/eng-7041-allow-including-all-eas-registered-devices-automatically-in
to
graphite-base/3739
This was referenced May 21, 2026
sjchmiela
approved these changes
May 22, 2026
| throw new Error( | ||
| 'No App Store Connect API Key found for distribution certificate refresh. In non-interactive mode, provide one via:\n' + | ||
| ' - Environment variables: EXPO_ASC_API_KEY_PATH, EXPO_ASC_KEY_ID, EXPO_ASC_ISSUER_ID\n' + | ||
| ' - EAS credentials service: configure an App Store Connect API Key for submissions on this app' |
Contributor
There was a problem hiding this comment.
ugh it's still weird to me we're saying to use key for submissions to generate certificates
Comment on lines
+94
to
+95
| if (await this.isCurrentCertificateValidAsync(ctx, currentCertificate)) { | ||
| assert(currentCertificate, 'currentCertificate is defined here'); |
Contributor
There was a problem hiding this comment.
Suggested change
| if (await this.isCurrentCertificateValidAsync(ctx, currentCertificate)) { | |
| assert(currentCertificate, 'currentCertificate is defined here'); | |
| if (currentCertificate && await this.isCurrentCertificateValidAsync(ctx, currentCertificate)) { |
this makes more sense to me?
| Log.log(`Reusing distribution certificate with serial number ${cert.serialNumber}`); | ||
| return cert; | ||
| } | ||
| return await this.createNewDistCertAsync(ctx); |
Contributor
There was a problem hiding this comment.
how likely is that we're going to hit
often? can we do something about it?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
When there's no valid distribution certificate associated with an app, and a non-interactive development build is run (e.g. invoked by CI or by a workflow job), even without the freeze-credentials flag, the distribution certificate is not validated or refreshed, which may fail the internal build and require doing manual
eas buildto create a new certificate. See the Linear issue: https://linear.app/expo/issue/ENG-21330/make-it-possible-to-refresh-a-distribution-certificate-in-nonHow
Added an opt-in distribution certificate refresh to non-interactive builds with flag
--refresh-distribution-certificate.When the flag is present, we hit www GQL API to get the ASC API key (the submission key), and we distribution certificate validation or set-up if needed.
packages/eas-cli/src/credentials/ios/actions/SetUpDistributionCertificate.tsis where this logic happens.The flag mustn't be present when
--freeze-credentialsis present, these are conflicting flags.I'm leaning towards an opt-in flag instead of extending the default behavior because of the extra credentials configuration requirements and side effects of the distribution certificate refresh logic.
Test Plan
Added unit tests.
Manual verification:
easd build --platform ios --profile development --non-interactive --refresh-distribution-certificatein the following scenarios, verified it works:easd build --platform ios --profile development --non-interactive --refresh-distribution-certificate --refresh-ad-hoc-provisioning-profile, verified the ASC API key got resolved just once.