Skip to content

mob.provision: App Store Connect API key for headless / unattended provisioning#31

Merged
GenericJam merged 1 commit into
masterfrom
feat/provision-asc-api-key
Jul 5, 2026
Merged

mob.provision: App Store Connect API key for headless / unattended provisioning#31
GenericJam merged 1 commit into
masterfrom
feat/provision-asc-api-key

Conversation

@GenericJam

Copy link
Copy Markdown
Owner

Why

mix mob.provision authenticates xcodebuild -allowProvisioningUpdates via the signed-in Xcode Apple ID account (Xcode → Settings → Accounts). That account is per-macOS-user and GUI-only, so an unattended user — a CI runner, or an isolated headless agent account with no GUI login — can register the signing identity but cannot provision (create/refresh profiles, register devices). The concrete driver: enabling a headless claude agent user to provision iOS apps, which today only the GUI kevin account can do.

What

Add an App Store Connect API key auth path, selected by env vars:

  • MOB_ASC_KEY_ID, MOB_ASC_ISSUER_ID, MOB_ASC_KEY_PATHxcodebuild -authenticationKeyID / -authenticationKeyIssuerID / -authenticationKeyPath

asc_auth_args/1 is pure + @doc false + tested:

  • none set[] — falls back to the signed-in Xcode account (existing behavior, unchanged for interactive users).
  • all three → the three flags, in order.
  • partial → raises, naming what's set vs missing (a half-set key silently reverting to account auth is a confusing "why is it still asking for Xcode?").
  • empty-string values count as unset.

Plus an early .p8-existence check (clear error vs an opaque xcodebuild failure).

Scoped to mob.provision only — the native device build signs directly with codesign + an existing profile (no -allowProvisioningUpdates), so it needs the keychain + profile, not the API key.

Docs / tests / decision

  • moduledoc: new "Headless / unattended provisioning (App Store Connect API key)" section.
  • 4 new tests on asc_auth_args/1 (none/all/empty/partial). Full provision suite green (13); format / credo --strict / compile clean.
  • ADR: decisions/2026-07-05-asc-api-key-provisioning.md.

Note

This is the framework half. Using it on a headless account also requires the signing identity in an unlocked keychain (the API key only authorizes the Apple-contact step, not codesign) — that's environment setup, out of scope for this PR.

🤖 Generated with Claude Code

mix mob.provision authenticated xcodebuild -allowProvisioningUpdates via the
signed-in Xcode Apple ID account, which is per-user + GUI-only — so an unattended
user (CI, or a headless agent account with no GUI login) could register the
signing identity but never provision.

Add an App Store Connect API key path selected by env: MOB_ASC_KEY_ID /
MOB_ASC_ISSUER_ID / MOB_ASC_KEY_PATH → xcodebuild -authenticationKeyID /
-authenticationKeyIssuerID / -authenticationKeyPath. Pure asc_auth_args/1
(tested): none set => [] (account auth, unchanged); all three => the flags;
partial => raises naming what's missing; empty string counts as unset. Early
.p8 existence check for a clear error. Scoped to mob.provision only — the device
build signs directly with codesign + an existing profile, so it needs no key.

Docs: moduledoc "Headless / unattended provisioning" section. ADR:
decisions/2026-07-05-asc-api-key-provisioning.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@GenericJam GenericJam merged commit 1016b0d into master Jul 5, 2026
3 checks passed
GenericJam added a commit that referenced this pull request Jul 5, 2026
Ships the mob.provision ASC-API-key path (#31) so a headless/agent account can
provision without an interactive Xcode Apple ID account.

Also renames the env vars from MOB_ASC_* to the standard App Store Connect
naming before the feature's first release (MOB_ASC_* never shipped):
  APP_STORE_CONNECT_KEY_ID / APP_STORE_CONNECT_ISSUER_ID / APP_STORE_CONNECT_API_KEY_PATH

Bumps mix.exs 0.6.17 -> 0.6.18 and adds the CHANGELOG section.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant