From f48df2a96823c3b8f8812fcb4f01f7bcaa9c9d56 Mon Sep 17 00:00:00 2001
From: chahinebrini <chahinebrini@gmail.com>
Date: Sat, 30 May 2026 09:46:38 +0200
Subject: [PATCH] chore(deploy): require ASC API-Key, drop
 app-specific-password fallback, brew-style spinner with live build action
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- removes APPLE_APP_SPECIFIC_PASSWORD legacy branches (it never worked for xcodebuild -exportArchive anyway, only altool-upload)
- ASC API-Key now hard-required via require_asc_api_key preflight (fails fast with clear msg + path hint)
- run_quiet: spinner now tails the build log and shows current action (Compiling X.swift, Linking, CodeSign, etc.) as live subtitle — feels like brew/homebrew progress
- .env.deploy.local.example: drop unused fallback section
---
 apps/rebreak-native/.env.deploy.local.example |   7 --
 apps/rebreak-native/deploy.sh                 | 113 ++++++++----------
 2 files changed, 51 insertions(+), 69 deletions(-)

diff --git a/apps/rebreak-native/.env.deploy.local.example b/apps/rebreak-native/.env.deploy.local.example
index 29be1a3..936c137 100644
--- a/apps/rebreak-native/.env.deploy.local.example
+++ b/apps/rebreak-native/.env.deploy.local.example
@@ -22,13 +22,6 @@ export ASC_API_KEY_ID="ABCDE12345"
 export ASC_API_KEY_ISSUER="69a6de70-XXXX-XXXX-XXXX-5bc36a4XXXXX"
 export ASC_API_KEY_PATH="$HOME/.appstoreconnect/private_keys/AuthKey_${ASC_API_KEY_ID}.p8"
 
-# ──────────────────────────────────────────────────────────────────────────
-# iOS — Fallback: App-Specific-Password (NUR für altool-Upload, NICHT für exportArchive)
-# ──────────────────────────────────────────────────────────────────────────
-# Generieren: https://appleid.apple.com → Sign-In and Security → App-Specific Passwords
-# export APPLE_ID_EMAIL="chahinebrini@gmail.com"
-# export APPLE_APP_SPECIFIC_PASSWORD="xxxx-xxxx-xxxx-xxxx"
-
 # ──────────────────────────────────────────────────────────────────────────
 # Android — Play Console Service Account
 # ──────────────────────────────────────────────────────────────────────────
diff --git a/apps/rebreak-native/deploy.sh b/apps/rebreak-native/deploy.sh
index b2b8ecb..70a6a35 100755
--- a/apps/rebreak-native/deploy.sh
+++ b/apps/rebreak-native/deploy.sh
@@ -39,9 +39,8 @@
 #     cp .env.deploy.local.example .env.deploy.local   # gitignored
 #     # einmalig editieren — deploy.sh source'd das automatisch
 #
-#   iOS TestFlight / Ad-Hoc (ein Weg reicht):
-#     - ASC_API_KEY_PATH + ASC_API_KEY_ID + ASC_API_KEY_ISSUER  (Pflicht für exportArchive)
-#     - APPLE_APP_SPECIFIC_PASSWORD                              (nur Fallback für altool-Upload)
+#   iOS TestFlight / Ad-Hoc:
+#     - ASC_API_KEY_PATH + ASC_API_KEY_ID + ASC_API_KEY_ISSUER (Pflicht)
 #   iOS MDM:
 #     - SSH-Access zu rebreak-mdm Server
 #   Android:
@@ -111,17 +110,30 @@ run_quiet() {
   fi
   local start=$SECONDS
   local spin='⠋⠙⠹⠸⠼⠴⠦⠧⠇⠏'
-  local i=0 pid elapsed frame
+  local i=0 pid elapsed frame subtitle
   ( "$@" >"$logfile" 2>&1 ) &
   pid=$!
   while kill -0 "$pid" 2>/dev/null; do
     elapsed=$((SECONDS - start))
     frame="${spin:i%10:1}"
     i=$((i + 1))
-    # \r + \033[K = carriage return + clear line to end
-    printf '\r\033[K%s %s==>%s %s %s(%ds)%s' \
-      "$frame" "$BLUE" "$RESET" "$label" "$YELLOW" "$elapsed" "$RESET" >&2
-    sleep 0.1
+    # Pull latest meaningful build action from log (last 20 lines, filtered)
+    subtitle=""
+    if [[ -f "$logfile" ]]; then
+      subtitle=$(tail -20 "$logfile" 2>/dev/null \
+        | grep -aE '^(Compiling|CompileSwift|CompileC|Linking|Ld|Touch|CodeSign|ProcessProductPackaging|ExtractAppIntentsMetadata|Validate|Archive|GenerateAssetSymbols|CopySwiftLibs|PhaseScriptExecution|> Task|BUILD|\[CP|\[Pods)' \
+        | tail -1 \
+        | sed -E 's|.*/||; s|\(.*||' \
+        | cut -c1-60)
+    fi
+    if [[ -n "$subtitle" ]]; then
+      printf '\r\033[K%s %s==>%s %s %s(%ds)%s  ↳ %s' \
+        "$frame" "$BLUE" "$RESET" "$label" "$YELLOW" "$elapsed" "$RESET" "$subtitle" >&2
+    else
+      printf '\r\033[K%s %s==>%s %s %s(%ds)%s' \
+        "$frame" "$BLUE" "$RESET" "$label" "$YELLOW" "$elapsed" "$RESET" >&2
+    fi
+    sleep 0.2
   done
   wait "$pid"
   local rc=$?
@@ -247,7 +259,6 @@ WORKSPACE="$IOS_DIR/ReBreak.xcworkspace"
 SCHEME="ReBreak"
 
 APPLE_ID_EMAIL="${APPLE_ID_EMAIL:-chahinebrini@gmail.com}"
-APPLE_APP_SPECIFIC_PASSWORD="${APPLE_APP_SPECIFIC_PASSWORD:-}"
 ASC_API_KEY_PATH="${ASC_API_KEY_PATH:-}"
 ASC_API_KEY_ID="${ASC_API_KEY_ID:-}"
 ASC_API_KEY_ISSUER="${ASC_API_KEY_ISSUER:-}"
@@ -259,6 +270,23 @@ xcodebuild_auth_args() {
   fi
 }
 
+# Preflight check for ASC API-Key — fails fast with clear message before xcodebuild starts
+require_asc_api_key() {
+  local missing=()
+  [[ -n "$ASC_API_KEY_ID" ]]     || missing+=("ASC_API_KEY_ID")
+  [[ -n "$ASC_API_KEY_ISSUER" ]] || missing+=("ASC_API_KEY_ISSUER")
+  [[ -n "$ASC_API_KEY_PATH" ]]   || missing+=("ASC_API_KEY_PATH")
+  if (( ${#missing[@]} > 0 )); then
+    die "iOS Signing braucht ASC API-Key. Fehlt: ${missing[*]}
+→ Editiere apps/rebreak-native/.env.deploy.local (siehe .env.deploy.local.example)"
+  fi
+  if [[ ! -f "$ASC_API_KEY_PATH" ]]; then
+    die "ASC API-Key Datei existiert nicht: $ASC_API_KEY_PATH
+→ Lade .p8 von https://appstoreconnect.apple.com/access/integrations/api
+→ Lege ab unter: $ASC_API_KEY_PATH"
+  fi
+}
+
 PLAY_SERVICE_ACCOUNT_JSON="${PLAY_SERVICE_ACCOUNT_JSON:-$HOME/secrets/rebreak-play-service-account.json}"
 
 mkdir -p "$LOG_DIR" 2>/dev/null || true
@@ -467,6 +495,7 @@ deploy_mdm() {
   command -v scp >/dev/null 2>&1 || die "scp nicht gefunden"
   [[ -f "$ADHOC_EXPORT_OPTIONS" ]] || die "ExportOptions nicht gefunden: $ADHOC_EXPORT_OPTIONS"
   [[ -d "$IOS_DIR" ]] || die "ios/ nicht gefunden — expo prebuild zuerst ausführen"
+  require_asc_api_key
   
   log "Prüfe SSH-Verbindung zu $MDM_SERVER..."
   if ! ssh -o ConnectTimeout=10 -o BatchMode=yes "$MDM_SERVER" "echo ok" >/dev/null 2>&1; then
@@ -530,32 +559,10 @@ deploy_testflight() {
   command -v xcodebuild >/dev/null 2>&1 || die "xcodebuild nicht gefunden"
   command -v xcrun >/dev/null 2>&1 || die "xcrun nicht gefunden"
   [[ -f "$TF_EXPORT_OPTIONS" ]] || die "ExportOptions nicht gefunden: $TF_EXPORT_OPTIONS"
+  require_asc_api_key
   
-  # Auth
-  local AUTH_MODE=""
-  if [[ -n "$ASC_API_KEY_PATH" && -n "$ASC_API_KEY_ID" && -n "$ASC_API_KEY_ISSUER" ]]; then
-    AUTH_MODE="api-key"
-    [[ -f "$ASC_API_KEY_PATH" ]] || die "ASC API-Key nicht gefunden: $ASC_API_KEY_PATH"
-    log "Auth: ASC API-Key ($ASC_API_KEY_ID)"
-  elif [[ -n "$APPLE_APP_SPECIFIC_PASSWORD" ]]; then
-    AUTH_MODE="app-specific-password"
-    log "Auth: App-Specific-Password ($APPLE_ID_EMAIL)"
-  else
-    die "Kein Auth konfiguriert.
-
-Benötigt einen der folgenden Auth-Wege:
-
-Option A — App-Specific-Password:
-  export APPLE_ID_EMAIL=chahinebrini@gmail.com
-  export APPLE_APP_SPECIFIC_PASSWORD=xxxx-xxxx-xxxx-xxxx
-  Passwort generieren: https://appleid.apple.com → Sicherheit
-
-Option B — ASC API-Key (besser für CI):
-  export ASC_API_KEY_PATH=/pfad/zu/AuthKey_ABCDE12345.p8
-  export ASC_API_KEY_ID=ABCDE12345
-  export ASC_API_KEY_ISSUER=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-  Key erstellen: https://appstoreconnect.apple.com → Users → Integrations"
-  fi
+  # Auth — require_asc_api_key bereits im Preflight oben gelaufen
+  log "Auth: ASC API-Key ($ASC_API_KEY_ID)"
   
   # Archive lokalisieren
   local USED_ARCHIVE="$ARCHIVE_PATH"
@@ -589,40 +596,22 @@ Entweder:
   
   # Validate
   if ! $SKIP_VALIDATE; then
-    if [[ "$AUTH_MODE" == "api-key" ]]; then
-      run_quiet "Validating IPA (App-Store Connect)" "$LOG_DIR/tf-validate-$TIMESTAMP.log" \
-        xcrun altool --validate-app \
-        -f "$TF_IPA" \
-        -t ios \
-        --apiKey "$ASC_API_KEY_ID" \
-        --apiIssuer "$ASC_API_KEY_ISSUER"
-    else
-      run_quiet "Validating IPA (App-Store Connect)" "$LOG_DIR/tf-validate-$TIMESTAMP.log" \
-        xcrun altool --validate-app \
-        -f "$TF_IPA" \
-        -t ios \
-        -u "$APPLE_ID_EMAIL" \
-        -p "$APPLE_APP_SPECIFIC_PASSWORD"
-    fi
-  fi
-  
-  # Upload
-  if [[ "$AUTH_MODE" == "api-key" ]]; then
-    run_quiet "Uploading zu App-Store Connect (TestFlight)" "$LOG_DIR/tf-upload-$TIMESTAMP.log" \
-      xcrun altool --upload-app \
+    run_quiet "Validating IPA (App-Store Connect)" "$LOG_DIR/tf-validate-$TIMESTAMP.log" \
+      xcrun altool --validate-app \
       -f "$TF_IPA" \
       -t ios \
       --apiKey "$ASC_API_KEY_ID" \
       --apiIssuer "$ASC_API_KEY_ISSUER"
-  else
-    run_quiet "Uploading zu App-Store Connect (TestFlight)" "$LOG_DIR/tf-upload-$TIMESTAMP.log" \
-      xcrun altool --upload-app \
-      -f "$TF_IPA" \
-      -t ios \
-      -u "$APPLE_ID_EMAIL" \
-      -p "$APPLE_APP_SPECIFIC_PASSWORD"
   fi
   
+  # Upload
+  run_quiet "Uploading zu App-Store Connect (TestFlight)" "$LOG_DIR/tf-upload-$TIMESTAMP.log" \
+    xcrun altool --upload-app \
+    -f "$TF_IPA" \
+    -t ios \
+    --apiKey "$ASC_API_KEY_ID" \
+    --apiIssuer "$ASC_API_KEY_ISSUER"
+  
   ok "TestFlight-Deploy abgeschlossen"
   echo ""
   echo "  IPA erscheint automatisch in Internal Testing"