Auto build number from App Store Connect

[evgeniyChepelev]

Summary:
• Query App Store Connect API before each build to get the latest uploaded build number for the current version
• Set new build number to latest + 1 automatically (starts from 1 if no builds exist yet)
• On merge to main, post a comment on the merge commit with version, build number, and iOS/tvOS build status
• Fixed CodeQL code injection warning — step outputs are passed via env: instead of being interpolated directly into • JavaScript

Summary by CodeRabbit

• Chores
  • Added manual triggering support to the TestFlight build workflow.
  • Implemented automatic detection and management of build numbers using the latest App Store Connect upload when available.
  • Added notifications on merges that include TestFlight version/build info and iOS/tvOS status badges.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a5e6a879-0ae4-43b2-a102-0277613ccb76

📥 Commits

Reviewing files that changed from the base of the PR and between ba6dcdd and ea5013a.

📒 Files selected for processing (1)

• .github/workflows/testflight.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/testflight.yml

---

📝 Walkthrough

Walkthrough

Adds manual workflow dispatch, fetches the latest App Store Connect build to compute/increment build numbers (with override support), and adds a job that comments merge commits with TestFlight version/build info and platform badges.

Changes

Cohort / File(s)	Summary
TestFlight workflow .github/workflows/testflight.yml	Add workflow_dispatch trigger; treat workflow_dispatch like push in pre-step; query App Store Connect for latest uploaded pre-release build and export latest-build; robustly compute build-number (override → increment latest → '1'); add notify-merge job to post merge comments with version/build and iOS/tvOS badges.

Sequence Diagram(s)

sequenceDiagram
  participant GH as GitHub Actions
  participant Runner as CI Runner
  participant ASC as App Store Connect API
  participant Repo as GitHub Repo (Comments)

  GH->>Runner: trigger job (push or workflow_dispatch)
  Runner->>Runner: determine ref/version, enable uploads
  Runner->>ASC: GET latest uploaded build for pre-release version
  ASC-->>Runner: 200 + latest build OR non-200 (abort)
  alt latest build available
    Runner->>Runner: compute build-number (override? use override : increment latest)
  else no latest build
    Runner->>Runner: compute build-number = '1' or override
  end
  Runner->>Repo: if push merge commit -> post comment with version/build and badges
  Repo-->>Runner: comment posted

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• Derive marketing version from git tags instead of Xcode project #89: Modifies the TestFlight workflow's ref/version derivation and pre-step handling for different trigger types.
• Ci/cd scripts #69: Updates the same workflow's gate/build/notify logic and interacts with build-number/version resolution.
• ci: add widget build, tvOS TestFlight, and issue_comment trigger #97: Touches finalize/pre steps and notification/commenting logic in the TestFlight workflow.

Suggested reviewers

• pappz
• mlsmaycon

Poem

🐰 I hopped into CI with a curious twitch,
Pulled the latest build from App Store's ditch,
Counted the numbers, bumped them with care,
Left a badge on the merge for all to share. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: automatically determining build numbers from App Store Connect, which is the primary feature added in this pull request.
Description check	✅ Passed	The pull request description provides substantive details about the changes including API queries, build number logic, merge commit notifications, and a CodeQL fix, though it lacks the formal template structure.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cicd-build-number

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pappz]

/testflight

[github-actions]

TestFlight builds uploaded 0.1.6 (184) for 2933e12 — iOS + tvOS

View workflow run

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/testflight.yml (1)

3-28: ⚠️ Potential issue | 🟠 Major

workflow_dispatch is handled in gate.if and pre but not declared in on: — dead branch.

Line 25 (github.event_name == 'workflow_dispatch') and line 56 (treating workflow_dispatch like push in the pre script) will never fire because workflow_dispatch is not listed under on: (lines 3-10). The PR description advertises manual triggering, so either the trigger declaration is missing or the conditionals are dead code.

🛠 Proposed fix — add the trigger declaration

 on:
   push:
     branches: [main]
   pull_request:
     branches: [main]
     types: [opened, edited]
   issue_comment:
     types: [created]
+  workflow_dispatch:

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/testflight.yml around lines 3 - 28, The workflow currently
evaluates github.event_name == 'workflow_dispatch' in the gate job (and the pre
script) but never declares workflow_dispatch under the on: triggers, so those
branches are dead; update the top-level triggers by adding workflow_dispatch to
the on: section (so manual triggers are allowed) or remove the workflow_dispatch
checks from the gate and pre logic—specifically modify the on: block that
declares push, pull_request, and issue_comment to include workflow_dispatch so
the gate job and the pre script's workflow_dispatch checks can actually fire.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/testflight.yml:
- Around line 161-193: Set a shell trap to always remove /tmp/AuthKey.p8 on exit
so the key is cleaned up even when the script exits early (e.g., after the
HTTP_STATUS check); specifically, add a line like trap 'rm -f /tmp/AuthKey.p8'
EXIT near the start of this run block (before creating JWT and calling curl),
then you can remove the final explicit rm -f /tmp/AuthKey.p8 at the end—this
ensures the temporary key is deleted regardless of whether HTTP_STATUS, JWT, or
curl causes an exit.
- Around line 183-227: The workflow can produce "null" for LATEST_BUILD and
parseInt can yield NaN or truncate dotted CFBundleVersion strings; update the
earlier jq assignment for LATEST_BUILD (symbol LATEST_BUILD / ASC_LATEST_BUILD)
to map null to "none" (so jq emits "none" not "null"), and in the finalize
step's script validate latestBuild before using parseInt: check that latestBuild
matches an integer regexp (e.g. /^\d+$/) or that parsed = parseInt(latestBuild,
10) is a finite number, otherwise treat it as absent; then compute buildNumber
using overrideBuild fallback, validated parsed latestBuild + 1, or '1' as a safe
default (refer to variables overrideBuild, latestBuild, runNumber, and
buildNumber in the finalize script).
- Line 166: The workflow step that runs the inline Python JWT generator (the
JWT=$(python3 -c "import ... cryptography.hazmat.primitives ...") command) uses
the cryptography package which is not available by default on ubuntu-latest;
before that command either add a step to run pip install cryptography (and any
build deps) or move the Python logic into a separate script and ensure that
script's step installs cryptography first; make sure the installation step runs
prior to the JWT generation step and references the same KEY_ID/ISSUER_ID
environment usage.

---

Outside diff comments:
In @.github/workflows/testflight.yml:
- Around line 3-28: The workflow currently evaluates github.event_name ==
'workflow_dispatch' in the gate job (and the pre script) but never declares
workflow_dispatch under the on: triggers, so those branches are dead; update the
top-level triggers by adding workflow_dispatch to the on: section (so manual
triggers are allowed) or remove the workflow_dispatch checks from the gate and
pre logic—specifically modify the on: block that declares push, pull_request,
and issue_comment to include workflow_dispatch so the gate job and the pre
script's workflow_dispatch checks can actually fire.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bf05d7bd-b3c5-439b-95c3-77f8068ba5a3

📥 Commits

Reviewing files that changed from the base of the PR and between f82e687 and ba6dcdd.

📒 Files selected for processing (1)

• .github/workflows/testflight.yml