[eas-cli] Validate/regenerate/create distribution certificate in non-interactive iOS builds using submission ASC API key when present

[sswrk]

Why

When a non-interactive build runs (e.g. from CI or a workflow job) and the app's distribution certificate is invalid or out of sync with Apple, the build can fail even without --freeze-credentials, because the certificate was not validated or refreshed against App Store Connect. That often forces a manual interactive eas build to repair credentials.

See the Linear issue: https://linear.app/expo/issue/ENG-21330/make-it-possible-to-refresh-a-distribution-certificate-in-non

How

In SetUpDistributionCertificate.runNonInteractiveAsync:

1. If no distribution certificate is configured → throw MissingCredentialsNonInteractiveError (unchanged).
2. Best-effort ASC authentication via env vars (EXPO_ASC_*) or the submission ASC API key from EAS credentials (same as provisioning profile repair).
3. If the current certificate is valid (local date check; Apple portal check when authenticated) → use it.
4. If invalid and repair is needed:
   • With --freeze-credentials → error.
   • Without ASC auth → error with guidance to configure env vars or a submission API key.
   • With ASC auth → reuse an existing valid cert from Apple or create a new one.

When ASC auth is unavailable but the certificate is still locally valid (dates OK), the build continues without Apple-side validation (existing skip behavior).

Test Plan

Added/updated unit tests in SetUpDistributionCertificate-test.ts and IosCredentialsProvider-test.ts.

Manual verification (non-interactive iOS development builds, no extra flags):

• Current distribution certificate is valid → build proceeds, cert reused.
• Current distribution certificate is invalid → cert validated/refreshed when ASC API key is available (env vars or EAS submission key).
• No distribution certificate configured → Credentials are not set up error.
• --freeze-credentials with invalid cert → blocked from repair.
• Combined with --refresh-ad-hoc-provisioning-profile → ASC API key resolved once (shared best-effort auth).

[linear]

ENG-21330

[sswrk]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• [eas-cli] Validate/regenerate/create distribution certificate in non-interactive iOS builds using submission ASC API key when present #3739 👈 (View in Graphite)
• [eas-cli] Validate/regenerate/create provisioning profile in non-interactive iOS builds using submission ASC API key when present #3805
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[codecov]

Codecov Report

❌ Patch coverage is 86.95652% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.99%. Comparing base (dc5b262) to head (1b2f5cf).

Files with missing lines	Patch %	Lines
...ntials/ios/actions/SetUpDistributionCertificate.ts	86.96%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@                                                       Coverage Diff                                                       @@
##           szymonswierk/non-interactive-build-provisioning-profile-validationa-and-refresh-best-effort    #3739      +/-   ##
===============================================================================================================================
+ Coverage                                                                                        57.86%   57.99%   +0.13%     
===============================================================================================================================
  Files                                                                                              913      913              
  Lines                                                                                            39622    39638      +16     
  Branches                                                                                          8296     8304       +8     
===============================================================================================================================
+ Hits                                                                                             22925    22985      +60     
+ Misses                                                                                           15242    15204      -38     
+ Partials                                                                                          1455     1449       -6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Subscribed to pull request

File Patterns	Mentions
**/*	@douglowder

Generated by CodeMention

[quinlanj]

lgtm. I'm surprised this was a feature people asked for because the number of dist certs apple lets you have in your account is very low (2-3 max)

[sjchmiela]

ugh it's still weird to me we're saying to use key for submissions to generate certificates

[sjchmiela]

how likely is that we're going to hit

eas-cli/packages/eas-cli/src/credentials/ios/actions/DistributionCertificateUtils.ts

Lines 219 to 223 in 62ab329

	if (ctx.nonInteractive) {
	throw new Error(
	"Start the CLI without the '--non-interactive' flag to revoke existing certificates."
	);
	}

often? can we do something about it?

[sswrk]

We're going to hit this when a new certificate needs to be created and there are already 3 (non-matching, e.g. for different teams) certificates in the Apple account. I don't think we should do anything automatically in this case, as this would involve revoking unrelated certs. We could make an opt-in flag to "force override" a cert.

[github-actions]

✅ Thank you for adding the changelog entry!

[sswrk]

Changed this to follow the "best effort" approach like provisioning profiles in #3805 instead of being opt-in with a flag, as I don't see any downsides of just attempting to do the validation when an ASC API key is available in EAS. If we were to do something like "force setup dist cert even if some other unrelated (other apple team) cert needs to be revoked", that would be an opt-in flag for special use cases.

@quinlanj Apologies, re-requesting review.