feat(cli): accept CAPGO_IOS_PROVISIONING_MAP_BASE64 as alternative env var

[WcaleNieWolny]

Summary

• Accept CAPGO_IOS_PROVISIONING_MAP_BASE64 (base64-encoded JSON) anywhere CAPGO_IOS_PROVISIONING_MAP (raw JSON) is read in the CLI.
• Decoding happens at the env-loading boundary, so downstream code paths and the credentials blob sent to the builder remain unchanged.
• Raw CAPGO_IOS_PROVISIONING_MAP takes precedence if both are set — fully backwards compatible.

Why

The provisioning map is a stringified JSON value ('{"com.example":{"profile":"...","name":"..."}}'). Storing that verbatim in CI secret stores is fragile — quotes, newlines, and shell escaping all conspire to corrupt it on the way through the runner. A base64 wrapper turns the secret into a single opaque blob that round-trips cleanly through GitHub Actions, GitLab CI, and similar.

Companion PR in capgo_builder mirrors the same fallback in the Fastlane template so users hitting the worker API directly (without the CLI) get the same convenience: https://github.com/Cap-go/capgo_builder/pull/new/feat/provisioning-map-base64

Test plan

• bun run typecheck
• bun run test:credentials — all 17 tests pass, including 2 new ones:
  • CAPGO_IOS_PROVISIONING_MAP_BASE64 is base64-decoded to the JSON form
  • CAPGO_IOS_PROVISIONING_MAP takes precedence over the BASE64 form

Follow-up

• Update cli/cloud-build/credentials.mdx and cli/cloud-build/configuration.mdx on the website to document the new var. Happy to do this in a separate PR once this lands.

Summary by CodeRabbit

• New Features
  • Added support for base64-encoded iOS provisioning map input as an alternative configuration method, with fallback to raw JSON format.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d1ed46b0-03ea-4913-a7a8-19f06c36a7dc

📥 Commits

Reviewing files that changed from the base of the PR and between 21c4c38 and 9e8f3b0.

📒 Files selected for processing (2)

• cli/src/build/credentials.ts
• cli/test/test-credentials.mjs

---

📝 Walkthrough

Walkthrough

The PR adds base64-decoding support for iOS provisioning map credentials. The loadCredentialsFromEnv() function now checks for a base64-encoded environment variable (CAPGO_IOS_PROVISIONING_MAP_BASE64) as a fallback when the raw JSON form is not provided, with the raw form taking precedence when both are set.

Changes

iOS Provisioning Map Base64 Support

Layer / File(s)	Summary
Core Implementation cli/src/build/credentials.ts	Imports Buffer and updates loadCredentialsFromEnv() to decode CAPGO_IOS_PROVISIONING_MAP_BASE64 from base64 to UTF-8 when CAPGO_IOS_PROVISIONING_MAP is not present.
Test Infrastructure cli/test/test-credentials.mjs (lines 34–37)	Adds CAPGO_IOS_PROVISIONING_MAP_BASE64 to the credential environment variable cleanup list.
Tests cli/test/test-credentials.mjs (lines 477–511)	Adds two test cases: one verifying base64 decoding produces the correct provisioning map, and another confirming raw JSON takes precedence over base64-decoded values.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A carrot-coded secret, base64-disguised,
No more plaintext provisioning—cleverly prized!
When raw JSON sleeps, the decoded bytes rise,
iOS apps sign smoothly under our watchful eyes. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main feature: accepting an alternative base64-encoded environment variable for iOS provisioning map configuration.
Description check	✅ Passed	The description includes a comprehensive summary, clear rationale, detailed test plan with passing results, and notes follow-up documentation work. All key sections are well-populated.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/provisioning-map-base64

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Review rate limit: 4/5 reviews remaining, refill in 12 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 28 untouched benchmarks

---

_{Comparing feat/provisioning-map-base64 (9e8f3b0) with main (21c4c38)}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud