From 7a2625222d0485bf3622240f56ffda2a3605dae0 Mon Sep 17 00:00:00 2001
From: Antonis Lilis <antonis.lilis@sentry.io>
Date: Mon, 27 Apr 2026 10:07:41 +0200
Subject: [PATCH 1/2] fix(core): Restore tarball script permissions and missing
 EAS build hook

The npm pack -> yarn pack switch in #6037 introduced two regressions:

1. yarn pack stores files with mode 0644. scripts/sentry-xcode.sh,
   invoked directly by Xcode's build phase, fails with "Permission
   denied" (#6047). Re-pack the tarball after yarn pack to restore 0755
   on shell scripts and bin entrypoints.

2. yarn pack does not auto-include files referenced from the bin field.
   scripts/eas-build-hook.js was never in the .npmignore allowlist, so
   the three sentry-eas-build-* bin commands silently stopped working
   in the tarball (#6048 follow-up). Add it to the allowlist.

Add a job_validate_tarball CI job that installs the produced tarball
into a fresh project and asserts script modes, bin links, post-install
executability, and that workspace:* specs were resolved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/buildandtest.yml     | 74 ++++++++++++++++++++++++++
 packages/core/.npmignore               |  1 +
 packages/core/scripts/build-tarball.sh | 14 ++++-
 3 files changed, 88 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/buildandtest.yml b/.github/workflows/buildandtest.yml
index 0264ba07da..25c6e8d048 100644
--- a/.github/workflows/buildandtest.yml
+++ b/.github/workflows/buildandtest.yml
@@ -168,6 +168,80 @@ jobs:
             ${{ github.workspace }}/packages/core/*.tgz
             ${{ github.workspace }}/packages/expo-upload-sourcemaps/*.tgz
 
+  job_validate_tarball:
+    name: Validate tarball
+    runs-on: ["ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04", "runner_group_id:10"]
+    needs: [job_build, diff_check]
+    if: ${{ needs.diff_check.outputs.skip_ci != 'true' }}
+    timeout-minutes: 5
+    steps:
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        with:
+          node-version: 18
+      - name: Download tarball artifacts
+        uses: actions/download-artifact@v8
+        with:
+          name: ${{ github.sha }}
+          path: artifacts
+      - name: Verify executable bits in tarball
+        run: |
+          set -e
+          TARBALL=$(find artifacts -name 'sentry-react-native-*.tgz' -print -quit)
+          [ -n "$TARBALL" ] || { echo "::error::tarball not found in artifacts/"; exit 1; }
+          echo "Tarball: $TARBALL"
+          FAILED=0
+          for entry in package/scripts/sentry-xcode.sh \
+                       package/scripts/sentry-xcode-debug-files.sh \
+                       package/scripts/collect-modules.sh \
+                       package/scripts/eas-build-hook.js \
+                       package/scripts/expo-upload-sourcemaps.js; do
+            mode=$(tar -tvf "$TARBALL" "$entry" 2>/dev/null | awk 'NR==1{print $1}')
+            if [ -z "$mode" ]; then
+              echo "::error::$entry missing from tarball"
+              FAILED=1
+            elif [ "$mode" != "-rwxr-xr-x" ]; then
+              echo "::error::$entry has mode $mode, expected -rwxr-xr-x"
+              FAILED=1
+            else
+              echo "OK: $entry ($mode)"
+            fi
+          done
+          exit $FAILED
+      - name: Install tarball into fresh project
+        run: |
+          set -e
+          TARBALL=$(find "$PWD/artifacts" -name 'sentry-react-native-*.tgz' -print -quit)
+          mkdir -p /tmp/install-test
+          cd /tmp/install-test
+          npm init -y >/dev/null
+          npm install --no-save "$TARBALL"
+          # workspace:* spec must have been resolved by yarn pack (#6037 regression)
+          if grep -q 'workspace:' node_modules/@sentry/react-native/package.json; then
+            echo "::error::published package.json still contains unresolved workspace: spec"
+            grep workspace: node_modules/@sentry/react-native/package.json
+            exit 1
+          fi
+          # bin entries must be linked into node_modules/.bin and executable
+          for bin in sentry-eas-build-on-complete \
+                     sentry-eas-build-on-error \
+                     sentry-eas-build-on-success \
+                     sentry-expo-upload-sourcemaps; do
+            if [ ! -x "node_modules/.bin/$bin" ]; then
+              echo "::error::node_modules/.bin/$bin missing or not executable"
+              ls -la node_modules/.bin/ | grep -i sentry || true
+              exit 1
+            fi
+            echo "OK: node_modules/.bin/$bin"
+          done
+          # sentry-xcode.sh is invoked directly by the iOS build phase, so it
+          # must remain executable after install (#6047)
+          if [ ! -x node_modules/@sentry/react-native/scripts/sentry-xcode.sh ]; then
+            echo "::error::scripts/sentry-xcode.sh is not executable after install"
+            ls -la node_modules/@sentry/react-native/scripts/sentry-xcode.sh
+            exit 1
+          fi
+          echo "OK: scripts/sentry-xcode.sh executable"
+
   job_type_check:
     name: Type Check Typescript 3.8
     runs-on: ["ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04", "runner_group_id:10"]
diff --git a/packages/core/.npmignore b/packages/core/.npmignore
index 49af5a37e2..a8241b93f9 100644
--- a/packages/core/.npmignore
+++ b/packages/core/.npmignore
@@ -27,6 +27,7 @@
 !scripts/sentry-xcode-debug-files.sh
 !scripts/sentry_utils.rb
 !scripts/expo-upload-sourcemaps.js
+!scripts/eas-build-hook.js
 
 # Metro
 !/metro.js
diff --git a/packages/core/scripts/build-tarball.sh b/packages/core/scripts/build-tarball.sh
index 9be5f160ad..4af6809b41 100755
--- a/packages/core/scripts/build-tarball.sh
+++ b/packages/core/scripts/build-tarball.sh
@@ -14,4 +14,16 @@ cp ../../README.md README.md
 # rewritten to concrete versions in the published tarball. npm pack leaves
 # the spec as `workspace:*`, which consumers cannot resolve.
 VERSION=$(node -p "require('./package.json').version")
-yarn pack --out "sentry-react-native-${VERSION}.tgz"
+TARBALL="sentry-react-native-${VERSION}.tgz"
+yarn pack --out "$TARBALL"
+
+# yarn pack stores non-bin files with mode 0644, which breaks the Xcode build
+# phase that invokes scripts/sentry-xcode.sh directly (Permission denied).
+# Re-pack with +x on shell scripts and bin entrypoints.
+TMP_DIR=$(mktemp -d)
+trap 'rm -rf "$TMP_DIR"' EXIT
+tar -xzf "$TARBALL" -C "$TMP_DIR"
+chmod 0755 "$TMP_DIR"/package/scripts/*.sh \
+           "$TMP_DIR"/package/scripts/eas-build-hook.js \
+           "$TMP_DIR"/package/scripts/expo-upload-sourcemaps.js
+tar -czf "$TARBALL" -C "$TMP_DIR" package

From bb630823d4d00720ce210266b4215b2652d60bb7 Mon Sep 17 00:00:00 2001
From: Antonis Lilis <antonis.lilis@sentry.io>
Date: Mon, 27 Apr 2026 10:08:25 +0200
Subject: [PATCH 2/2] docs: Update changelog

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e7242cefb8..9749d32d88 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,13 @@
 > make sure you follow our [migration guide](https://docs.sentry.io/platforms/react-native/migration/) first.
 <!-- prettier-ignore-end -->
 
+## Unreleased
+
+### Fixes
+
+- Restore executable bit on shell scripts in the published tarball, fixing `Permission denied` on iOS build ([#6049](https://github.com/getsentry/sentry-react-native/pull/6049))
+- Restore EAS build hook bin scripts (`sentry-eas-build-on-{success,error,complete}`) missing from the published tarball ([#6049](https://github.com/getsentry/sentry-react-native/pull/6049))
+
 ## 8.9.1
 
 ### Features