From 0acf07d995fcb398fef5350319e4cd2ced28b31c Mon Sep 17 00:00:00 2001
From: Tom Owers <owerstom@gmail.com>
Date: Fri, 22 May 2026 16:26:25 +0100
Subject: [PATCH 1/3] fix(ci): grant promote job contents:read for
 mobile-promote

The promote job set permissions:{} (contents:none) but the called
mobile-promote.yml submit job requests contents:read, which GitHub
rejects as an invalid workflow file.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/mobile-build.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/mobile-build.yml b/.github/workflows/mobile-build.yml
index 1600e9e93..0f8cc6f0f 100644
--- a/.github/workflows/mobile-build.yml
+++ b/.github/workflows/mobile-build.yml
@@ -81,7 +81,8 @@ jobs:
   # Auto-promote the freshly built production binaries. Only runs when the build
   # job waited for completion (otherwise there is no finished build to submit).
   promote:
-    permissions: {}
+    permissions:
+      contents: read
     needs: build
     if: ${{ inputs.profile == 'production' && inputs.wait }}
     uses: ./.github/workflows/mobile-promote.yml

From afee7b4fd942f3676b2f055654ff9b4bf4f4acb3 Mon Sep 17 00:00:00 2001
From: Tom Owers <owerstom@gmail.com>
Date: Fri, 22 May 2026 16:27:24 +0100
Subject: [PATCH 2/3] fix(ci): pin expo-github-action to correct v8 SHA

The previous SHA did not exist in expo/expo-github-action, breaking
both mobile-build and mobile-promote. Pin to the real v8 commit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/mobile-build.yml   | 2 +-
 .github/workflows/mobile-promote.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/mobile-build.yml b/.github/workflows/mobile-build.yml
index 0f8cc6f0f..bc342e51e 100644
--- a/.github/workflows/mobile-build.yml
+++ b/.github/workflows/mobile-build.yml
@@ -57,7 +57,7 @@ jobs:
           cache: "pnpm"
 
       - name: Setup EAS
-        uses: expo/expo-github-action@4479f9c12e08b76bb8a6ae00a31544a13d3b3d68 # v8
+        uses: expo/expo-github-action@c7b66a9c327a43a8fa7c0158e7f30d6040d2481e # v8
         with:
           eas-version: latest
           token: ${{ secrets.EXPO_TOKEN }}
diff --git a/.github/workflows/mobile-promote.yml b/.github/workflows/mobile-promote.yml
index c55d44943..8f8e024d7 100644
--- a/.github/workflows/mobile-promote.yml
+++ b/.github/workflows/mobile-promote.yml
@@ -77,7 +77,7 @@ jobs:
           cache: "pnpm"
 
       - name: Setup EAS
-        uses: expo/expo-github-action@4479f9c12e08b76bb8a6ae00a31544a13d3b3d68 # v8
+        uses: expo/expo-github-action@c7b66a9c327a43a8fa7c0158e7f30d6040d2481e # v8
         with:
           eas-version: latest
           token: ${{ secrets.EXPO_TOKEN }}

From b7401932b9ee55b41d6413b3cba112ae99ceb350 Mon Sep 17 00:00:00 2001
From: Tom Owers <owerstom@gmail.com>
Date: Fri, 22 May 2026 17:01:27 +0100
Subject: [PATCH 3/3] fix(mobile): set ascAppId for iOS submit profile

eas submit --non-interactive cannot resolve the App Store Connect app
without ascAppId. Pin it so iOS promotion works in CI.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/mobile/eas.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/apps/mobile/eas.json b/apps/mobile/eas.json
index 979d49a2d..dd2661104 100644
--- a/apps/mobile/eas.json
+++ b/apps/mobile/eas.json
@@ -26,7 +26,9 @@
   },
   "submit": {
     "production": {
-      "ios": {},
+      "ios": {
+        "ascAppId": "6762366098"
+      },
       "android": {
         "track": "internal"
       }