Xin Cheng Shen

This commit introduces a **new capability** to the **Apple code signing tools**, enabling the `--profiles-dir` CLI argument to accept multiple directory paths. The argument parsing in `prelude/apple/tools/bundling/signing_context.py` and `prelude/apple/tools/code_signing/main.py` has been updated to support this multi-value input. For **backward compatibility**, the system currently only utilizes the first directory provided, ensuring no immediate change in behavior for existing workflows. This **feature enhancement** lays the groundwork for future improvements in profile selection logic, allowing for more flexible and robust fallback mechanisms.

This commit introduces a **new feature** to the **Apple bundling and codesigning process**, enabling the consumption of multiple provisioning profile sources. The `assemble_bundle` function within `prelude/apple/apple_bundle_part.bzl` is updated to utilize `AppleProvisioningProfileSourcesInfo` when `apple.provisioning_profile_sources_enabled` is true. This allows passing each profile source as a distinct `--profiles-dir` argument to the `codesign` tool, preserving priority ordering. This enhancement provides more flexible and granular control over provisioning profile management, with full multi-directory support in the Python `codesign` tool expected in a follow-up.

This commit **enhances the Apple build system** by wiring up new attributes for **provisioning profile management** within `apple_bundle` and `apple_test` rules. It introduces `_provisioning_profile_sources` to point to a new `apple_provisioning_profile_sources` target and `_provisioning_profile_sources_enabled` as a buckconfig-controlled flag to switch between old and new profile selection flows. Concurrently, this change performs **maintenance** by removing deprecated attributes such as `_system_provisioning_profiles` from `_apple_bundle_like_common_attrs` in `prelude/apple/apple_rules_impl_utility.bzl`. This work lays the foundation for a more flexible provisioning profile selection, which is currently gated and will be enabled in a future update.

This commit introduces a **new capability** to the **Bazel prelude for Apple builds** by defining the `apple_provisioning_profile_sources` rule. This rule provides a structured way to manage and wrap **Apple provisioning profiles**, which are essential for signing and deploying Apple applications. The change involves adding the rule's implementation in `prelude/apple/apple_provisioning_profile_sources.bzl` and declaring it in `prelude/apple/apple_rules_decls.bzl`. This enhancement streamlines the configuration of provisioning profiles within Bazel build definitions, improving the overall developer experience for Apple projects.

This commit introduces a **preventative measure** to enforce **content-based hashing** for **Swift compilation** (`swift_compile`) and **Swift module compilation** (`swiftmodule_compile`) actions. It integrates a check for `expect_eligible_for_dedupe` within the `compile_with_argsfile` function in `prelude/apple/swift/swift_helpers.bzl` via a new helper function. While there are no immediate behavioral changes, this **maintenance** work prevents future regressions by ensuring all inputs and outputs for these actions are content-based hashed, gated by a new attribute on the Swift toolchain.

This commit **fixes entitlement verification** for **macOS applications** by **ignoring `com.apple.security.*` entitlements** during the code signing process. Previously, these entitlements, which are not present in provisioning profiles for native macOS apps, caused false-positive mismatches and build failures. The `_verify_entitlements` function in `codesign_bundle.py` is updated to accept an `ApplePlatform` parameter, enabling platform-specific verification that now correctly bypasses these problematic keys for macOS. This **bug fix** prevents incorrect build failures and improves the reliability of the **code signing process** for macOS targets.

This commit introduces a **new capability** within the **Swift toolchain** to enforce deduplication eligibility for build actions. It adds an `enforce_dedupe_eligibility` boolean attribute to the `swift_toolchain` rule definition in `prelude/apple/apple_rules_decls.bzl`, which is then passed to and stored within the `SwiftToolchainInfo` provider. When this attribute is enabled, it will ensure that all Swift build actions are explicitly marked as eligible for deduplication, preventing regressions and improving build efficiency. This mechanism supports a **gradual rollout** of stricter deduplication policies for Swift targets.

This commit **enhances the Mockingbird build system** by enabling content-based pathing for additional outputs. It modifies the `mockingbird_mock_impl` function within `prelude/apple/mockingbird/mockingbird_mock.bzl`, specifically setting `has_content_based_path = True` for two more output declarations. This **configuration update** is a critical step towards fully integrating a larger **feature rollout** (D86326800), ensuring that specific outputs generated by the **Mockingbird** framework correctly utilize content-based paths.

This commit introduces **new attributes** to the common definitions for `apple_bundle`-like rules, specifically within `prelude/apple/apple_rules_impl_utility.bzl`. It adds `_system_provisioning_profiles`, `_system_provisioning_profiles_enabled`, and `_user_provisioning_profiles` to facilitate **provisioning profile selection**. This **new capability** is crucial for enabling Apple builds to utilize provisioning profiles on **Linux hosts** (e.g., OD and devserver), expanding the platform support for iOS/macOS development. The change lays the groundwork for improved build environments on non-macOS systems.

This commit **enables entitlements verification by default** for Apple builds, rolling out a new security measure. It updates the `prelude/apple/apple_rules_impl_utility.bzl` file, specifically within the `_apple_bundle_like_common_attrs` definition, to set the `entitlements_verification_check_enabled` attribute to `true`. This **configuration change** means that all Apple bundles will now automatically perform entitlements verification, enhancing the integrity and correctness of built applications. The change primarily affects the **Apple build system** and its default behavior for entitlement validation.

This commit implements a **bug fix** within the **Apple binary build rules** by modifying `prelude/apple/apple_binary.bzl`. It passes a new `uses_content_based_paths` flag to the `prepare_headers` function, which is invoked by `_get_bridging_header_flags`. This change resolves a specific build rule failure, ensuring the correct preparation of **bridging headers** by properly configuring path handling. The fix enhances the reliability of **Apple build processes** by addressing issues related to content-based path generation.

This commit **fixes a build failure** by **enabling content-based paths** for **Apple frameworks** and **xcframeworks**, making them eligible for deduplication. It introduces support for content-based paths within the `prebuilt_apple_framework_impl` rule in `prelude/apple/prebuilt_apple_framework.bzl`. Additionally, this **feature enhancement** enables content-based paths for generated framework and dSYM artifacts within the `prebuilt_apple_xcframework_macro_impl` macro in `prelude/apple/prebuilt_apple_xcframework_macro_impl.bzl`. This change to the **Apple build system** improves build efficiency and resolves issues related to artifact deduplication.

This commit introduces a **configuration change** to explicitly manage content-based path hashing for `wa_apple_library` targets. It **refactors** the `apple_library` rule in `prelude/apple/apple_rules_decls.bzl` by replacing `uses_experimental_content_based_path_hashing` with a new `has_content_based_path` attribute. The `get_uses_content_based_paths` function in `prelude/apple/swift/swift_incremental_support.bzl` is updated to prioritize this new attribute, ensuring that `wa_apple_library` targets can reliably **disable content-based paths**. This **maintenance** update provides a more robust and explicit mechanism to control path generation, preventing potential build inconsistencies for these specific library types.

This commit introduces a **pre-emptive validation check** within the **Swift compilation process** to address an incompatible build configuration. It modifies the `compile_swift` function in `prelude/apple/swift/swift_compilation.bzl` to **automatically fail the build** if both content-based path hashing and Swift incremental compilation are simultaneously enabled. This **improves developer experience** by providing an immediate and descriptive error message, preventing a less informative failure later in the build process. The change acts as a **guardrail** for the **build system's Swift module**, ensuring clearer feedback for developers attempting to use these incompatible features together.

This commit performs a **cleanup** operation by **removing unused import statements** from the `assemble_bundle` module. This **maintenance** task eliminates dead code, specifically declarations that were no longer referenced within the bundling logic. The change improves **code hygiene** and readability within the **build system**, ensuring that the `assemble_bundle` script is leaner and easier to understand without introducing any functional changes or affecting the output of the bundling process.

This commit introduces a **new validation step** for **iOS application builds** by integrating entitlement verification into the code signing process. It modifies the `signing_context_with_profile_selection` function within the `prelude/apple/tools/code_signing/codesign_bundle.py` module to conditionally invoke a new `_verify_entitlements` function. This **enhancement** ensures that **iOS builds** are checked for correct entitlements, improving the overall integrity and reliability of the generated application bundles. The change also updates `prelude/apple/tools/bundling/signing_context.py` to pass the `should_verify_entitlements` argument and adds a build dependency in `prelude/apple/tools/code_signing/BUCK` to support this new check.

This commit introduces a **new attribute**, `entitlements_verification_check_enabled`, to the common attributes defined in `_apple_bundle_like_common_attrs` for **Apple bundle-like rules**. This **enhancement** provides granular control over whether entitlements verification checks are performed during the build process for these targets. By exposing this option, developers can now explicitly enable or disable this verification step, impacting the build configuration and potentially the validation of **Apple applications**.

This commit introduces a **new feature** to the **Apple bundling process** by enabling the conditional passing of a `--verify-entitlements` flag to the `assemble_bundle` tool. It modifies the `assemble_bundle` function in `prelude/apple/apple_bundle_part.bzl` to forward this argument if an attribute is present and set to true. Concurrently, `prelude/apple/tools/bundling/main.py` is updated to recognize and parse the new `--verify-entitlements` command-line argument. This change lays the essential groundwork for future **entitlement verification** during the bundling process, preparing the system for a subsequent implementation that will perform the actual checks.

This commit delivers a **bug fix** to restore **deduplication eligibility** for anonymous targets generated by **Swift compilation rules**. It updates the `_swift_pcm_compilation`, `_swift_sdk_pcm_compilation`, and `_swift_interface_compilation` rules, along with their respective `get_*_anon_targets` functions, to correctly pass `has_content_based_path=True`. This change rectifies a regression where anonymous targets built for the exec platform were no longer eligible for content-based path deduplication. By re-enabling this flag, the commit ensures proper build caching and avoids redundant work for **Swift modules** and their dependencies.

This commit introduces a **build system improvement** to **optimize Swift builds** by making `swift_macros` eligible for deduplication. It achieves this by enabling **content-based path hashing** for `swift_macros` by default, which helps reduce redundant build actions, and is implemented by updating the `get_uses_experimental_content_based_path_hashing` function in `prelude/apple/swift/swift_incremental_support.bzl` to check for a `has_content_based_path` attribute. This **optimization** is necessary because `swift_macros` are built against the execution platform, and a platform transition prevents the direct use of the toolchain's experimental content-based path hashing flag. The change ensures **more efficient builds** for projects utilizing `swift_macros` by allowing their build outputs to be properly deduplicated.