feat(distribution): Add dedicated distribution auth token property (#1007)

* feat(distribution): Add dedicated distribution auth token property

Add distributionAuthToken property to DistributionExtension to decouple distribution authentication from the main org auth token for improved security separation.

Changes:
- Add distributionAuthToken property to DistributionExtension
- Update GenerateDistributionPropertiesTask to use distributionAuthToken from extension
- Add fallback to SENTRY_DISTRIBUTION_AUTH_TOKEN environment variable
- Update all existing tests to use the new property
- Add tests for distributionAuthToken property and environment variable fallback

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor(distribution): Simplify auth token with convention

Simplify the distribution auth token implementation by using Gradle's convention mechanism:
- Rename distributionAuthToken to authToken for simplicity
- Set convention to System.getenv("SENTRY_DISTRIBUTION_AUTH_TOKEN")
- Remove explicit fallback logic in GenerateDistributionPropertiesTask
- Update tests to reflect the simpler convention-based approach

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* test: Add tests to verify distribution auth token isolation

Add tests to ensure:
- distribution.authToken takes precedence over main authToken
- No fallback to main authToken when distribution authToken is not set

This ensures proper security separation between distribution and main auth tokens.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: runningcode

plugin-build/src/main/kotlin/io/sentry/android/gradle/extensions/DistributionExtension.kt

@@ -2,6 +2,7 @@ package io.sentry.android.gradle.extensions
 
 import javax.inject.Inject
 import org.gradle.api.model.ObjectFactory
+import org.gradle.api.provider.Property
 import org.gradle.api.provider.SetProperty
 import org.jetbrains.annotations.ApiStatus.Experimental
 
@@ -16,4 +17,8 @@ open class DistributionExtension @Inject constructor(objects: ObjectFactory) {
    */
   val enabledVariants: SetProperty<String> =
     objects.setProperty(String::class.java).convention(emptySet())
+
+  /** Auth token used for distribution operations. */
+  val authToken: Property<String> =
+    objects.property(String::class.java).convention(System.getenv("SENTRY_DISTRIBUTION_AUTH_TOKEN"))
 }

plugin-build/src/main/kotlin/io/sentry/android/gradle/tasks/GenerateDistributionPropertiesTask.kt

@@ -117,8 +117,7 @@ abstract class GenerateDistributionPropertiesTask : PropertiesFileOutputTask() {
           }
         task.projectSlug.set(projectProvider)
 
-        // Auth token only from extension (no fallback)
-        task.orgAuthToken.set(extension.authToken)
+        task.orgAuthToken.set(extension.distribution.authToken)
 
         task.buildConfiguration.set(buildConfiguration)
       }

plugin-build/src/test/kotlin/io/sentry/android/gradle/extensions/DistributionExtensionTest.kt

@@ -24,4 +24,23 @@ class DistributionExtensionTest {
 
     assertEquals(setOf("freeDebug", "paidRelease"), extension.enabledVariants.get())
   }
+
+  @Test
+  fun `authToken uses environment variable by default`() {
+    val project = ProjectBuilder.builder().build()
+    val extension = project.objects.newInstance(DistributionExtension::class.java)
+
+    val envToken = System.getenv("SENTRY_DISTRIBUTION_AUTH_TOKEN")
+    assertEquals(envToken, extension.authToken.orNull)
+  }
+
+  @Test
+  fun `authToken can be configured`() {
+    val project = ProjectBuilder.builder().build()
+    val extension = project.objects.newInstance(DistributionExtension::class.java)
+
+    extension.authToken.set("test-token")
+
+    assertEquals("test-token", extension.authToken.get())
+  }
 }

plugin-build/src/test/kotlin/io/sentry/android/gradle/tasks/GenerateDistributionPropertiesTaskTest.kt

@@ -31,7 +31,7 @@ class GenerateDistributionPropertiesTaskTest {
     val extension = project.extensions.findByName("sentry") as SentryPluginExtension
     extension.org.set("test-org")
     extension.projectName.set("test-project")
-    extension.authToken.set("test-token")
+    extension.distribution.authToken.set("test-token")
 
     val task: TaskProvider<GenerateDistributionPropertiesTask> =
       GenerateDistributionPropertiesTask.register(
@@ -64,7 +64,7 @@ class GenerateDistributionPropertiesTaskTest {
     val extension = project.extensions.findByName("sentry") as SentryPluginExtension
     extension.org.set("extension-org")
     extension.projectName.set("extension-project")
-    extension.authToken.set("extension-token")
+    extension.distribution.authToken.set("extension-token")
 
     val task: TaskProvider<GenerateDistributionPropertiesTask> =
       GenerateDistributionPropertiesTask.register(
@@ -89,7 +89,7 @@ class GenerateDistributionPropertiesTaskTest {
     // ext properties should take precedence
     assertEquals("ext-org", props.getProperty(ORG_SLUG_PROPERTY))
     assertEquals("ext-project", props.getProperty(PROJECT_SLUG_PROPERTY))
-    // auth token should still come from extension as it's not in ext
+    // auth token should still come from distribution extension
     assertEquals("extension-token", props.getProperty(DISTRIBUTION_AUTH_TOKEN_PROPERTY))
   }
 
@@ -132,16 +132,17 @@ class GenerateDistributionPropertiesTaskTest {
 
     assertEquals("props-org", props.getProperty(ORG_SLUG_PROPERTY))
     assertEquals("props-project", props.getProperty(PROJECT_SLUG_PROPERTY))
-    // Auth token should not be present (no fallback)
-    assertNull(props.getProperty(DISTRIBUTION_AUTH_TOKEN_PROPERTY))
+    // Distribution auth token should match environment variable (if set)
+    val envToken = System.getenv("SENTRY_DISTRIBUTION_AUTH_TOKEN")
+    assertEquals(envToken, props.getProperty(DISTRIBUTION_AUTH_TOKEN_PROPERTY))
   }
 
   @Test
   fun `extension properties override sentry properties file`() {
     val project = createProject()
     val extension = project.extensions.findByName("sentry") as SentryPluginExtension
     extension.org.set("extension-org")
-    extension.authToken.set("extension-token")
+    extension.distribution.authToken.set("extension-token")
 
     // Create a sentry.properties file
     val sentryPropertiesFile = File(project.projectDir, "sentry.properties")
@@ -178,10 +179,69 @@ class GenerateDistributionPropertiesTaskTest {
     assertEquals("extension-org", props.getProperty(ORG_SLUG_PROPERTY))
     // Project should fall back to properties file
     assertEquals("props-project", props.getProperty(PROJECT_SLUG_PROPERTY))
-    // Auth token comes from extension only
+    // Distribution auth token comes from distribution extension
     assertEquals("extension-token", props.getProperty(DISTRIBUTION_AUTH_TOKEN_PROPERTY))
   }
 
+  @Test
+  fun `distribution authToken takes precedence over main authToken`() {
+    val project = createProject()
+    val extension = project.extensions.findByName("sentry") as SentryPluginExtension
+    extension.authToken.set("main-auth-token")
+    extension.distribution.authToken.set("distribution-auth-token")
+
+    val task: TaskProvider<GenerateDistributionPropertiesTask> =
+      GenerateDistributionPropertiesTask.register(
+        project,
+        extension,
+        null,
+        project.layout.buildDirectory.dir("dummy/folder/"),
+        "test",
+        "debug",
+      )
+
+    val outputDir = File(project.buildDir, "dummy/folder/")
+    outputDir.mkdirs()
+
+    task.get().generateProperties()
+
+    val expectedFile = File(project.buildDir, "dummy/folder/sentry-distribution.properties")
+    val props = PropertiesUtil.load(expectedFile)
+
+    // Distribution auth token should be used, not main auth token
+    assertEquals("distribution-auth-token", props.getProperty(DISTRIBUTION_AUTH_TOKEN_PROPERTY))
+  }
+
+  @Test
+  fun `does not fall back to main authToken when distribution authToken is not set`() {
+    val project = createProject()
+    val extension = project.extensions.findByName("sentry") as SentryPluginExtension
+    extension.authToken.set("main-auth-token")
+    // Explicitly set distribution auth token to null to override the env var convention
+    extension.distribution.authToken.set(null as String?)
+
+    val task: TaskProvider<GenerateDistributionPropertiesTask> =
+      GenerateDistributionPropertiesTask.register(
+        project,
+        extension,
+        null,
+        project.layout.buildDirectory.dir("dummy/folder/"),
+        "test",
+        "debug",
+      )
+
+    val outputDir = File(project.buildDir, "dummy/folder/")
+    outputDir.mkdirs()
+
+    task.get().generateProperties()
+
+    val expectedFile = File(project.buildDir, "dummy/folder/sentry-distribution.properties")
+    val props = PropertiesUtil.load(expectedFile)
+
+    // Distribution auth token should not fall back to main auth token
+    assertNull(props.getProperty(DISTRIBUTION_AUTH_TOKEN_PROPERTY))
+  }
+
   @Test
   fun `handles missing values gracefully`() {
     val project = createProject()
@@ -208,7 +268,9 @@ class GenerateDistributionPropertiesTaskTest {
     // Should not write null values
     assertNull(props.getProperty(ORG_SLUG_PROPERTY))
     assertNull(props.getProperty(PROJECT_SLUG_PROPERTY))
-    assertNull(props.getProperty(DISTRIBUTION_AUTH_TOKEN_PROPERTY))
+    // Distribution auth token should match environment variable (if set)
+    val envToken = System.getenv("SENTRY_DISTRIBUTION_AUTH_TOKEN")
+    assertEquals(envToken, props.getProperty(DISTRIBUTION_AUTH_TOKEN_PROPERTY))
     // Build configuration should always be present
     assertEquals("debug", props.getProperty(BUILD_CONFIGURATION_PROPERTY))
   }