
Conversation

@transphorm
Member

@transphorm transphorm commented Sep 21, 2025

Summary by CodeRabbit

  • New Features

    • Added in-app FeedbackProvider.
    • Introduced Photo Picker activity on Android.
    • Unlocked screen rotation for the main Android activity.
  • Mobile

    • Android app version bumped to 2.6.5 (code 99).
    • Updated dependencies; improved native library handling for smaller packages.
  • Documentation

    • Updated setup requirements (Node ≥ 22); expanded Android/iOS guides.
    • Removed NFC-related documentation references.
  • Chores

    • Major CI/CD revamp: caching, concurrency, staging branch support, new mobile/demo workflows.
    • Added pre-commit license header checks and refined secret scanning/ignore rules.

Vishalkulkarni45 and others added 30 commits August 20, 2025 14:51
* feat: helper functions and constant for go-sdk

* feat: formatRevealedDataPacked in go

* chore: refactor

* feat: define struct for selfBackendVerifier

* feat: verify function for selfBackendVerifier

* feat(wip): custom hasher

* feat: SelfVerifierBacked in go

* test(wip): scope and userContextHash is failing

* test: zk proof verified

* fix: MockConfigStore getactionId function

* chore: refactor

* chore: remove abi duplicate files

* chore: move configStore to utils

* chore: modified VcAndDiscloseProof struct

* chore: more review changes

* feat: impl DefaultConfig and InMemoryConfigStore

* chore: refactor and export functions

* fix: module import and README

* chore: remove example folder

* chore: remove pointers from VerificationConfig

* chore: coderabbit review fixes

* chore: more coderabbit review fix

* chore: add license

* fix: convert attestationIdd to int

* chore: remove duplicate code

---------

Co-authored-by: ayman <[email protected]>
* remove react dom

* moves proving utils to the common

* need to use rn components

* fix imports

* add proving-utils and deduplicate entry configs for esm and cjs.

* must wrap in text component

* fix metro bundling

* fix mock import

* fix builds and tests

* please save me

* solution?

* fix test
* create ofactTree type to share

* move proving inputs from app to register inputs in common

* missed reexport

* ok

* add some validations as suggested by our ai overlords
* fix dev screens

* add hint

* rename

* fix path

* fix mobile-ci path
* fix: extractMRZ

* yarn nice && yarn types

* fix test: remove unused

* fix mobile ci

* add script

---------

Co-authored-by: Justin Hernandez <[email protected]>
* moved attest and cose utils to common

with cursor converted tests in common to use vitest and converted coseVerify.test to vitest after moving from app to common

what does cryptoLoader do?

* moved away

* get buff

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* feat: add sentry feedback

* add sentry feedback to web

* feat: add custom feedback modal & fix freeze on IOS

* yarn nice

* update lock

* feat: show feedback widget on NFC scan issues (#948)

* feat: show feedback widget on NFC scan issues

* fix ref

* clean up

* fix report issue screen

* abstract send user feedback email logic

* fixes

* change text to Report Issue

* sanitize email and track event message

* remove unnecessary sanitization

* add sanitize error message tests

* fix tests

* save wip. almost done

* fix screen test

* fix screen test

* remove non working test

---------

Co-authored-by: Justin Hernandez <[email protected]>
Co-authored-by: Justin Hernandez <[email protected]>
* chore: centralize license header scripts

* chore: run license header checks from root

* add header to other files

* add header to bundle

* add migration script and update check license headers

* convert license to mobile sdk

* migrate license headers

* remove headers from common; convert remaining

* fix headers

* add license header checks
* update unsupported passport screen

* yarn nice
* setup analytics adapter for self mobile sdk client and use in app

* wrap for context

* fix build

* yarn types is an alias for build when build just compiles ts

* ok unlock

* deeper

* ok this looks to work

* fix license check

* make sure it starts with this line

* someone didn't commit

* fix double analytics bug and builds

* lint
* chore: upgrade build tooling to Node 22 and AGP 8.6

* chore: upgrade react-native to 0.76.9

* update lock files and formatting

* fix path

* fix: handle hermes-engine cache mismatch in CI after React Native upgrade

- Add fallback logic to run 'pod update hermes-engine' when pod install fails
- This resolves CocoaPods cache issues that occur after React Native version upgrades
- Fixes CI pipeline failures on codex/update-core-tooling-for-react-native-upgrade branch

* fix: improve hermes-engine cache handling in CI

- Preemptively clear CocoaPods cache before pod install
- This prevents dependency analysis failures that occur when cached podspecs conflict
- Addresses the root cause: cache conflicts during 'Analyzing dependencies' phase
- Keeps fallback logic for additional safety

* fix: handle hermes-engine cache in mobile-bundle-analysis workflow

- Add pod-install-with-cache-fix.sh script to handle hermes-engine cache conflicts
- Update install-app:setup script to use the new cache fix approach
- This fixes the mobile-bundle-analysis.yml workflow failures after React Native upgrade
- Proactively clears CocoaPods cache and has fallback for hermes-engine updates

* formatting

* fix: robust hermes-engine cache handling in CI workflows

- Apply comprehensive cache clearing to mobile-ci.yml and mobile-e2e.yml
- Pre-emptively run 'pod update hermes-engine' before pod install
- Clear multiple cache locations to handle CI environment differences
- This prevents 'hermes-engine differs from Pods/Local Podspecs' errors
- Fixes all workflows affected by React Native 0.76.9 upgrade cache issues

* fixes

* clean up

* update lock files

* fix tests

* sort

* fixes

* fix ci

* fix deployment target

* android fixes

* upgrade fix

* fixes

* fix: streamline mobile CI build and caching (#946)

* fix: streamline mobile CI build and caching

* Enable mobile E2E tests on codex/fix-mobile-ci-workflow-errors branch

* test

* simplify and fix path

* workflow fixes

* fix loading on 0.76.9

* clean up unnecessary comments

* fix readme

* finalize upgrade to 0.76.9

* fix android build and upgrade

* fix bundler caching

* download cli to fix "yarn start" issues

* fix cli build error

* fix script path

* better path

* abstract build step to prevent race condition

* fixes

* better cache

* fix corepack build error

* update lock

* update lock

* add yarn cache to workflows

* fix test building

* ci caching improvements

* fix common type check

* fix common ci

* better mobile sdk alpha building logic

* chore: speed up mobile e2e workflow (#962)

* chore: speed up mobile e2e workflow

* chore: disable android e2e job

* chore: speed up ios build

* fix: bundle js for ios debug build

* fix e2e
* feat: improve mixpanel flush strategy

* fixes

* fix build

* update lock

* refactor methods

* consolidate calls

* update package and lock
* refactor: remove namespace imports

* refactor: use named fs imports

* refactor(app): replace path and fs namespace imports

* format

* format
* updates

* fox

* update license
* Handle missing dsc parsed

* nice

* fix test

* throw

* fix
* chore(app): upgrade dependencies

* update package

* update lock files

* fixes

* lock

* fix
* basic auth adapter

* remove SelfMobileSDk, this was another architecture which the adapter pattern replaced

* rename to avoid confusion with client.test.ts

* basic auth adapter

* remove SelfMobileSDk, this was another architecture which the adapter pattern replaced

* rename to avoid confusion with client.test.ts

* self

* fix

* remove prototypes

* make sure it's mounted

* fix tests

* fmt

* require required adapters

* fix types

* not a partial

* adds missing exports

* fix missing data
* fix nfc scanning on ios and android

* save test

* fix tests

* fix lint
* fixes

* silence error

* fix debugge

* fix nfc scanning

* lint and pipeline fixes
* bump up to macos-latest-large

* fix ci
Co-authored-by: Aaron DeRuvo <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* docs: record app integration progress

* docs: consolidate mobile SDK migration tracking

* docs: humanize migration tracking and merge prompts

* docs: add common consolidation tasks

* docs: reprioritize migration tasks

* docs: soften migration plan tone

* docs: detail agent prompts with file paths

* docs: catalog Linear tasks for SDK

* updates

* remove artifact management
* moves validateDocument functions into the common package.

* fix build issues and lint

* handle bad connections better in nullifier

* add an abort controller to nullifier fetcher, ignore false positives

* import types separately

* take it as an arg
* chore(app): resolve lint warnings

* update lock

* clean up any types

* fix types

* feedback from cr
* feat: expose mock generator

* formatting

* fix tests and lint

* rename passport to document

* fix types
* chore: scaffold mobile sdk demo app

* test: cover demo app menu

* prettier and types

* sort

* add android app foundation

* fix android loading

* get ios app running

* update script

* cr feedback

* disable fabric

* fixes

* fixes

* fix
Nesopie and others added 17 commits September 11, 2025 12:51
…945)

* Add VerificationPerformed event to track verification calls

- Added VerificationPerformed event with comprehensive tracking fields
- Captures requestor contract, version, attestation ID, chain ID, config ID, user identifier, output, and user data
- Enhanced _executeVerificationFlow to return additional tracking data
- Event emission placed after verification completion for accurate tracking

* chore: run formatter

* chore: rename verify event name to DisclosureVerified
* remove tslib -- seems unused

* remove deps accidentally added to root

* build file
* feat: parse belgium TD1 mrz android

* feat: Parse Belgium TD1 MRZ IOS
* fix: relax OFAC tree response validation

* test: cover OFAC tree edge cases

* fix stateless

* revert and fix types

* fix tests
* feat: add structured NFC logging

* fix ci

* Fix: add deps

* logging fixes. use breadcrumbs

* fix android build

* update SeverityLevel

* [SELF-705] feat: add proof event logging (#1057)

* feat: add proof event logging

* refactor: unify sentry event logging

* fix types

* fix mock

* simplify

* code rabbit feedback

* fix tests

---------

Co-authored-by: seshanthS <[email protected]>
* chore: bump v2.6.5 rd2 (#1067)

* commit wip version bump

* remove from building

* chore: update tooling dependencies (#1069)

* chore: update tooling dependencies

* chore: align react typings and node types

* update lock

* chore: minor fixes across monorepo (#1068)

* small fixes

* fixes

* fix gesture handler error

* ci fixes

* fix yarn build; add workflow ci (#1075)

* add new workspace ci

* disable package version check for now

* build before checks

* format

* fix in future pr

* feat: add functions for disclosing aadhaar attributes (#1033)

* feat: add functions for disclosing aadhaar attributes

* format

* chore: update monorepo artifacts (#1079)

* remove unneeded artifacts, skip building circuits

* update md files

* cleans up unused parts of sdk interface, adds inline documentation, (#1078)

* cleans up unused parts of sdk interface, adds inline documentation,

* fix up build

* yolo

* Feat/aadhaar sdk (#1082)

* feat: add aadhaar support to the ts sdk

* feat: aadhaar support to go sdk

* chore: refactor

* move clearPassportData, markCurrentDocumentAsRegistered, reStorePassportDataWithRightCSCA to SDK (#1041)

* Move self app store to mobile sdk (#1040)

* chore(mobile-sdk-alpha): remove unused tslib dependency (#1053)

* remove tslib -- seems unused

* remove deps accidentally added to root

* build file

* remove unused imports (#1055)

* fix: sha256 signed attr tests (#1058)

* fix mock screen launch (#1059)

* Hotfix: Belgium ID cards (#1061)

* feat: parse belgium TD1 mrz android

* feat: Parse Belgium TD1 MRZ IOS

* fix: OFAC trees not found (#1060)

* fix: relax OFAC tree response validation

* test: cover OFAC tree edge cases

* fix stateless

* revert and fix types

* fix tests

* [SELF-723] feat: add structured NFC and Proof logging (#1048)

* feat: add structured NFC logging

* fix ci

* Fix: add deps

* logging fixes. use breadcrumbs

* fix android build

* update SeverityLevel

* [SELF-705] feat: add proof event logging (#1057)

* feat: add proof event logging

* refactor: unify sentry event logging

* fix types

* fix mock

* simplify

* code rabbit feedback

* fix tests

---------

Co-authored-by: seshanthS <[email protected]>

* skip on dev (#1063)

* don't get fancy just disable (#1064)

* saw it building so gonna try (#1065)

* chore: bump v2.6.5 rd2 (#1067)

* commit wip version bump

* remove from building

* chore: update tooling dependencies (#1069)

* chore: update tooling dependencies

* chore: align react typings and node types

* update lock

* chore: minor fixes across monorepo (#1068)

* small fixes

* fixes

* fix gesture handler error

* ci fixes

* fix yarn build; add workflow ci (#1075)

* add new workspace ci

* disable package version check for now

* build before checks

* format

* fix in future pr

* feat: add functions for disclosing aadhaar attributes (#1033)

* feat: add functions for disclosing aadhaar attributes

* format

* chore: update monorepo artifacts (#1079)

* remove unneeded artifacts, skip building circuits

* update md files

* chore: update hub contract address

* format

* fix: add aadhaar in AllIds

* chore: bump to v1.1.0-beta

---------

Co-authored-by: vishal <[email protected]>
Co-authored-by: Leszek Stachowski <[email protected]>
Co-authored-by: Aaron DeRuvo <[email protected]>
Co-authored-by: Justin Hernandez <[email protected]>
Co-authored-by: Seshanth.S🐺 <[email protected]>
Co-authored-by: seshanthS <[email protected]>

* feat: change to gcp attestation verification (#959)

* feat: change to gcp attestation verification

* lint

* fix e2e test

* chore: don't check PCR0 mapping if building the app locally

* fmt:fix

---------

Co-authored-by: Justin Hernandez <[email protected]>

* Mobile SDK: move provingMachine from the app (#1052)

* Mobile SDK: move provingMachine from the app

* lint, fixes

* fix web build?

* lint

* fix metro build, add deps

* update lock files

* move the status handlers and proving machine tests

* may it be

* fix up

* yolo

---------

Co-authored-by: Justin Hernandez <[email protected]>
Co-authored-by: Aaron DeRuvo <[email protected]>

* Revert "Mobile SDK: move provingMachine from the app (#1052)" (#1084)

This reverts commit 8983ac2.

* fix: sdk (#1085)

* bump sdk (#1086)

* chore update mobile app types (#1087)

* clean up types

* clean up additional types

* format

* fix types

* feat: add contract utils (#1088)

* Feat/contracts npm publish (#1089)

* chore: ci to publish contracts

* yarn fmt

* fix: use celo sepolia in common (#1091)

* chore: export selfappbuilder (#1092)

* [SELF-747] feat: clone android passport reader during setup (#1080)

* chore: remove android private modules doc

* private repo pull

* skip private modules

* remove unused circuits building

* save wip

* format

* restore tsconfig

* fix package install

* fix internal repo cloning

* unify logic and fix cloning

* git clone internal repos efficiently

* formatting

* run app yarn reinstall from root

* coderabbit feedback

* coderabbit suggestions

* remove skip private modules logic

* fix: ensure PAT is passed through yarn-install action and handle missing PAT gracefully

- Update yarn-install action to pass SELFXYZ_INTERNAL_REPO_PAT to yarn install
- Make setup-private-modules.cjs skip gracefully when PAT is unavailable in CI
- Fixes issue where setup script was throwing error instead of skipping for forks

* prettier

* fix clone ci

* clone ci fixes

* fix import export sorts

* fix instructions

* fix: remove SelfAppBuilder re-export to fix duplicate export error

- Remove SelfAppBuilder import/export from @selfxyz/qrcode
- Update README to import SelfAppBuilder directly from @selfxyz/common
- Fixes CI build failure with duplicate export error

* fix: unify eslint-plugin-sort-exports version across workspaces

- Update mobile-sdk-alpha from 0.8.0 to 0.9.1 to match other workspaces
- Removes yarn.lock version conflict causing CI/local behavior mismatch
- Fixes quality-checks workflow linting failure

* fix: bust qrcode SDK build cache to resolve stale SelfAppBuilder issue

- Increment GH_SDK_CACHE_VERSION from v1 to v2
- Forces CI to rebuild artifacts from scratch instead of using cached version
- Resolves quality-checks linter error showing removed SelfAppBuilder export

* skip job

* test yarn cache

* bump cache version to try and fix the issue

* revert cache version

* refactor: use direct re-exports for cleaner qrcode package structure

- Replace import-then-export pattern with direct re-exports
- Keep SelfAppBuilder export with proper alphabetical sorting (before SelfQRcode)
- Maintain API compatibility as documented in README
- Eliminates linter sorting issues while keeping clean code structure

* fix: separate type and value imports in README examples

- Import SelfApp as type since it's an interface
- Import SelfAppBuilder as value since it's a class
- Follows TypeScript best practices and improves tree shaking

* address version mismatches and package resolutions (#1081)

* fix package version mismatches and resolutions

* fixes

* update lock

* fix comma

* fixes

* fix packages

* update packages

* remove firebase analytics. not needed

* fix: aadhaar verifier abi (#1096)

* fix: aadhaar verifier abi

* bump: core

* fix: go-sdk (#1090)

* SELF-725: add iOS qrcode opener and aadhaar screen (#1038)

* add iOS qrcode opener and aadhaar screen

* format

* fix test

* add Image-picker android (#1077)

* add image-picker android

* fix validation

* feat: implement Aadhaar upload success and error screens, enhance AadhaarNavBar with dynamic progress indication

- Added AadhaarUploadedSuccessScreen and AadhaarUploadErrorScreen components for handling upload outcomes.
- Updated AadhaarNavBar to reflect current upload step with dynamic progress bar.
- Integrated new screens into navigation flow for Aadhaar upload process.
- Introduced blue check and warning SVG icons for visual feedback on success and error states.

* feat: generate mock aadhar (#1083)

* feat: generate mock aadhar

* add yarn.lock

* update yarn.lock

* update protocolStore, update types, start modifying provingMachine

* Register mock aadhar (#1093)

* Register mock aadhar

* fix ofac

* temp: generate name

* fix dob

* Add Aadhaar support to ID card component and screens

- Integrated Aadhaar icon and conditional rendering in IdCardLayout.
- Updated AadhaarUploadScreen to process QR codes and store Aadhaar data.
- Modified navigation and button text in AadhaarUploadedSuccessScreen.
- Added mock data generation for Aadhaar in the mobile SDK.
- Updated ManageDocumentsScreen to include Aadhaar document type.
- Enhanced error handling and validation for Aadhaar QR code processing.
- Added utility functions for Aadhaar data extraction and commitment processing.

* aadhaar disclose - wip (#1094)

* fix: timestamp cal of extractQRDataFields

* Feat/aadhar fixes (#1099)

* Fix - android aadhar qr scanner

* fixes

* update text

* yarn nice

* run prettier

* Add mock Aadhaar certificates for development

- Introduced hardcoded Aadhaar test certificates for development purposes.
- Moved Aadhaar mock private and public keys to a dedicated file for better organization.
- Updated the mock ID document generation utility to utilize the new Aadhaar mock certificates.

* prettier write

* add 'add-aadhaar' button (#1100)

* Update .gitleaks.toml to include path for mock certificates in the common/dist directory

* yarn nice

* Enhance Aadhaar error handling with specific error types

- Updated the AadhaarUploadErrorScreen to display different messages based on the error type (general or expired).
- Modified the AadhaarUploadScreen to pass the appropriate error type when navigating to the error screen.
- Set initial parameters for the home screen to include a default error type.

* Update passport handling in proving machine to support Aadhaar document category

- Modified the handling of country code in the useProvingStore to return 'IND' for Aadhaar documents.
- Ensured that the country code is only fetched from passport metadata for non-Aadhaar documents.

* tweak layout, text, change email to support, hide help button

* fix ci, remove aadhaar logging, add aadhaar events

* remove unused aadhaar tracking events

* update globs

* fix gitguardian config

* don't track id

---------

Co-authored-by: Justin Hernandez <[email protected]>
Co-authored-by: Seshanth.S🐺 <[email protected]>
Co-authored-by: vishal <[email protected]>

* fix aadhaar screen test (#1101)

* add iOS qrcode opener and aadhaar screen

* format

* fix test

* add Image-picker android (#1077)

* add image-picker android

* fix validation

* feat: implement Aadhaar upload success and error screens, enhance AadhaarNavBar with dynamic progress indication

- Added AadhaarUploadedSuccessScreen and AadhaarUploadErrorScreen components for handling upload outcomes.
- Updated AadhaarNavBar to reflect current upload step with dynamic progress bar.
- Integrated new screens into navigation flow for Aadhaar upload process.
- Introduced blue check and warning SVG icons for visual feedback on success and error states.

* feat: generate mock aadhar (#1083)

* feat: generate mock aadhar

* add yarn.lock

* update yarn.lock

* update protocolStore, update types, start modifying provingMachine

* Register mock aadhar (#1093)

* Register mock aadhar

* fix ofac

* temp: generate name

* fix dob

* Add Aadhaar support to ID card component and screens

- Integrated Aadhaar icon and conditional rendering in IdCardLayout.
- Updated AadhaarUploadScreen to process QR codes and store Aadhaar data.
- Modified navigation and button text in AadhaarUploadedSuccessScreen.
- Added mock data generation for Aadhaar in the mobile SDK.
- Updated ManageDocumentsScreen to include Aadhaar document type.
- Enhanced error handling and validation for Aadhaar QR code processing.
- Added utility functions for Aadhaar data extraction and commitment processing.

* aadhaar disclose - wip (#1094)

* fix: timestamp cal of extractQRDataFields

* Feat/aadhar fixes (#1099)

* Fix - android aadhar qr scanner

* fixes

* update text

* yarn nice

* run prettier

* Add mock Aadhaar certificates for development

- Introduced hardcoded Aadhaar test certificates for development purposes.
- Moved Aadhaar mock private and public keys to a dedicated file for better organization.
- Updated the mock ID document generation utility to utilize the new Aadhaar mock certificates.

* prettier write

* add 'add-aadhaar' button (#1100)

* Update .gitleaks.toml to include path for mock certificates in the common/dist directory

* yarn nice

* Enhance Aadhaar error handling with specific error types

- Updated the AadhaarUploadErrorScreen to display different messages based on the error type (general or expired).
- Modified the AadhaarUploadScreen to pass the appropriate error type when navigating to the error screen.
- Set initial parameters for the home screen to include a default error type.

* Update passport handling in proving machine to support Aadhaar document category

- Modified the handling of country code in the useProvingStore to return 'IND' for Aadhaar documents.
- Ensured that the country code is only fetched from passport metadata for non-Aadhaar documents.

* tweak layout, text, change email to support, hide help button

* fix ci, remove aadhaar logging, add aadhaar events

* remove unused aadhaar tracking events

* update globs

* fix gitguardian config

* don't track id

* fix test

---------

Co-authored-by: turnoffthiscomputer <[email protected]>
Co-authored-by: Seshanth.S🐺 <[email protected]>
Co-authored-by: vishal <[email protected]>

---------

Co-authored-by: Justin Hernandez <[email protected]>
Co-authored-by: Nesopie <[email protected]>
Co-authored-by: Aaron DeRuvo <[email protected]>
Co-authored-by: vishal <[email protected]>
Co-authored-by: Leszek Stachowski <[email protected]>
Co-authored-by: Seshanth.S🐺 <[email protected]>
Co-authored-by: seshanthS <[email protected]>
Co-authored-by: Justin Hernandez <[email protected]>
Co-authored-by: Vishalkulkarni45 <[email protected]>
@coderabbitai
Contributor

coderabbitai bot commented Sep 21, 2025

Walkthrough

This PR overhauls CI/CD workflows, adds composite GitHub Actions (cache built deps, clone private Android module), updates Node/Yarn configs, introduces caching across jobs, and expands PR triggers (adds staging). It removes the legacy android-passport-reader module and NFC-related docs, updates Android app config (version bump, dependencies, manifest), and wraps the app with a new FeedbackProvider.

Changes

Cohort / File(s) Summary
AI/Automation Config
/.coderabbit.yaml
Add staging to auto_review base branches.
Cursor Rules & Specs Cleanup
.cursor/rules/technical-specification.mdc, .cursorrules
Remove technical spec and NFC sections from Cursor docs/rules.
Ignore/Secret Scanners
.cursorignore, .gitignore, .gitleaks.toml, .gitleaksignore, .gitguardian.yml
Adjust ignore rules, include private setup script, add mock/test data paths allowlists, refine secret ignore entries.
Repo Tooling
.husky/pre-commit, .prettierignore, .watchmanconfig, .yarnrc.yml, .nvmrc, .vscode/tasks.json
Add license header pre-commit check and VSCode tasks; introduce Prettier ignore; tweak Watchman; enable Yarn global cache/scripts/checksumBehavior; pin Node to 22.12.0.
Composite GitHub Actions (new)
.github/actions/cache-built-deps/action.yml, .github/actions/clone-android-passport-reader/action.yml, .github/actions/mobile-setup/action.yml
Add caching of built deps; add conditional private repo clone with credential scrubbing; refine mobile setup (Yarn flags, unified install, Ruby bundle install).
Core CI Workflows
.github/workflows/common-ci.yml, .github/workflows/workspace-ci.yml
Widen Yarn and build artifact caching; add build:deps; introduce workspace-wide build/type/lint jobs with caching; some checks disabled via if:false.
Mobile CI/Deploy/E2E
.github/workflows/mobile-ci.yml, .github/workflows/mobile-deploy.yml, .github/workflows/mobile-deploy-auto.yml, .github/workflows/mobile-bundle-analysis.yml, .github/workflows/mobile-e2e.yml
Shift to PR triggers incl. staging; add concurrency, Node/Yarn sanitization, caching, build-deps stage; add secret/keystore/provisioning validations; integrate private module clone; restructure iOS/Android builds, add WIF upload; adjust auto-deploy skip; switch runners to macos-latest-large.
Circuits/Contracts/Web/Qrcode CI
.github/workflows/circuits-build.yml, .github/workflows/circuits.yml, .github/workflows/contracts.yml, .github/workflows/npm-publish.yml, .github/workflows/web.yml, .github/workflows/qrcode-sdk-ci.yml
Add staging PR triggers, concurrency, Node version sanitization; modify caching; add contracts change detection and publish job; update web build command; unify to PR-driven CI.
Mobile SDK Demo CI (new)
.github/workflows/mobile-sdk-demo-ci.yml
Add PR workflow to test/build packages/mobile-sdk-alpha/demo-app.
App: RN/Docs/ESLint
app/App.tsx, app/.eslintrc.cjs, app/README.md, app/AGENTS.md, README.md
Wrap AppNavigation with FeedbackProvider; adjust ESLint (imports, disable header/no-console); update Node>=22 and platform setup docs; remove NFC doc references and NFC checklist items; note staging PR guidance.
Android App Config
app/android/app/build.gradle, app/android/app/src/main/AndroidManifest.xml
Bump versionCode 85→99 and versionName 2.6.4→2.6.5; set jniLibs.useLegacyPackaging=false; upgrade org.jmrtd to 0.7.35; add androidx.activity deps; add PhotoPickerActivity and Google ModuleDependencies service; android:extractNativeLibs="false"; remove MainActivity orientation.
Remove legacy android-passport-reader module
app/android/android-passport-reader/**
Delete entire module: Gradle wrapper/config, sources (activities/fragments/utils/data/models), validators, views, network, trust store/cert utilities, layouts, drawables, fonts, tests, and manifests.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev
  participant WF as GitHub Workflow
  participant CBA as cache-built-deps (composite)
  participant Cache as Actions Cache
  participant Build as Yarn build:deps

  Dev->>WF: PR opened (dev/staging/main)
  WF->>CBA: Run composite with cache-version
  CBA->>Cache: Restore common/dist, mobile-sdk-alpha/dist
  alt Cache hit
    CBA-->>WF: outputs.cache-hit = true
    WF-->>Build: Skip build deps
  else Cache miss
    WF->>Build: yarn workspace @selfxyz/mobile-app run build:deps
    Build-->>WF: dist artifacts created
    WF->>Cache: Save dist paths with key
  end
sequenceDiagram
  autonumber
  actor WF as Mobile CI/Deploy
  participant Clone as clone-android-passport-reader
  participant PAT as Secrets
  participant Repo as android-passport-reader repo

  WF->>Clone: Run composite (working_directory=app)
  alt PAT provided
    Clone->>Repo: git clone using PAT (shallow)
    Clone->>Repo: scrub remote to public origin
    Clone-->>WF: Completed
  else No PAT
    Clone-->>WF: Skip cloning (log)
  end

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120+ minutes

Possibly related PRs

Suggested labels

codex

Suggested reviewers

  • aaronmgdr
  • remicolin

Poem

Pipelines hum, caches prime the run,
Staging joins the chorus, jobs align as one.
Old NFC paths fade into the night,
New bots clone and build with tidy might.
Version ticks forward—99 in sight—
Ship it, with checks aglow, green light.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title "Update main with staging 09/21/25" accurately reflects the PR's intent—bringing staging into main—and matches the PR metadata (source: staging, target: main). It is concise and specific enough for someone scanning history, though using "Merge" instead of "Update" would be slightly clearer; the included date is acceptable.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

@gitguardian

gitguardian bot commented Sep 21, 2025

⚠️ GitGuardian has uncovered 10 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
GitGuardian id | GitGuardian status | Secret              | Commit  | Filename
20511340       | Triggered          | Generic Private Key | ec732da | common/src/mock_certificates/sha256_rsa_130689_4096/mock_csca.key
20511341       | Triggered          | Generic Private Key | ec732da | common/src/mock_certificates/sha1_rsa_64321_4096/mock_csca.key
20511342       | Triggered          | Generic Private Key | ec732da | common/src/mock_certificates/sha256_rsa_107903_4096/mock_dsc.key
20511343       | Triggered          | Generic Private Key | ec732da | common/src/constants/mockCertificates.ts
20511344       | Triggered          | Generic Private Key | ec732da | common/src/mock_certificates/sha256_rsa_130689_4096/mock_dsc.key
20511345       | Triggered          | Generic Private Key | ec732da | common/src/mock_certificates/sha256_rsa_56611_4096/mock_dsc.key
20511346       | Triggered          | Generic Private Key | ec732da | common/src/mock_certificates/sha256_rsa_107903_4096/mock_csca.key
20511347       | Triggered          | Generic Private Key | ec732da | common/src/constants/mockCertificates.ts
20511348       | Triggered          | Generic Private Key | ec732da | common/src/mock_certificates/sha256_rsa_122125_4096/mock_csca.key
20511349       | Triggered          | Generic Private Key | ec732da | common/src/mock_certificates/sha256_rsa_56611_4096/mock_csca.key
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
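The ten findings above are PEM private keys committed under common/src/mock_certificates and in mockCertificates.ts. A scan for exactly that class of file, run from a pre-commit hook such as the .husky/pre-commit discussed in this PR, catches it before the push that triggers GitGuardian. The script below is an added example for this page, not code from the repository, GitGuardian or CodeRabbit; it assumes POSIX sh with find, grep -E and mktemp, and runs over a constructed sample tree with placeholder PEM bodies. Paths under a mock_certificates/ directory are labelled as fixtures rather than silently dropped: a fixture directory is where this PR's findings live, and whether such keys stay in the tree is a decision for the remediation steps listed above, not for the scanner.

```shell
#!/bin/sh
# Added example, not code from the PR: a pre-commit style scan for PEM private keys.
# Assumes POSIX sh plus find, grep -E and mktemp; no network or git needed.

# Header lines that open PKCS#1, PKCS#8, EC, DSA, OpenSSH and encrypted PEM private keys.
PRIVATE_KEY_PATTERN='-----BEGIN ((RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----'

# list_private_key_files DIR: print every text file under DIR whose content carries a
# private-key header; .git and node_modules are skipped, binaries (-I) are ignored.
# The pattern starts with '-', so it must be passed via -e or grep reads it as an option.
list_private_key_files() {
  find "$1" -type f ! -path '*/.git/*' ! -path '*/node_modules/*' \
    -exec grep -IlE -e "$PRIVATE_KEY_PATTERN" {} + 2>/dev/null | sort
}

# classify_path PATH: "fixture" for mock-certificate trees, "secret" for anything else.
# This labels, it does not allow-list: fixtures are still reported and still fail the scan.
classify_path() {
  case $1 in
    */mock_certificates/*) printf 'fixture' ;;
    *) printf 'secret' ;;
  esac
}

# scan_private_keys DIR: one "<class><TAB><path>" line per finding; returns 1 if anything
# was found and 0 for a clean tree, so a hook can use `scan_private_keys . || exit 1`.
scan_private_keys() {
  found=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    printf '%s\t%s\n' "$(classify_path "$f")" "$f"
    found=1
  done <<EOF
$(list_private_key_files "$1")
EOF
  return "$found"
}

# make_sample_tree: build a constructed repository layout and print its path.
# The PEM bodies are placeholders, not real key material.
make_sample_tree() {
  d=$(mktemp -d "${TMPDIR:-/tmp}/keyscan.XXXXXX")
  mkdir -p "$d/common/src/mock_certificates/sample" "$d/app/src"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'MIIE-constructed-placeholder-not-a-key' \
    '-----END RSA PRIVATE KEY-----' > "$d/common/src/mock_certificates/sample/mock_csca.key"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'b3BlbnNzaC1rZXk-constructed-placeholder' \
    '-----END OPENSSH PRIVATE KEY-----' > "$d/app/src/deploy_key"
  # A source file that merely mentions keys must not match.
  printf '%s\n' 'const note = "rotate the signing PRIVATE KEY quarterly";' > "$d/app/src/index.ts"
  printf '%s\n' "$d"
}

# demo: scan the constructed tree, print the findings, clean up, keep the scan's status.
demo() {
  tree=$(make_sample_tree)
  scan_private_keys "$tree"
  rc=$?
  rm -rf "$tree"
  return "$rc"
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

Run with `sh scan.sh demo` to see the two findings on the constructed tree (one labelled fixture, one secret), or call `scan_private_keys .` from the hook. Detection by header is deliberately narrow: it will not find keys stored as raw base64 in TypeScript constants, which is why a dedicated scanner such as the gitleaks step already in the hook stays necessary.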


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (12)
.husky/pre-commit (1)

1-5: Add Husky shebang and init to ensure the hook actually runs

Without the standard Husky shebang and init, the hook may not execute or may miss PATH setup for Yarn/Node on some environments.

+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+set -e
 if ! yarn gitleaks; then
   echo "❌ Gitleaks scan failed. Please review the output above and fix any issues."
   echo "💡 To skip this check temporarily, use: git commit --no-verify"
   exit 1
 fi
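Review bot: the two added lines `#!/usr/bin/env sh` and `. "$(dirname -- "$0")/_/husky.sh"` are the Husky v4 to v8 preamble; Husky v9 prints a deprecation warning for them and v10 removes `_/husky.sh`, so check the husky version pinned in package.json before adding them, or every commit will fail with a missing-file error after the upgrade. `set -e` is fine where it is: the `if ! yarn gitleaks` test does not trip errexit.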
app/android/app/src/main/AndroidManifest.xml (2)

8-8: Remove ACCESS_SURFACE_FLINGER permission (privileged; Play will flag it)

This is a signature/privileged permission not granted to third‑party apps and commonly triggers Play Console policy warnings/rejections.

Apply:

-    <uses-permission android:name="android.permission.ACCESS_SURFACE_FLINGER" />

9-9: NFC permission/metadata remain but NFC module was removed in this PR

Per PR summary, NFC flows were removed. Keeping NFC permission and TECH_DISCOVERED metadata increases attack surface and may confuse Play’s permission declarations.

Apply:

-    <uses-permission android:name="android.permission.NFC" />
...
-      <meta-data
-        android:name="android.nfc.action.TECH_DISCOVERED"
-        android:resource="@xml/nfc_tech_filter" />
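Review bot: removing this `<meta-data>` leaves the `@xml/nfc_tech_filter` resource it points at, and, if the activity also declares a TECH_DISCOVERED `<intent-filter>` (the "Also applies to: 48-51" range is where to check), a dangling filter with no tech list; delete those together with the permission so the manifest matches the removed NFC module rather than half of it.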

If NFC is still needed elsewhere, ignore this.

Also applies to: 48-51

.github/workflows/qrcode-sdk-ci.yml (1)

51-63: Replace direct actions/cache with shared cache-yarn composite per guidelines.

Our guidelines forbid calling actions/cache directly in workflows; use ./.github/actions/cache-yarn and pass cache-version for stable keys.

Apply (and replicate for each job):

-      - name: Cache Yarn dependencies
-        id: yarn-cache
-        uses: actions/cache@v4
-        with:
-          path: |
-            .yarn/cache
-            node_modules
-            sdk/qrcode/node_modules
-            common/node_modules
-          key: ${{ runner.os }}-${{ env.GH_YARN_CACHE_VERSION }}-node-${{ env.NODE_VERSION_SANITIZED }}-yarn-${{ hashFiles('yarn.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-${{ env.GH_YARN_CACHE_VERSION }}-node-${{ env.NODE_VERSION_SANITIZED }}-yarn-
+      - name: Cache Yarn dependencies
+        uses: ./.github/actions/cache-yarn
+        with:
+          path: |
+            .yarn/cache
+            node_modules
+            sdk/qrcode/node_modules
+            common/node_modules
+          cache-version: ${{ env.GH_YARN_CACHE_VERSION }}
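Review bot: the old key embedded `env.NODE_VERSION_SANITIZED`, but the replacement passes only `path` and `cache-version` to `./.github/actions/cache-yarn`; unless the composite derives the Node version itself, caches built under different Node versions share one key and `node_modules` with native addons compiled for the wrong ABI can be restored. Pass the Node version as an input (the mobile-bundle-analysis suggestion further down does pass `node-version`) or confirm the composite includes it in its key.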

Also applies to: 109-121, 176-188, 236-248

.github/actions/mobile-setup/action.yml (1)

61-63: Avoid hardcoding Yarn 4.6.0; honor repo‑pinned Yarn via Corepack.

Prefer using the repo’s committed Yarn binary (yarnPath) or “corepack use” to the version from .yarn/releases/. Hardcoding risks drift vs local dev.

Apply this diff:

-        corepack enable
-        yarn set version 4.6.0
+        corepack enable
+        # Use the repo-pinned Yarn (from .yarn/releases) if present; otherwise fall back to Corepack default
+        if [ -f ".yarn/releases" ] && ls .yarn/releases/yarn-*.cjs >/dev/null 2>&1; then
+          echo "Using repo-pinned Yarn binary"
+        else
+          echo "No pinned Yarn found; using Corepack default"
+          corepack prepare yarn@stable --activate
+        fi
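Review bot: `[ -f ".yarn/releases" ]` tests for a regular file, but `.yarn/releases` is a directory, so the condition is always false and every run falls through to `corepack prepare yarn@stable --activate`, a floating version that reintroduces the drift the comment sets out to avoid. Use `-d`, and prefer plain `corepack enable` so the `packageManager` field (or `yarnPath` in .yarnrc.yml) pins the exact version.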
.github/workflows/contracts.yml (1)

51-55: Tests are disabled (if: false) — re‑enable or gate intentionally.

Merging to main without contract tests is risky. Either re‑enable now or gate with a flag/branch condition and run in staging at minimum.

Apply this diff to re‑enable:

-      - name: Run Tests (Contracts)
-        working-directory: ./contracts
-        # skip until they get fixed
-        if: false
-        run: yarn test
+      - name: Run Tests (Contracts)
+        working-directory: ./contracts
+        run: yarn test

If still flaky, consider:

  • continue-on-error: true on staging only, or
  • matrix to run a fast subset on main.
app/README.md (1)

203-209: Replace ChatGPT share link with an official Apple source (blocking onboarding).

The “Find your development team id” link points to a ChatGPT share, which is non‑canonical and may break. Replace it with an official Apple Developer/Xcode reference or add brief inline steps (e.g., Xcode → Settings/Preferences → Accounts → Team ID). This blocks iOS contributors if the link is inaccessible.

- Find your [development team id](https://chat.openai.com/share/9d52c37f-d9da-4a62-acb9-9e4ee8179f95) and run:
+ Find your development team ID (via Apple Developer portal or Xcode: Settings/Preferences → Accounts → select team to view Team ID), then run:
.github/workflows/web.yml (1)

18-26: Pin Node to .nvmrc (avoid silent Node 20 on ubuntu-latest).

This workflow doesn’t set up Node explicitly. On ubuntu-latest, the default is Node 20, which can break Yarn v4/PNP or builds expecting 22.12.0 from .nvmrc. Add setup-node with node-version-file before installing/building.

       - uses: actions/checkout@v4
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
       - name: Install Dependencies
         uses: ./.github/actions/yarn-install
.github/workflows/npm-publish.yml (2)

8-11: Add contracts/package.json to push path filters or contracts will never auto‑publish.

You introduced publish-contracts but didn’t include contracts/package.json in the on.push.paths. The workflow won’t trigger on contracts version bumps unless manually dispatched.

   push:
     branches:
       - dev
     paths:
       - "sdk/core/package.json"
       - "sdk/qrcode/package.json"
       - "common/package.json"
+      - "contracts/package.json"

26-49: Use the full push range for change detection (HEAD^ misses prior commits in a multi‑commit push).

Comparing only HEAD^..HEAD can miss version bumps if multiple commits are pushed together. Use the push event range (github.event.before → github.sha). Keep workflow_dispatch override.

-          git diff HEAD^ HEAD --name-only | grep -q "sdk/core/package.json" && echo "core_changed=true" >> $GITHUB_OUTPUT || echo "core_changed=false" >> $GITHUB_OUTPUT
-          git diff HEAD^ HEAD --name-only | grep -q "sdk/qrcode/package.json" && echo "qrcode_changed=true" >> $GITHUB_OUTPUT || echo "qrcode_changed=false" >> $GITHUB_OUTPUT
-          git diff HEAD^ HEAD --name-only | grep -q "common/package.json" && echo "common_changed=true" >> $GITHUB_OUTPUT || echo "common_changed=false" >> $GITHUB_OUTPUT
+          RANGE_START="${{ github.event.before }}"
+          RANGE_END="${{ github.sha }}"
+          DIFF_CMD="git diff --name-only ${RANGE_START} ${RANGE_END}"
+          $DIFF_CMD | grep -q "sdk/core/package.json" && echo "core_changed=true" >> $GITHUB_OUTPUT || echo "core_changed=false" >> $GITHUB_OUTPUT
+          $DIFF_CMD | grep -q "sdk/qrcode/package.json" && echo "qrcode_changed=true" >> $GITHUB_OUTPUT || echo "qrcode_changed=false" >> $GITHUB_OUTPUT
+          $DIFF_CMD | grep -q "common/package.json" && echo "common_changed=true" >> $GITHUB_OUTPUT || echo "common_changed=false" >> $GITHUB_OUTPUT
 
           # check if it was dispatched manually as well
           if git diff HEAD^ HEAD -- sdk/core/package.json | grep -q '"version":' || [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
             echo "core_changed=true" >> $GITHUB_OUTPUT
           fi
@@
-          if git diff HEAD^ HEAD -- contracts/package.json | grep -q '"version":' || [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+          if $DIFF_CMD | grep -q "contracts/package.json" || [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
             echo "contracts_changed=true" >> $GITHUB_OUTPUT
           fi
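Review bot: `github.event.before` is the all-zero SHA on the first push of a new branch and empty under `workflow_dispatch`, so `git diff --name-only ${RANGE_START} ${RANGE_END}` fails in both cases; guard for them and fall back to `HEAD^`. The range also requires `actions/checkout` with `fetch-depth: 0`, since the default depth of 1 does not contain the `before` commit. Finally, the unchanged context lines still run `git diff HEAD^ HEAD -- sdk/core/package.json`, so the old single-commit check survives alongside the new range check.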
.github/workflows/mobile-bundle-analysis.yml (1)

41-66: Replace direct actions/cache with shared composite cache actions

Repo guidelines require ./.github/actions/{cache-yarn,cache-bundler,cache-gradle,cache-pods}. Swap out actions/cache to avoid drift and ensure consistent keys.

Apply representative diffs (Android job):

-      - name: Cache Node Modules
-        uses: actions/cache@v4
-        with:
-          path: |
-            .yarn/cache
-            node_modules
-            app/node_modules
-          key: ${{ runner.os }}-node-${{ env.NODE_VERSION_SANITIZED }}-yarn-${{ hashFiles('yarn.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-node-${{ env.NODE_VERSION_SANITIZED }}-yarn-
+      - name: Cache Yarn
+        uses: ./.github/actions/cache-yarn
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache-version: ${{ vars.GH_CACHE_VERSION }}

-      - name: Cache Ruby Bundler
-        uses: actions/cache@v4
-        with:
-          path: app/vendor/bundle
-          key: ${{ runner.os }}-ruby${{ env.RUBY_VERSION }}-gems-${{ hashFiles('app/Gemfile.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-ruby${{ env.RUBY_VERSION }}-gems-
+      - name: Cache Bundler
+        uses: ./.github/actions/cache-bundler
+        with:
+          ruby-version: ${{ env.RUBY_VERSION }}
+          cache-version: ${{ vars.GH_CACHE_VERSION }}

-      - name: Cache Gradle
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.gradle/caches
-            ~/.gradle/wrapper
-          key: ${{ runner.os }}-gradle-${{ hashFiles('app/android/**/gradle-wrapper.properties', 'app/android/**/gradle-wrapper.jar') }}
-          restore-keys: |
-            ${{ runner.os }}-gradle-
+      - name: Cache Gradle
+        uses: ./.github/actions/cache-gradle
+        with:
+          cache-version: ${{ vars.GH_CACHE_VERSION }}

(iOS job):

-      - name: Cache Node Modules
-        uses: actions/cache@v4
+      - name: Cache Yarn
+        uses: ./.github/actions/cache-yarn
         with:
-          path: |
-            .yarn/cache
-            node_modules
-            app/node_modules
-          key: ${{ runner.os }}-node${{ env.NODE_VERSION }}-yarn-${{ hashFiles('yarn.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-node${{ env.NODE_VERSION }}-yarn-
+          node-version: ${{ env.NODE_VERSION }}
+          cache-version: ${{ vars.GH_CACHE_VERSION }}

-      - name: Cache Ruby Bundler
-        uses: actions/cache@v4
+      - name: Cache Bundler
+        uses: ./.github/actions/cache-bundler
         with:
-          path: app/vendor/bundle
-          key: ${{ runner.os }}-ruby${{ env.RUBY_VERSION }}-gems-${{ hashFiles('app/Gemfile.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-ruby${{ env.RUBY_VERSION }}-gems-
+          ruby-version: ${{ env.RUBY_VERSION }}
+          cache-version: ${{ vars.GH_CACHE_VERSION }}

-      - name: Cache CocoaPods
-        uses: actions/cache@v4
-        with:
-          path: app/ios/Pods
-          key: ${{ runner.os }}-pods-${{ hashFiles('app/ios/Podfile.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-pods-
+      - name: Cache CocoaPods
+        uses: ./.github/actions/cache-pods
+        with:
+          cache-version: ${{ vars.GH_CACHE_VERSION }}
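Review bot: `vars.GH_CACHE_VERSION` expands to an empty string when the repository variable is not defined, which yields keys with a blank version segment and no error; the qrcode-sdk-ci suggestion above uses `env.GH_YARN_CACHE_VERSION` for the same purpose, so pick one source. The Gradle and CocoaPods replacements also drop the lockfile hashes (`gradle-wrapper.properties`, `Podfile.lock`) from the visible inputs; confirm the composites compute those internally, otherwise stale caches will be restored on a hit.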

Note: Based on retrieved learnings for this repo’s workflows to use shared composite caching actions.

Also applies to: 104-127

.github/workflows/circuits.yml (1)

37-43: Policy: stop using actions/cache directly; wrap tool cache in a shared composite.

Repo guidelines require composite caching actions from .github/actions. Circom binary caching uses actions/cache restore/save directly here. Standardize via a small composite (e.g., .github/actions/cache-file) so keys/versioning are uniform and auditable.

I can draft a minimal composite that accepts key, path, and optional restore-only behavior and update these two steps accordingly. Want me to open a PR stub?

Also applies to: 91-97

🧹 Nitpick comments (16)
.husky/pre-commit (1)

6-15: Scope license header check to staged files to avoid scanning the whole repo on every commit

Current approach scales poorly in large workspaces and slows developers down. Limit to staged files and exclude heavy/vendor dirs.

-# Check license headers
-echo "🔍 Checking license headers..."
-if ! node scripts/check-license-headers.mjs --check; then
-  echo "❌ License header check failed. Please review the output above and fix any issues."
-  echo "💡 You can auto-fix some issues with: node scripts/check-license-headers.mjs --fix"
-  echo "💡 To skip this check temporarily, use: git commit --no-verify"
-  exit 1
-fi
+# Check license headers (staged files only)
+echo "🔍 Checking license headers for staged files..."
+# Collect only relevant staged files and ignore heavy/vendor paths
+CHANGED_FILES="$(git diff --name-only --cached \
+  | grep -E '\.(ts|tsx|js|jsx|mjs|cjs|json|yml|yaml|java|kt|kts|gradle|xml|sh|sol|swift|m|mm|c|cc|cpp|h|hpp|go|rb|py)$' \
+  | grep -Ev '^(node_modules|dist|build|ios/Pods|android/(\.gradle|build)|\.yarn|\.git)/' || true)"
+
+if [ -z "$CHANGED_FILES" ]; then
+  echo "ℹ️ No relevant staged changes; skipping license header check."
+else
+  # Note: if the checker supports file args, pass them; otherwise consider adding such support.
+  if ! node scripts/check-license-headers.mjs --check $CHANGED_FILES; then
+    echo "❌ License header check failed. Please review the output above and fix any issues."
+    echo "💡 You can auto-fix some issues with: node scripts/check-license-headers.mjs --fix"
+    echo "💡 To skip this check temporarily, use: git commit --no-verify"
+    exit 1
+  fi
+fi
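Review bot: the exclusion regex is anchored with `^`, so it only drops paths at the repository root; in this monorepo the app lives under `app/`, meaning `app/node_modules/...` or `app/ios/Pods/...` still reach the checker. Use `(^|/)` in place of `^`. `$CHANGED_FILES` is also expanded unquoted, so a staged path containing a space splits into two arguments; `git diff --cached --name-only -z` with `xargs -0` avoids that.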

If the checker does not accept file paths, I can help add support or wrap it to read from stdin to keep this fast.

app/android/app/src/main/AndroidManifest.xml (2)

86-90: PhotoPickerActivity is non‑exported: verify screen privacy for user photos

Translucent UIs can be captured by screenshots/recents. If this screen previews user photos or sensitive thumbnails, set FLAG_SECURE at runtime to prevent unintended capture.

Example (in onCreate):

+getWindow().setFlags(
+    android.view.WindowManager.LayoutParams.FLAG_SECURE,
+    android.view.WindowManager.LayoutParams.FLAG_SECURE
+);

12-12: RECEIVE_BOOT_COMPLETED: remove permission or add BootReceiver

Manifest declares RECEIVE_BOOT_COMPLETED but no <receiver> / BroadcastReceiver implementation exists in the repo — remove the permission from app/android/app/src/main/AndroidManifest.xml unless a third‑party library requires it; if you need boot handling, add an enabled <receiver> and implement the BroadcastReceiver.

    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
.github/workflows/qrcode-sdk-ci.yml (1)

29-42: DRY the “read .nvmrc” logic into a reusable step/action.

The same bash block repeats across jobs; consider a tiny composite action that exports NODE_VERSION and NODE_VERSION_SANITIZED to cut duplication and errors.

Also applies to: 87-100, 154-167, 214-227

.github/actions/mobile-setup/action.yml (1)

83-103: Ruby install step is robust.

Deployment mode + clear failure guidance is solid. Consider caching gems via our composite cache-bundler in workflows for speed.

.github/workflows/workspace-ci.yml (1)

3-14: Avoid duplicate runs on push + pull_request to the same branches.

PRs from dev/staging can double-trigger (push and PR). Add concurrency and/or drop push for PR branches to save minutes.

Apply:

 name: Workspace CI
 
 on:
   pull_request:
     branches:
       - dev
       - staging
       - main
-  push:
-    branches:
-      - dev
-      - staging
-      - main
+
+concurrency:
+  group: workspace-ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
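Review bot: deleting the `push` trigger altogether means `main` and `staging` never get a post-merge run of Workspace CI, so a change that passes on the PR but breaks once rebased onto the target branch goes unnoticed. Keep `push` for the protected branches and let the added `concurrency` block, which already cancels superseded runs per ref, take care of the double trigger.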
app/README.md (1)

113-121: Fix markdown fenced code languages to satisfy lint and improve DX.

Several code fences lack a language hint (MD040). If your CI runs markdownlint, this can fail the build. Add “bash” to CLI snippets.

-```
+```bash
 adb pair PHONE_IP:PAIRING_PORT PAIRING_CODE

- +bash
adb connect PHONE_IP:DEVELOPMENT_PORT


-```
+```bash
sdk.dir=/path/to/your/android/sdk

- +bash
echo sdk.dir=$ANDROID_HOME > android/local.properties


-```
+```bash
cd ios
pod install


Also applies to: 127-135, 158-161

.github/workflows/circuits-build.yml (1)

131-133: Use Corepack for Yarn v4 to avoid version drift across runners.

Installing Yarn globally via npm can mismatch the repo’s intended Yarn version and PnP settings. Use Corepack to pin Yarn from the repo (aligns with your guidelines).

-      - name: Install Yarn
-        run: npm i -g yarn
+      - name: Enable Corepack (Yarn v4)
+        run: |
+          corepack enable
+          corepack prepare yarn@stable --activate
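Review bot: `corepack prepare yarn@stable --activate` pins nothing: `stable` resolves to whichever Yarn release is current when the job runs, so the drift described in the comment is not avoided. `corepack enable` on its own makes Corepack honour the `packageManager` field in package.json; if an explicit prepare is wanted, give it the exact version the repo pins (4.6.0, as mobile-setup and mobile-ci already do).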
.github/workflows/common-ci.yml (2)

38-45: Ensure consistency in Yarn cache configuration.

The cache configuration is duplicated across jobs with identical paths and cache-version. Consider if this could be consolidated or if different cache keys are intentionally used for job isolation.

Consider extracting the common cache configuration to reduce duplication:

# Could define as a workflow-level environment variable or use a matrix strategy
env:
  YARN_CACHE_PATHS: |
    .yarn/cache
    node_modules
    common/node_modules
  YARN_CACHE_VERSION: v1

Also applies to: 58-65, 92-99


80-81: Add validation for mobile-sdk-alpha build output.

The mobile-sdk-alpha build step runs unconditionally in the type-check and test jobs. Consider adding verification that the build artifacts were created successfully.

Add verification after the build step:

 - name: Build @selfxyz/mobile-sdk-alpha
   run: yarn workspace @selfxyz/mobile-sdk-alpha build
+  - name: Verify mobile-sdk-alpha build artifacts
+    run: |
+      if [ ! -f "packages/mobile-sdk-alpha/dist/index.js" ]; then
+        echo "❌ Mobile SDK build artifacts not found"
+        exit 1
+      fi
+      echo "✅ Mobile SDK build artifacts verified"
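Review bot: `packages/mobile-sdk-alpha/dist/index.js` is an assumed output path; nothing in this review shows the package's `main`/`exports` or its build layout, and a package that emits ESM and CJS under different filenames would fail this check while being correctly built. Derive the path from the package manifest (for example `node -p "require('./package.json').main"` in the package directory) or assert that the output directory is non-empty.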
.github/workflows/mobile-ci.yml (2)

59-63: Inconsistent Yarn version specification.

Line 62 hardcodes yarn@4.6.0 while other parts reference environment variables. Consider using a consistent approach across all workflows for maintainability.

Define Yarn version consistently:

+env:
+  YARN_VERSION: "4.6.0"
+
 - name: Activate Yarn 4.6.0
-  run: corepack prepare [email protected] --activate
+  run: corepack prepare yarn@${{ env.YARN_VERSION }} --activate
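Review bot: the added `env:` block is placed at the same indentation as the `- name:` step item, where it is not valid YAML for a workflow: `env` is a job- or workflow-level key, or a per-step key nested under the step. Move it up to the job or workflow level. The `[email protected]` on the `- run:` line is a rendering artefact of `yarn@4.6.0`, which the step name "Activate Yarn 4.6.0" confirms.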

Also applies to: 119-119, 225-225


135-180: Excessive debug logging in production CI.

The extensive debugging output (Lines 135-180) includes detailed file system checks and verbose logging. While helpful during development, this creates noise in production CI logs.

Consider conditioning debug output on a debug flag:

 - name: Debug Cache Restoration
+  if: env.CI_DEBUG == 'true'
   run: |
     echo "Cache hit: ${{ steps.built-deps.outputs.cache-hit }}"
.github/workflows/mobile-e2e.yml (1)

219-229: Inconsistent dependency installation patterns.

The iOS workflow repeats the same fork detection pattern as Android but with different step names and slight variations. Consider consistency improvements.

Extract the fork detection logic into a reusable composite action to ensure consistent behavior across platforms.

.github/workflows/mobile-bundle-analysis.yml (1)

20-20: Verify “macos-latest-large” entitlement and plan limits

Large macOS hosted runners require org enablement; if unavailable, jobs will queue/fail. Confirm availability and cost, or add a fallback.

Optional hardening outside this hunk:

+concurrency:
+  group: mobile-bundle-analysis-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read

Also applies to: 83-83

app/android/app/build.gradle (1)

220-222: Remove redundant dependency; keep only activity-ktx

activity-ktx already pulls in the base activity artifact — remove the explicit activity implementation to avoid duplicate artifacts and version skew. (mvnrepository.com)

-    implementation "androidx.activity:activity:1.9.3"
     implementation "androidx.activity:activity-ktx:1.9.3"

Activity 1.9.x requires compileSdk >= 34. (stackoverflow.com)

  • app root: app/android/build.gradle -> compileSdk = 35 (OK).
  • module to check: app/android/react-native-passport-reader/android/build.gradle -> compileSdkVersion 33 — bump that module to >=34 if you encounter AAR/metadata errors.
.github/workflows/circuits.yml (1)

118-122: Switch setup-node to read .nvmrc (avoid hardcoded node-version: 22)

.github/actions/yarn-install/action.yml currently calls actions/setup-node@v4 with node-version: 22 (line ~25). Hardcoding risks drift from the repo .nvmrc; update the composite to use node-version-file: .nvmrc, or add an explicit actions/setup-node@v4 step in .github/workflows/circuits.yml (lines 118–122) with node-version-file: .nvmrc to guarantee the workflow uses the repository Node version and avoid native build/workspace resolution issues.

Comment on lines +34 to +42
if git clone --depth 1 --quiet "https://${{ inputs.selfxyz_internal_pat }}@github.com/selfxyz/android-passport-reader.git"; then
echo "✅ android-passport-reader cloned successfully"
# Immediately scrub the credential from remote URL for security
git -C android-passport-reader remote set-url origin https://github.com/selfxyz/android-passport-reader.git || true
else
echo "❌ Failed to clone android-passport-reader"
echo "Please ensure a valid SELFXYZ internal PAT is provided to this action"
exit 1
fi

⚠️ Potential issue

Critical security concern: PAT exposure in git clone URL.

The PAT is embedded directly in the git clone URL, which could potentially expose it in logs or process lists. While you do scrub the credential afterward, this creates a window of vulnerability.

Consider using git credential helper or environment variables:

-          # Clone using PAT (embed temporarily, then scrub)
-          if git clone --depth 1 --quiet "https://${{ inputs.selfxyz_internal_pat }}@github.com/selfxyz/android-passport-reader.git"; then
+          # Configure git credential helper temporarily
+          git config --global credential.helper store
+          echo "https://${{ inputs.selfxyz_internal_pat }}@github.com" > ~/.git-credentials
+          
+          if git clone --depth 1 --quiet https://github.com/selfxyz/android-passport-reader.git; then
             echo "✅ android-passport-reader cloned successfully"
-            # Immediately scrub the credential from remote URL for security
-            git -C android-passport-reader remote set-url origin https://github.com/selfxyz/android-passport-reader.git || true
+            # Clean up credentials
+            rm -f ~/.git-credentials
+            git config --global --unset credential.helper
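Review bot: `credential.helper store` with `echo "https://${{ inputs.selfxyz_internal_pat }}@github.com" > ~/.git-credentials` moves the token from a URL in argv into a plaintext file on the runner, and the `echo` still receives the interpolated token as an argument, so the exposure the comment describes is relocated rather than removed. The cleanup (`rm -f ~/.git-credentials`, `--unset credential.helper`) also sits only in the success branch, so a failed clone leaves the file behind. Hand the token to git through `GIT_ASKPASS` or an `http.extraheader` built from an environment variable, and remove the helper on both branches.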
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if git clone --depth 1 --quiet "https://${{ inputs.selfxyz_internal_pat }}@github.com/selfxyz/android-passport-reader.git"; then
echo "✅ android-passport-reader cloned successfully"
# Immediately scrub the credential from remote URL for security
git -C android-passport-reader remote set-url origin https://github.com/selfxyz/android-passport-reader.git || true
else
echo "❌ Failed to clone android-passport-reader"
echo "Please ensure a valid SELFXYZ internal PAT is provided to this action"
exit 1
fi
git config --global credential.helper store
echo "https://${{ inputs.selfxyz_internal_pat }}@github.com" > ~/.git-credentials
if git clone --depth 1 --quiet https://github.com/selfxyz/android-passport-reader.git; then
echo "✅ android-passport-reader cloned successfully"
# Clean up credentials
rm -f ~/.git-credentials
git config --global --unset credential.helper
else
echo "❌ Failed to clone android-passport-reader"
echo "Please ensure a valid SELFXYZ internal PAT is provided to this action"
exit 1
fi
🤖 Prompt for AI Agents
.github/actions/clone-android-passport-reader/action.yml lines 34-42: avoid
embedding the PAT directly in the clone URL; instead remove the token from the
URL and supply credentials via a non-URL mechanism (e.g., configure git to use
an in-memory credential helper or supply an auth header). Replace the current
git clone call with one that does not include the token and either (a) use git
-c http.extraheader="AUTHORIZATION: bearer $TOKEN" clone
https://github.com/selfxyz/android-passport-reader.git, or (b) use GIT_ASKPASS
or a temporary credential helper to provide the PAT to git (approve the
credential then immediately clear it), and ensure you scrub or unset the
environment variable after use so the token never appears in process args or
logs.

Comment on lines +73 to 75
env:
SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
- name: Build dependencies

⚠️ Potential issue

🧩 Analysis chain

Avoid exposing PAT as a raw environment variable in steps

Passing SELFXYZ_INTERNAL_REPO_PAT via env increases accidental log exposure risk within the composite action. Prefer passing as an input and exporting only within the composite scope; ensure read-only, fine‑grained PAT.

Apply:

       - name: Install Mobile Dependencies
         uses: ./.github/actions/mobile-setup
         with:
           app_path: ${{ env.APP_PATH }}
           node_version: ${{ env.NODE_VERSION }}
           ruby_version: ${{ env.RUBY_VERSION }}
           workspace: ${{ env.WORKSPACE }}
-        env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          internal_repo_pat: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}

And ensure .github/actions/mobile-setup/action.yml defines:

inputs:
  internal_repo_pat:
    required: false
    description: Fine-grained PAT for private read access
runs:
  using: composite
  steps:
    - name: Export token
      shell: bash
      run: echo "SELFXYZ_INTERNAL_REPO_PAT=${{ inputs.internal_repo_pat }}" >> "$GITHUB_ENV"

Please confirm the composite doesn’t echo the token, uses HTTPS with token headers, and avoids set -x.

Also applies to: 134-136


🏁 Script executed:

#!/bin/bash
set -euox pipefail

echo "1) Searching repo for SELFXYZ_INTERNAL_REPO_PAT occurrences..."
if command -v rg >/dev/null 2>&1; then
  rg -nS "SELFXYZ_INTERNAL_REPO_PAT" || true
else
  grep -RIn --exclude-dir=.git "SELFXYZ_INTERNAL_REPO_PAT" . || true
fi

echo "----"
echo "2) Show .github/workflows/mobile-bundle-analysis.yml around lines 60-95 (if present)"
if [ -f .github/workflows/mobile-bundle-analysis.yml ]; then
  nl -ba .github/workflows/mobile-bundle-analysis.yml | sed -n '60,95p'
else
  echo "file not found: .github/workflows/mobile-bundle-analysis.yml"
fi

echo "----"
echo "3) Show .github/actions/mobile-setup/action.yml (if present)"
if [ -f .github/actions/mobile-setup/action.yml ]; then
  nl -ba .github/actions/mobile-setup/action.yml | sed -n '1,240p'
else
  echo "file not found: .github/actions/mobile-setup/action.yml"
fi

echo "----"
# Plain text here: backticks inside double quotes would run `uses: ...` as a command substitution
echo "4) Search for workflows that use ./.github/actions/mobile-setup"
if command -v rg >/dev/null 2>&1; then
  rg -nS "uses:\s*\.\/\.github\/actions\/mobile-setup" || true
else
  grep -RIn --exclude-dir=.git "uses: ./.github/actions/mobile-setup" . || true
fi

echo "----"
echo "5) Check composite action directory for echo to GITHUB_ENV or debug flags (set -x)"
if [ -d .github/actions/mobile-setup ]; then
  if command -v rg >/dev/null 2>&1; then
    rg -nS "GITHUB_ENV|echo .*GITHUB_ENV|set -x|set -o xtrace" .github/actions/mobile-setup || true
  else
    grep -RInE --exclude-dir=.git "GITHUB_ENV|echo .*GITHUB_ENV|set -x|set -o xtrace" .github/actions/mobile-setup || true
  fi
else
  echo "directory not found: .github/actions/mobile-setup"
fi

echo "Done."

Length of output: 2064


🏁 Script executed:

#!/bin/bash
# Extract relevant lines from the workflow
if [ -f .github/workflows/mobile-bundle-analysis.yml ]; then
  echo "---- .github/workflows/mobile-bundle-analysis.yml L60-95 ----"
  sed -n '60,95p' .github/workflows/mobile-bundle-analysis.yml
else
  echo "Workflow file not found"
fi

# Extract composite action definition
if [ -f .github/actions/mobile-setup/action.yml ]; then
  echo "---- .github/actions/mobile-setup/action.yml ----"
  sed -n '1,200p' .github/actions/mobile-setup/action.yml
else
  echo "Composite action action.yml not found"
fi

# Check composite for risky echo or debug flags
if [ -d .github/actions/mobile-setup ]; then
  echo "---- Checking for GITHUB_ENV echoes in composite ----"
  grep -RIn --exclude-dir=.git -E "echo .*GITHUB_ENV" .github/actions/mobile-setup || echo "No GITHUB_ENV echo"
  echo "---- Checking for set -x in composite ----"
  grep -RIn --exclude-dir=.git "set -x" .github/actions/mobile-setup || echo "No set -x"
else
  echo "Composite action directory not found"
fi

# Confirm workflow uses composite action
echo "---- Checking workflows for mobile-setup usage ----"
grep -RIn --exclude-dir=.git "uses: ./.github/actions/mobile-setup" .github/workflows || echo "No mobile-setup usage found in workflows"

Length of output: 5184


Security: stop passing SELFXYZ_INTERNAL_REPO_PAT as a step env — pass it as a composite input and export inside the composite

Workflow currently injects the PAT into step env (exposed at .github/workflows/mobile-bundle-analysis.yml L67 & L128; .github/workflows/mobile-deploy.yml L228, L239, L782). Several scripts read this var (app/scripts/setup-private-modules.cjs; app/scripts/mobile-ci-build-android.sh; app/ios/Podfile) — leaking risk is medium/high.

  • Change each workflow step that uses ./.github/actions/mobile-setup to pass the secret as an input (remove the step-level env), and add an input in the composite that exports the token only inside the composite scope.
  • Audit scripts that consume SELFXYZ_INTERNAL_REPO_PAT and remove patterns that embed the token in URLs (e.g., https://${TOKEN}@github.com/...). Use HTTP headers / credential helpers / GH CLI instead of embedding tokens in clone URLs.

Apply:

       - name: Install Mobile Dependencies
         uses: ./.github/actions/mobile-setup
         with:
           app_path: ${{ env.APP_PATH }}
           node_version: ${{ env.NODE_VERSION }}
           ruby_version: ${{ env.RUBY_VERSION }}
           workspace: ${{ env.WORKSPACE }}
-        env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          internal_repo_pat: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}

Ensure .github/actions/mobile-setup/action.yml defines:

inputs:
  internal_repo_pat:
    required: false
    description: Fine-grained PAT for private read access
runs:
  using: composite
  steps:
    - name: Export token
      shell: bash
      run: echo "SELFXYZ_INTERNAL_REPO_PAT=${{ inputs.internal_repo_pat }}" >> "$GITHUB_ENV"

Confirm the composite does NOT print the token to logs, avoids set -x, and that any git clones or HTTP calls use authorization headers or credential helpers (not token-in-URL). Apply the workflow change across all uses of ./.github/actions/mobile-setup and audit the listed scripts/files above.
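A check for the two patterns called out above, added here as an example that is not part of this PR or of the review: it flags a secret handed to a local composite action through a step-level `env:` block and a token embedded in a clone URL. The sample workflow text is constructed from the step names in the review; the `internal_repo_pat` input name is the one proposed in the suggested diff and `example-org/private-module` is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not part of this PR or of the review: a pre-merge check for the two patterns
# the review flags in GitHub Actions workflows. Sample workflow text below is constructed;
# the action path and secret name come from the review, the clone URL is a placeholder.
# One line per step that hands a secrets.* value to a local composite action through a
# step-level env: block (the review wants this to become a with: input instead).
find_step_env_secrets() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^[ \t]*-[ \t]/ { uses = ""; inenv = 0 }                      # new list item = new step
    uses != "" && NF > 0 && indent($0) < usesind { uses = "" }   # dedented out of the step
    /^[ \t]*-?[ \t]*uses:[ \t]*\.\/\.github\/actions\// {
      uses = $0; sub(/.*uses:[ \t]*/, "", uses); usesind = indent($0)
    }
    /^[ \t]*env:[ \t]*$/ { inenv = 1; envind = indent($0); next }
    inenv && NF > 0 && indent($0) <= envind { inenv = 0 }        # left the env: block
    inenv && uses != "" && /secrets\./ {
      printf "%s:%d: secret passed as step env to %s\n", FILENAME, NR, uses
    }
  ' "$1"
}
# One line per URL that embeds a token: https://${TOKEN}@... or https://${{ secrets.X }}@...
find_token_in_url() {
  grep -nE 'https://\$(\{[A-Za-z_][A-Za-z_0-9]*\}|[A-Za-z_][A-Za-z_0-9]*|\{\{[^}]*secrets\.[^}]*\}\})@' "$1" || true
}
# Total number of findings for one workflow file; 0 means clean.
count_findings() {
  { find_step_env_secrets "$1"; find_token_in_url "$1"; } | wc -l | tr -d ' '
}
# Constructed sample: the shape the review objects to (step env + token in clone URL).
SAMPLE_BAD=$(mktemp); SAMPLE_GOOD=$(mktemp)
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT
cat > "$SAMPLE_BAD" <<'EOF'
    steps:
      - name: Install Mobile Dependencies
        uses: ./.github/actions/mobile-setup
        env:
          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
      - name: Clone private module
        run: git clone "https://${SELFXYZ_INTERNAL_REPO_PAT}@github.com/example-org/private-module.git"
EOF
# Constructed sample: the same steps after the fix (with: input instead of env, no token in URL).
cat > "$SAMPLE_GOOD" <<'EOF'
    steps:
      - name: Install Mobile Dependencies
        uses: ./.github/actions/mobile-setup
        with:
          app_path: ${{ env.APP_PATH }}
          internal_repo_pat: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
      - name: Clone private module
        run: git clone "https://github.com/example-org/private-module.git"
EOF
echo "bad: $(count_findings "$SAMPLE_BAD") finding(s), good: $(count_findings "$SAMPLE_GOOD") finding(s)"
```

Run it against `.github/workflows/*.yml` by replacing the sample paths; a non-empty finding list is the signal to move the value to a `with:` input and to switch the clone to header or credential-helper auth.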

Comment on lines +452 to +456
uses: ./.github/actions/clone-android-passport-reader
with:
working_directory: ${{ env.APP_PATH }}
selfxyz_internal_pat: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
- name: Build Android (with AAPT2 symlink fix)
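Review bot: the input name `selfxyz_internal_pat` here differs from the `internal_repo_pat` name proposed for the same SELFXYZ_INTERNAL_REPO_PAT secret in the mobile-setup suggestion above; pick one name for both composite actions so that auditing where the PAT flows stays a single grep. Passing the token through `with:` rather than a step-level `env:` is the right shape, provided the clone inside clone-android-passport-reader uses it via an authorization header or credential helper and not in the URL.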

⚠️ Potential issue

🧩 Analysis chain

Verify clone action integration with Android build.

The clone action is used but verify that the android-passport-reader integration actually works with the Android build process and doesn't cause build failures when the PAT is unavailable.


🏁 Script executed:

#!/bin/bash
# Description: Check Android build configuration for android-passport-reader dependency

# Check if Android build files reference the cloned module
rg -n "android-passport-reader" app/android/ | head -10 || echo "No android-passport-reader references found"

# Look for settings.gradle or build.gradle references
find app/android -name "*.gradle" -exec grep -l "android-passport-reader" {} \; || echo "No gradle references found"

Length of output: 164


Prevent CI break: handle missing android-passport-reader clone

  • app/android/settings.gradle:12 includes project(':passportreader') → './android-passport-reader/app' — Gradle will fail if that directory is missing.
  • .github/workflows/mobile-ci.yml (lines ~452–456) clones that repo using secrets.SELFXYZ_INTERNAL_REPO_PAT; forked PRs / runs without the secret will make the clone fail and break the "Build Android" step.

Fix (choose one): guard the include in settings.gradle (only include if the directory exists), or make the CI clone step resilient (detect missing secret and skip/replace the module), or vendor/publish the module to avoid relying on a private repo.

🤖 Prompt for AI Agents
In .github/workflows/mobile-ci.yml around lines 452–456 the workflow
unconditionally attempts to clone the private android-passport-reader repo using
secrets.SELFXYZ_INTERNAL_REPO_PAT which will fail for forked PRs (no secret) and
break the subsequent "Build Android" step; fix by making the clone step
conditional on the secret (use an if: expression to run only when
secrets.SELFXYZ_INTERNAL_REPO_PAT is defined) or, if you prefer CI resilience,
change the step to detect the secret and when missing either create an empty
placeholder ./android-passport-reader/app directory before the build or skip
adding the module and ensure app/android/settings.gradle is guarded to include
the passportreader project only if the directory exists.

Comment on lines +13 to +15
concurrency:
group: mobile-deploy-${{ github.ref }}
cancel-in-progress: false
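Review bot: `github.event.pull_request.base.ref` is only populated on pull_request events, so if this workflow also runs on push the suggested group collapses to `mobile-deploy-` for every push and serialises unrelated branches; the `${{ github.event.pull_request.base.ref || github.ref_name }}` form in the AI-agent prompt below avoids that. Weigh `cancel-in-progress: true` carefully for a deploy job: cancelling a run mid-upload can leave a half-published release, whereas keeping `false` with a per-track group queues the newest run behind the one in flight without killing it.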

⚠️ Potential issue

Prevent concurrent prod/internal deploys for rapid merges.

Current concurrency groups by PR ref and keeps cancel-in-progress: false, allowing overlapping releases to the same track. This risks double publishes and race-y versioning. Group by base branch (or track) and cancel in-progress.

Apply:

-concurrency:
-  group: mobile-deploy-${{ github.ref }}
-  cancel-in-progress: false
+concurrency:
+  group: mobile-deploy-${{ github.event.pull_request.base.ref }}
+  cancel-in-progress: true
🤖 Prompt for AI Agents
In .github/workflows/mobile-deploy-auto.yml around lines 13 to 15, the
concurrency group currently uses the PR ref and sets cancel-in-progress: false
which allows overlapping releases; change the group to target the base
branch/track and enable cancellation by replacing the group expression with
something like mobile-deploy-${{ github.event.pull_request.base.ref ||
github.ref_name }} (so PRs use the base branch and pushes use the branch name)
and set cancel-in-progress: true to ensure in-flight runs for the same track are
cancelled.

Comment on lines 180 to 185
key: ${{ runner.os }}-ruby${{ env.RUBY_VERSION }}-gems-${{ env.GH_CACHE_VERSION }}-${{ env.GH_GEMS_CACHE_VERSION }}-${{ hashFiles('app/Gemfile.lock') }}
restore-keys: |
${{ runner.os }}-ruby${{ env.RUBY_VERSION }}-gems-${{ env.GH_CACHE_VERSION }}-${{ env.GH_GEMS_CACHE_VERSION }}-${{ hashFiles('app/Gemfile.lock') }}-
${{ runner.os }}-ruby${{ env.RUBY_VERSION }}-gems-${{ env.GH_CACHE_VERSION }}-${{ env.GH_GEMS_CACHE_VERSION }}-
${{ runner.os }}-ruby${{ env.RUBY_VERSION }}-gems-${{ env.GH_CACHE_VERSION }}-

⚠️ Potential issue

Incorrect cache key usage with cache-bundler action.

Lines 180 and 730 use key and restore-keys parameters that don't exist in the cache-bundler action. The static analysis correctly identifies this issue.

Fix the cache-bundler action usage:

 - name: Cache Ruby gems
   uses: ./.github/actions/cache-bundler
   with:
     path: ${{ env.APP_PATH }}/ios/vendor/bundle
-    key: ${{ runner.os }}-ruby${{ env.RUBY_VERSION }}-gems-${{ env.GH_CACHE_VERSION }}-${{ env.GH_GEMS_CACHE_VERSION }}-${{ hashFiles('app/Gemfile.lock') }}
-    restore-keys: |
-      ${{ runner.os }}-ruby${{ env.RUBY_VERSION }}-gems-${{ env.GH_CACHE_VERSION }}-${{ env.GH_GEMS_CACHE_VERSION }}-${{ hashFiles('app/Gemfile.lock') }}-
+    lock-file: app/Gemfile.lock
+    cache-version: ${{ env.GH_CACHE_VERSION }}-${{ env.GH_GEMS_CACHE_VERSION }}

Also applies to: 730-735

🧰 Tools
🪛 actionlint (1.7.7)

180-180: input "key" is not defined in action "Cache Bundler" defined at "./.github/actions/cache-bundler". available inputs are "cache-version", "lock-file", "path"

(action)


181-181: input "restore-keys" is not defined in action "Cache Bundler" defined at "./.github/actions/cache-bundler". available inputs are "cache-version", "lock-file", "path"

(action)

@@ -1 +1 @@
22
22.12.0

⚠️ Potential issue

🧩 Analysis chain

Pinning to Node 22.12.0 looks good; ensure CI picks it up from .nvmrc.

Confirm all workflows/composites use actions/setup-node with node-version-file: .nvmrc to avoid Node drift across jobs.

Run:


🏁 Script executed:

#!/bin/bash
# Find setup-node usages that respect .nvmrc
rg -nP --type=yaml -C2 'uses:\s*actions/setup-node@.*\n(?s).*?node-version-file:\s*\.nvmrc' .github/workflows || true

# Inspect composites for setup-node behavior (yarn-install, etc.)
fd -a action.yml .github/actions | xargs -I{} bash -lc 'echo "::group::{}"; rg -n "setup-node|node-version-file|.nvmrc" "{}"; echo "::endgroup::"'

Length of output: 1890


Ensure CI reads .nvmrc (Node 22.12.0)

22.12.0 in .nvmrc is fine — CI currently doesn't appear to consume it. Update every actions/setup-node@v4 step to include node-version-file: .nvmrc (or set node-version: '22.12.0').

  • .github/actions/mobile-setup/action.yml — uses: actions/setup-node@v4 (line 43) — no node-version-file.
  • .github/actions/yarn-install/action.yml — uses: actions/setup-node@v4 (line 23) — no node-version-file.
  • No workflows in .github/workflows set node-version-file: .nvmrc (search returned no matches).
🤖 Prompt for AI Agents
.nvmrc lines 1-1: CI isn't consuming the .nvmrc Node version; update the
setup-node steps to read it. Edit .github/actions/mobile-setup/action.yml (uses:
actions/setup-node@v4 at ~line 43) and .github/actions/yarn-install/action.yml
(uses: actions/setup-node@v4 at ~line 23) to add node-version-file: .nvmrc under
the uses step (or alternatively set node-version: '22.12.0'); also search all
.github/workflows/*.yml for actions/setup-node@v4 usages and add
node-version-file: .nvmrc or set node-version: '22.12.0' there so CI
consistently uses Node 22.12.0.

Comment on lines +2 to +4
enableGlobalCache: true
enableScripts: true
checksumBehavior: "update"
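Review bot: `enableScripts: true` on these lines deserves a look alongside `checksumBehavior`: it runs every dependency's install-time lifecycle scripts, and the mobile-setup comment above shows SELFXYZ_INTERNAL_REPO_PAT being exported as step env for the "Install Mobile Dependencies" step, so any package script executed during that install can read the token. Either keep the token out of the environment of the install step, or set `enableScripts: false` and opt in only the few packages that genuinely need a build (Yarn's per-package `dependenciesMeta` `built` flag) so the set of code that runs with the secret present is explicit.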

⚠️ Potential issue

Harden Yarn integrity: use checksumBehavior: "throw" (not "update").

"update" can silently rewrite checksums and mask supply‑chain tampering. Set to "throw" (especially in CI) to fail fast on mismatches.

Apply this diff:

 nodeLinker: node-modules
 enableGlobalCache: true
 enableScripts: true
-checksumBehavior: "update"
+checksumBehavior: "throw"
🤖 Prompt for AI Agents
In .yarnrc.yml around lines 2 to 4, the checksumBehavior is set to "update"
which can silently rewrite checksums; change checksumBehavior to "throw" so Yarn
fails on checksum mismatches (especially in CI) to harden integrity; update the
file to set checksumBehavior: "throw" and ensure CI environments do not override
this setting.

// Warn on common issues but don't block development

'no-console': 'warn',
'no-console': 'off',

⚠️ Potential issue

Turning off no-console globally risks PII leakage and noisy production bundles.

Prefer erroring on console usage app-wide with targeted overrides for tests/scripts (already present).

Apply:

-    'no-console': 'off',
+    'no-console': ['error', { allow: ['warn', 'error'] }],

Operational: ensure release builds strip console calls (e.g., Babel transform-remove-console or Metro equivalent in production).

🤖 Prompt for AI Agents
In app/.eslintrc.cjs around line 159 the rule 'no-console' is set to 'off' which
weakens linting and risks PII/noisy production logs; change the rule to 'error'
(or 'warn' per team policy) to enforce no-console app-wide, keep or add targeted
overrides for test and script directories to allow console usage, and ensure the
production release pipeline strips console calls (e.g., add
transform-remove-console in Babel or the equivalent Metro/RN config) so builds
do not include console statements.

Comment on lines +1 to +3
// SPDX-FileCopyrightText: 2025 Social Connect Labs, Inc.
// SPDX-License-Identifier: BUSL-1.1
// NOTE: Converts to Apache-2.0 on 2029-06-11 per LICENSE.

⚠️ Potential issue

🧩 Analysis chain

Verify SPDX headers align with LICENSE and planned conversion date.

Headers declare BUSL-1.1 with a conversion note to Apache-2.0 on 2029-06-11. Please confirm the root LICENSE reflects this schedule and that headers are consistent across TS/TSX files to avoid compliance drift in scanners.


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Inspect LICENSE for BUSL/Apache conversion markers =="
rg -n "BUSL-1\.1|Apache-2\.0|2029-06-11" LICENSE* || true

echo "== Files under app/ missing SPDX identifier in first 3 lines =="
fd -e ts -e tsx app | xargs -I{} sh -c 'head -n3 "{}" | rg -q "SPDX-License-Identifier" || echo "{}"'

echo "== TS/TSX files explicitly marked BUSL-1.1 =="
rg -nP --glob '!**/node_modules/**' '^// SPDX-License-Identifier:\s*BUSL-1\.1' -g 'app/**/*.{ts,tsx}' || true

Length of output: 20003


Sync root LICENSE with file SPDX headers (BUSL-1.1 → Apache-2.0 conversion) — action required

  • Root LICENSE contains no occurrences of "BUSL-1.1", "Apache-2.0", or "2029-06-11" — add an explicit conversion clause to match file headers.
  • Files missing SPDX identifier in the first 3 lines (add canonical header): common/src/types/app.ts, common/src/utils/appType.ts.
  • Some files embed the conversion note inline instead of a single SPDX line (examples: app/tests/utils/selfClientProvider.ts, app/src/utils/qrScanner.ts) — standardize to one SPDX line per file and ensure wording exactly matches LICENSE to avoid scanner false positives.
    Risk: compliance scans will flag mismatches; fix before release.
🤖 Prompt for AI Agents
In app/App.tsx lines 1-3, the file header declares BUSL-1.1 converting to
Apache-2.0 on 2029-06-11 but the repo root LICENSE and several files don't
match; update the root LICENSE to include an explicit BUSL-1.1 → Apache-2.0
conversion clause with the exact text and date used in headers, add the
canonical single-line SPDX header ("// SPDX-FileCopyrightText: 2025 Social
Connect Labs, Inc." and "// SPDX-License-Identifier: BUSL-1.1" plus the
conversion note as a single SPDX-style line) to common/src/types/app.ts and
common/src/utils/appType.ts, and replace any inline conversion notes in
app/tests/utils/selfClientProvider.ts and app/src/utils/qrScanner.ts with the
exact single SPDX header line that matches the LICENSE wording to ensure scanner
consistency.

@transphorm changed the title "Merge staging into main" to "Update main with staging 09/21/25" on Sep 22, 2025
@remicolin merged commit 15a84e1 into main on Sep 22, 2025
43 of 46 checks passed
@remicolin deleted the staging branch on September 22, 2025 11:07
@transphorm restored the staging branch on September 25, 2025 04:20
9 participants