feat: split buildOptions from buildCredentials in build request

[WcaleNieWolny]

Summary

• Splits the flat credentials payload into buildOptions (non-sensitive) and buildCredentials (secrets only)
• Adds cliVersion to buildOptions for server-side version gating
• Non-secret fields (scheme, target, distribution, output flags, directories) move to buildOptions
• Only actual secrets (certs, passwords, keystores, keys) remain in buildCredentials
• Companion PR needed in builder repo for the secrets endpoint

Test plan

• Verify buildOptions contains all required fields with correct types
• Verify buildCredentials contains only secret material
• Verify cliVersion is populated from package.json
• Verify default values are logged with info prefix
• Verify credential merge precedence still works (CLI > env > saved)
• Verify API call sends { buildOptions, buildCredentials } not flat credentials
• End-to-end with builder PR: iOS build succeeds
• End-to-end with builder PR: Android build succeeds

Summary by CodeRabbit

• Refactor
  • Reorganized build request payload structure to separate configurable build options from credentials for improved clarity
  • Enhanced build logging to display comprehensive configuration summary including platform, build mode, and CLI version tracking
  • Improved build system architecture to better organize platform-specific build settings and output controls

[coderabbitai]

Warning

Rate limit exceeded

@WcaleNieWolny has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minutes and 24 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between adca78f and b99ff3b.

📒 Files selected for processing (3)

• package.json
• src/build/request.ts
• test/test-payload-split.mjs

📝 Walkthrough

Walkthrough

This PR restructures build configuration by extracting non-secret build options from the BuildCredentialsSchema into a new BuildOptionsPayload type. The build request payload is refactored to separate buildOptions (containing platform, buildMode, cliVersion, iOS/Android directories, and output controls) from buildCredentials (filtered credential data), with CLI version stamped from package.json.

Changes

Cohort / File(s)	Summary
Schema Restructuring src/schemas/build.ts	Removed 6 fields from BuildCredentialsSchema (iOS scheme/target/distribution and build output controls), and introduced new BuildOptionsPayloadSchema with fields for platform, buildMode, cliVersion, iOS/Android directories, and output retention settings.
Request Payload Refactoring src/build/request.ts	Restructured requestBuildInternal to use nested payload with separate buildOptions and buildCredentials objects; added credential filtering logic; updated logging to display credential keys and buildOptions summary instead of full credential dump; imported BuildOptionsPayload type and package.json for version stamping.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: add --ios-scheme and --ios-target options #519: Adds CAPGO_IOS_SCHEME and CAPGO_IOS_TARGET to BuildCredentials, directly conflicting with fields removed in this PR.
• feat: add iOS ad-hoc distribution mode #528: Adds CAPGO_IOS_DISTRIBUTION to BuildCredentials, creating potential conflict with the distribution removal in this PR.
• feat: make Google Play config optional for Android builds #520: Modifies output-upload conditional logic and Android Play-config handling related to BUILD_OUTPUT_UPLOAD_ENABLED, which is moved to BuildOptionsPayload in this PR.

Poem

🐰 Credentials and options now dance apart,
Secrets tucked safe, configs take heart!
A BuildOptions payload, clean and bright,
Non-secrets separated—what a delight! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: splitting buildOptions from buildCredentials in the build request payload, which is the core refactoring across both modified files.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/split-options-credentials

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/build/request.ts (1)

921-958: Consider separating non-credential options earlier in the flow.

Non-credential fields (iosScheme, iosTarget, iosDistribution, outputUpload, etc.) are added to cliCredentials, merged through the credential pipeline, then extracted into buildOptionsPayload and filtered out of buildCredentialsPayload. While this works correctly and preserves merge precedence, it's slightly confusing to route non-sensitive configuration through the credentials path.

This is fine for now since the filtering is explicit, but a future refactor could handle options merging separately from credentials merging for clarity.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/build/request.ts` around lines 921 - 958, The code currently writes
non-sensitive settings into cliCredentials (e.g., iosScheme, iosTarget,
iosDistribution, outputUpload, outputRetention, skipBuildNumberBump) which then
flow through the credential merge pipeline and are later filtered into
buildOptionsPayload/buildCredentialsPayload; instead, create and populate a
separate plain object (e.g., buildOptions or optionsPayload) for these
non-credential fields before any credential merging, use parseOptionalBoolean
and parseOutputRetentionSeconds when setting its values, and keep cliCredentials
limited to true secrets (keystore fields, playConfigJson if sensitive) so that
merge precedence remains the same but non-sensitive configuration does not
travel through credential-specific code paths like cliCredentials or the
credentials merge/export that produces buildCredentialsPayload.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/build/request.ts`:
- Around line 1136-1141: The NON_CREDENTIAL_KEYS Set declaration violates the
antfu/consistent-list-newline rule; split each string element onto its own line
so every array item is on its own line (e.g., move 'CAPGO_IOS_SCHEME',
'CAPGO_IOS_TARGET', etc. so each occupies a separate line), keep the opening and
closing brackets on their own lines, and ensure trailing commas are consistent;
update the NON_CREDENTIAL_KEYS initialization accordingly to satisfy ESLint
without changing the set contents.

---

Nitpick comments:
In `@src/build/request.ts`:
- Around line 921-958: The code currently writes non-sensitive settings into
cliCredentials (e.g., iosScheme, iosTarget, iosDistribution, outputUpload,
outputRetention, skipBuildNumberBump) which then flow through the credential
merge pipeline and are later filtered into
buildOptionsPayload/buildCredentialsPayload; instead, create and populate a
separate plain object (e.g., buildOptions or optionsPayload) for these
non-credential fields before any credential merging, use parseOptionalBoolean
and parseOutputRetentionSeconds when setting its values, and keep cliCredentials
limited to true secrets (keystore fields, playConfigJson if sensitive) so that
merge precedence remains the same but non-sensitive configuration does not
travel through credential-specific code paths like cliCredentials or the
credentials merge/export that produces buildCredentialsPayload.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a0c1fe8 and 19215bd.

📒 Files selected for processing (2)

• src/build/request.ts
• src/schemas/build.ts

[Copilot]

Pull request overview

Refactors the native build request contract to separate non-sensitive build configuration from secret credential material, enabling server-side version gating via an added CLI version field.

Changes:

• Introduces a buildOptionsPayloadSchema and BuildOptionsPayload type for non-secret build configuration (including cliVersion).
• Updates build request construction to send { app_id, buildOptions, buildCredentials } instead of a flat credentials payload.
• Filters out known non-secret keys from the credential blob before sending buildCredentials.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
src/schemas/build.ts	Adds schema/type for buildOptions payload; removes some non-secret fields from the explicit credentials schema list.
src/build/request.ts	Builds buildOptions (including cliVersion) and filters buildCredentials to exclude non-secret keys before POSTing the build request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/build/request.ts`:
- Around line 1115-1122: The payload currently sets iosDistribution from
mergedCredentials.CAPGO_IOS_DISTRIBUTION which can be undefined, causing a
mismatch with the earlier validation that normalizes missing values to
'app_store'; update the BuildOptionsPayload construction (buildOptionsPayload)
to use the validated/normalized iOS distribution value produced by the
validation step (e.g., replace mergedCredentials.CAPGO_IOS_DISTRIBUTION with the
validatedIosDistribution or call the normalize function used in validation) so
the payload always sends the normalized 'app_store' | 'ad_hoc' value to the
builder.
- Around line 1129-1131: Replace the silent coercion using Number.parseInt(...)
|| 3600 when assigning outputRetentionSeconds and instead call the existing
parseOutputRetentionSeconds function with
mergedCredentials.BUILD_OUTPUT_RETENTION_SECONDS so the same validation and
fallback logic used for CLI input is applied; ensure the call returns a numeric
value and still falls back to 3600 if parsing returns invalid/undefined.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a0c1fe8 and adca78f.

📒 Files selected for processing (2)

• src/build/request.ts
• src/schemas/build.ts

[sonarqubecloud]

Quality Gate failed

Failed conditions
4.5% Duplication on New Code (required ≤ 3%)
D Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE