
ci: use env credentials for mobile builds #2289

Merged: riderx merged 2 commits into main from codex/fix-mobile-build-env-credentials on May 18, 2026

Conversation

@riderx (Member) commented May 18, 2026

Summary (AI generated)

  • Remove the mobile workflow build credentials save steps.
  • Pass Android and iOS signing credentials directly to build request through environment variables.
  • Remove the app-id Bash helper steps and let the Capgo CLI infer the app id from the Capacitor project config.
  • Keep the build request command as a single command per platform.

Motivation (AI generated)

The iOS and Android GitHub Actions should not write local Capgo CLI build credentials in CI. The workflows should use GitHub secrets as environment variables on the build request itself, and the command should stay simple instead of running Bash helpers around it.

Business Impact (AI generated)

This restores the manual native mobile build workflows while keeping CI credential handling simpler: signing material stays in GitHub Actions environment variables for the single build request instead of being written into local Capgo CLI credential storage.

Test Plan (AI generated)

  • bun install --frozen-lockfile
  • bun run lint:backend
  • bun lint
  • Commit hook typecheck: bun run cli:build && vue-tsc --noEmit
  • Parsed both changed workflow YAML files successfully.
  • Confirmed no shell: bash, set -euo, app-config step references, legacy provisioning profile secret, or build credentials command remains in the mobile build workflows.
  • git diff --check -- .github/workflows/build_mobile_android.yml .github/workflows/build_mobile_ios.yml
  • Checked published @capgo/cli@latest build request --help for supported build request credential fields.

Screenshots (AI generated)

Not applicable. This is a GitHub Actions workflow change.

Checklist (AI generated)

  • My code follows the code style of this project and passes bun run lint:backend && bun run lint.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • My change has adequate E2E test coverage.
  • I have tested my code manually, and I have provided steps how to reproduce my tests.

Summary by CodeRabbit

  • Chores
    • Simplified and consolidated Android and iOS mobile build workflows to use a single, environment-driven build request.
    • Removed local handling of resolved app identifiers and credential save steps; signing inputs are now provided directly at build time.
    • Standardized artifact upload and retention behavior via environment-configured settings for more consistent deployments.

Review Change Stack

@chatgpt-codex-connector commented:
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@coderabbitai (Contributor) Bot commented May 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 78e43ab6-4fb2-404a-b035-61aa5122d23f

📥 Commits

Reviewing files that changed from the base of the PR and between e71d36c and 83eade0.

📒 Files selected for processing (2)
  • .github/workflows/build_mobile_android.yml
  • .github/workflows/build_mobile_ios.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/build_mobile_ios.yml

📝 Walkthrough

Walkthrough

Android and iOS GitHub Actions workflows were simplified: local credential-save steps and explicit app id / output-upload/retention CLI flags were removed. Capgo build requests now run directly, receiving credentials, iOS provisioning map, and build-output configuration via environment variables.

Changes

Mobile Build Workflow Updates

Layer / File(s) and summary:

Android: single Capgo CLI build request (.github/workflows/build_mobile_android.yml)
  Replaces prior app-id resolution and local Capgo credential-save steps with one build request step that uses env vars for Capgo token, Android keystore/play credentials, and build-output upload/retention settings.

iOS: remove local credential-save, pass provisioning map and output config via env (.github/workflows/build_mobile_ios.yml)
  Removes preceding credential handling and explicit app_id; injects CAPGO_IOS_PROVISIONING_MAP_BASE64, BUILD_OUTPUT_UPLOAD_ENABLED, and BUILD_OUTPUT_RETENTION_SECONDS as environment variables and calls bunx @capgo/cli@latest build request without app_id or --output-upload/--output-retention flags.

Possibly Related PRs

  • Cap-go/capgo#2025: Adds CLI support for decoding CAPGO_IOS_PROVISIONING_MAP_BASE64 into the provisioning map format used by CI.

Suggested Reviewers

  • zinc-builds

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

A rabbit hops through YAML lines, 🐰
Swapping flags for env-defined signs,
Secrets tucked in variables neat,
Build requests run—no local seat.
CI hums on with lighter design.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: Passed. The title clearly and concisely summarizes the main change: moving from local credential storage to environment variable-based credentials in mobile build workflows.
  • Description check: Passed. The description covers all required template sections including Summary, Test Plan, and Checklist with thorough details about changes and testing performed.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@codspeed-hq (Contributor) Bot commented May 18, 2026

Merging this PR will not alter performance

✅ 43 untouched benchmarks
⏩ 2 skipped benchmarks [1]


Comparing codex/fix-mobile-build-env-credentials (83eade0) with main (22ea833)


Footnotes

  [1] 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@coderabbitai (Contributor) Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/build_mobile_ios.yml (1)

72-103: ⚖️ Poor tradeoff

Provisioning profile parsing uses UTF-8 decoding of a binary CMS container, which is fragile.

iOS provisioning profiles are binary CMS-signed containers with an embedded plist. While the plist XML is embedded as plaintext, decoding the binary wrapper as UTF-8 can produce invalid sequences that may cause the regex to fail with certain profile structures. The code has no error handling beyond checking if the name match exists.

Since the job runs on ubuntu-latest, macOS tools like security cms -D are unavailable. To improve robustness, either verify the regex approach works across varied provisioning profile structures, or use a Node.js CMS/PKCS#7 parsing library (e.g., asn1.js, pkijs) to extract the plist cleanly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build_mobile_ios.yml around lines 72 - 103, The inline Bun
script that builds provisioning_map_base64 currently decodes the base64 profile
with Buffer.from(...).toString("utf8") and then uses a regex (nameMatch) to find
the plist name, which is fragile for binary CMS containers; replace this by
parsing the CMS/PKCS#7 container properly (e.g., use a Node PKCS#7/ASN.1 library
such as pkijs or asn1.js) inside the bun script to extract the embedded plist
XML, then run the existing nameMatch/decodeXml logic against that extracted
plist string; add robust error handling around the parsing step so
provisioning_map_base64 construction fails with a clear error if the CMS parsing
or plist extraction fails.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 35b76873-c369-485d-a140-1bba5f0c46b2

📥 Commits

Reviewing files that changed from the base of the PR and between 107e6ed and 6ec2a3c.

📒 Files selected for processing (2)
  • .github/workflows/build_mobile_android.yml
  • .github/workflows/build_mobile_ios.yml
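The nitpick above is about decoding the whole profile as UTF-8 before running the name regex. The following is an added example for this thread, not the workflow's inline Bun script and not Capgo CLI code: it byte-searches the CMS container for the plaintext plist, decodes only that slice, and fails with a clear error when the markers are missing. The function names, the `{ name: uuid }` map shape and the sample bytes are constructed assumptions.

```javascript
// Added example, not the workflow's own inline Bun script. Extracts the
// embedded XML plist from an iOS provisioning profile by byte-searching the
// CMS container instead of decoding the whole binary as UTF-8, and throws a
// clear error when the plist cannot be found. Names and map shape are assumed.

const XML_START = Buffer.from("<?xml");
const PLIST_END = Buffer.from("</plist>");

// Locate the plaintext plist inside the binary CMS/PKCS#7 wrapper and decode
// only that slice; bytes outside it may be invalid UTF-8 and are never decoded.
function extractEmbeddedPlist(profile) {
  const start = profile.indexOf(XML_START);
  if (start === -1) {
    throw new Error("provisioning profile: no embedded XML plist found");
  }
  const endMarker = profile.indexOf(PLIST_END, start);
  if (endMarker === -1) {
    throw new Error("provisioning profile: embedded plist is truncated (no </plist>)");
  }
  return profile.subarray(start, endMarker + PLIST_END.length).toString("utf8");
}

// Minimal XML entity decoding for <string> values.
const XML_ENTITIES = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };
function decodeXml(text) {
  return text.replace(/&(lt|gt|amp|quot|apos);/g, (_, name) => XML_ENTITIES[name]);
}

// Read a <key>KEY</key><string>VALUE</string> pair from the plist text.
function extractProfileField(plistXml, key) {
  const re = new RegExp(`<key>${key}</key>\\s*<string>([^<]*)</string>`);
  const match = plistXml.match(re);
  if (!match) {
    throw new Error(`provisioning profile: missing <key>${key}</key>`);
  }
  return decodeXml(match[1]);
}

// Build a name -> UUID map from base64-encoded profiles (assumed map shape).
// Any profile that cannot be parsed aborts the build instead of silently
// producing an incomplete map.
function buildProvisioningMap(base64Profiles) {
  const map = {};
  for (const b64 of base64Profiles) {
    const plist = extractEmbeddedPlist(Buffer.from(b64, "base64"));
    map[extractProfileField(plist, "Name")] = extractProfileField(plist, "UUID");
  }
  return map;
}

// Constructed stand-in for a .mobileprovision: arbitrary bytes, including the
// invalid UTF-8 pair 0xC3 0x28, around a plaintext plist. Not a real Apple profile.
function constructedSampleProfile() {
  const header = Buffer.from([0x30, 0x82, 0x0a, 0xf1, 0x06, 0x09, 0xff, 0xfe, 0xc3, 0x28]);
  const plist = Buffer.from(
    '<?xml version="1.0" encoding="UTF-8"?>\n' +
      '<plist version="1.0"><dict>\n' +
      "\t<key>Name</key>\n\t<string>Capgo Example &amp; Co</string>\n" +
      "\t<key>UUID</key>\n\t<string>00000000-0000-4000-8000-000000000000</string>\n" +
      "</dict></plist>"
  );
  const trailer = Buffer.from([0x00, 0x31, 0x82, 0xe2, 0x80, 0xa2, 0x80]);
  return Buffer.concat([header, plist, trailer]);
}

if (typeof require !== "undefined" && require.main === module) {
  const b64 = constructedSampleProfile().toString("base64");
  console.log(JSON.stringify(buildProvisioningMap([b64])));
}
```

The design point is that the XML plist inside a profile is plain ASCII, so searching the raw bytes for `<?xml` and `</plist>` never depends on how the surrounding signature bytes decode; a profile without those markers fails the step with a message that says why, rather than producing a silent regex miss.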

@riderx riderx force-pushed the codex/fix-mobile-build-env-credentials branch from 6ec2a3c to e71d36c Compare May 18, 2026 15:15
@coderabbitai (Contributor) Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build_mobile_android.yml:
- Around line 55-57: The environment variable BUILD_OUTPUT_RETENTION_SECONDS is
set to a duration string ("7d") which the Capgo CLI rejects; change it to a
numeric seconds value (use "604800" for 7 days) in the workflow where
BUILD_OUTPUT_UPLOAD_ENABLED and BUILD_OUTPUT_RETENTION_SECONDS are defined so
the bunx `@capgo/cli` build request --platform android --path . invocation gets a
valid numeric retention value.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0f92c852-0dfd-4d9b-b98a-35ff2ff0ae4e

📥 Commits

Reviewing files that changed from the base of the PR and between 6ec2a3c and e71d36c.

📒 Files selected for processing (2)
  • .github/workflows/build_mobile_android.yml
  • .github/workflows/build_mobile_ios.yml

@riderx riderx merged commit 50b8b62 into main May 18, 2026
57 of 58 checks passed
@riderx riderx deleted the codex/fix-mobile-build-env-credentials branch May 18, 2026 16:00