Skip to content

ci(e2e-pay): point maestro actions to latest merged SHA#400

Merged
ignaciosantise merged 2 commits into
developfrom
update-maestro-actions-sha
Jul 2, 2026
Merged

ci(e2e-pay): point maestro actions to latest merged SHA#400
ignaciosantise merged 2 commits into
developfrom
update-maestro-actions-sha

Conversation

@ignaciosantise

Copy link
Copy Markdown
Collaborator

Summary

Points the WalletConnect Pay Maestro E2E actions to the latest merged SHA d385e7a80fb4a3d378ee685021f3f7e24ccdf291 from WalletConnect/actions.

Changes

  • .github/workflows/ci_e2e_pay_tests.yml — bump maestro/pay-tests, maestro/setup, and maestro/permit2-reset to the new SHA (Android + iOS lanes).
  • scripts/setup-maestro-pay-tests.sh — bump the default pinned REF.

Left claude/auto-review@master untouched (not a maestro action).

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@claude

claude Bot commented Jul 2, 2026

Copy link
Copy Markdown

Claude finished @ignaciosantise's task in 2m 30s —— View job


Review Complete

  • Read changed files
  • Run breaking changes subagent
  • Run data classification subagent
  • Post review findings

🔄 Full Review — SHA bump only; no logic changes in this PR.

Breaking changes: None found.

Found 2 issue(s) — pre-existing, not introduced by this PR

Issue 1: iOS job interpolates payment secrets directly into CLI args

ID: dcl-ci-e2e-pay-ios-cli-secret-args-f3a1
File: .github/workflows/ci_e2e_pay_tests.yml:390
Severity: LOW
Category: security / data_classification

Context:

  • Pattern: The Run Maestro iOS tests step (lines 383–398) interpolates ${{ secrets.WPAY_* }} directly into maestro --env CLI arguments. The Android job (lines 129–134) correctly hoists the same secrets into an env: block and references them as shell variables.
  • Risk: CLI arguments are readable via /proc/<pid>/cmdline; env vars are not exposed that way.
  • Impact: During maestro test execution another process on the runner could read the payment API keys from the process arg list.

Recommendation: Mirror the Android pattern — add a step env: block and reference vars as $WPAY_…:

env:
  WPAY_CUSTOMER_KEY_SINGLE_NOKYC: ${{ secrets.WPAY_CUSTOMER_KEY_SINGLE_NOKYC }}
  # ... other WPAY_* secrets
run: |
  maestro test \
    --env WPAY_CUSTOMER_KEY_SINGLE_NOKYC=$WPAY_CUSTOMER_KEY_SINGLE_NOKYC \
    ...

Fix this →


Issue 2: Android debug keystore not cleaned up after build

ID: dcl-ci-e2e-pay-keystore-disk-residue-b2c7
File: .github/workflows/ci_e2e_pay_tests.yml:100
Severity: LOW
Category: security / data_classification

Context:

  • Pattern: Line 100 decodes secrets.KEYSTORE to android/app/debug.keystore. The cleanup step at lines 171–173 deletes only build/; the keystore file is never explicitly removed.
  • Risk: Code-signing material persists on the runner for the full job duration. The artifact upload is scoped to /tmp/ paths, so it won't be captured today, but a future scope change could inadvertently include it.

Recommendation: Add an if: always() cleanup after the emulator run:

- name: Clean up signing artifacts
  if: always()
  run: rm -f packages/reown_walletkit/example/android/app/debug.keystore

Fix this →

@ignaciosantise ignaciosantise marked this pull request as ready for review July 2, 2026 20:43
Copilot AI review requested due to automatic review settings July 2, 2026 20:43
@ignaciosantise ignaciosantise merged commit d7d81c4 into develop Jul 2, 2026
15 checks passed
@ignaciosantise ignaciosantise deleted the update-maestro-actions-sha branch July 2, 2026 20:43
@claude

claude Bot commented Jul 2, 2026

Copy link
Copy Markdown

Claude Code is working…

I'll analyze this and get back to you.

View job run

@github-actions github-actions Bot locked and limited conversation to collaborators Jul 2, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant