Merged
47 changes: 47 additions & 0 deletions .github/workflows/build-android.yml
@@ -0,0 +1,47 @@
name: Android

on:
workflow_call:
inputs:
ref:
description: 'The branch to build from. E.g. main'
required: false
type: string

jobs:
build-android:
name: Android
runs-on: ubuntu-latest
env:
APK_PATH: android/app/build/outputs/apk/release/app-release.apk
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
SENTRY_ALLOW_FAILURE: false
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}

- uses: actions/setup-node@v4
with:
node-version: 18
cache: 'npm'
cache-dependency-path: package-lock.json

- run: npm ci

- uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'adopt'

- uses: gradle/gradle-build-action@v3

- working-directory: android
run: ./gradlew :app:assembleRelease

- name: Upload APK
uses: actions/upload-artifact@v4
with:
name: empower-plant-react-native-android
path: ${{ env.APK_PATH }}
retention-days: 60
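Review bot: this reusable workflow declares no `permissions` block, so the job runs with whatever GITHUB_TOKEN scope the caller happens to grant (read/write by default in older repositories); add `permissions: contents: read` at the top of the file, which is all that `actions/checkout` and `actions/upload-artifact` need. Two smaller points on the same hunk: `SENTRY_AUTH_TOKEN` is a job-level `env`, so it is visible to every step including `npm ci` (which runs package lifecycle scripts) rather than only to the Gradle build step; move it to a step-level `env` on the `./gradlew :app:assembleRelease` step. And `distribution: 'adopt'` in `actions/setup-java` refers to AdoptOpenJDK, whose builds moved to Eclipse Temurin and are no longer updated; use `distribution: 'temurin'`.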
74 changes: 74 additions & 0 deletions .github/workflows/build-ios.yml
@@ -0,0 +1,74 @@
name: iOS

on:
workflow_call:
inputs:
ref:
description: 'The branch to build from. E.g. main'
required: false
type: string

jobs:
build-ios:
name: iOS
runs-on: macos-14
env:
APP_ARCHIVE_PATH: sentry_react_native.app.zip
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
SENTRY_ALLOW_FAILURE: false
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}

- uses: actions/setup-node@v4
with:
node-version: 18
cache: 'npm'
cache-dependency-path: package-lock.json

- run: npm ci

- uses: ruby/setup-ruby@v1
with:
ruby-version: '3.3.0'
bundler-cache: true # runs 'bundle install' and caches installed gems automatically

- working-directory: ios
run: bundle exec pod install

- name: Run xcodebuild
working-directory: ios
run: |
mkdir -p "DerivedData"
derivedData="$(cd "DerivedData" ; pwd -P)"
set -o pipefail && xcodebuild \
-workspace sentry_react_native.xcworkspace \
-configuration "Release" \
-scheme sentry_react_native \
-destination 'generic/platform=iOS Simulator' \
-derivedDataPath "$derivedData" \
build \
| tee xcodebuild.log \
| xcbeautify --quieter --is-ci --disable-colored-output
- name: Archive App
run: |
cd ios/DerivedData/Build/Products/Release-iphonesimulator
zip -r \
${{ github.workspace }}/${{ env.APP_ARCHIVE_PATH }} \
sentry_react_native.app
- name: Upload APP
uses: actions/upload-artifact@v4
with:
name: empower-plant-react-native-ios
path: ${{ env.APP_ARCHIVE_PATH }}
retention-days: 60

- name: Upload logs
if: ${{ always() }}
uses: actions/upload-artifact@v4
with:
name: build-ios-logs
path: ios/xcodebuild.log
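Review bot: the CodeQL finding on this file is correct and `contents: read` at the workflow root is sufficient for this job. Beyond that, `SENTRY_AUTH_TOKEN` is exposed as job-level `env` to `npm ci` and `bundle exec pod install`, both of which execute third-party install hooks; scope it to the `Run xcodebuild` step, which is the only one that talks to Sentry. Note also that `-destination 'generic/platform=iOS Simulator'` produces an unsigned simulator build, so `sentry_react_native.app.zip` cannot be installed on a device; that is fine for UI tests, but `release.yml` in this PR attaches the same zip to the GitHub release, so either name it as a simulator build or say so in the release notes.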
Comment on lines +13 to +74

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 2 months ago

To fix the problem, you should add a permissions block to the workflow to explicitly restrict the GITHUB_TOKEN permissions to the minimum required. In this case, the workflow only needs to read repository contents (for actions/checkout) and upload artifacts (which does not require write access to repository contents). The recommended fix is to add permissions: contents: read at the root level of the workflow (above jobs:), which will apply to all jobs unless overridden. This change should be made at the top of the .github/workflows/build-ios.yml file, after the name: and before the on: block.

Suggested changeset 1
.github/workflows/build-ios.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build-ios.yml b/.github/workflows/build-ios.yml
--- a/.github/workflows/build-ios.yml
+++ b/.github/workflows/build-ios.yml
@@ -1,2 +1,4 @@
 name: iOS
+permissions:
+  contents: read
 
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
142 changes: 10 additions & 132 deletions .github/workflows/build.yml
@@ -6,144 +6,22 @@
- master
pull_request:

env:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
SENTRY_ALLOW_FAILURE: false
MAESTRO_VERSION: 1.39.0

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
build-android:
name: Android
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- uses: actions/setup-node@v4
with:
node-version: 18
cache: 'npm'
cache-dependency-path: package-lock.json

- run: npm ci

- uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'adopt'

- uses: gradle/gradle-build-action@v3

- working-directory: android
run: ./gradlew :app:assembleRelease

- name: Upload APK
uses: actions/upload-artifact@v4
with:
name: empower-plant-react-native-android
path: android/app/build/outputs/apk/release/app-release.apk
retention-days: 60
name: 'Build Android'
uses: ./.github/workflows/build-android.yml
secrets: inherit

build-ios:
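Review bot: `secrets: inherit` hands every repository and organization secret to the called workflow, not just `SENTRY_AUTH_TOKEN`; since the callee is local and needs only that one secret, pass it explicitly (`secrets:` with `SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}`) and declare it under `workflow_call.secrets` in build-android.yml. Also, this workflow runs on `pull_request`, where secrets are empty for PRs from forks; with `SENTRY_ALLOW_FAILURE: false` in the callee a fork PR will fail the build rather than skip the Sentry upload, which is worth confirming is intended. The change of `cancel-in-progress` to `${{ github.ref != 'refs/heads/master' }}` is a good one: a master build is no longer cancelled by a follow-up push.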

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
name: iOS
runs-on: macos-14
steps:
- uses: actions/checkout@v4

- uses: actions/setup-node@v4
with:
node-version: 18
cache: 'npm'
cache-dependency-path: package-lock.json

- run: npm ci
name: 'Build iOS'
uses: ./.github/workflows/build-ios.yml
secrets: inherit

- uses: ruby/setup-ruby@v1
with:
ruby-version: '3.3.0'
bundler-cache: true # runs 'bundle install' and caches installed gems automatically

- working-directory: ios
run: bundle exec pod install

- name: Run xcodebuild
working-directory: ios
run: |
mkdir -p "DerivedData"
derivedData="$(cd "DerivedData" ; pwd -P)"
set -o pipefail && xcodebuild \
-workspace sentry_react_native.xcworkspace \
-configuration "Release" \
-scheme sentry_react_native \
-destination 'generic/platform=iOS Simulator' \
-derivedDataPath "$derivedData" \
build \
| tee xcodebuild.log \
| xcbeautify --quieter --is-ci --disable-colored-output
- name: Upload APP
uses: actions/upload-artifact@v4
with:
name: empower-plant-react-native-ios
path: ios/DerivedData/Build/Products/Release-iphonesimulator/sentry_react_native.app
retention-days: 60

- name: Upload logs
if: ${{ always() }}
uses: actions/upload-artifact@v4
with:
name: build-ios-logs
path: ios/xcodebuild.log

run-ui-test-android:
name: UI Test Android
test:
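Review bot: the job key changed from `run-ui-test-android` to `test` and its display name from `UI Test Android` to `Run UI Tests`; if branch protection lists that check as required, the rule must be updated or merges will block waiting for a check that no longer exists. On the CodeQL note for this job: because a called workflow can never hold more than the caller grants, a single `permissions: contents: read` at the root of build.yml covers all three jobs, and the same `secrets: inherit` comment as for build-android applies here.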
Comment on lines +20 to +24

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 2 months ago

To fix the problem, add a permissions block to the workflow file. This can be done at the top level (applies to all jobs) or at the job level (applies to individual jobs). Since none of the jobs in this workflow appear to require write access (they only call reusable workflows and run builds/tests), the safest minimal starting point is to set permissions: read-all at the workflow level. This restricts the GITHUB_TOKEN to read-only permissions for all scopes, adhering to the principle of least privilege. If any job or called workflow requires additional permissions, those can be added explicitly in the relevant workflow files.

What to change:

  • Add the following block after the name: line and before on: in .github/workflows/build.yml:
    permissions: read-all
  • No other changes are needed unless a job requires more permissions, in which case those should be set in the called workflow files.

Suggested changeset 1
.github/workflows/build.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,2 +1,3 @@
 name: Build
+permissions: read-all
 
EOF
name: 'Run UI Tests'
needs: build-android
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Setup KVM
shell: bash
run: |
# check if virtualization is supported...
sudo apt install -y --no-install-recommends cpu-checker coreutils && echo "CPUs=$(nproc --all)" && kvm-ok
# allow access to KVM to run the emulator
echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' \
| sudo tee /etc/udev/rules.d/99-kvm4all.rules
sudo udevadm control --reload-rules
sudo udevadm trigger --name-match=kvm
- name: Download APK artifact
uses: actions/download-artifact@v4
with:
name: empower-plant-react-native-android

- name: Install Maestro
uses: dniHze/maestro-test-action@bda8a93211c86d0a05b7a4597c5ad134566fbde4 # [email protected]
with:
maestro-version: ${{env.MAESTRO_VERSION}}

- name: Run tests
uses: reactivecircus/android-emulator-runner@62dbb605bba737720e10b196cb4220d374026a6d # [email protected]
with:
api-level: 30
force-avd-creation: false
disable-animations: true
disable-spellchecker: true
target: 'aosp_atd'
channel: canary # Necessary for ATDs
emulator-options: >
-no-window
-no-snapshot-save
-gpu swiftshader_indirect
-noaudio
-no-boot-anim
-camera-back none
-camera-front none
-timezone US/Pacific
script: |
adb install -r -d app-release.apk
maestro test maestro --debug-output maestro-logs --env=APP_ID=com.sentry_react_native
uses: ./.github/workflows/test.yml
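Review bot: `test.yml` is not part of this diff, so three things that move with the test job need checking there rather than here: the Maestro and emulator-runner actions were pinned to commit SHAs in the removed job (`dniHze/maestro-test-action@bda8a93…`, `reactivecircus/android-emulator-runner@62dbb60…`) and should stay pinned rather than regress to tags; the top-level `env` block with `MAESTRO_VERSION` disappears from this file, so the version must now live in test.yml; and the artifact name `empower-plant-react-native-android` is now a contract between build-android.yml and test.yml, with no `needs`-level check that enforces it. One thing worth not carrying over verbatim: the udev rule `MODE="0666"` made `/dev/kvm` world-writable; `GROUP="kvm", MODE="0660"` plus adding the runner user to the `kvm` group is enough for the emulator.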
Comment on lines +25 to +27

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 2 months ago

To fix the problem, you should add a permissions block to the workflow. The best way is to add it at the root level, so it applies to all jobs unless overridden. The minimal starting point is usually contents: read, which is sufficient for most build and test workflows that do not need to write to the repository or interact with issues or pull requests. If any job requires additional permissions, you can override the block at the job level. In this case, since all jobs use reusable workflows and there is no evidence that write permissions are needed, adding permissions: contents: read at the root of .github/workflows/build.yml (after the name: and before on:) is the best fix.

Suggested changeset 1
.github/workflows/build.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,2 +1,4 @@
 name: Build
+permissions:
+  contents: read
 
EOF
105 changes: 105 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,105 @@
name: Release
on:
workflow_dispatch:
inputs:
version:
description: 'The version name to release. E.g. 4.0.2'
required: true

env:
APK_PATH: app-release.apk
APP_ARCHIVE_PATH: sentry_react_native.app.zip
GH_TOKEN: ${{ github.token }}

jobs:
bump-version:
runs-on: ubuntu-latest
name: 'Prepare Release'
steps:
- name: Set environment variables
run: |
echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV
- uses: actions/checkout@v4

- uses: actions/setup-node@v4
with:
node-version: 18
cache: 'npm'
cache-dependency-path: package-lock.json

- name: Install dependencies
run: npm ci

- name: Bump Version
run: |
git config user.name getsentry-bot
git config user.email [email protected]
git checkout -b release/${{ env.VERSION }}
npm version ${{ env.VERSION }}
git tag --force ${{ env.VERSION }} -m ${{ env.VERSION }}
git push origin ${{ env.VERSION }}
git push origin release/${{ env.VERSION }}
build-android:
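Review bot: `inputs.version` is interpolated straight into shell in the `Set environment variables` step and again in `Bump Version` (`git checkout -b release/${{ env.VERSION }}`, `npm version ${{ env.VERSION }}`, `git tag --force ${{ env.VERSION }}`), so a `workflow_dispatch` value such as `1.0; <command>` runs as a command in a job that holds GITHUB_TOKEN and, through `secrets: inherit` in the jobs below, every repository secret. Only users with write access can dispatch, but validate the input anyway (`[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1`) and reference it as `"$VERSION"` from the environment rather than through `${{ }}`. Two more on this hunk: `git tag --force` silently moves an existing tag, so re-running the workflow with an already published version rewrites that release's tag; drop `--force` so a duplicate version fails early. And the branch push relies on `npm version` committing the bump, which it does only on a clean tree with `git-tag-version` enabled, in which case it also creates its own `v4.0.2` tag next to the `4.0.2` tag created here; make that explicit with `npm version --no-git-tag-version` followed by a `git commit`.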
Comment on lines +16 to +45

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 2 months ago

To fix the problem, add a permissions block at the top level of the workflow (recommended), or at the job level if different jobs require different permissions. The minimal starting point is contents: read, but some jobs (such as those pushing tags/branches or creating releases) require contents: write. The bump-version and publish-release jobs both perform git operations and create releases, so they require contents: write. The build-android and build-ios jobs only call reusable workflows and do not need elevated permissions, so they can inherit the default or be set to contents: read.

The best way to fix this is to add a permissions block at the workflow root, setting contents: write (since at least two jobs require it). If you want to be more restrictive, you could set contents: write only for the jobs that need it, and contents: read for the rest. For simplicity and clarity, adding at the workflow root is sufficient and safe for this workflow.

Change to make:

  • Add the following at the top level of .github/workflows/release.yml, after the name and before on or after on:
    permissions:
      contents: write

Suggested changeset 1
.github/workflows/release.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,2 +1,4 @@
 name: Release
+permissions:
+  contents: write
 on:
EOF
name: 'Build Android'
needs: [bump-version]
uses: ./.github/workflows/build-android.yml
secrets: inherit
with:
ref: release/${{ inputs.version }}

build-ios:
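Review bot: `ref: release/${{ inputs.version }}` checks out a branch name, which is mutable and, per the cleanup step at the end of this file, deleted once the release is published, so a later re-run of this job cannot reproduce the artifact; have `bump-version` expose the tagged commit SHA as a job output and pass that (or the tag itself) as `ref`, so the APK provably corresponds to the tagged commit.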
Comment on lines +46 to +53

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 2 months ago

To fix the problem, you should add a permissions block to the workflow, either at the root level (to apply to all jobs) or to individual jobs as needed. The minimal starting point is to set contents: read, which allows jobs to read repository contents but not write. For jobs that require additional permissions (such as creating releases or pushing tags/branches), you should grant only the necessary write permissions (e.g., contents: write, pull-requests: write). In this case, since the workflow includes jobs that push tags/branches and create releases, those jobs will need contents: write and possibly pull-requests: write, while build jobs likely only need contents: read. The best way to fix this is to add a root-level permissions block with contents: read (as a safe default), and then override with more permissive settings for jobs that require them (e.g., bump-version and publish-release). The changes should be made at the top of the .github/workflows/release.yml file, and within the relevant jobs.

Suggested changeset 1
.github/workflows/release.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,2 +8,5 @@
 
+permissions:
+  contents: read
+
 env:
@@ -17,2 +20,4 @@
     name: 'Prepare Release'
+    permissions:
+      contents: write
     steps:
@@ -64,2 +69,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     env:
EOF
name: 'Build iOS'
needs: [bump-version]
uses: ./.github/workflows/build-ios.yml
secrets: inherit
with:
ref: release/${{ inputs.version }}

publish-release:
Comment on lines +54 to +61

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 2 months ago

To fix the problem, you should add an explicit permissions block to the workflow. The best way is to add it at the top level of the workflow (just after the name: and on: blocks), so it applies to all jobs unless overridden. You should set the permissions to the minimum required for the workflow to function. Based on the jobs shown:

  • The bump-version job pushes tags and branches, so it needs contents: write.
  • The publish-release job creates a release, so it needs contents: write.
  • The build-android and build-ios jobs use reusable workflows, so their permissions should be set in those workflows, but it's safe to set minimal permissions here.

A good minimal starting point is:

permissions:
  contents: write

If you know that only releases and pushes are needed, you can further restrict, but contents: write is the standard for workflows that push code or create releases.

Add the following block after the name: and before env: in .github/workflows/release.yml.

Suggested changeset 1
.github/workflows/release.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,2 +8,5 @@
 
+permissions:
+  contents: write
+
 env:
EOF
name: 'Publish Release'
needs: [bump-version, build-android, build-ios]
runs-on: ubuntu-latest
env:
MERGE_TARGET: master
steps:
- name: Set environment variables
run: |
echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV
- uses: actions/checkout@v4
with:
fetch-depth: 0 # fetch all history all branches and tags

- name: Download iOS App
uses: actions/download-artifact@v4
with:
name: empower-plant-react-native-ios

- name: Download Android APK
uses: actions/download-artifact@v4
with:
name: empower-plant-react-native-android

- name: Set GitHub user
run: |
git config user.name getsentry-bot
git config user.email [email protected]
- name: Create Release
run: |
gh release create \
${{ env.VERSION }} \
${{ env.APK_PATH }} \
${{ env.APP_ARCHIVE_PATH }} \
--title ${{ env.VERSION }} \
--notes "Release ${{ env.VERSION }}" \
|| error_exit "Failed to create GitHub release."
- name: Clean up Release Branch
run: |
git reset --hard
git checkout ${{ env.MERGE_TARGET }}
git push origin --delete release/${{ env.VERSION }}
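Review bot: the version-bump commit never reaches `master`: `Clean up Release Branch` checks out `MERGE_TARGET` and deletes `release/<version>` without merging it, so after a release `package.json` on master still carries the old version and the bump survives only through the tag. Either merge the release branch into `${{ env.MERGE_TARGET }}` and push before deleting it, or remove `MERGE_TARGET` if leaving master untouched is intentional. Two smaller points: `error_exit` in the `Create Release` step is not defined anywhere in the script, so on failure bash reports `error_exit: command not found` (the step still fails, with exit 127, but the intended message is lost); use `|| { echo "::error::Failed to create GitHub release"; exit 1; }`. And `gh release create`, `git push` and `git push --delete` all need `contents: write`, which the default GITHUB_TOKEN does not have in repositories with read-only default permissions; of the autofixes proposed above, the job-level variant (`contents: read` at the root, `contents: write` only on `bump-version` and `publish-release`) is the least-privilege one.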
Comment on lines +62 to +105

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 2 months ago

To fix the problem, you should add a permissions block to the workflow or to each job, specifying only the permissions required for the actions performed. For this workflow, the jobs that push tags/branches and create releases need contents: write, while jobs that only read code or artifacts may only need contents: read. The minimal fix is to add a permissions block at the workflow root, setting contents: write, or to each job as appropriate. Since the bump-version and publish-release jobs perform git pushes and create releases, they need contents: write. The build-android and build-ios jobs likely only need contents: read (assuming they do not push or create releases). The best fix is to add a workflow-level permissions block with contents: write, or, for stricter control, add job-level permissions blocks.

You should edit .github/workflows/release.yml to add the permissions block. The block should be placed at the top level (after name: and before on: or after on:), or within each job as needed.

Suggested changeset 1
.github/workflows/release.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,2 +1,4 @@
 name: Release
+permissions:
+  contents: write
 on:
EOF