Walkthrough
The updates introduce a new GitHub Actions workflow for PR preview updates that conditionally creates lightweight EAS updates or full builds based on runtime compatibility. They extend environment configuration with update-related options, add an "Updates Menu" to the debug menu for managing updates, refine animation and query logic in conversation features, comment out a conversation preloading hook, add native fingerprinting ignore rules and configuration, add a runtime compatibility check script, and rename several plugin functions from arrow to named functions.
Changes
Sequence Diagram(s)
sequenceDiagram
participant Developer
participant GitHub
participant GitHub Actions
participant Expo EAS
participant PR Preview Channel
Developer->>GitHub: Open/Synchronize/Reopen PR
GitHub->>GitHub Actions: Trigger PR Preview workflow
GitHub Actions->>GitHub Actions: Checkout code, setup Node.js & Yarn
GitHub Actions->>GitHub Actions: Install dependencies, build plugin
GitHub Actions->>Expo EAS: Setup EAS CLI
GitHub Actions->>scripts/check-runtime-compatibility.js: Run compatibility check
alt Compatible (JS-only changes)
GitHub Actions->>Expo EAS: Create preview update (PR branch)
Expo EAS->>PR Preview Channel: Publish update
GitHub Actions->>GitHub: Comment PR with update info
else Incompatible (native changes)
GitHub Actions->>Expo EAS: Trigger full EAS build (iOS preview profile)
Expo EAS->>GitHub Actions: Build progress and completion notifications
GitHub Actions->>GitHub: Post multiple PR comments with build status and instructions
end
GitHub Actions->>Developer: PR preview update or build available
Actionable comments posted: 0
🧹 Nitpick comments (3)
features/conversation/conversation-list/conversation-list.screen.tsx (1)
198-228: Consider removing commented code if permanently disabled.
If the `usePreloadRecentConversations` hook is permanently disabled, consider removing the commented implementation to keep the codebase clean. If it's temporarily disabled for debugging, consider adding a TODO comment explaining when it should be re-enabled. Apply this change if permanently removing:
-// function usePreloadRecentConversations(args: { conversationsIds: IXmtpConversationId[] }) { -// const { conversationsIds } = args -// const router = useRouter() -// const currentSender = useSafeCurrentSender() -// const preloadedConversationsRef = useRef(new Set<IXmtpConversationId>()) - -// useEffectAfterInteractions(() => { -// if (conversationsIds) { -// conversationsIds.forEach((conversationId) => { -// // Skip if already preloaded -// if (preloadedConversationsRef.current.has(conversationId)) { -// return -// } - -// const conversation = getConversationQueryData({ -// clientInboxId: currentSender.inboxId, -// xmtpConversationId: conversationId, -// }) - -// if (conversation) { -// router.preload("Conversation", { -// xmtpConversationId: conversation.xmtpId, -// }) - -// // Mark as preloaded -// preloadedConversationsRef.current.add(conversationId) -// } -// }) -// } -// }, [conversationsIds]) -// }
components/debug-menu.tsx (1)
1123-1338: Well-implemented updates menu with good error handling.
The new `showUpdatesMenu` function provides comprehensive update management functionality with proper error handling and user feedback. The environment-specific features (PR branch switching for preview only) are well-designed. However, consider the following improvements:
Suggestion: Extract hardcoded update URL to configuration
The update URL `"https://u.expo.dev/f9089dfa-8871-4aff-93ea-da08af0370d2"` appears multiple times (lines 1193, 1232). Consider extracting this to a configuration constant for better maintainability.
+ const UPDATE_URL = "https://u.expo.dev/f9089dfa-8871-4aff-93ea-da08af0370d2" - updateUrl: "https://u.expo.dev/f9089dfa-8871-4aff-93ea-da08af0370d2", + updateUrl: UPDATE_URL,
Note: Verify PR number validation
The PR number validation on line 1186 checks for `isNaN(Number(prNumber))` but doesn't validate if it's a positive integer. Consider adding additional validation to ensure the PR number is a valid positive integer.
.github/workflows/pr-preview.yml (1)
1-48: Well-structured GitHub Actions workflow following best practices.
The workflow is properly configured with:
- Appropriate trigger events for PR previews
- Correct permissions (read contents, write pull-requests)
- Proper Node.js setup with caching from `.nvmrc`
- Secure use of repository secrets for EXPO_TOKEN
- Environment-specific configuration with `EXPO_ENV: preview`
Minor suggestion: Consider adding workflow timeout
For better resource management, consider adding a timeout to prevent workflows from running indefinitely:
jobs: create-update: name: Create EAS Update runs-on: ubuntu-latest + timeout-minutes: 15 permissions: contents: read pull-requests: write
Verify EAS update command compatibility
The command `eas update --channel=preview --branch=pr-${{ github.event.number }}` creates PR-specific branches. Ensure this aligns with your EAS project configuration and that the preview channel exists.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (6)
- .github/workflows/pr-preview.yml (1 hunks)
- app.config.ts (5 hunks)
- components/debug-menu.tsx (2 hunks)
- features/conversation/conversation-chat/conversation-messages.query.ts (3 hunks)
- features/conversation/conversation-chat/conversation-messages.tsx (1 hunks)
- features/conversation/conversation-list/conversation-list.screen.tsx (2 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
features/conversation/conversation-chat/conversation-messages.query.ts (1)
features/xmtp/xmtp-conversations/xmtp-conversations-sync.ts (1)
syncOneXmtpConversation(89-104)
⏰ Context from checks skipped due to timeout of 90000ms (3)
- GitHub Check: test
- GitHub Check: Code Review
- GitHub Check: Create EAS Update
🔇 Additional comments (9)
app.config.ts (3)
29-31: Well-structured configuration extension.
The addition of the `updates` configuration object to the `EnvironmentConfig` type is clean and follows the existing pattern.
77-79: Environment-specific update configurations are well-designed.
The configuration values are appropriate for each environment:
- Development and preview enable `disableAntiBrickingMeasures` for easier testing
- Production keeps it disabled with a clear safety comment
The comment on line 142 is particularly valuable for preventing accidental production misconfigurations.
Also applies to: 109-111, 141-144
163-163: Runtime version policy change aligns with update workflow.
Changing from `"nativeVersion"` to `"fingerprint"` is appropriate for the new update system, as fingerprint-based versioning provides more granular control over update delivery.
features/conversation/conversation-chat/conversation-messages.tsx (1)
576-580: Improved animation condition for better UX.
The refinement to only animate messages with `status === "sending"` is excellent. This ensures animations only trigger for messages actively being sent, providing more accurate visual feedback and preventing unnecessary animations for already-sent messages.
features/conversation/conversation-chat/conversation-messages.query.ts (3)
77-77: Good introduction of semantic variable.
The `isFirstPage` variable clearly expresses the intent and will be used consistently throughout the function.
89-95: Cleaner synchronization logic.
Using `isFirstPage` instead of the direct cursor check improves readability and ensures consistent first-page detection throughout the function.
124-124: Consistent cache merging condition.
The refactoring maintains the same logic while improving code clarity by using the semantic `isFirstPage` variable.
features/conversation/conversation-list/conversation-list.screen.tsx (1)
51-51: Clarify the reason for disabling conversation preloading.The preloading functionality has been commented out. Could you provide context on:
- Is this a temporary or permanent change?
- What impact analysis was done on user experience?
- Are there performance issues with the current preloading implementation?
The preloading hook was designed to improve navigation performance by preloading conversation screens. Understanding the rationale will help assess if alternative optimizations are needed.
components/debug-menu.tsx (1)
1427-1438: Correct integration of the Updates Menu.
The new "Updates Menu" is properly integrated into the primaryMethods object and the dependency array is correctly updated to include `showUpdatesMenu`.
Add PR update preview system with automated GitHub Actions workflow for creating EAS updates or builds based on runtime version fingerprint compatibility
Implements an automated PR preview system that uses runtime version fingerprints to determine whether pull request changes require a new native build or can be delivered as an over-the-air update. The system includes:
📍Where to Start
Start with the GitHub Actions workflow in .github/workflows/pr-preview.yml to understand the overall PR preview automation process, then examine the runtime compatibility checking logic in scripts/check-runtime-compatibility.js.
Macroscope summarized fd26376.
Actionable comments posted: 4
🧹 Nitpick comments (3)
scripts/check-runtime-compatibility.js (1)
118-143: Consider extracting legacy version check into a separate function.
The legacy version handling logic is nested and makes the main function harder to read. Extracting it would improve maintainability.
Consider applying this refactor:
+/** + * Checks if current app version matches legacy runtime version format + */ +function checkLegacyVersionCompatibility(previewRuntimeVersion) { + if (!previewRuntimeVersion.match(/^\d+\.\d+\.\d+$/)) { + return false + } + + console.log("\n⚠️ Preview build uses old runtime version format") + + const configOutput = execCommand("EXPO_ENV=preview npx expo config --json") + if (configOutput) { + try { + const config = JSON.parse(configOutput) + const appVersion = config.version + return appVersion === previewRuntimeVersion + } catch (error) { + console.error("Failed to parse expo config:", error.message) + } + } + return false +} // Check if preview build uses old version format (like "1.0.1") // and current app version matches - if (previewRuntimeVersion.match(/^\d+\.\d+\.\d+$/)) { - console.log("\n⚠️ Preview build uses old runtime version format") - - // Get current app version - const configOutput = execCommand("EXPO_ENV=preview npx expo config --json") - if (configOutput) { - try { - const config = JSON.parse(configOutput) - const appVersion = config.version - - if (appVersion === previewRuntimeVersion) { - console.log(`✅ App version (${appVersion}) matches build runtime version`) - console.log("can_create_update=true") - console.log( - "\n💡 Consider creating a new preview build with fingerprint policy for better compatibility detection", - ) - setGitHubOutput("can_create_update", "true") - setGitHubOutput("current_fingerprint", currentFingerprint) - setGitHubOutput("preview_fingerprint", previewRuntimeVersion) - process.exit(0) - } - } catch (error) { - console.error("Failed to parse expo config:", error.message) - } - } + if (checkLegacyVersionCompatibility(previewRuntimeVersion)) { + console.log(`✅ App version matches build runtime version`) + console.log("can_create_update=true") + console.log( + "\n💡 Consider creating a new preview build with fingerprint policy for better compatibility detection", + ) + setGitHubOutput("can_create_update", "true") + 
setGitHubOutput("current_fingerprint", currentFingerprint) + setGitHubOutput("preview_fingerprint", previewRuntimeVersion) + process.exit(0) }
.github/workflows/pr-preview.yml (2)
168-232: Fix formatting: Remove trailing spaces.
Multiple lines in the PR comment templates have trailing spaces which violate YAML formatting standards.
Remove trailing spaces from the following lines: 168, 170, 174, 179, 184, 198, 200, 205, 207, 221, 223, 227, 232.
- 🔨 **Native Changes Detected - Creating New Build** - + 🔨 **Native Changes Detected - Creating New Build** + This PR contains native changes that require a new build. A preview build is being created now. - + **Runtime Versions:** - PR Fingerprint: \`${{ needs.check-compatibility.outputs.current_fingerprint }}\` - Latest preview Build: \`${{ needs.check-compatibility.outputs.preview_fingerprint }}\` - + **What's happening:** - ⏳ Creating new iOS preview build (this takes ~10-15 minutes) - 📱 Build will be available on TestFlight internal testing - 🔄 You'll get a notification when the build is ready - + **To test this PR:** 1. Wait for the build to complete 2. Update your TestFlight app to the latest preview build 3. The new build will include your changes - + **Build started at:** ${new Date().toLocaleString()}`
🧰 Tools
🪛 YAMLlint (1.37.1)
[error] 168-168: trailing spaces
(trailing-spaces)
[error] 170-170: trailing spaces
(trailing-spaces)
[error] 174-174: trailing spaces
(trailing-spaces)
[error] 179-179: trailing spaces
(trailing-spaces)
[error] 184-184: trailing spaces
(trailing-spaces)
[error] 198-198: trailing spaces
(trailing-spaces)
[error] 200-200: trailing spaces
(trailing-spaces)
[error] 205-205: trailing spaces
(trailing-spaces)
[error] 207-207: trailing spaces
(trailing-spaces)
[error] 221-221: trailing spaces
(trailing-spaces)
[error] 223-223: trailing spaces
(trailing-spaces)
[error] 227-227: trailing spaces
(trailing-spaces)
[error] 232-232: trailing spaces
(trailing-spaces)
20-44: Consider extracting common environment setup into a reusable workflow.
The Node.js and EAS setup steps are duplicated across all three jobs, which violates the DRY principle and makes maintenance harder.
Consider creating a composite action or reusable workflow for the common setup steps to reduce duplication and improve maintainability.
Also applies to: 62-84, 103-117
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
`yarn.lock` is excluded by `!**/yarn.lock`, `!**/*.lock`
📒 Files selected for processing (8)
- .fingerprintignore (1 hunks)
- .github/workflows/pr-preview.yml (1 hunks)
- components/debug-menu.tsx (2 hunks)
- fingerprint.config.js (1 hunks)
- package.json (1 hunks)
- plugins/notification-service-extension/plugin/src/with-my-plugin-ios.ts (5 hunks)
- plugins/notification-service-extension/plugin/src/with-my-plugin.ts (1 hunks)
- scripts/check-runtime-compatibility.js (1 hunks)
✅ Files skipped from review due to trivial changes (5)
- package.json
- plugins/notification-service-extension/plugin/src/with-my-plugin-ios.ts
- .fingerprintignore
- fingerprint.config.js
- plugins/notification-service-extension/plugin/src/with-my-plugin.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- components/debug-menu.tsx
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/pr-preview.yml
120-120: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions for more details
(expression)
127-127: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions for more details
(expression)
237-237: property "check-compatibility" is not defined in object type {}
(expression)
240-240: property "check-compatibility" is not defined in object type {}
(expression)
277-277: property "check-compatibility" is not defined in object type {}
(expression)
280-280: property "check-compatibility" is not defined in object type {}
(expression)
⏰ Context from checks skipped due to timeout of 90000ms (5)
- GitHub Check: tsc
- GitHub Check: test
- GitHub Check: lint
- GitHub Check: Check Update Compatibility
- GitHub Check: Code Review
🔇 Additional comments (1)
scripts/check-runtime-compatibility.js (1)
163-167: Good error handling with catch block.
The script properly handles unexpected errors in the main execution with appropriate logging and GitHub Actions output setting.
| const hashMatch = output.match(/"hash":"([^"]+)"/g) | ||
|
|
||
| if (hashMatch && hashMatch.length > 0) { | ||
| // Get the last hash (which is the final fingerprint) | ||
| const lastHash = hashMatch[hashMatch.length - 1] | ||
| const fingerprint = lastHash.match(/"hash":"([^"]+)"/)[1] | ||
|
|
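Review bot: the `lastHash.match(/"hash":"([^"]+)"/)[1]` access in the last line of this snippet indexes a match result without checking it, and the "last hash is the final fingerprint" assumption relies on the serialized key order of the tool's output; parse the output with `JSON.parse` and read its top-level `hash` field first, keeping the regex only as a fallback for non-JSON output, and guard the `[1]` access on that fallback path.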
🛠️ Refactor suggestion
Improve robustness of fingerprint extraction.
The regex-based parsing of JSON output is fragile and could break if the output format changes. The potential null pointer access on line 45 could cause runtime errors.
Apply this diff to make the parsing more robust:
- // The fingerprint output is a JSON object with a final "hash" field
- // Extract the last hash value from the output
- const hashMatch = output.match(/"hash":"([^"]+)"/g)
-
- if (hashMatch && hashMatch.length > 0) {
- // Get the last hash (which is the final fingerprint)
- const lastHash = hashMatch[hashMatch.length - 1]
- const fingerprint = lastHash.match(/"hash":"([^"]+)"/)[1]
+ try {
+ // Try to parse as JSON first
+ const jsonOutput = JSON.parse(output)
+ if (jsonOutput.hash) {
+ const fingerprint = jsonOutput.hash
+ console.log(`✅ Current fingerprint: ${fingerprint}`)
+ return fingerprint
+ }
+ } catch (jsonError) {
+ // Fallback to regex parsing for non-JSON output
+ const hashMatch = output.match(/"hash":"([^"]+)"/g)
+ if (hashMatch && hashMatch.length > 0) {
+ const lastHash = hashMatch[hashMatch.length - 1]
+ const hashMatches = lastHash.match(/"hash":"([^"]+)"/)
+ if (hashMatches && hashMatches[1]) {
+ const fingerprint = hashMatches[1]
+ console.log(`✅ Current fingerprint: ${fingerprint}`)
+ return fingerprint
+ }
+ }
+ }
Committable suggestion skipped: line range outside the PR's diff.
🤖 Prompt for AI Agents
In scripts/check-runtime-compatibility.js around lines 40 to 46, the code uses
regex to parse JSON output, which is fragile and risks runtime errors if the
format changes or the match is null. To fix this, parse the output as JSON
instead of using regex, then safely extract the fingerprint property from the
parsed object. Add checks to ensure the property exists before accessing it to
avoid null pointer errors.
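As an added example (not the project's scripts/check-runtime-compatibility.js), the two pieces of this script that the comment above and the legacy-version refactor discuss, written as pure functions so they can be tested without running `expo` or `eas`: JSON-first fingerprint extraction with the regex as a fallback, and the decision of whether an update can be published when the latest preview build still carries a semver runtime version. Function names are this example's own, and the input shapes are assumptions stated in the comments.

```javascript
// Added example, not the project's check-runtime-compatibility.js. Names below are
// this example's own; the shapes of the inputs are assumptions:
//   - the fingerprint command prints JSON with a top-level "hash" (possibly preceded
//     by warnings on stdout, which is why the regex fallback exists)
//   - preview builds made before the fingerprint policy carry a semver runtimeVersion

const LEGACY_VERSION_RE = /^\d+\.\d+\.\d+$/
const HASH_RE = /"hash":"([^"]+)"/g

// JSON-first extraction; falls back to the last "hash" occurrence only when the
// output is not a single JSON document. Returns null instead of throwing.
function extractFingerprint(output) {
  try {
    const parsed = JSON.parse(output)
    if (parsed && typeof parsed.hash === "string") {
      return parsed.hash
    }
    return null
  } catch (_err) {
    const matches = output.match(HASH_RE)
    if (!matches) {
      return null
    }
    const last = matches[matches.length - 1].match(/"hash":"([^"]+)"/)
    return last ? last[1] : null
  }
}

// Decides whether the PR can ship as an EAS update (true) or needs a new native
// build (false). `legacy` marks the pre-fingerprint comparison path.
function decideUpdateCompatibility({ currentFingerprint, previewRuntimeVersion, appVersion }) {
  if (!currentFingerprint) {
    return { canCreateUpdate: false, legacy: false, reason: "no fingerprint for current checkout" }
  }
  if (!previewRuntimeVersion) {
    return { canCreateUpdate: false, legacy: false, reason: "no preview build to compare against" }
  }
  if (currentFingerprint === previewRuntimeVersion) {
    return { canCreateUpdate: true, legacy: false, reason: "fingerprint matches latest preview build" }
  }
  if (LEGACY_VERSION_RE.test(previewRuntimeVersion)) {
    // Old builds were versioned by app version, so compare against that instead
    const matches = appVersion === previewRuntimeVersion
    return {
      canCreateUpdate: matches,
      legacy: true,
      reason: matches
        ? "preview build uses a semver runtime version that matches the app version"
        : "preview build uses a semver runtime version that differs from the app version",
    }
  }
  return { canCreateUpdate: false, legacy: false, reason: "native fingerprint changed; a new build is required" }
}

// Lines to append to $GITHUB_OUTPUT (key=value), the replacement for the deprecated set-output.
function githubOutputLines(decision, currentFingerprint, previewRuntimeVersion) {
  return [
    `can_create_update=${decision.canCreateUpdate}`,
    `current_fingerprint=${currentFingerprint}`,
    `preview_fingerprint=${previewRuntimeVersion}`,
  ]
}

// Constructed sample: noisy fingerprint output followed by a legacy preview build.
const SAMPLE_FINGERPRINT_OUTPUT =
  'warning: something noisy\n{"sources":[{"hash":"aaa111"}],"hash":"final999"}'
const sampleDecision = decideUpdateCompatibility({
  currentFingerprint: extractFingerprint(SAMPLE_FINGERPRINT_OUTPUT),
  previewRuntimeVersion: "1.0.1",
  appVersion: "1.0.1",
})
console.log(sampleDecision.reason)
console.log(githubOutputLines(sampleDecision, "final999", "1.0.1").join("\n"))
```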
.github/workflows/pr-preview.yml
Outdated
| run: | | ||
| # Create build with PR-specific message | ||
| eas build --platform ios --profile preview --non-interactive --message "PR #${{ github.event.number }}: ${{ github.event.pull_request.title }}" | ||
|
|
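Review bot: the `--message` argument on the `eas build` line expands `${{ github.event.pull_request.title }}` directly into a `run:` shell script, so a title containing a double quote, backtick or `$(...)` is interpreted by the runner's shell; pass the title through the step's `env:` (for example `PR_TITLE: ${{ github.event.pull_request.title }}`) and reference `"$PR_TITLE"` in the command, which keeps the value out of shell parsing, while `${{ github.event.number }}` is numeric and can stay.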
Security vulnerability: Untrusted input in shell command.
Using github.event.pull_request.title directly in shell commands poses a security risk as it can contain malicious content that could be executed.
Apply this diff to fix the security issue:
- name: Create EAS Build
+ env:
+ PR_TITLE: ${{ github.event.pull_request.title }}
+ PR_NUMBER: ${{ github.event.number }}
run: |
# Create build with PR-specific message
- eas build --platform ios --profile preview --non-interactive --message "PR #${{ github.event.number }}: ${{ github.event.pull_request.title }}"
+ eas build --platform ios --profile preview --non-interactive --message "PR #${PR_NUMBER}: ${PR_TITLE}"
Committable suggestion skipped: line range outside the PR's diff.
🤖 Prompt for AI Agents
In .github/workflows/pr-preview.yml around lines 120 to 123, the shell command
uses the untrusted input github.event.pull_request.title directly, which can
lead to command injection vulnerabilities. To fix this, sanitize or escape the
pull request title before including it in the shell command, or use GitHub
Actions built-in mechanisms to safely pass this value as an environment variable
or argument without direct shell interpolation.
| script: | | ||
| const body = `## 🏗️ New Build Started | ||
|
|
||
| ⏳ **Creating new preview build** for native changes... | ||
|
|
||
| ### 📊 Build Details | ||
| - **Platform:** iOS | ||
| - **Profile:** preview | ||
| - **Reason:** Native changes detected in PR #${{ github.event.number }} | ||
| - **Message:** "${{ github.event.pull_request.title }}" | ||
|
|
||
| ### ⏱️ Expected Timeline | ||
| - **Build time:** ~10-15 minutes | ||
| - **TestFlight processing:** ~5-10 minutes | ||
| - **Total:** ~15-25 minutes | ||
|
|
||
| ### 🔔 What's Next | ||
| 1. **Build will appear in EAS dashboard** when complete | ||
| 2. **New build will be submitted to TestFlight** automatically | ||
| 3. **You'll get a notification** when ready for testing | ||
| 4. **Update your preview app** before testing this PR | ||
|
|
||
| --- | ||
| *You can track build progress in the [EAS dashboard](https://expo.dev/accounts/ephemera/projects/convos/builds).*`; | ||
|
|
||
| github.rest.issues.createComment({ | ||
| issue_number: context.issue.number, | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| body: body | ||
| }); | ||
|
|
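Review bot: the `- **Message:** "${{ github.event.pull_request.title }}"` line sits inside a JavaScript template literal, so a title containing a backtick or `${` closes the literal and the remainder runs as code inside `actions/github-script`; set the title on the step's `env:` and read it with `process.env.PR_TITLE` inside the script instead of expanding it with `${{ }}`, which also keeps the comment body intact for titles that contain quotes.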
Security vulnerability: Untrusted input in inline script.
The PR title is used directly in the JavaScript code without proper escaping, which could lead to script injection attacks.
Apply this diff to fix the security issue:
- name: Comment on PR - Build Started
uses: actions/github-script@v7
+ env:
+ PR_TITLE: ${{ github.event.pull_request.title }}
+ PR_NUMBER: ${{ github.event.number }}
with:
script: |
+ const prTitle = process.env.PR_TITLE;
+ const prNumber = process.env.PR_NUMBER;
const body = `## 🏗️ New Build Started
⏳ **Creating new preview build** for native changes...
### 📊 Build Details
- **Platform:** iOS
- **Profile:** preview
- - **Reason:** Native changes detected in PR #${{ github.event.number }}
- - **Message:** "${{ github.event.pull_request.title }}"
+ - **Reason:** Native changes detected in PR #${prNumber}
+ - **Message:** "${prTitle}"
### ⏱️ Expected Timeline
- **Build time:** ~10-15 minutes
📝 Committable suggestion
| script: | | |
| const body = `## 🏗️ New Build Started | |
| ⏳ **Creating new preview build** for native changes... | |
| ### 📊 Build Details | |
| - **Platform:** iOS | |
| - **Profile:** preview | |
| - **Reason:** Native changes detected in PR #${{ github.event.number }} | |
| - **Message:** "${{ github.event.pull_request.title }}" | |
| ### ⏱️ Expected Timeline | |
| - **Build time:** ~10-15 minutes | |
| - **TestFlight processing:** ~5-10 minutes | |
| - **Total:** ~15-25 minutes | |
| ### 🔔 What's Next | |
| 1. **Build will appear in EAS dashboard** when complete | |
| 2. **New build will be submitted to TestFlight** automatically | |
| 3. **You'll get a notification** when ready for testing | |
| 4. **Update your preview app** before testing this PR | |
| --- | |
| *You can track build progress in the [EAS dashboard](https://expo.dev/accounts/ephemera/projects/convos/builds).*`; | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: body | |
| }); | |
| - name: Comment on PR - Build Started | |
| uses: actions/github-script@v7 | |
| env: | |
| PR_TITLE: ${{ github.event.pull_request.title }} | |
| PR_NUMBER: ${{ github.event.number }} | |
| with: | |
| script: | | |
| const prTitle = process.env.PR_TITLE; | |
| const prNumber = process.env.PR_NUMBER; | |
| const body = `## 🏗️ New Build Started | |
| ⏳ **Creating new preview build** for native changes... | |
| ### 📊 Build Details | |
| - **Platform:** iOS | |
| - **Profile:** preview | |
| - **Reason:** Native changes detected in PR #${prNumber} | |
| - **Message:** "${prTitle}" | |
| ### ⏱️ Expected Timeline | |
| - **Build time:** ~10-15 minutes | |
| - **TestFlight processing:** ~5-10 minutes | |
| - **Total:** ~15-25 minutes | |
| ### 🔔 What's Next | |
| 1. **Build will appear in EAS dashboard** when complete | |
| 2. **New build will be submitted to TestFlight** automatically | |
| 3. **You'll get a notification** when ready for testing | |
| 4. **Update your preview app** before testing this PR | |
| --- | |
| *You can track build progress in the [EAS dashboard](https://expo.dev/accounts/ephemera/projects/convos/builds).*`; | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: body | |
| }); |
🤖 Prompt for AI Agents
In .github/workflows/pr-preview.yml around lines 127 to 158, the PR title is
directly embedded in the JavaScript string without escaping, which risks script
injection. To fix this, sanitize or escape the PR title before including it in
the body string to ensure any special characters are neutralized and cannot
break out of the string context. Use a proper escaping function or method to
safely insert the PR title into the comment body.
Actionable comments posted: 2
🧹 Nitpick comments (4)
.github/workflows/pr-preview.yml (4)
3-6: Consider adding concurrency controls to the workflow
Prevent redundant preview runs by cancelling in-flight workflows for the same PR. You can add at the top level:
name: PR Preview
concurrency:
  group: pr-preview-${{ github.event.pull_request.number }}
  cancel-in-progress: true
on:
  pull_request:
    types: [opened, synchronize, reopened]
17-37: Extract shared setup steps into a reusable workflow or composite action
The sequence of checkout → setup-node → corepack → yarn install → plugin build repeats across all jobs. Factor this out with YAML anchors or a composite action to improve maintainability and reduce drift.
Also applies to: 58-86, 145-169
222-233: Remove trailing spaces in the comment body
Several lines in the “Build Complete” comment block have trailing whitespace. Trim them to keep diffs clean and avoid unintended spaces in the posted comment.
🧰 Tools
🪛 YAMLlint (1.37.1)
[error] 223-223: trailing spaces
(trailing-spaces)
[error] 225-225: trailing spaces
(trailing-spaces)
[error] 230-230: trailing spaces
(trailing-spaces)
[error] 232-232: trailing spaces
(trailing-spaces)
245-258: Remove trailing spaces in the failure comment body
The multi-line string for “Preview Build Failed” contains trailing spaces on multiple lines—please remove these to maintain consistency.
🧰 Tools
🪛 YAMLlint (1.37.1)
[error] 246-246: trailing spaces
(trailing-spaces)
[error] 248-248: trailing spaces
(trailing-spaces)
[error] 252-252: trailing spaces
(trailing-spaces)
[error] 257-257: trailing spaces
(trailing-spaces)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
- .github/workflows/pr-preview.yml (1 hunks)
- App.tsx (1 hunks)
✅ Files skipped from review due to trivial changes (1)
- App.tsx
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/pr-preview.yml
210-210: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions for more details
(expression)
⏰ Context from checks skipped due to timeout of 90000ms (1)
- GitHub Check: Review for correctness
🔇 Additional comments (1)
.github/workflows/pr-preview.yml (1)
11-14: Details
✅ Verification successful
Verify that the compatibility script sets outputs correctly
Downstream jobs rely on `can_create_update`, `current_fingerprint`, and `preview_fingerprint`. Ensure `scripts/check-runtime-compatibility.js` writes to `$GITHUB_OUTPUT` (rather than the deprecated `set-output`).
🏁 Script executed:
#!/bin/bash
# Confirm the script emits to GITHUB_OUTPUT
rg -n 'GITHUB_OUTPUT' scripts/check-runtime-compatibility.js
Length of output: 173
Outputs correctly set to GITHUB_OUTPUT
The compatibility script writes `can_create_update`, `current_fingerprint`, and `preview_fingerprint` to `$GITHUB_OUTPUT` via `fs.appendFileSync(process.env.GITHUB_OUTPUT, …)` in scripts/check-runtime-compatibility.js (lines 156–158). No changes needed.
| eas build --platform ios --profile preview --non-interactive --message "PR #${{ github.event.number }}: ${{ github.event.pull_request.title }}" | ||
|
|
Security risk: untrusted PR title in build command
The eas build ... --message "PR #${{ github.event.number }}: ${{ github.event.pull_request.title }}" invocation interpolates untrusted input. Use env vars or escape the title to avoid injection.
🤖 Prompt for AI Agents
In .github/workflows/pr-preview.yml at lines 211-212, the eas build command uses
the untrusted PR title directly in the --message argument, which risks command
injection. To fix this, avoid direct interpolation of the PR title in the
command line; instead, assign the PR title to a GitHub Actions environment
variable with proper escaping or sanitization, then reference that variable
safely in the eas build command to prevent injection vulnerabilities.
| - name: Create PR preview update | ||
| uses: expo/expo-github-action/preview@v8 | ||
| with: | ||
| command: eas update --branch=pr-${{ github.event.number }} --message="PR #${{ github.event.number }}: ${{ github.event.pull_request.title }}" |
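Review bot: the `command:` input interpolates `${{ github.event.pull_request.title }}` into the `eas update --message=` argument that the action executes; because this is an action input rather than a `run:` step, moving the title to `env:` only helps if the action expands the variable in a shell, so the safer options are to drop the title and keep the message to `PR #${{ github.event.number }}` (numeric), or to run `eas update` from a `run:` step that reads the title from `env:`.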
Security risk: untrusted PR title in update command
Using ${{ github.event.pull_request.title }} directly in the eas update --message flag can lead to command-injection. Pass the title via an environment variable or properly escape/sanitize it.
🤖 Prompt for AI Agents
In .github/workflows/pr-preview.yml at line 92, the PR title is directly used in
the eas update command message, which poses a command injection risk. To fix
this, avoid inserting the raw PR title directly in the command string; instead,
assign the PR title to an environment variable and reference that variable in
the command, or sanitize/escape the title properly before usage to prevent
injection vulnerabilities.
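The four injection findings above share one pattern. As an added example (not part of the PR or of the CodeRabbit review), a dependency-free detector for it that a repository could run over its workflow files: it flags untrusted event fields expanded with `${{ }}` into `run:` / `script:` block scalars or a `command:` value, and stays quiet when the same field is only assigned under `env:`. The context list is drawn from GitHub's security-hardening guide; the YAML handling is indentation-based only, which is enough for the block scalars this workflow uses, and the sample workflows are constructed.

```javascript
// Added example, not part of the PR or of the CodeRabbit review. A dependency-free
// detector for the pattern actionlint flagged in this workflow: an untrusted event
// field expanded with `${{ ... }}` straight into a `run:` / `script:` block scalar or
// a `command:` value. The context list is taken from GitHub's security-hardening
// guide; YAML is handled by indentation only, which is enough for block scalars.

const UNTRUSTED_CONTEXTS = [
  "github.event.pull_request.title",
  "github.event.pull_request.body",
  "github.event.pull_request.head.ref",
  "github.event.pull_request.head.label",
  "github.event.issue.title",
  "github.event.issue.body",
  "github.event.comment.body",
  "github.event.review.body",
  "github.event.head_commit.message",
  "github.head_ref",
]
const EXPRESSION_RE = /\$\{\{\s*([^}]+?)\s*\}\}/g
const SCRIPT_KEY_RE = /^(?:-\s*)?(run|script|command):\s*(.*)$/

// Returns one finding per untrusted `${{ }}` expression found in `text`.
function findUntrusted(text, lineNo, key) {
  const out = []
  for (const m of text.matchAll(EXPRESSION_RE)) {
    const expr = m[1].trim()
    if (UNTRUSTED_CONTEXTS.some((ctx) => expr === ctx || expr.startsWith(`${ctx}.`))) {
      out.push({ line: lineNo, key, expression: expr })
    }
  }
  return out
}

// Scans a workflow file and lists every untrusted expression interpolated into code.
// Expansions under `env:` are not flagged: the value becomes an environment variable
// and is never re-parsed by the shell or by the github-script interpreter.
function scanWorkflow(yamlText) {
  const results = []
  let block = null // { key, indent } while inside `run: |`, `script: |`, ...
  yamlText.split("\n").forEach((raw, i) => {
    const lineNo = i + 1
    const indent = raw.length - raw.trimStart().length
    const line = raw.trim()
    if (block) {
      if (line === "" || indent > block.indent) {
        results.push(...findUntrusted(raw, lineNo, block.key))
        return
      }
      block = null // dedented: the block scalar has ended
    }
    const m = line.match(SCRIPT_KEY_RE)
    if (!m) return
    if (/^[|>][-+]?$/.test(m[2])) {
      block = { key: m[1], indent }
    } else {
      results.push(...findUntrusted(m[2], lineNo, m[1]))
    }
  })
  return results
}

// Constructed sample: the three shapes flagged in this PR's pr-preview.yml.
const VULNERABLE_WORKFLOW = [
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - name: Create EAS Build",
  "        run: |",
  '          eas build --platform ios --profile preview --non-interactive --message "PR #${{ github.event.number }}: ${{ github.event.pull_request.title }}"',
  "      - name: Comment on PR - Build Started",
  "        uses: actions/github-script@v7",
  "        with:",
  "          script: |",
  '            const body = `Reason: Native changes detected in PR #${{ github.event.number }} "${{ github.event.pull_request.title }}"`',
  "            github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, body })",
  "      - name: Create PR preview update",
  "        uses: expo/expo-github-action/preview@v8",
  "        with:",
  '          command: eas update --branch=pr-${{ github.event.number }} --message="PR #${{ github.event.number }}: ${{ github.event.pull_request.title }}"',
].join("\n")

// Constructed hardened shape: the title reaches the shell only as an environment variable.
const HARDENED_WORKFLOW = [
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - name: Create EAS Build",
  "        env:",
  "          PR_TITLE: ${{ github.event.pull_request.title }}",
  "          PR_NUMBER: ${{ github.event.number }}",
  "        run: |",
  '          eas build --platform ios --profile preview --non-interactive --message "PR #${PR_NUMBER}: ${PR_TITLE}"',
].join("\n")

console.log(scanWorkflow(VULNERABLE_WORKFLOW))
console.log(scanWorkflow(HARDENED_WORKFLOW))
```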
Add PR update preview functionality by implementing GitHub Actions workflow for EAS updates and configuring application for preview builds
- `nativeVersion` to `fingerprint`
- `showUpdatesMenu` function for managing EAS updates and PR branch switching
- `sending` status
📍Where to Start
Start with the GitHub Actions workflow in .github/workflows/pr-preview.yml to understand the PR preview automation, then review the configuration changes in app.config.ts.
Macroscope summarized 20efa82.