Update actions #437
📝 Walkthrough
This PR introduces Firebase App Distribution capabilities and makes related configuration updates. A new GitHub Actions workflow enables app distribution via Firebase, while the manual release workflow gains configurable input parameters for selective module publishing. The workbench build configuration is updated with Firebase and Google Play Services plugins, plus version properties for the debug build. Finally, the UI activity is updated to use a UserButton component in place of UserProfileView.
Pre-merge checks: ❌ Failed checks (2 warnings, 1 inconclusive)
Actionable comments posted: 1
📜 Review details
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (4)
.github/workflows/firebase-app-distribution.yml (1 hunks)
.github/workflows/manual-release.yml (2 hunks)
workbench/build.gradle.kts (2 hunks)
workbench/src/main/java/com/clerk/workbench/UiActivity2.kt (2 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*
⚙️ CodeRabbit configuration file
If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.
**/*: Only comment on issues that would block merging, ignore minor or stylistic concerns.
Restrict feedback to errors, security risks, or functionality-breaking problems.
Do not post comments on code style, formatting, or non-critical improvements.
Keep reviews short: flag only issues that make the PR unsafe to merge.
Group similar issues into a single comment instead of posting multiple notes.
Skip repetition: if a pattern repeats, mention it once at a summary level only.
Do not add general suggestions, focus strictly on merge-blocking concerns.
If there are no critical problems, respond with minimal approval (e.g., 'Looks good'). Do not add additional review.
Avoid line-by-line commentary unless it highlights a critical bug or security hole.
Highlight only issues that could cause runtime errors, data loss, or severe maintainability issues.
Ignore minor optimization opportunities, focus solely on correctness and safety.
Provide a top-level summary of critical blockers rather than detailed per-line notes.
Comment only when the issue must be resolved before merge, otherwise remain silent.
When in doubt, err on the side of fewer comments, brevity and blocking issues only.
Avoid posting any refactoring issues.
Files:
workbench/build.gradle.kts
workbench/src/main/java/com/clerk/workbench/UiActivity2.kt
🧬 Code graph analysis (1)
workbench/src/main/java/com/clerk/workbench/UiActivity2.kt (1)
source/ui/src/main/java/com/clerk/ui/userbutton/UserButton.kt (1)
UserButton(46-108)
🪛 actionlint (1.7.9)
.github/workflows/firebase-app-distribution.yml
14-14: label "blacksmith-4vcpu-ubuntu-2404" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file
(runner-label)
🔇 Additional comments (3)
workbench/src/main/java/com/clerk/workbench/UiActivity2.kt (1)
21-21: Looks good. The component swap from UserProfileView to UserButton is correctly implemented with the matching import. Also applies to: 41-41
.github/workflows/manual-release.yml (1)
176-200: Looks good. The conditional task selection logic correctly handles both release events and manual workflow dispatch, with proper validation for empty module selection.
workbench/build.gradle.kts (1)
9-10: Looks good. Plugin additions align with the Firebase App Distribution workflow requirements. Also applies to: 21-22
| - name: Build and upload to Firebase App Distribution | ||
| env: | ||
| ORG_GRADLE_PROJECT_WORKBENCH_CLERK_PUBLISHABLE_KEY: ${{ secrets.WORKBENCH_CLERK_PUBLISHABLE_KEY }} | ||
| run: | | ||
| ./gradlew :workbench:assembleDebug :workbench:appDistributionUploadDebug |
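Review bot: the `env:` block for this step carries only WORKBENCH_CLERK_PUBLISHABLE_KEY, yet `:workbench:appDistributionUploadDebug` has to authenticate to Firebase on a runner that starts with no login state, so the upload will fail as written. Supply a credential through `secrets` (a FIREBASE_TOKEN, or a service-account key written to a file and referenced via GOOGLE_APPLICATION_CREDENTIALS or `serviceCredentialsFile`) and keep the key material out of the workflow YAML and the Gradle command line so it does not land in logs.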
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check if Firebase App Distribution is configured with credentials in build files
echo "=== Checking Firebase App Distribution config in build files ==="
rg -n "firebaseAppDistribution|serviceCredentialsFile|appDistribution" --type=gradle
echo ""
echo "=== Checking for google-services.json ==="
fd "google-services.json"
echo ""
echo "=== Checking for Firebase-related secrets usage in workflows ==="
rg -n "FIREBASE|GOOGLE_APPLICATION" .github/workflows/
Repository: clerk/clerk-android
Length of output: 433
Add Firebase App Distribution credentials to the workflow.
The appDistributionUploadDebug task requires explicit Firebase authentication. The workflow only provides WORKBENCH_CLERK_PUBLISHABLE_KEY but no Firebase credentials. GitHub Actions runners are ephemeral and have no persistent Firebase CLI login state.
Add one of:
- A FIREBASE_TOKEN secret (acquired via firebase login:ci)
- A GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to a service account key file
- A serviceCredentialsFile property in the app-level build.gradle
Without this, the upload step will fail with an authentication error.
🤖 Prompt for AI Agents
.github/workflows/firebase-app-distribution.yml lines 32-36: The workflow
invokes the Gradle appDistributionUploadDebug task but provides no Firebase
authentication, so the upload will fail; fix by adding Firebase credentials to
the job — set a FIREBASE_TOKEN secret (from firebase login:ci) and expose it as
FIREBASE_TOKEN in the env for that step, or upload a service account JSON to a
secret and set GOOGLE_APPLICATION_CREDENTIALS to point to it (or configure
serviceCredentialsFile in the app-level build.gradle and supply the file via a
secret), ensuring the chosen credential is available as an environment variable
before running the Gradle task.
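One way to wire in the service-account option from the comment above, written as an added example that is not part of the PR or of the CodeRabbit suggestion: the key JSON is assumed to arrive in a FIREBASE_SERVICE_ACCOUNT_JSON environment variable (a hypothetical secret name mapped on the step via `env:`), RUNNER_TEMP is the runner-provided temp directory, and the helpers are meant to run before and after the `./gradlew ... appDistributionUploadDebug` call.

```shell
#!/usr/bin/env bash
# Installs a service-account key from a secret into a 0600 file and points
# GOOGLE_APPLICATION_CREDENTIALS at it so the Gradle appDistributionUploadDebug
# task can authenticate on an ephemeral runner. FIREBASE_SERVICE_ACCOUNT_JSON
# is a hypothetical secret name for this example.

# Writes the key file, exports GOOGLE_APPLICATION_CREDENTIALS, prints the path.
install_firebase_credentials() {
  local json="${FIREBASE_SERVICE_ACCOUNT_JSON:-}"
  if [ -z "$json" ]; then
    echo "FIREBASE_SERVICE_ACCOUNT_JSON is not set; cannot authenticate" >&2
    return 1
  fi
  # Cheap sanity check: a GCP service-account key declares its type, so a
  # wrong secret (or a user credential) is rejected before Gradle runs.
  case "$json" in
    *'"type"'*'"service_account"'*) ;;
    *) echo "secret does not look like a service-account key" >&2; return 1 ;;
  esac
  local dir file
  dir="${RUNNER_TEMP:-${TMPDIR:-/tmp}}"   # RUNNER_TEMP is set by GitHub Actions
  file="$(mktemp "$dir/firebase-sa.XXXXXX")" || return 1
  printf '%s' "$json" > "$file"
  chmod 600 "$file"                       # readable by the runner user only
  export GOOGLE_APPLICATION_CREDENTIALS="$file"
  printf '%s\n' "$file"
}

# Removes the key file once the upload step is done (call it from a trap so it
# also runs when the Gradle task fails).
remove_firebase_credentials() {
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ] && [ -f "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
    rm -f "$GOOGLE_APPLICATION_CREDENTIALS"
  fi
  unset GOOGLE_APPLICATION_CREDENTIALS
}
```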
| run: | | ||
| ./gradlew :source:api:publishMavenPublicationToMavenCentralRepository \ | ||
| :source:ui:publishMavenPublicationToMavenCentralRepository \ | ||
| :source:telemetry:publishAllPublicationsToMavenCentralRepository | ||
| TASKS="" | ||
| # For release events, publish all modules. For workflow_dispatch, use the inputs. | ||
| if [ "${{ github.event_name }}" == "release" ]; then | ||
| TASKS=":source:api:publishMavenPublicationToMavenCentralRepository :source:ui:publishMavenPublicationToMavenCentralRepository :source:telemetry:publishAllPublicationsToMavenCentralRepository" | ||
| else | ||
| if [ "${{ github.event.inputs.publish_api }}" == "true" ]; then | ||
| TASKS="$TASKS :source:api:publishMavenPublicationToMavenCentralRepository" | ||
| fi | ||
| if [ "${{ github.event.inputs.publish_ui }}" == "true" ]; then | ||
| TASKS="$TASKS :source:ui:publishMavenPublicationToMavenCentralRepository" | ||
| fi | ||
| if [ "${{ github.event.inputs.publish_telemetry }}" == "true" ]; then | ||
| TASKS="$TASKS :source:telemetry:publishAllPublicationsToMavenCentralRepository" | ||
| fi | ||
| fi | ||
| if [ -z "$TASKS" ]; then | ||
| echo "No modules selected for publishing" | ||
| exit 1 | ||
| fi | ||
| echo "Publishing modules: $TASKS" | ||
| ./gradlew $TASKS |
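Review bot: the new script splices `${{ github.event_name }}` and `${{ github.event.inputs.publish_* }}` directly into the `run:` body, so those values become part of the shell source before it executes; map them to variables under `env:` (for example `PUBLISH_API: ${{ github.event.inputs.publish_api }}`) and compare `"$PUBLISH_API" = "true"` inside the script instead. The empty-`TASKS` guard with `exit 1` is worth keeping after the move; it prevents a bare `./gradlew` with no tasks.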
Semgrep identified an issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".
To resolve this comment:
✨ Commit Assistant Fix Suggestion
- Move all use of ${{ github.event_name }} and ${{ github.event.inputs.* }} out of the run: script and into environment variables by defining them under env: for this step.
- In the run: script, reference these new environment variables using shell variable syntax. For example, replace ${{ github.event_name }} with $EVENT_NAME and ${{ github.event.inputs.publish_api }} with $PUBLISH_API, etc. Make sure to use double-quotes around each environment variable, like "$EVENT_NAME".
- Example changes:
  - Add under the relevant step:
    env:
      EVENT_NAME: ${{ github.event_name }}
      PUBLISH_API: ${{ github.event.inputs.publish_api }}
      PUBLISH_UI: ${{ github.event.inputs.publish_ui }}
      PUBLISH_TELEMETRY: ${{ github.event.inputs.publish_telemetry }}
  - Update the script to use these variables:
    if [ "$EVENT_NAME" == "release" ]; then ...
    if [ "$PUBLISH_API" == "true" ]; then ...
    if [ "$PUBLISH_UI" == "true" ]; then ...
    if [ "$PUBLISH_TELEMETRY" == "true" ]; then
This approach prevents the possibility of user-controlled values being executed directly in the shell, mitigating injection risks.
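The env-based form of the module-selection script, written out as an added example (not the PR's own code) so it can be exercised locally: it assumes the step's env: block maps the four GitHub context values to EVENT_NAME, PUBLISH_API, PUBLISH_UI and PUBLISH_TELEMETRY as Semgrep suggests, so every value reaches the script as data in a variable and is only ever compared, never evaluated as shell.

```shell
#!/usr/bin/env bash
# Hardened module selection for manual-release.yml. The workflow step is
# expected to set EVENT_NAME, PUBLISH_API, PUBLISH_UI and PUBLISH_TELEMETRY
# under `env:` from the github context; no ${{ ... }} appears in the script.

API_TASK=":source:api:publishMavenPublicationToMavenCentralRepository"
UI_TASK=":source:ui:publishMavenPublicationToMavenCentralRepository"
TELEMETRY_TASK=":source:telemetry:publishAllPublicationsToMavenCentralRepository"

# Prints the space-separated Gradle task list; returns 1 if nothing is selected.
select_publish_tasks() {
  local tasks=""
  if [ "${EVENT_NAME:-}" = "release" ]; then
    # Release events publish every module.
    tasks="$API_TASK $UI_TASK $TELEMETRY_TASK"
  else
    # Only the literal string "true" selects a module; any other value,
    # including one carrying shell metacharacters, is just a non-match.
    if [ "${PUBLISH_API:-}" = "true" ]; then tasks="$tasks $API_TASK"; fi
    if [ "${PUBLISH_UI:-}" = "true" ]; then tasks="$tasks $UI_TASK"; fi
    if [ "${PUBLISH_TELEMETRY:-}" = "true" ]; then tasks="$tasks $TELEMETRY_TASK"; fi
  fi
  tasks="${tasks# }"   # drop the leading space from the first append
  if [ -z "$tasks" ]; then
    echo "No modules selected for publishing" >&2
    return 1
  fi
  printf '%s\n' "$tasks"
}

# What the workflow's run: body would call. The task list is assembled from
# the fixed strings above, so unquoted expansion of $tasks is intentional.
publish_selected() {
  local tasks
  tasks="$(select_publish_tasks)" || return 1
  echo "Publishing modules: $tasks"
  # shellcheck disable=SC2086
  ./gradlew $tasks
}
```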