
Develop#64

Merged
ucswift merged 4 commits into master from develop
Aug 23, 2025

Conversation

@ucswift
Member

@ucswift ucswift commented Aug 23, 2025

Summary by CodeRabbit

  • Chores
    • Pre-release Android and iOS builds are now distributed via Firebase App Distribution to testers, improving delivery reliability and access management. No in-app behavior changes.
    • Updated the networking library (axios) to a newer minor version to gain security and performance improvements; no functional changes expected for users.

dependabot bot and others added 3 commits August 23, 2025 17:58
Bumps [axios](https://github.com/axios/axios) from 1.7.9 to 1.8.2.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.7.9...v1.8.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.8.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ ucswift
❌ dependabot[bot]
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai

coderabbitai bot commented Aug 23, 2025

Walkthrough

Replace TestFairy distribution in the React Native CI workflow with Firebase App Distribution for Android and iOS; add Firebase CLI setup using the firebase_token secret; update distribution commands and app IDs; retain artifact uploads and release-note steps. Bump axios in package.json from ~1.7.5 to ^1.11.0.

Changes

Cohort / File(s): CI/CD Workflow (.github/workflows/react-native-cicd.yml)
Summary: Removed TestFairy upload steps; added Firebase CLI setup (w9jds/setup-firebase@main, tools-version: 11.9.0) and two firebase appdistribution:distribute steps for Android (ResgridRespond-prod.apk) and iOS (ResgridRespond-ios-adhoc.ipa) using FIREBASE_RESP_ANDROID_APP_ID, FIREBASE_RESP_IOS_APP_ID, testers group, and firebase_token secret.

Cohort / File(s): Dependencies (package.json)
Summary: Updated dependency: axios from ~1.7.5 to ^1.11.0.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant GH as GitHub Actions
  participant FBCLI as Firebase CLI
  participant FBA as Firebase App Distribution

  rect rgb(235,245,255)
  note over GH: Build artifacts (APK/IPA) produced and uploaded as GitHub artifacts
  end

  rect rgb(245,255,235)
  GH->>FBCLI: Setup Firebase CLI (w9jds/setup-firebase@main)<br/>Auth with `firebase_token`
  GH->>FBA: firebase appdistribution:distribute (Android APK)<br/>app: $FIREBASE_RESP_ANDROID_APP_ID, group: testers
  FBA-->>GH: Distribution result (Android)
  GH->>FBA: firebase appdistribution:distribute (iOS IPA)<br/>app: $FIREBASE_RESP_IOS_APP_ID, group: testers
  FBA-->>GH: Distribution result (iOS)
  end

  note over GH: Release-notes and artifact upload steps remain unchanged

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I hop through YAML, quick and keen,
Swapping Fairies for Firebase green.
APKs and IPAs take flight,
Tokens hum through CI night.
Axios upgraded — carrot dreams! 🐇✨


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9c0d1dc and f42bee6.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: test
  • GitHub Check: Analyze (javascript-typescript)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 3c88d4f and 9c0d1dc.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • .github/workflows/react-native-cicd.yml (1 hunks)
  • package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: test
  • GitHub Check: Analyze (javascript-typescript)

Comment on lines +279 to 284
- name: 📦 Setup Firebase CLI
uses: w9jds/setup-firebase@main
with:
api-key: ${{ secrets.TESTFAIRY_API_KEY }}
file: ./ResgridRespond-prod.apk
groups: Resgrid
notify: on
tools-version: 11.9.0
firebase_token: ${{ secrets.FIREBASE_TOKEN }}


🛠️ Refactor suggestion

Pin the Firebase setup action to a tag or SHA (avoid @main for supply-chain safety).

Inputs tools-version and firebase_token are valid for this action, but using @main is mutable. Prefer a tagged release (e.g., v1.0.0) or a commit SHA. (github.com)

-      - name: 📦 Setup Firebase CLI
-        uses: w9jds/setup-firebase@main
+      - name: 📦 Setup Firebase CLI
+        uses: w9jds/setup-firebase@v1.0.0
         with:
           tools-version: 11.9.0
           firebase_token: ${{ secrets.FIREBASE_TOKEN }}
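Review bot: the replacement `uses: w9jds/setup-firebase@v1.0.0` is a placeholder tag, so confirm that it actually exists in the action's releases before committing, and prefer the full 40-character commit SHA of that release with the tag kept in a trailing comment (`uses: w9jds/setup-firebase@<full-commit-sha> # v1.0.0`), because a tag can be re-pointed after the fact while a SHA cannot. The `with:` inputs `tools-version` and `firebase_token` are unaffected by the pin and stay exactly as shown.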
🤖 Prompt for AI Agents
.github/workflows/react-native-cicd.yml lines 279-284: the workflow uses the
mutable reference w9jds/setup-firebase@main which is unsafe for supply-chain
integrity; update the uses line to pin the action to a specific released tag or
commit SHA (for example replace @main with a stable tag like @v1.0.0 or an exact
commit SHA), commit the change, and optionally add a comment noting the chosen
tag/SHA and link to the action's releases so future maintainers can update
intentionally.

Comment on lines +285 to 294
- name: 📦 Upload Android artifact to Firebase App Distribution
if: (matrix.platform == 'android')
run: |
firebase appdistribution:distribute ./ResgridRespond-prod.apk --app ${{ secrets.FIREBASE_RESP_ANDROID_APP_ID }} --groups "testers"

- name: 📦 Upload iOS artifact to Firebase App Distribution
if: (matrix.platform == 'ios')
run: |
firebase appdistribution:distribute ./ResgridRespond-ios-adhoc.ipa --app ${{ secrets.FIREBASE_RESP_IOS_APP_ID }} --groups "testers"


🛠️ Refactor suggestion

Gate Firebase distribution by buildType and attach release notes.

As written, these steps run on every matrix platform regardless of which artifact was built; manual runs like buildType=dev will fail because the prod files don’t exist. Also, it’s useful to include release notes in Firebase. The CLI supports --groups and --release-notes/--release-notes-file. (firebase.google.com)

Use the same build-type guards you used for the build steps and pass succinct notes inline:

-      - name: 📦 Upload Android artifact to Firebase App Distribution
-        if: (matrix.platform == 'android')
+      - name: 📦 Upload Android artifact to Firebase App Distribution
+        if: (matrix.platform == 'android' && (github.event.inputs.buildType == 'all' || github.event_name == 'push' || github.event.inputs.buildType == 'prod-apk'))
         run: |
-          firebase appdistribution:distribute ./ResgridRespond-prod.apk --app ${{ secrets.FIREBASE_RESP_ANDROID_APP_ID }} --groups "testers"
+          firebase appdistribution:distribute ./ResgridRespond-prod.apk \
+            --app ${{ secrets.FIREBASE_RESP_ANDROID_APP_ID }} \
+            --groups "testers" \
+            --release-notes "RN Android 10.${{ github.run_number }} • ${{ github.sha }}"
 
-      - name: 📦 Upload iOS artifact to Firebase App Distribution
-        if: (matrix.platform == 'ios')
+      - name: 📦 Upload iOS artifact to Firebase App Distribution
+        if: (matrix.platform == 'ios' && (github.event.inputs.buildType == 'all' || github.event_name == 'push' || github.event.inputs.buildType == 'ios-adhoc'))
         run: |
-          firebase appdistribution:distribute ./ResgridRespond-ios-adhoc.ipa --app ${{ secrets.FIREBASE_RESP_IOS_APP_ID }} --groups "testers"
+          firebase appdistribution:distribute ./ResgridRespond-ios-adhoc.ipa \
+            --app ${{ secrets.FIREBASE_RESP_IOS_APP_ID }} \
+            --groups "testers" \
+            --release-notes "RN iOS 10.${{ github.run_number }} • ${{ github.sha }}"
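Review bot: the new `if:` conditions assume the `buildType` input takes the values `prod-apk` and `ios-adhoc`; verify that these are the names the existing build-step guards use, because the AI-agent prompt for this same comment proposes a different predicate (`matrix.buildType == 'prod'`) and a mismatched name silently skips the upload rather than failing. Separately, `--app ${{ secrets.FIREBASE_RESP_ANDROID_APP_ID }}` and `--app ${{ secrets.FIREBASE_RESP_IOS_APP_ID }}` interpolate secrets straight into the `run:` script; pass them through an `env:` block (`FIREBASE_APP_ID: ${{ secrets.FIREBASE_RESP_ANDROID_APP_ID }}`) and reference `"$FIREBASE_APP_ID"` quoted, so the value is never re-parsed by the shell.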

Optional: If you prefer richer notes, generate RELEASE_NOTES.md earlier in the job and swap --release-notes for --release-notes-file RELEASE_NOTES.md. (firebase.google.com)

🤖 Prompt for AI Agents
.github/workflows/react-native-cicd.yml lines 285-294: the Firebase upload steps
run regardless of buildType and will fail when prod artifacts aren't present;
update each step's if-condition to gate on both platform and buildType (e.g.,
if: matrix.platform == 'android' && matrix.buildType == 'prod') so they only run
when the matching artifact was produced, and add a --release-notes argument (or
--release-notes-file RELEASE_NOTES.md if you generate that file earlier in the
job) to the firebase appdistribution:distribute commands to include succinct
release notes.

package.json Outdated
"@tanstack/react-query": "~5.52.1",
"app-icon-badge": "^0.1.2",
"axios": "~1.7.5",
"axios": "~1.8.2",

💡 Verification agent

🧩 Analysis chain

Security: bump axios baseline to ≥1.8.3 (tilde on 1.8.2 can leave you on a vulnerable patch).

1.8.2 fixes CVE-2025-27152 (SSRF/credential leakage), but a follow-up fix recommends 1.8.3+ to address a bypass; set the floor to 1.8.3 to be safe and regenerate the lockfile. (nvd.nist.gov, security.snyk.io, advisories.gitlab.com)

Apply one of these minimal diffs:

-    "axios": "~1.8.2",
+    "axios": "~1.8.3",

Or, if you’re comfortable with minor bumps:

-    "axios": "~1.8.2",
+    "axios": "^1.11.0",
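Review bot: both alternatives edit `"axios": "~1.8.2"`, but this thread is marked Outdated and the PR walkthrough reports package.json already at `^1.11.0`, so check the current line before applying either diff. The range in package.json is not what ships anyway; the `version` resolved in yarn.lock is, so the lockfile check that follows (grep/rg for `axios@` entries) is the step that should gate the merge, including any second, older `axios@` entry pulled in transitively.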

Run to confirm the resolved version in yarn.lock and catch older transitive axios versions:


🏁 Script executed:

#!/bin/bash
set -euo pipefail
if fd yarn.lock >/dev/null 2>&1; then
  rg -nP '"axios"\s*:\s*"[^"]+"' yarn.lock || true
  rg -nP 'axios@' yarn.lock -n -C2
fi
# Show installed version from node_modules if present
node -e 'try{console.log(require("./node_modules/axios/package.json").version)}catch(e){process.exit(0)}'

Length of output: 430


Security: Upgrade axios to ≥1.8.3 to mitigate CVE-2025-27152 bypass

The lockfile still shows axios@1.8.2, so the package.json bump hasn’t been applied yet. Please update and regenerate your lockfile to eliminate the vulnerable patch.

• In package.json (line 94), change:

-    "axios": "~1.8.2",
+    "axios": "~1.8.3",

– or, for a broader minor bump:

-    "axios": "~1.8.2",
+    "axios": "^1.11.0",

• After updating, run yarn install (or npm install) and verify with:

grep -nP '"axios"\s*:\s*"' yarn.lock
rg -nP 'axios@' yarn.lock -n -C2
node -e 'console.log(require("./node_modules/axios/package.json").version)'

Ensure no older transitive references remain, then commit the updated lockfile.

🤖 Prompt for AI Agents
package.json lines 94-94: axios is pinned to ~1.8.2 which is vulnerable; update
the dependency to at least 1.8.3 (or a newer safe minor/major), run your package
manager to regenerate the lockfile (yarn install or npm install), verify the
installed axios version and that no transitive references to 1.8.2 remain (use
the suggested grep/rg/node checks or your package manager’s audit commands), and
commit the updated package.json and regenerated lockfile.

@ucswift
Member Author

ucswift commented Aug 23, 2025

Approve

@github-actions github-actions bot left a comment

This PR is approved.

@ucswift ucswift merged commit 984247f into master Aug 23, 2025
11 of 12 checks passed
