Release to Staging - 2025-12-12

.github/actions/generate-github-token/action.yml

@@ -0,0 +1,56 @@
+name: "Generate GitHub App Token"
+description: "Generates a GitHub App token for accessing repositories in the selfxyz organization"
+
+inputs:
+  app-id:
+    description: "The GitHub App ID"
+    required: true
+  private-key:
+    description: "The GitHub App private key"
+    required: true
+  configure-netrc:
+    description: "If true, writes a ~/.netrc entry for github.com using the generated token (useful for CocoaPods / git HTTPS fetches)"
+    required: false
+    default: "false"
+  netrc-machine:
+    description: "The machine hostname to write into ~/.netrc (default: github.com)"
+    required: false
+    default: "github.com"
+  owner:
+    description: "The owner (organization) of the repositories"
+    required: false
+    default: "selfxyz"
+  repositories:
+    description: "Comma-separated list of repository names to grant access to"
+    required: false
+    default: "NFCPassportReader,android-passport-nfc-reader,react-native-passport-reader,mobile-sdk-native"
+
+outputs:
+  token:
+    description: "The generated GitHub App installation token"
+    value: ${{ steps.app-token.outputs.token }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Generate GitHub App Token
+      uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+      id: app-token
+      with:
+        app-id: ${{ inputs.app-id }}
+        private-key: ${{ inputs.private-key }}
+        owner: ${{ inputs.owner }}
+        repositories: ${{ inputs.repositories }}
+    - name: Configure Git auth via ~/.netrc (optional)
+      if: ${{ inputs.configure-netrc == 'true' }}
+      shell: bash
+      run: |
+        set -euo pipefail
+        TOKEN="${{ steps.app-token.outputs.token }}"
+        MACHINE="${{ inputs.netrc-machine }}"
+
+        # Mask the token in logs defensively (it shouldn't print, but this protects against future edits).
+        echo "::add-mask::${TOKEN}"
+
+        printf "machine %s\n  login x-access-token\n  password %s\n" "${MACHINE}" "${TOKEN}" > "${HOME}/.netrc"
+        chmod 600 "${HOME}/.netrc"

.github/workflows/mobile-bundle-analysis.yml

@@ -5,6 +5,7 @@ env:
   JAVA_VERSION: 17
   WORKSPACE: ${{ github.workspace }}
   APP_PATH: ${{ github.workspace }}/app
+  NODE_ENV: "production"
 
 on:
   pull_request:
@@ -57,6 +58,14 @@ jobs:
           path: |
             ~/.gradle/caches
             ~/.gradle/wrapper
+      - name: Generate token for self repositories
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
+        uses: ./.github/actions/generate-github-token
+        id: github-token
+        with:
+          app-id: ${{ vars.GH_WORKFLOWS_CROSS_ACCESS_ID }}
+          private-key: ${{ secrets.GH_WORKFLOWS_CROSS_ACCESS_KEY }}
+          configure-netrc: "true"
       - name: Install Mobile Dependencies
         uses: ./.github/actions/mobile-setup
         with:
@@ -65,7 +74,7 @@ jobs:
           ruby_version: ${{ env.RUBY_VERSION }}
           workspace: ${{ env.WORKSPACE }}
         env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
       - name: Build dependencies
         shell: bash
         run: yarn workspace @selfxyz/common build
@@ -113,6 +122,14 @@ jobs:
         with:
           path: app/ios/Pods
           lockfile: app/ios/Podfile.lock
+      - name: Generate token for self repositories
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
+        uses: ./.github/actions/generate-github-token
+        id: github-token
+        with:
+          app-id: ${{ vars.GH_WORKFLOWS_CROSS_ACCESS_ID }}
+          private-key: ${{ secrets.GH_WORKFLOWS_CROSS_ACCESS_KEY }}
+          configure-netrc: "true"
       - name: Install Mobile Dependencies
         uses: ./.github/actions/mobile-setup
         with:
@@ -121,7 +138,7 @@ jobs:
           ruby_version: ${{ env.RUBY_VERSION }}
           workspace: ${{ env.WORKSPACE }}
         env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
       - name: Build dependencies
         shell: bash
         run: yarn workspace @selfxyz/common build

.github/workflows/mobile-ci.yml

@@ -35,7 +35,7 @@ concurrency:
 
 jobs:
   build-deps:
-    runs-on: macos-latest-large
+    runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
@@ -90,12 +90,9 @@ jobs:
       - name: Check App Types
         run: yarn types
         working-directory: ./app
-      - name: Check license headers
-        run: node scripts/check-license-headers.mjs --check
-        working-directory: ./
 
   test:
-    runs-on: macos-latest-large
+    runs-on: ubuntu-latest
     needs: build-deps
     timeout-minutes: 60
     steps:
@@ -190,6 +187,8 @@ jobs:
         env:
           # Increase Node.js memory to prevent hermes-parser WASM memory errors
           NODE_OPTIONS: --max-old-space-size=4096
+          # Override production NODE_ENV for tests - React's production build doesn't include testing utilities
+          NODE_ENV: test
         run: |
           # Final verification from app directory perspective
           echo "Final verification before running tests (from app directory)..."
@@ -268,6 +267,7 @@ jobs:
       - name: Cache Ruby gems
         uses: ./.github/actions/cache-bundler
         with:
+          # TODO(jcortejoso): Confirm the path of the bundle cache
           path: app/ios/vendor/bundle
           lock-file: app/Gemfile.lock
           cache-version: ${{ env.GH_CACHE_VERSION }}-${{ env.GH_GEMS_CACHE_VERSION }}-ruby${{ env.RUBY_VERSION }}
@@ -315,6 +315,14 @@ jobs:
           bundle config set --local path 'vendor/bundle'
           bundle install --jobs 4 --retry 3
         working-directory: ./app
+      - name: Generate token for self repositories
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
+        uses: ./.github/actions/generate-github-token
+        id: github-token
+        with:
+          app-id: ${{ vars.GH_WORKFLOWS_CROSS_ACCESS_ID }}
+          private-key: ${{ secrets.GH_WORKFLOWS_CROSS_ACCESS_KEY }}
+          configure-netrc: "true"
       - name: Install iOS Dependencies
         uses: nick-fields/retry@v3
         with:
@@ -325,7 +333,7 @@ jobs:
             cd app/ios
             bundle exec bash scripts/pod-install-with-cache-fix.sh
         env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
       - name: Resolve iOS workspace
         run: |
           WORKSPACE_OPEN="ios/OpenPassport.xcworkspace"
@@ -470,12 +478,19 @@ jobs:
         run: |
           echo "Cache miss for built dependencies. Building now..."
           yarn workspace @selfxyz/mobile-app run build:deps
+      - name: Generate token for self repositories
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
+        uses: ./.github/actions/generate-github-token
+        id: github-token
+        with:
+          app-id: ${{ vars.GH_WORKFLOWS_CROSS_ACCESS_ID }}
+          private-key: ${{ secrets.GH_WORKFLOWS_CROSS_ACCESS_KEY }}
       - name: Setup Android private modules
         run: |
           cd ${{ env.APP_PATH }}
           PLATFORM=android node scripts/setup-private-modules.cjs
         env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
           CI: true
       - name: Build Android (with AAPT2 symlink fix)
         run: yarn android:ci

.github/workflows/mobile-deploy.yml

@@ -31,6 +31,7 @@ name: Mobile Deploy
 env:
   # Build environment versions
   RUBY_VERSION: 3.2
+  NODE_ENV: "production"
   JAVA_VERSION: 17
   ANDROID_API_LEVEL: 35
   ANDROID_NDK_VERSION: 27.0.12077973
@@ -385,6 +386,7 @@ jobs:
         id: gems-cache
         uses: ./.github/actions/cache-bundler
         with:
+          # TODO(jcortejoso): Confirm the path of the bundle cache
           path: ${{ env.APP_PATH }}/ios/vendor/bundle
           lock-file: app/Gemfile.lock
           cache-version: ${{ env.GH_CACHE_VERSION }}-${{ env.GH_GEMS_CACHE_VERSION }}-ruby${{ env.RUBY_VERSION }}
@@ -428,6 +430,14 @@ jobs:
           fi
 
           echo "✅ Lock files exist"
+      - name: Generate token for self repositories
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
+        uses: ./.github/actions/generate-github-token
+        id: github-token
+        with:
+          app-id: ${{ vars.GH_WORKFLOWS_CROSS_ACCESS_ID }}
+          private-key: ${{ secrets.GH_WORKFLOWS_CROSS_ACCESS_KEY }}
+          configure-netrc: "true"
 
       - name: Install Mobile Dependencies (main repo)
         if: inputs.platform != 'android' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)
@@ -438,7 +448,7 @@ jobs:
           ruby_version: ${{ env.RUBY_VERSION }}
           workspace: ${{ env.WORKSPACE }}
         env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
 
       - name: Install Mobile Dependencies (forked PRs - no secrets)
         if: inputs.platform != 'android' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
@@ -691,7 +701,7 @@ jobs:
           IOS_TESTFLIGHT_GROUPS: ${{ secrets.IOS_TESTFLIGHT_GROUPS }}
           NODE_OPTIONS: "--max-old-space-size=8192"
           SEGMENT_KEY: ${{ secrets.SEGMENT_KEY }}
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           TURNKEY_AUTH_PROXY_CONFIG_ID: ${{ secrets.TURNKEY_AUTH_PROXY_CONFIG_ID }}
           TURNKEY_GOOGLE_CLIENT_ID: ${{ secrets.TURNKEY_GOOGLE_CLIENT_ID }}
@@ -1046,6 +1056,14 @@ jobs:
 
           echo "✅ Lock files exist"
 
+      - name: Generate token for self repositories
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
+        uses: ./.github/actions/generate-github-token
+        id: github-token
+        with:
+          app-id: ${{ vars.GH_WORKFLOWS_CROSS_ACCESS_ID }}
+          private-key: ${{ secrets.GH_WORKFLOWS_CROSS_ACCESS_KEY }}
+
       - name: Install Mobile Dependencies (main repo)
         if: inputs.platform != 'ios' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)
         uses: ./.github/actions/mobile-setup
@@ -1055,7 +1073,7 @@ jobs:
           ruby_version: ${{ env.RUBY_VERSION }}
           workspace: ${{ env.WORKSPACE }}
         env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
           PLATFORM: ${{ inputs.platform }}
 
       - name: Install Mobile Dependencies (forked PRs - no secrets)
@@ -1112,7 +1130,7 @@ jobs:
           cd ${{ env.APP_PATH }}
           PLATFORM=android node scripts/setup-private-modules.cjs
         env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
           CI: true
 
       - name: Build Dependencies (Android)

.github/workflows/mobile-e2e.yml

@@ -70,6 +70,14 @@ jobs:
       - name: Toggle Yarn hardened mode for trusted PRs
         if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false }}
         run: echo "YARN_ENABLE_HARDENED_MODE=0" >> $GITHUB_ENV
+      - name: Generate token for self repositories
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
+        uses: ./.github/actions/generate-github-token
+        id: github-token
+        with:
+          app-id: ${{ vars.GH_WORKFLOWS_CROSS_ACCESS_ID }}
+          private-key: ${{ secrets.GH_WORKFLOWS_CROSS_ACCESS_KEY }}
+          configure-netrc: "true"
       - name: Install deps (internal PRs and protected branches)
         if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
         uses: nick-fields/retry@v3
@@ -79,7 +87,7 @@ jobs:
           retry_wait_seconds: 5
           command: yarn install --immutable --silent
         env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
       - name: Install deps (forked PRs - no secrets)
         if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true }}
         uses: nick-fields/retry@v3
@@ -138,7 +146,7 @@ jobs:
           cd app
           PLATFORM=android node scripts/setup-private-modules.cjs
         env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
           CI: true
       - name: Build Android APK
         run: |
@@ -149,6 +157,8 @@ jobs:
       - name: Clean up Gradle build artifacts
         uses: ./.github/actions/cleanup-gradle-artifacts
       - name: Verify APK and android-passport-nfc-reader integration
+        env:
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
         run: |
           echo "🔍 Verifying build artifacts..."
           APK_PATH="app/android/app/build/outputs/apk/debug/app-debug.apk"
@@ -160,8 +170,8 @@ jobs:
           echo "📱 APK size: $APK_SIZE bytes"
 
           # Verify private modules were properly integrated (skip for forks)
-          if [ -z "${SELFXYZ_INTERNAL_REPO_PAT:-}" ]; then
-            echo "🔕 No PAT available — skipping private module verification"
+          if [ -z "${SELFXYZ_APP_TOKEN:-}" ]; then
+            echo "🔕 No SELFXYZ_APP_TOKEN available — skipping private module verification"
           else
             # Verify android-passport-nfc-reader
             if [ -d "app/android/android-passport-nfc-reader" ]; then
@@ -263,6 +273,14 @@ jobs:
       - name: Toggle Yarn hardened mode for trusted PRs
         if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false }}
         run: echo "YARN_ENABLE_HARDENED_MODE=0" >> $GITHUB_ENV
+      - name: Generate token for self repositories
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
+        uses: ./.github/actions/generate-github-token
+        id: github-token
+        with:
+          app-id: ${{ vars.GH_WORKFLOWS_CROSS_ACCESS_ID }}
+          private-key: ${{ secrets.GH_WORKFLOWS_CROSS_ACCESS_KEY }}
+          configure-netrc: "true"
       - name: Install deps (internal PRs and protected branches)
         if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
         uses: nick-fields/retry@v3
@@ -272,7 +290,7 @@ jobs:
           retry_wait_seconds: 5
           command: yarn install --immutable --silent
         env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
       - name: Install deps (forked PRs - no secrets)
         if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true }}
         uses: nick-fields/retry@v3
@@ -360,7 +378,7 @@ jobs:
             echo "📦 Installing pods via centralized script…"
             BUNDLE_GEMFILE=../Gemfile bundle exec bash scripts/pod-install-with-cache-fix.sh
         env:
-          SELFXYZ_INTERNAL_REPO_PAT: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
+          SELFXYZ_APP_TOKEN: ${{ steps.github-token.outputs.token }}
       - name: Setup iOS Simulator
         run: |
           echo "Setting up iOS Simulator..."