Harden EAS pipeline, env isolation, and secret handling#17
Merged
Conversation
- development: internal + draft (Internal testing) - staging: alpha + draft (Closed testing / Alpha) - production: production + completed (Production) - docs/EAS.md: map EAS profiles to Play Console Made-with: Cursor
Submit profile staging now targets Play beta track; docs updated. Made-with: Cursor
Source-of-truth table for development/staging/production; link from EAS.md. Made-with: Cursor
- Android: three Gradle flavors only; drop extra variants; wire env files and Fastlane lanes to the same names. - iOS: rename Xcode targets, Info plists, and shared schemes to ReactNativeIgniteKit/ReactNativeCICD development|staging|production; update Podfile and project; refresh CocoaPods lockfile. - EAS, package.json scripts, CI workflow, and docs (README, EAS, Play mapping) describe the unified profile and scheme names. Made-with: Cursor
This makes Metro startup/logging reliable in local terminals and CI while aligning Yarn/EAS tooling to avoid blocked installs and hook setup regressions. Made-with: Cursor
Ensure staging, development, and production always load their matching .env files across CLI and Android Studio tasks, and submit Android artifacts by build profile to avoid cross-profile track uploads. Made-with: Cursor
Wire Expo Updates settings into app.config and native Android/iOS files so EAS update runs end-to-end, and align iOS Hermes config with Expo export expectations. Made-with: Cursor
Replace legacy Yarn 1 and deprecated Android deploy steps with stable lint/test/version checks, and correct README quick-start commands to match available scripts. Made-with: Cursor
… secret scanning Stop tracking sensitive keystore/config files, strip signing placeholders from tracked env files, and add a staged-change secret scanner to block accidental credential commits. Made-with: Cursor
Remove Node and Yarn tooling variables from runtime .env files so client-shipped configuration only contains app-level values. Made-with: Cursor
Add .env.<profile>.local override support and a pre-build EAS hook that injects profile-scoped map keys from secrets, while keeping tracked env files on non-sensitive placeholders. Made-with: Cursor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Test plan
yarn lintyarn testyarn eas:version:get/yarn eas:version:checkplutil -lintyarn eas:update:stagingpublishes successfullysecret_scanhook blocks sensitive staged additionsMade with Cursor