SDKS-5050: Release activities

[tsdamas]

Summary by CodeRabbit

• Chores

  • E2E upload/usage clarified to require hosted app/test URLs; upload handling improved.
  • CI now runs Android E2E after unit tests; test runner limits Jest workers in CI for stability.
  • Android packaging excludes problematic license/manifest files; native subprojects and build tasks adjusted.
  • Detox BrowserStack dev dependency bumped.
  • Network settings relaxed to allow cleartext for local/emulator testing.

• New Features

  • Added a post-test step that fetches and displays BrowserStack session results.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Re-enables the BrowserStack Android CI job; cleans and documents the BrowserStack E2E workflow; adds a post-test step to extract Detox session_id and query BrowserStack; updates Detox runner args; and applies Android packaging, settings, and npm script changes.

Changes

BrowserStack ID-based app resolution

Layer / File(s)	Summary
Enable BrowserStack CI job .github/workflows/ci.yml	The browserstack-android job's if: false guard was removed so the job can run in CI.
Workflow cleanup, codegen formatting, and upload comments .github/workflows/browserstack-e2e-android.yml	Removed top TODO; reformatted the multi-module ./gradlew generateCodegenArtifactsFromSchema invocation; clarified upload/upload-client comments about using app_url/app_client_url (not bare IDs); added a post-test step that parses session_id from /tmp/detox-bs.log and (if present) queries the BrowserStack Detox sessions API.
Detox runner args and comment PingTestRunner/.detoxrc.js	testRunner.args no longer sets $0: 'jest' and adds maxWorkers: process.env.CI ? 2 : undefined; an inline BrowserStack app comment was edited without changing the visible android.cloud wiring.
Android wiring, packaging, and npm scripts PingTestRunner/android/app/build.gradle, PingTestRunner/android/settings.gradle, PingTestRunner/android/app/src/main/res/xml/network_security_config.xml, PingTestRunner/package.json	Added android.packaging.resources exclusions, included new Android subprojects, replaced domain-based cleartext allowlist with base-config cleartextTrafficPermitted="true", changed build:bs:android to use :app:-prefixed Gradle task paths, and bumped devDependencies.detox to 20.38.0-cloud.3.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hop through CI, logs in paw,
IDs and tests line up in awe,
Detox whispers, workers two,
Sessions fetched to see what's new,
Nibbles of build, a tiny law.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'SDKS-5050: Release activities' is vague and does not convey meaningful information about the specific changes in the pull request, which include enabling BrowserStack E2E tests, updating Detox configuration, fixing resource packaging, and network security config.	Use a more descriptive title that summarizes the main technical changes, such as 'Enable BrowserStack E2E Android testing and update Detox configuration' or similar.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch SDKS-5050

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

PR Preview Action v1.8.1
🚀 View preview at https://ForgeRock.github.io/ping-react-native-sdk/docs-preview/pr-48/
Built to branch gh-pages at 2026-06-10 20:28 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[coderabbitai]

🧹 Nitpick comments (1)

PingTestRunner/package.json (1)

24-24: 💤 Low value

Consider aligning Gradle task qualification across build scripts.

The build:bs:android script now uses fully-qualified task names (:app:assembleRelease :app:assembleAndroidTest), which is more explicit and safer in multi-project builds. However, the .detoxrc.js file's android.release build command (line 40) still uses unqualified task names (assembleRelease assembleAndroidTest).

While these serve different code paths (BrowserStack vs. local), the inconsistency could create maintenance confusion.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@PingTestRunner/package.json` at line 24, The android release build command is
inconsistent: package.json's "build:bs:android" uses fully-qualified Gradle
tasks while .detoxrc.js's android.release uses unqualified task names; update
the android.release build command in .detoxrc.js to use the fully-qualified
tasks (e.g., replace "assembleRelease assembleAndroidTest" with
":app:assembleRelease :app:assembleAndroidTest") so both build scripts use the
same explicit task qualification.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@PingTestRunner/package.json`:
- Line 24: The android release build command is inconsistent: package.json's
"build:bs:android" uses fully-qualified Gradle tasks while .detoxrc.js's
android.release uses unqualified task names; update the android.release build
command in .detoxrc.js to use the fully-qualified tasks (e.g., replace
"assembleRelease assembleAndroidTest" with ":app:assembleRelease
:app:assembleAndroidTest") so both build scripts use the same explicit task
qualification.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0a4487e1-002e-415b-9af7-d883813c10d9

📥 Commits

Reviewing files that changed from the base of the PR and between bcc0c08 and d3395ee.

⛔ Files ignored due to path filters (2)

• .yarn/install-state.gz is excluded by !**/.yarn/**, !**/*.gz
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (4)

• .github/workflows/browserstack-e2e-android.yml
• PingTestRunner/android/app/build.gradle
• PingTestRunner/android/settings.gradle
• PingTestRunner/package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/browserstack-e2e-android.yml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/browserstack-e2e-android.yml:
- Around line 207-223: Change the BrowserStack session fetch in the View
BrowserStack test results step to call the correct GET endpoint and surface curl
failures: replace the POST to
"https://api-cloud.browserstack.com/app-automate/detox/v2/android/sessions/${session_id}"
with a GET to
"https://api-cloud.browserstack.com/app-automate/detox/v2/android/sessions/${session_id}.json",
run curl so it fails on non-2xx responses (check exit code / use --fail) and
print a clear warning including the session_id on error; optionally pipe the
response through jq to pretty-print successful JSON. Ensure you update the curl
invocation that references session_id and the step that echoes "Fetching
BrowserStack session details for session: $session_id".

In `@PingTestRunner/android/app/src/main/res/xml/network_security_config.xml`:
- Around line 15-27: The network_security_config.xml in src/main currently
enables cleartext globally via the <base-config cleartextTrafficPermitted="true"
/> referenced by android:networkSecurityConfig and combined with
android:usesCleartextTraffic="true", which makes cleartext available to all
builds; move that permissive base-config into a variant-scoped overlay (e.g.,
src/debug/res/xml/network_security_config.xml or
src/androidTest/res/xml/network_security_config.xml) and remove or replace the
permissive <base-config> in src/main/res/xml/network_security_config.xml with a
restrictive policy, then update the debug/androidTest manifest overlay (or
manifestPlaceholders) to reference the permissive resource (and/or set
android:usesCleartextTraffic="true" only in debug/androidTest) so only
Detox/Test runs (DetoxTest.kt targeting ws://10.0.2.2) allow cleartext.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bd8907c4-5f00-42e9-a015-f809e975a496

📥 Commits

Reviewing files that changed from the base of the PR and between d3395ee and 8a85dc9.

📒 Files selected for processing (3)

• .github/workflows/browserstack-e2e-android.yml
• PingTestRunner/.detoxrc.js
• PingTestRunner/android/app/src/main/res/xml/network_security_config.xml

🚧 Files skipped from review as they are similar to previous changes (1)

• PingTestRunner/.detoxrc.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate and print the relevant files with line numbers (small targeted reads).
sed -n '1,120p' PingTestRunner/android/app/src/main/res/xml/network_security_config.xml | nl -ba

echo "---- AndroidManifest.xml (snippet) ----"
# Print a reasonable window around where networkSecurityConfig likely appears
sed -n '1,120p' PingTestRunner/android/app/src/main/AndroidManifest.xml | nl -ba | sed -n '1,120p'

echo "---- DetoxTest.kt (snippet) ----"
# Print DetoxTest around the referenced lines
sed -n '1,120p' PingTestRunner/android/app/src/androidTest/java/com/pingtestrunner/DetoxTest.kt | nl -ba

echo "---- Search for other network security config files/overlays ----"
# Find any other network_security_config.xml under the Android module
fd -t f network_security_config.xml PingTestRunner/android/app/src -a | sort

# Also search for base-config or cleartextTrafficPermitted occurrences anywhere in Android resources.
rg -n "cleartextTrafficPermitted|networkSecurityConfig|base-config" PingTestRunner/android/app/src/main PingTestRunner/android/app/src/androidTest PingTestRunner/android/app/src/debug || true

echo "---- Check for debug overrides / resource overlays ----"
# Look for other XML files with network security config names or Android network security config refs.
rg -n "android:networkSecurityConfig|network_security_config" PingTestRunner/android/app/src || true

# Print gradle buildTypes/flavors if present to reason about debug overlays
echo "---- build.gradle files (relevant sections) ----"
for f in \
  PingTestRunner/android/app/build.gradle \
  PingTestRunner/android/app/build.gradle.kts \
  PingTestRunner/android/build.gradle \
  PingTestRunner/android/build.gradle.kts; do
  if [ -f "$f" ]; then
    echo "== $f =="
    sed -n '1,200p' "$f" | nl -ba | head -n 200
  fi
done

Repository: ForgeRock/ping-react-native-sdk

Length of output: 118

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- network_security_config.xml (first 200 lines) ----"
sed -n '1,200p' PingTestRunner/android/app/src/main/res/xml/network_security_config.xml | cat -n

echo "---- AndroidManifest.xml (first 200 lines) ----"
sed -n '1,200p' PingTestRunner/android/app/src/main/AndroidManifest.xml | cat -n

echo "---- DetoxTest.kt (lines 1-140) ----"
sed -n '1,140p' PingTestRunner/android/app/src/androidTest/java/com/pingtestrunner/DetoxTest.kt | cat -n

echo "---- Find other network_security_config.xml ----"
fd -t f network_security_config.xml PingTestRunner/android/app/src -a 2>/dev/null | sort || true

echo "---- Search for networkSecurityConfig / cleartextTrafficPermitted usage ----"
rg -n "cleartextTrafficPermitted|networkSecurityConfig|network_security_config|base-config" PingTestRunner/android/app/src/main PingTestRunner/android/app/src/androidTest PingTestRunner/android/app/src/debug 2>/dev/null || true

echo "---- Search for debug resource overlays dirs ----"
fd -t d -a --max-depth 5 "debug" PingTestRunner/android/app/src 2>/dev/null | sort || true

echo "---- build gradle snippets (first 240 lines) ----"
for f in \
  PingTestRunner/android/app/build.gradle \
  PingTestRunner/android/app/build.gradle.kts \
  PingTestRunner/android/build.gradle \
  PingTestRunner/android/build.gradle.kts; do
  if [ -f "$f" ]; then
    echo "== $f =="
    sed -n '1,240p' "$f" | cat -n | head -n 240
  fi
done

Repository: ForgeRock/ping-react-native-sdk

Length of output: 13408

---

Scope cleartext override to Detox/test builds only

src/main/res/xml/network_security_config.xml sets <base-config cleartextTrafficPermitted="true" />, and the app references it from the main manifest (android:networkSecurityConfig="@xml/network_security_config") while also enabling android:usesCleartextTraffic="true". That makes cleartext permissive for all destinations, not just the Detox emulator-host WS endpoint (ws://10.0.2.2) rewritten in DetoxTest.kt. Move the permissive config to a debug/androidTest-scoped overlay (or equivalent variant-specific resource/manifest) and keep src/main restrictive.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@PingTestRunner/android/app/src/main/res/xml/network_security_config.xml`
around lines 15 - 27, The network_security_config.xml in src/main currently
enables cleartext globally via the <base-config cleartextTrafficPermitted="true"
/> referenced by android:networkSecurityConfig and combined with
android:usesCleartextTraffic="true", which makes cleartext available to all
builds; move that permissive base-config into a variant-scoped overlay (e.g.,
src/debug/res/xml/network_security_config.xml or
src/androidTest/res/xml/network_security_config.xml) and remove or replace the
permissive <base-config> in src/main/res/xml/network_security_config.xml with a
restrictive policy, then update the debug/androidTest manifest overlay (or
manifestPlaceholders) to reference the permissive resource (and/or set
android:usesCleartextTraffic="true" only in debug/androidTest) so only
Detox/Test runs (DetoxTest.kt targeting ws://10.0.2.2) allow cleartext.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@PingTestRunner/.detoxrc.js`:
- Line 20: Remove the forced CI override of maxWorkers in the Detox config by
eliminating or conditionalizing the line setting maxWorkers: process.env.CI ? 2
: undefined; instead let Detox/Jest pick the appropriate worker count (or
explicitly set it to 1) so it does not conflict with testRunner.args.maxWorkers
and the e2e/jest.config.js maxWorkers: 1; update .detoxrc.js to either omit
maxWorkers entirely on CI or set it to 1 to ensure only one worker/device
session is used.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9827f892-46e9-444d-9f4a-3137e5fb0899

📥 Commits

Reviewing files that changed from the base of the PR and between 8a85dc9 and 09379fb.

📒 Files selected for processing (1)

• PingTestRunner/.detoxrc.js