chore: CI simulator bump and project housekeeping

[frederikprijck]

Summary

Extracts unrelated maintenance from the passkeys PR (#858).

• Bump CI iOS simulator iPhone 16 → iPhone 17 (.github/workflows/main.yml)
• Ignore Swift Package Manager build caches .build/ and .swiftpm/ (ios/macos/darwin .gitignore)
• Pick up Flutter-generated xcscheme debug settings (LLDB init file, GPU validation)
• Minor example_app.dart cleanup (RegExp literal + SSO idToken display)

Context

These changes were bundled into #858 (passkeys) but are independent, low-risk maintenance unrelated to the passkeys feature.

Test plan

• CI passes on iPhone 17 simulator
• Example app builds on iOS/macOS

Summary by CodeRabbit

• Chores
  • Updated the iOS simulator target used in the CI workflow
  • Improved build cache handling by adding Swift Package Manager cache ignores for iOS, macOS, and Darwin projects

[coderabbitai]

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 3e0e7662-56e8-4bbb-9607-4be24471e1f9

📥 Commits

Reviewing files that changed from the base of the PR and between 23f5b4d and bd82ca9.

📒 Files selected for processing (1)

• .github/workflows/main.yml

---

Walkthrough

The PR updates the CI workflow to target iPhone 17 for iOS simulator tests and adds Swift Package Manager build cache directories (.build/ and .swiftpm/) to gitignore files across the darwin, ios, and macos platform directories.

Changes

Build & CI Setup Updates

Layer / File(s)	Summary
iOS simulator version update .github/workflows/main.yml	CI workflow environment variable ios-simulator updated from iPhone 16 to iPhone 17 for iOS test jobs.
SPM build cache exclusions auth0_flutter/darwin/.gitignore, auth0_flutter/ios/.gitignore, auth0_flutter/macos/.gitignore	Swift Package Manager build cache directories .build/ and .swiftpm/ were added to the platform gitignore files with a descriptive comment.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

📱 iPhone seventeen steps in bright,
Swift cache files tucked out of sight,
Build trails vanish, neat and clean,
A calmer CI, sharp and keen ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main maintenance changes: CI simulator bump and project housekeeping.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/ci-and-housekeeping

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/main.yml:
- Around line 28-29: The workflow’s active actions/checkout steps are still
persisting GITHUB_TOKEN in git config; update every checkout invocation in
main.yml to include the same with.persist-credentials: false setting. Apply this
consistently to each checkout step referenced by the workflow so the existing
checkout jobs no longer leave credentials available for later repo commands or
artifact uploads.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 3e0e7662-56e8-4bbb-9607-4be24471e1f9

📥 Commits

Reviewing files that changed from the base of the PR and between 23f5b4d and bd82ca9.

📒 Files selected for processing (1)

• .github/workflows/main.yml

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/main.yml:
- Around line 28-29: The workflow’s active actions/checkout steps are still
persisting GITHUB_TOKEN in git config; update every checkout invocation in
main.yml to include the same with.persist-credentials: false setting. Apply this
consistently to each checkout step referenced by the workflow so the existing
checkout jobs no longer leave credentials available for later repo commands or
artifact uploads.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 3e0e7662-56e8-4bbb-9607-4be24471e1f9

📥 Commits

Reviewing files that changed from the base of the PR and between 23f5b4d and bd82ca9.

📒 Files selected for processing (1)

• .github/workflows/main.yml

🛑 Comments failed to post (1)

.github/workflows/main.yml (1)

28-29: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable credential persistence on every checkout step.

These checkouts keep GITHUB_TOKEN in the local git config for the rest of each job. Since the same jobs later run repo-controlled commands and/or upload artifacts, that unnecessarily widens token exposure.

Suggested fix

             - name: Checkout
               uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+              with:
+                persist-credentials: false

Apply the same with.persist-credentials: false block to every active actions/checkout step in this workflow.

Also applies to: 51-52, 82-83, 101-102, 135-136, 213-214, 278-279, 316-317, 525-526

🧰 Tools

🪛 zizmor (1.26.1)

[warning] 28-29: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/main.yml around lines 28 - 29, The workflow’s active
actions/checkout steps are still persisting GITHUB_TOKEN in git config; update
every checkout invocation in main.yml to include the same
with.persist-credentials: false setting. Apply this consistently to each
checkout step referenced by the workflow so the existing checkout jobs no longer
leave credentials available for later repo commands or artifact uploads.

Source: Linters/SAST tools