Merged
25 changes: 25 additions & 0 deletions .env.development
@@ -0,0 +1,25 @@
# Storage Encryption Key (Optional)
# If not provided, a secure key will be generated and stored in the device's secure keystore
# For production, consider using a key management service or environment-specific key
# RESPOND_STORAGE_ENCRYPTION_KEY=your-256-bit-encryption-key-here

# API Configuration
RESPOND_BASE_API_URL=https://qaapi.resgrid.dev
RESPOND_API_VERSION=v4
RESPOND_RESGRID_API_URL=/api/v4
RESPOND_CHANNEL_API_URL=https://qaevents.resgrid.dev/
RESPOND_CHANNEL_HUB_NAME=eventingHub
RESPOND_REALTIME_GEO_HUB_NAME=geolocationHub

# App Configuration
RESPOND_LOGGING_KEY=
RESPOND_APP_KEY=

# Mapbox Configuration
RESPOND_MAPBOX_PUBKEY=
RESPOND_MAPBOX_DLKEY=

# Analytics Configuration
RESPOND_SENTRY_DSN=
RESPOND_APTABASE_APP_KEY=
RESPOND_APTABASE_URL=
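Review bot: the commented-out `RESPOND_STORAGE_ENCRYPTION_KEY` line says "256-bit" but the comment block above it never says how that key is expected to be encoded in the variable (hex, base64) or what length is rejected, so an operator following it could paste a short ASCII passphrase in place of `your-256-bit-encryption-key-here`; state the expected encoding and length there. Since this file is tracked in the repo, the comment should also say that a real value belongs in an untracked environment-specific file or the key management service it mentions, never on this line.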
44 changes: 42 additions & 2 deletions .github/workflows/react-native-cicd.yml
@@ -154,13 +154,15 @@
sudo apt-get update && sudo apt-get install -y jq
fi
androidVersionCode=$((5080345 + ${{ github.run_number }}))
echo "Android Version Code: ${androidVersionCode}"
# Fix the main entry in package.json
if [ -f ./package.json ]; then
# Create a backup
cp package.json package.json.bak
# Update the package.json
jq '.version = "7.${{ github.run_number }}"' package.json > package.json.tmp && mv package.json.tmp package.json
jq '.versionCode = "7${{ github.run_number }}"' package.json > package.json.tmp && mv package.json.tmp package.json
jq --arg version "10.${{ github.run_number }}" --argjson versionCode "$androidVersionCode" '.version = $version | .versionCode = $versionCode' package.json > package.json.tmp && mv package.json.tmp package.json
echo "Updated package.json versions"
cat package.json | grep "version"
cat package.json | grep "versionCode"
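Review bot: the replacement `jq` line stores `versionCode` as a JSON number via `--argjson`, whereas the two removed lines wrote it as the string `"7…"` (and with a different major, `7.` versus `10.`); that type and scheme change should be called out in the PR description for anything downstream that reads `package.json`. The two trailing `grep "version"` / `grep "versionCode"` lines are redundant, since the first pattern already matches both keys; a single `jq '{version, versionCode}' package.json` shows both values without the `cat` pipe.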
@@ -273,3 +275,41 @@
file: ./ResgridRespond-ios-adhoc.ipa
groups: Resgrid
notify: on

- name: 📋 Extract Release Notes from PR Body
if: ${{ matrix.platform == 'android' }}
env:
PR_BODY: ${{ github.event.pull_request.body }}
run: |
set -eo pipefail
# Grab lines after "## Release Notes" until the next header
RELEASE_NOTES="$(printf '%s\n' "$PR_BODY" \
| awk 'f && /^## /{f=0} /^## Release Notes/{f=1; next} f')"
# Use a unique delimiter to write multiline into GITHUB_ENV
delimiter="EOF_$(date +%s)_$RANDOM"
{
echo "RELEASE_NOTES<<$delimiter"
printf '%s\n' "${RELEASE_NOTES:-No release notes provided.}"
echo "$delimiter"
} >> "$GITHUB_ENV"
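Review bot: writing the extracted PR body into `GITHUB_ENV` through a heredoc terminated by `EOF_$(date +%s)_$RANDOM` is the weak point of this step: the terminator is a timestamp plus bash's small `$RANDOM` range, and the body it fences is author-controlled on `pull_request`, so the step's safety depends on the body never containing that terminator line. The extraction already happens inside a `"$(...)"` capture, so the value never needs to cross a process boundary; redirecting the same `awk` filter into the file the next step reads removes the `GITHUB_ENV` sink and the delimiter logic entirely. Note also that `github.event.pull_request.body` is empty on `push` and `workflow_dispatch`, so those runs always receive the `No release notes provided.` default.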
Comment on lines +283 to +294

Check failure: Code scanning / CodeQL
Environment variable built from user-controlled sources (Critical)

Potential environment variable injection in:

    set -eo pipefail
    # Grab lines after "## Release Notes" until the next header
    RELEASE_NOTES="$(printf '%s\n' "$PR_BODY" \
      | awk 'f && /^## /{f=0} /^## Release Notes/{f=1; next} f')"
    # Use a unique delimiter to write multiline into GITHUB_ENV
    delimiter="EOF_$(date +%s)_$RANDOM"
    {
      echo "RELEASE_NOTES<<$delimiter"
      printf '%s\n' "${RELEASE_NOTES:-No release notes provided.}"
      echo "$delimiter"
    } >> "$GITHUB_ENV"

which may be controlled by an external user (workflow_dispatch).

Copilot Autofix (AI, 5 months ago)

To fix the problem, we must ensure that user-controlled data (the PR body) cannot inject new environment variables or break out of the intended assignment in the $GITHUB_ENV file. The best way to do this is:

  • Check that the chosen delimiter does not appear in the extracted release notes. If it does, generate a new delimiter and try again, or sanitize the release notes to remove or escape the delimiter.
  • Alternatively, use a cryptographically strong random delimiter (e.g., using uuidgen if available) to make delimiter collision practically impossible.
  • Optionally, sanitize the release notes to remove any lines that could be interpreted as environment variable assignments, or to remove newlines if a single-line variable is sufficient.

In this case, the best fix is to use uuidgen to generate a strong, unique delimiter, and to check that the delimiter does not appear in the release notes before writing to $GITHUB_ENV. If uuidgen is not available, fall back to the current method, but still check for delimiter collisions.

Required changes:

  • In the step at lines 279-295, update the delimiter generation to use uuidgen if available.
  • Add a check to ensure the delimiter does not appear in the release notes. If it does, regenerate the delimiter.
  • Optionally, add a maximum number of attempts to avoid infinite loops.

Suggested changeset 1
.github/workflows/react-native-cicd.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/react-native-cicd.yml b/.github/workflows/react-native-cicd.yml
--- a/.github/workflows/react-native-cicd.yml
+++ b/.github/workflows/react-native-cicd.yml
@@ -285,14 +285,29 @@
           # Grab lines after "## Release Notes" until the next header
           RELEASE_NOTES="$(printf '%s\n' "$PR_BODY" \
             | awk 'f && /^## /{f=0} /^## Release Notes/{f=1; next} f')"
-          # Use a unique delimiter to write multiline into GITHUB_ENV
-          delimiter="EOF_$(date +%s)_$RANDOM"
+          # Use a cryptographically strong unique delimiter and check for collision
+          max_attempts=5
+          attempt=0
+          while [ $attempt -lt $max_attempts ]; do
+            if command -v uuidgen >/dev/null 2>&1; then
+              delimiter="EOF_$(uuidgen)"
+            else
+              delimiter="EOF_$(date +%s)_$RANDOM"
+            fi
+            if ! printf '%s\n' "${RELEASE_NOTES:-No release notes provided.}" | grep -q "$delimiter"; then
+              break
+            fi
+            attempt=$((attempt+1))
+          done
+          if [ $attempt -eq $max_attempts ]; then
+            echo "Failed to generate a safe delimiter for RELEASE_NOTES" >&2
+            exit 1
+          fi
           {
             echo "RELEASE_NOTES<<$delimiter"
             printf '%s\n' "${RELEASE_NOTES:-No release notes provided.}"
             echo "$delimiter"
           } >> "$GITHUB_ENV"
-
       - name: 📋 Prepare Release Notes file
         if: ${{ matrix.platform == 'android' }}
         run: |
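Review bot: the collision check `printf '%s\n' "${RELEASE_NOTES:-...}" | grep -q "$delimiter"` runs under the step's `set -eo pipefail`; `grep -q` exits on the first match, and if `printf` is then hit by SIGPIPE on a large body the pipeline status is printf's failure rather than grep's success, so `if ! ...` can treat a real collision as safe. Test the variable without a pipeline, e.g. `case "$RELEASE_NOTES" in *"$delimiter"*) attempt=$((attempt+1)); continue;; esac`, and if `grep` is kept, use `grep -qF -- "$delimiter"` so the delimiter is matched literally. The retry loop and `uuidgen` fallback only harden the `GITHUB_ENV` heredoc; writing the notes straight to a file needs no delimiter at all.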
EOF
Comment on lines +279 to +295
⚠️ Potential issue

Avoid writing PR body into GITHUB_ENV; write directly to a file to eliminate env injection risk.

PR bodies are user-controlled on pull_request and workflow_dispatch. Even with a randomized delimiter, writing arbitrary content into GITHUB_ENV is unnecessary here and flagged by CodeQL. Generate the release notes file directly and drop the environment variable.

Apply this diff to remove the env write step:

-      - name: 📋 Extract Release Notes from PR Body
-        if: ${{ matrix.platform == 'android' }}
-        env:
-          PR_BODY: ${{ github.event.pull_request.body }}
-        run: |
-          set -eo pipefail
-          # Grab lines after "## Release Notes" until the next header
-          RELEASE_NOTES="$(printf '%s\n' "$PR_BODY" \
-            | awk 'f && /^## /{f=0} /^## Release Notes/{f=1; next} f')"
-          # Use a unique delimiter to write multiline into GITHUB_ENV
-          delimiter="EOF_$(date +%s)_$RANDOM"
-          {
-            echo "RELEASE_NOTES<<$delimiter"
-            printf '%s\n' "${RELEASE_NOTES:-No release notes provided.}"
-            echo "$delimiter"
-          } >> "$GITHUB_ENV"
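Review bot: removing this step on its own leaves the following `Prepare Release Notes file` step reading an unset `RELEASE_NOTES`, so every release body would silently become `No release notes provided.`; this deletion has to land in the same commit as the inlined extraction in that step, or the fallback there should fail the job loudly so the regression is noticed.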

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

.github/workflows/react-native-cicd.yml around lines 279-295: the job currently extracts the "## Release Notes" section from the PR body and writes it into GITHUB_ENV using a randomized delimiter, which risks env injection; instead, write the extracted release notes directly to a file in the workspace (for example, ./release-notes.txt or ./release-notes.md) and remove the GITHUB_ENV write and delimiter logic; keep the same extraction logic but redirect output to a file (with a safe default like "No release notes provided." when empty) and update any downstream steps to read that file rather than relying on an environment variable.

- name: 📋 Prepare Release Notes file
if: ${{ matrix.platform == 'android' }}
run: |
{
echo "## Version 10.${{ github.run_number }} - $(date +%Y-%m-%d)"
echo
printf '%s\n' "${RELEASE_NOTES:-No release notes provided.}"
} > RELEASE_NOTES.md
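Review bot: this step only consumes `RELEASE_NOTES` from `GITHUB_ENV` and applies a second `:-No release notes provided.` default that cannot trigger while the previous step runs (it already substitutes the same text), but which silently masks the case where that step is skipped or its env write fails. Since the extraction is a single `awk` command, performing it here from `PR_BODY` passed through `env:` and writing `RELEASE_NOTES.md` directly removes the cross-step environment dependency; the `## Version 10.${{ github.run_number }}` header can stay as is.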
Comment on lines +296 to +304
⚠️ Potential issue

Build the RELEASE_NOTES.md directly (no dependency on env state).

Inline the extraction in this step and write the file directly.

-      - name: 📋 Prepare Release Notes file
-        if: ${{ matrix.platform == 'android' }}
-        run: |
-          {
-            echo "## Version 10.${{ github.run_number }} - $(date +%Y-%m-%d)"
-            echo
-            printf '%s\n' "${RELEASE_NOTES:-No release notes provided.}"
-          } > RELEASE_NOTES.md
+      - name: 📋 Prepare Release Notes file
+        if: ${{ matrix.platform == 'android' }}
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+        run: |
+          set -eo pipefail
+          NOTES="$(printf '%s\n' "$PR_BODY" | awk 'f && /^## /{f=0} /^## Release Notes/{f=1; next} f')"
+          {
+            echo "## Version 10.${{ github.run_number }} - $(date +%Y-%m-%d)"
+            echo
+            if [ -n "$NOTES" ]; then
+              printf '%s\n' "$NOTES"
+            else
+              echo "No release notes provided."
+            fi
+          } > RELEASE_NOTES.md
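Review bot: the suggested step keeps `PR_BODY` scoped to `env:` and makes the file the only sink, which is the right shape, but it keeps `github.event.pull_request.body` as the sole source. That field is only populated on `pull_request` events, while the `Create Release` step below is gated on `github.event_name == 'push'` or a `workflow_dispatch` `buildType` of `all`/`prod-apk`, so on every run that actually publishes a release `$NOTES` is empty and `RELEASE_NOTES.md` carries only the header and the default line. Either add a source that exists on those events (a `workflow_dispatch` input, the commit range) or document that release bodies are not populated from PRs.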
🤖 Prompt for AI Agents

In .github/workflows/react-native-cicd.yml around lines 296–304, replace the current step that writes RELEASE_NOTES.md using the RELEASE_NOTES env var with an inline generation that writes the file directly: create the header ("## Version 10.${{ github.run_number }} - $(date +%Y-%m-%d)"), then append extracted release notes obtained inline (prefer github.event.inputs.release_notes or github.event.pull_request.body if present, otherwise fall back to recent commit messages via git log), and write the combined content to RELEASE_NOTES.md in this step (fail the job if extraction fails).

- name: 📦 Create Release
if: ${{ matrix.platform == 'android' && (github.event.inputs.buildType == 'all' || github.event_name == 'push' || github.event.inputs.buildType == 'prod-apk') }}
uses: ncipollo/release-action@v1
with:
tag: '10.${{ github.run_number }}'
commit: ${{ github.sha }}
makeLatest: true
allowUpdates: true
name: '10.${{ github.run_number }}'
artifacts: './ResgridRespond-prod.apk'
bodyFile: 'RELEASE_NOTES.md'
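Review bot: `ncipollo/release-action@v1` is pinned to a mutable major tag; for the step that publishes `ResgridRespond-prod.apk` and marks it `makeLatest: true`, pin to a full commit SHA (with the version in a trailing comment) so a moved tag cannot change the action's code under the release job. `allowUpdates: true` together with a tag derived from `github.run_number` means a re-run of the same workflow run can replace the asset on an already published release; if that is intended, say so in a comment, otherwise drop `allowUpdates` so a second upload fails instead of overwriting.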
158 changes: 0 additions & 158 deletions __mocks__/react-native-ble-plx.ts

This file was deleted.

2 changes: 1 addition & 1 deletion __mocks__/react-native-gesture-handler.ts
@@ -1 +1 @@
module.exports = require('react-native-gesture-handler/src/mocks.js');
module.exports = require('react-native-gesture-handler/lib/commonjs/mocks.js');
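Review bot: `react-native-gesture-handler/lib/commonjs/mocks.js` is the package's compiled output rather than a documented entry point, so it can move in a minor release just as `src/mocks.js` did; a one-line comment recording the library version this path was verified against would save the next person the same hunt.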
16 changes: 0 additions & 16 deletions android/.gitignore

This file was deleted.
