Conversation

@ignaciosantise ignaciosantise commented Jan 12, 2026

Summary

Simplifies CI/CD configuration with two major improvements:

1. Single .env file per project

  • Use .env instead of variant-specific files (.env.debug, .env.internal, .env.production)
  • Move SENTRY_TAG to misc_*.ts files for build variant identification
  • Remove env file copying from iOS Xcode schemes
  • Simplify Android gradle to use single .env file

2. Consolidated CI/CD workflows (12 → 3 files)

  • release-appkit.yaml - Replaces 4 dapp workflows
  • release-walletkit.yaml - Replaces 4 wallet workflows
  • release-pos.yaml - Replaces 4 POS workflows
flowchart LR
    subgraph Before["Before (12 files)"]
        direction TB
        B1["release-dapp-android-internal"]
        B2["release-dapp-android-production"]
        B3["release-dapp-ios-internal"]
        B4["release-dapp-ios-production"]
        B5["release-wallet-android-internal"]
        B6["release-wallet-android-production"]
        B7["release-wallet-ios-internal"]
        B8["release-wallet-ios-production"]
        B9["release-pos-android"]
        B10["release-pos-legacy-android"]
        B11["release-pos-ios"]
        B12["release-pos-ios-legacy"]
    end
    
    subgraph After["After (3 files)"]
        direction TB
        A1["release-appkit.yaml<br/>├─ platform: android/ios<br/>├─ release-type: internal/prod<br/>└─ e2e-build: true/false"]
        A2["release-walletkit.yaml<br/>├─ platform: android/ios<br/>├─ release-type: internal/prod<br/>└─ e2e-build: true/false"]
        A3["release-pos.yaml<br/>├─ platform: android/ios<br/>└─ variant: production/legacy"]
    end
    
    Before --> After

Workflow Features

  • Platform selection: Choose Android or iOS from dropdown
  • Release type: Choose internal or production
  • E2E build option: Upload to S3 for AppKit SDK repo E2E tests

Changes Summary

  • Removed ENV_RELAY_URL (library has default)
  • Environment files use secrets: APPKIT_ENV_FILE, WALLETKIT_ENV_FILE, POS_ENV_FILE
  • Removed unused env-file-path input from base workflows
  • Updated READMEs with clearer setup instructions

Required Manual Steps

After merging, create/update these GitHub Secrets:

# APPKIT_ENV_FILE
ENV_PROJECT_ID=<project_id>
ENV_SENTRY_DSN=<dsn>

# WALLETKIT_ENV_FILE
ENV_PROJECT_ID=<project_id>
ENV_SENTRY_DSN=<dsn>
ENV_TON_CENTER_API_KEY=<api_key>

# POS_ENV_FILE & POS_LEGACY_ENV_FILE
# (update existing if needed)

Test Plan

  • Verify local iOS debug build works
  • Verify local Android debug build works
  • Create/update GitHub secrets
  • Test Release AppKit workflow (android + internal)
  • Test Release AppKit workflow (ios + internal)
  • Test Release WalletKit workflow (android + internal)
  • Test Release WalletKit workflow (ios + internal)
  • Test Release Mobile POS workflow

- Use single .env file per project instead of variant-specific files
- Move SENTRY_TAG to misc_*.ts files for build variant metadata
- Remove env file copying from iOS Xcode schemes (keep only misc.ts copy)
- Simplify Android build.gradle to use single .env file
- Update GitHub workflows to use env-file secret/variable
- Remove ENV_RELAY_URL (library has default value)
- Update READMEs with clearer setup instructions

This simplifies the build configuration by:
1. AppKit uses vars.APPKIT_ENV_FILE (non-sensitive)
2. WalletKit uses secrets.WALLETKIT_ENV_FILE (contains API key)
Copilot AI review requested due to automatic review settings January 12, 2026 16:07

vercel bot commented Jan 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: react-native-examples
Deployment: Ready
Review: Preview, Comment
Updated (UTC): Jan 12, 2026 7:27pm

claude bot commented Jan 12, 2026

Claude finished @ignaciosantise's task in 2m 13s


Review Complete: CI/CD env file handling simplification

Found 1 issue(s)

Issue 1: GitHub Variable used for potentially sensitive data

ID: release-dapp-appkit-env-exposure-a3f2
File: .github/workflows/release-dapp-android-internal.yaml:20
Severity: HIGH
Category: security

AppKit workflow uses vars.APPKIT_ENV_FILE (GitHub Variable) instead of secrets.APPKIT_ENV_FILE. GitHub Variables are visible to repository viewers and not encrypted, while Secrets are encrypted and access-controlled.

The PR description states "AppKit uses vars.APPKIT_ENV_FILE (non-sensitive data)" containing ENV_PROJECT_ID and ENV_SENTRY_DSN. While Project ID may be considered non-sensitive, Sentry DSN can expose project structure and potentially be abused for sending fake error reports to your Sentry quota.

Recommendation: Use secrets.APPKIT_ENV_FILE instead for defense-in-depth:

secrets:
  env-file: ${{ secrets.APPKIT_ENV_FILE }}

Rationale: Even if data is considered "non-sensitive," storing configuration in Secrets provides:

  • Encryption at rest
  • Access control and audit logging
  • Protection against accidental exposure
  • Consistent security posture across all projects

Automated Checks

🔒 External Domain URLs Detected (Non-blocking)

New documentation references to external domains:

  • sentry.io - Referenced in README for Sentry setup instructions (dapps/W3MWagmi/README.md:24, wallets/rn_cli_wallet/README.md:25)
  • toncenter.com - Referenced in README for TON Center API key (wallets/rn_cli_wallet/README.md:26)

These are legitimate third-party service documentation links in setup instructions. No action required.

✅ No workflow security issues detected
✅ No cache-control issues detected


Review Summary

This PR successfully simplifies CI/CD configuration by consolidating variant-specific env files into a single .env file per project. The implementation is clean and the migration path is well-documented.

Key observations:

  • ✅ Proper gitignore coverage (root .gitignore has *.env pattern)
  • ✅ iOS schemes correctly updated to remove env file copying
  • ✅ Android gradle properly configured with single .env default
  • ✅ Variant metadata correctly moved to misc_*.ts files
  • ✅ Type definitions updated to remove unused env vars
  • ⚠️ Consider using Secrets instead of Variables for AppKit env file

The architecture simplification is sound. The main concern is the security posture of using GitHub Variables vs Secrets for configuration data.
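The review above flags an `*_ENV_FILE` value being passed through `vars.` (a GitHub Variable, readable by anyone with repository read access) rather than `secrets.`. The following is an added example, not code from the PR or from the review bot: a small POSIX shell lint that scans a workflow file for `${{ vars.<NAME>_ENV_FILE }}` references so the mistake is caught in CI or a pre-commit hook before it lands. The sample workflow fragment it builds is constructed for the demonstration and is not taken from the repository.

```shell
#!/bin/sh
# Added example (not the PR's or the bot's own code): flag workflow lines that
# pass an *_ENV_FILE value via `vars.` (a GitHub Variable) instead of `secrets.`.
#
# find_env_file_vars <workflow-file>
#   Prints every offending line as "lineno:content" and returns 1 if any were
#   found, 0 otherwise. Intended to be run over .github/workflows/*.yaml.
find_env_file_vars() {
  # Matches e.g. "${{ vars.APPKIT_ENV_FILE }}" with optional inner spaces.
  if grep -nE '\$\{\{ *vars\.[A-Za-z0-9_]*ENV_FILE *\}\}' "$1"; then
    return 1
  fi
  return 0
}

# make_sample <path>
#   Writes a constructed workflow fragment (not from the repository) with one
#   Variable reference and one Secret reference, for demonstration.
make_sample() {
  cat > "$1" <<'EOF'
jobs:
  android:
    uses: ./.github/workflows/release-android-base.yaml
    secrets:
      env-file: ${{ vars.APPKIT_ENV_FILE }}
  ios:
    uses: ./.github/workflows/release-ios-base.yaml
    secrets:
      env-file: ${{ secrets.WALLETKIT_ENV_FILE }}
EOF
}

# Stand-alone run: build the sample and lint it (exit status 1 = finding).
if [ "${1:-}" = "--demo" ]; then
  sample=$(mktemp)
  make_sample "$sample"
  find_env_file_vars "$sample"
fi
```

Run it as `sh lint.sh --demo` to see the single offending line reported, or call `find_env_file_vars` on each file under `.github/workflows/` from a CI job and fail the job on a non-zero return. The check is deliberately narrow (only `*_ENV_FILE` names) so it does not trip on Variables that genuinely hold non-sensitive values.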

Copilot AI left a comment

Pull request overview

This PR simplifies CI/CD environment file handling by consolidating variant-specific environment files (.env.debug, .env.internal, .env.production) into a single .env file per project. The variant-specific metadata (SENTRY_TAG) is now managed through TypeScript files that are copied at build time.

Changes:

  • Environment configuration consolidated from multiple variant-specific .env files to a single .env file
  • Sentry environment tags moved from env files to SENTRY_TAG constants in variant-specific misc_*.ts files
  • GitHub workflows updated to use consolidated env-file secrets instead of individual configuration parameters
  • Relay URL configuration simplified to use library defaults instead of explicit environment variable

Reviewed changes

Copilot reviewed 36 out of 39 changed files in this pull request and generated 1 comment.

Summary per file:

  • wallets/rn_cli_wallet/src/utils/misc.ts: Added SENTRY_TAG constant for production variant
  • wallets/rn_cli_wallet/src/utils/WalletKitUtil.ts: Simplified relay URL to use library default instead of ENV_RELAY_URL
  • wallets/rn_cli_wallet/src/screens/App.tsx: Updated Sentry initialization to use SENTRY_TAG from misc.ts
  • wallets/rn_cli_wallet/scripts/misc_*.ts: Added SENTRY_TAG constants for each build variant
  • wallets/rn_cli_wallet/scripts/copy-sample-files.sh: Updated to copy .env instead of .env.debug
  • wallets/rn_cli_wallet/ios/*.xcscheme: Removed .env file copying, kept misc.ts copying
  • wallets/rn_cli_wallet/ios/Podfile.lock: Updated CocoaPods version and dependency versions
  • wallets/rn_cli_wallet/declarations.d.ts: Removed ENV_RELAY_URL and ENV_SENTRY_TAG declarations
  • wallets/rn_cli_wallet/android/app/build.gradle: Simplified to use single .env file
  • wallets/rn_cli_wallet/README.md: Updated setup instructions for single .env file
  • wallets/rn_cli_wallet/.env.example: Removed variant-specific instructions and ENV_RELAY_URL
  • dapps/W3MWagmi/src/utils/misc.ts: Updated metadata to production defaults and added SENTRY_TAG
  • dapps/W3MWagmi/src/App.tsx: Updated Sentry initialization to use SENTRY_TAG from misc.ts
  • dapps/W3MWagmi/scripts/misc_*.ts: Added SENTRY_TAG constants for each build variant
  • dapps/W3MWagmi/scripts/copy-sample-files.sh: Updated to copy .env instead of .env.debug
  • dapps/W3MWagmi/ios/*.xcscheme: Updated to copy variant misc files
  • dapps/W3MWagmi/ios/Podfile.lock: Updated CocoaPods version
  • dapps/W3MWagmi/android/app/build.gradle: Simplified to use single .env file
  • dapps/W3MWagmi/README.md: Updated setup instructions for single .env file
  • dapps/W3MWagmi/.gitignore: Added blank line
  • dapps/W3MWagmi/.env.example: Removed variant-specific instructions
  • .github/workflows/release--ios-.yaml: Updated to use env-file secret instead of individual parameters
  • .github/workflows/release--android-.yaml: Updated to use env-file secret instead of individual parameters
  • .github/workflows/release-ios-base.yaml: Removed individual secret parameters, added env-file handling and variant file copying
  • .github/workflows/release-android-base.yaml: Removed individual secret parameters, added env-file handling and variant file copying


- Create unified release-appkit.yaml (replaces 4 dapp workflows)
- Create unified release-walletkit.yaml (replaces 4 wallet workflows)
- Create unified release-pos.yaml (replaces 4 POS workflows)
- Remove unused env-file-path input from base workflows
- Add e2e-build option for S3 uploads (AppKit SDK repo E2E tests)
- Use workflow_dispatch inputs for platform/release-type selection

Benefits:
- 53% fewer workflow files (17 → 8)
- Single source of truth per project
- Better UX with dropdown menus in GitHub Actions

ignaciosantise (Collaborator, Author) commented

@claude review

claude bot commented Jan 12, 2026

Claude finished @ignaciosantise's task in 1m 49s


Review Complete: CI/CD env file handling simplification

Found 1 issue(s)

Issue 1: Env file secret not validated as non-empty

ID: android-base-env-empty-7a3c
File: .github/workflows/release-android-base.yaml:99
Severity: MEDIUM
Category: reliability

The workflow writes the env file from secrets without validating that the secret is non-empty. If secrets.env-file is undefined or empty, it creates an empty .env file, causing the build to fail with cryptic errors about missing environment variables.

Same issue exists in release-ios-base.yaml:159.

Recommendation: Add validation before creating the env file:

- name: Create env file
  run: |
    if [ -z "${{ secrets.env-file }}" ]; then
      echo "Error: env-file secret is empty or not set"
      exit 1
    fi
    echo "${{ secrets.env-file }}" > ${{ inputs.root-path }}/.env

Automated Checks

🔒 External Domain URLs Detected (Non-blocking)

New documentation references to external domains detected in README files:

  • sentry.io - Referenced in setup instructions (dapps/W3MWagmi/README.md:24, wallets/rn_cli_wallet/README.md:53)
  • toncenter.com - Referenced for TON Center API key setup (wallets/rn_cli_wallet/README.md:54)

These are legitimate third-party service documentation links in setup instructions. No action required.

✅ No workflow security issues detected
✅ No cache-control issues detected


Review Summary

This PR successfully simplifies CI/CD configuration by:

  1. ✅ Consolidating 12 workflow files into 3 parameterized workflows
  2. ✅ Replacing variant-specific env files with single .env per project
  3. ✅ Moving variant metadata (SENTRY_TAG) to TypeScript files
  4. ✅ Proper use of GitHub Secrets for all env files (AppKit, WalletKit, POS)

Key observations:

  • ✅ Workflow consolidation well-designed with proper conditional logic
  • ✅ Base workflows properly parameterized with variant file copying support
  • ✅ Android gradle correctly configured with project.ext.defaultEnvFile = ".env"
  • ✅ iOS schemes properly updated to copy variant misc_*.ts files
  • ✅ Copy-variant-files.sh scripts correctly handle debug/internal/production variants
  • ✅ Type definitions properly cleaned up (removed ENV_RELAY_URL, ENV_SENTRY_TAG)
  • ✅ READMEs updated with clear setup instructions
  • ⚠️ Minor: Consider adding validation for empty env-file secrets in workflows

The architecture is sound and the consolidation reduces maintenance burden significantly. The main suggestion is defensive validation for missing secrets to provide clearer error messages.
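The review above recommends failing the job when the env-file secret is empty instead of writing an empty `.env` and letting the build fail later with an unrelated error. The following is an added example, not code from the PR or from the review bot, that takes the check a step further: it verifies the secret is non-empty, that each required key (assumed here from the `APPKIT_ENV_FILE` layout in the PR description, `ENV_PROJECT_ID` and `ENV_SENTRY_DSN`) is present with a non-empty value, and that no `<placeholder>` values from the template were left in, then writes the file with owner-only permissions. The secret is handed to the script through an environment variable rather than interpolated into the script body with `${{ }}`, so quotes or newlines in a multi-line secret cannot alter the shell. Sample contents are constructed and contain no real credentials.

```shell
#!/bin/sh
# Added example (not the PR's or the bot's own code): validate an env-file
# secret before writing it to disk so a missing or incomplete secret fails the
# job with a clear message.
#
# validate_env_content <content> <required-key>...
#   Returns 0 when content is non-empty and every required key has a
#   non-empty, non-placeholder value; otherwise reports each problem on stderr
#   and returns 1.
validate_env_content() {
  content=$1; shift
  status=0
  # Whitespace-only content counts as empty (an unset secret expands to "").
  if [ -z "$(printf '%s' "$content" | tr -d '[:space:]')" ]; then
    echo "error: env file secret is empty or not set" >&2
    return 1
  fi
  for key in "$@"; do
    # Value after "KEY=" on the first matching non-comment line.
    value=$(printf '%s\n' "$content" | grep -v '^[[:space:]]*#' \
      | sed -n "s/^[[:space:]]*${key}=//p" | head -n 1)
    if [ -z "$value" ]; then
      echo "error: required key $key is missing or empty" >&2
      status=1
    elif printf '%s' "$value" | grep -qE '^<.*>$'; then
      # Template placeholders such as <project_id> were never filled in.
      echo "error: $key still holds placeholder value $value" >&2
      status=1
    fi
  done
  return $status
}

# write_env_file <content> <destination> <required-key>...
#   Validates, then writes the file readable by the current user only, since
#   it carries credentials such as the Sentry DSN or an API key.
write_env_file() {
  content=$1; dest=$2; shift 2
  validate_env_content "$content" "$@" || return 1
  umask 077
  printf '%s\n' "$content" > "$dest"
}

# Constructed sample inputs (not real credentials).
GOOD='ENV_PROJECT_ID=abc123
ENV_SENTRY_DSN=https://public@example.invalid/1'
PLACEHOLDER='ENV_PROJECT_ID=<project_id>
ENV_SENTRY_DSN=<dsn>'

# In a workflow step the secret is exposed as an environment variable, e.g.
#   env:
#     ENV_FILE_CONTENT: ${{ secrets.env-file }}
# and the step body then runs (hypothetical invocation, not from the PR):
#   write_env_file "$ENV_FILE_CONTENT" "$ROOT_PATH/.env" ENV_PROJECT_ID ENV_SENTRY_DSN
```

For the WalletKit workflow the same call would add `ENV_TON_CENTER_API_KEY` to the required-key list; the check reads only the keys it is told to, so a key that is genuinely optional can be left off. Passing the secret via `env:` also keeps it out of the step's rendered script, which is the form GitHub shows in job logs when a step fails.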


ignaciosantise added a commit that referenced this pull request Jan 12, 2026
Temporary stubs to enable workflow_dispatch from feature branches.
Will be replaced by full implementation when PR #311 is merged.
ignaciosantise added a commit that referenced this pull request Jan 12, 2026
Temporary stubs to enable workflow_dispatch from feature branches.
Will be replaced by full implementation when PR #311 is merged.