BOM_1.4.10#187

Merged
jakubuid merged 48 commits into master from develop, Sep 4, 2025
Conversation

jakubuid (Collaborator) commented Sep 3, 2025

No description provided.

dependabot bot and others added 30 commits August 4, 2025 12:55
Bumps [actions/add-to-project](https://github.com/actions/add-to-project) from 0.1.0 to 1.0.2.
- [Release notes](https://github.com/actions/add-to-project/releases)
- [Commits](actions/add-to-project@v0.1.0...v1.0.2)

---
updated-dependencies:
- dependency-name: actions/add-to-project
  dependency-version: 1.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [release-drafter/release-drafter](https://github.com/release-drafter/release-drafter) from 5 to 6.
- [Release notes](https://github.com/release-drafter/release-drafter/releases)
- [Commits](release-drafter/release-drafter@v5...v6)

---
updated-dependencies:
- dependency-name: release-drafter/release-drafter
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps `accompanist` from 0.34.0 to 0.36.0.

Updates `com.google.accompanist:accompanist-drawablepainter` from 0.34.0 to 0.36.0
- [Release notes](https://github.com/google/accompanist/releases)
- [Commits](google/accompanist@v0.34.0...v0.36.0)

Updates `com.google.accompanist:accompanist-navigation-material` from 0.34.0 to 0.36.0
- [Release notes](https://github.com/google/accompanist/releases)
- [Commits](google/accompanist@v0.34.0...v0.36.0)

Updates `com.google.accompanist:accompanist-navigation-animation` from 0.34.0 to 0.36.0
- [Release notes](https://github.com/google/accompanist/releases)
- [Commits](google/accompanist@v0.34.0...v0.36.0)

Updates `com.google.accompanist:accompanist-systemuicontroller` from 0.34.0 to 0.36.0
- [Release notes](https://github.com/google/accompanist/releases)
- [Commits](google/accompanist@v0.34.0...v0.36.0)

Updates `com.google.accompanist:accompanist-pager` from 0.34.0 to 0.36.0
- [Release notes](https://github.com/google/accompanist/releases)
- [Commits](google/accompanist@v0.34.0...v0.36.0)

Updates `com.google.accompanist:accompanist-pager-indicators` from 0.34.0 to 0.36.0
- [Release notes](https://github.com/google/accompanist/releases)
- [Commits](google/accompanist@v0.34.0...v0.36.0)

---
updated-dependencies:
- dependency-name: com.google.accompanist:accompanist-drawablepainter
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: com.google.accompanist:accompanist-navigation-material
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: com.google.accompanist:accompanist-navigation-animation
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: com.google.accompanist:accompanist-systemuicontroller
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: com.google.accompanist:accompanist-pager
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: com.google.accompanist:accompanist-pager-indicators
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps androidx.test:orchestrator from 1.5.0 to 1.6.1.

---
updated-dependencies:
- dependency-name: androidx.test:orchestrator
  dependency-version: 1.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps `kotlinxCoroutinesTest` from 1.5.2 to 1.10.2.

Updates `org.jetbrains.kotlinx:kotlinx-coroutines-test` from 1.5.2 to 1.10.2
- [Release notes](https://github.com/Kotlin/kotlinx.coroutines/releases)
- [Changelog](https://github.com/Kotlin/kotlinx.coroutines/blob/master/CHANGES.md)
- [Commits](Kotlin/kotlinx.coroutines@1.5.2...1.10.2)

Updates `org.jetbrains.kotlinx:kotlinx-coroutines-android` from 1.8.1 to 1.10.2
- [Release notes](https://github.com/Kotlin/kotlinx.coroutines/releases)
- [Changelog](https://github.com/Kotlin/kotlinx.coroutines/blob/master/CHANGES.md)
- [Commits](Kotlin/kotlinx.coroutines@1.8.1...1.10.2)

---
updated-dependencies:
- dependency-name: org.jetbrains.kotlinx:kotlinx-coroutines-test
  dependency-version: 1.10.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.jetbrains.kotlinx:kotlinx-coroutines-android
  dependency-version: 1.10.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps `androidxLifecycle` from 2.8.5 to 2.9.2.

Updates `androidx.lifecycle:lifecycle-livedata-ktx` from 2.8.5 to 2.9.2

Updates `androidx.lifecycle:lifecycle-viewmodel-ktx` from 2.8.5 to 2.9.2

Updates `androidx.lifecycle:lifecycle-runtime-ktx` from 2.8.5 to 2.9.2

---
updated-dependencies:
- dependency-name: androidx.lifecycle:lifecycle-livedata-ktx
  dependency-version: 2.9.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: androidx.lifecycle:lifecycle-viewmodel-ktx
  dependency-version: 2.9.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: androidx.lifecycle:lifecycle-runtime-ktx
  dependency-version: 2.9.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps `koin` from 3.5.6 to 4.1.0.

Updates `io.insert-koin:koin-core` from 3.5.6 to 4.1.0
- [Release notes](https://github.com/InsertKoinIO/koin/releases)
- [Changelog](https://github.com/InsertKoinIO/koin/blob/main/CHANGELOG.md)
- [Commits](InsertKoinIO/koin@3.5.6...4.1.0)

Updates `io.insert-koin:koin-android` from 3.5.6 to 4.1.0
- [Release notes](https://github.com/InsertKoinIO/koin/releases)
- [Changelog](https://github.com/InsertKoinIO/koin/blob/main/CHANGELOG.md)
- [Commits](InsertKoinIO/koin@3.5.6...4.1.0)

Updates `io.insert-koin:koin-test` from 3.5.6 to 4.1.0
- [Release notes](https://github.com/InsertKoinIO/koin/releases)
- [Changelog](https://github.com/InsertKoinIO/koin/blob/main/CHANGELOG.md)
- [Commits](InsertKoinIO/koin@3.5.6...4.1.0)

---
updated-dependencies:
- dependency-name: io.insert-koin:koin-core
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: io.insert-koin:koin-android
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: io.insert-koin:koin-test
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps `beagle` from 2.9.0 to 2.9.10.

Updates `io.github.pandulapeter.beagle:ui-view` from 2.9.0 to 2.9.10
- [Release notes](https://github.com/pandulapeter/beagle/releases)
- [Commits](pandulapeter/beagle@2.9.0...2.9.10)

Updates `io.github.pandulapeter.beagle:log` from 2.9.0 to 2.9.10
- [Release notes](https://github.com/pandulapeter/beagle/releases)
- [Commits](pandulapeter/beagle@2.9.0...2.9.10)

Updates `io.github.pandulapeter.beagle:log-crash` from 2.9.0 to 2.9.10
- [Release notes](https://github.com/pandulapeter/beagle/releases)
- [Commits](pandulapeter/beagle@2.9.0...2.9.10)

Updates `io.github.pandulapeter.beagle:log-okhttp` from 2.9.0 to 2.9.10
- [Release notes](https://github.com/pandulapeter/beagle/releases)
- [Commits](pandulapeter/beagle@2.9.0...2.9.10)

---
updated-dependencies:
- dependency-name: io.github.pandulapeter.beagle:ui-view
  dependency-version: 2.9.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.github.pandulapeter.beagle:log
  dependency-version: 2.9.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.github.pandulapeter.beagle:log-crash
  dependency-version: 2.9.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.github.pandulapeter.beagle:log-okhttp
  dependency-version: 2.9.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v4...v5)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps androidx.compose.ui:ui-test-junit4 from 1.7.1 to 1.9.0.

---
updated-dependencies:
- dependency-name: androidx.compose.ui:ui-test-junit4
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 3 to 5.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](actions/setup-java@v3...v5)

---
updated-dependencies:
- dependency-name: actions/setup-java
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…actions/add-to-project-1.0.2

ci(deps): bump actions/add-to-project from 0.1.0 to 1.0.2
…release-drafter/release-drafter-6

ci(deps): bump release-drafter/release-drafter from 5 to 6
….test-orchestrator-1.6.1

deps(deps): bump androidx.test:orchestrator from 1.5.0 to 1.6.1
…actions/setup-java-5

ci(deps): bump actions/setup-java from 3 to 5
….9.10

deps(deps): bump beagle from 2.9.0 to 2.9.10
….compose.ui-ui-test-junit4-1.9.0

deps(deps): bump androidx.compose.ui:ui-test-junit4 from 1.7.1 to 1.9.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v3...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…actions/checkout-5

ci(deps): bump actions/checkout from 3 to 5
…actions/download-artifact-5

ci(deps): bump actions/download-artifact from 4 to 5
…nto 6afddependabot/gradle/androidxLifecycle-2.9.2
…Lifecycle-2.9.2

deps(deps): bump androidxLifecycle from 2.8.5 to 2.9.2
…oroutinesTest-1.10.2

deps(deps): bump kotlinxCoroutinesTest from 1.5.2 to 1.10.2
…ist-0.36.0

deps(deps): bump accompanist from 0.34.0 to 0.36.0
chore: android gradle plugin update
claude bot commented Sep 3, 2025

Claude finished @jakubuid's task.


🔍 PR Review: BOM_1.4.10

This BOM version bump PR contains extensive changes across 46 files with consistent version updates to 1.4.10. Here's my comprehensive review:

Positive Aspects:

Version Consistency: All SDK modules properly updated to 1.4.10 across:

  • buildSrc/src/main/kotlin/Versions.kt: All version constants correctly set
  • BOM structure maintains proper dependency management
  • Sample applications correctly reference the new BOM version

Dependency Management:

  • Proper BOM usage in sample apps (sample/*/build.gradle.kts:113-115)
  • Clean separation between debug/internal (project references) vs release (BOM references)
  • Gradle wrapper updated to 8.13 for improved build performance

Infrastructure Improvements:

  • Added Claude auto-review workflow for automated PR reviews
  • Added CTA assistant for contributor guidance
  • GitHub Actions updated with latest action versions (v4, v5)

🚨 Security & Quality Issues:

1. Secrets Exposure Risk ⚠️

File: build.gradle.kts:118-128

stagingProfileId.set(System.getenv("REOWN_SONATYPE_STAGING_PROFILE_ID"))
username.set(System.getenv("CENTRAL_PORTAL_USERNAME"))
password.set(System.getenv("CENTRAL_PORTAL_PASSWORD"))

Issue: While using environment variables is correct, ensure these are properly secured in CI/CD and not logged.

2. Network Configuration Concerns ⚠️

File: build.gradle.kts:219-220, 279-280

.setConnectTimeout(30000) // 30 seconds
.setSocketTimeout(60000) // 60 seconds

Issue: Long timeout values (60s) could cause hanging builds. Consider reducing to 15-30s for staging operations.

3. JSON Parsing Without Library ⚠️

File: build.gradle.kts:236-260

// Simple JSON parsing - in a real implementation you might want to use a proper JSON library
val repoPattern = """"key":\s*"([^"]+)".*?"state":\s*"([^"]+)".*?(?:"portal_deployment_id":\s*"([^"]*)")?""".toRegex()

Issue: Manual regex-based JSON parsing is error-prone and fragile. Consider using Moshi or Gson for robust JSON handling in production release scripts.

4. Workflow Security ⚠️

File: .github/workflows/claude-review.yml:32

uses: WalletConnect/actions/claude/auto-review@master

Issue: Using @master instead of pinned version creates supply chain risk. Recommend pinning to specific SHA or tag.

File: .github/workflows/cta.yml:19

uses: walletconnect/actions/github/cta-assistant@master

Same issue: Should pin to specific version.

5. Missing Error Handling

File: build.gradle.kts:307-310, 361-362
Exception handling prints stack traces but continues execution. Consider if some failures should halt the release process.

📋 Additional Observations:

Cleanup Operations:

  • Removed 9 test resource files from buildSrc/src/test/resources/ (427 lines deleted)
  • This appears to be legitimate cleanup of unused test fixtures

Version Management:

  • AGP updated to 8.12.2 - latest stable version ✅
  • Kotlin updated to 2.2.0 - good for latest language features ✅
  • All dependencies properly aligned

Sample App Integration:

  • Proper buildConfig field injection: buildConfigField("String", "BOM_VERSION", "\"${BOM_VERSION}\"")
  • Correct conditional dependency declarations for different build variants

🔧 Recommendations:

  1. Immediate: Pin GitHub Action versions to specific SHAs or tags
  2. Soon: Replace manual JSON parsing with proper library (Moshi/Gson)
  3. Consider: Reduce HTTP timeout values in staging operations
  4. Monitor: Ensure release script error handling meets requirements

📊 Overall Assessment:

This is a well-structured BOM release with consistent versioning across all modules. The version bump appears properly coordinated, and the cleanup of test resources is appropriate. Main concerns are around the release automation scripts and workflow security practices.

Recommendation: APPROVE with above security improvements addressed in follow-up PRs.
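The review's "Immediate" recommendation is to pin the two `@master` action references. The checker below is an added example written for this page, not code from the PR or the WalletConnect project: it scans workflow text for `uses:` steps and reports any that resolve to a moving branch or to a tag rather than to a full commit SHA. The sample workflow, the `develop`/`latest` branch names and the 40-hex SHA on the setup-java line are constructed placeholders; the two `@master` lines are the ones the review quotes. It goes slightly beyond the review by distinguishing a branch reference (re-pointed on every push) from a tag (weaker than a SHA because the owner can move it), so a team can decide which class blocks a merge.

```python
import re

# Constructed sample workflow, modelled on the two `uses:` lines the review quotes.
# The 40-hex SHA on the setup-java line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
name: claude-review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: WalletConnect/actions/claude/auto-review@master
      - uses: walletconnect/actions/github/cta-assistant@master
      - uses: actions/setup-java@3a4f6e1c0f6d2bcaab6ec3c26dc6f5b1b0e5c7d9 # v5 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

# A `uses:` step line; the value ends at whitespace, a quote or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Branch names that move every time someone pushes to them (assumed list).
MUTABLE_REFS = {"master", "main", "develop", "latest"}


def classify_ref(uses_value):
    """Classify one `uses:` value as 'ok', 'mutable', 'tag' or 'skip'."""
    if uses_value.startswith("./") or uses_value.startswith("docker://"):
        # Local composite actions and container images are out of scope here.
        return "skip", "local action or container image"
    if "@" not in uses_value:
        return "mutable", "no ref given, resolves to the default branch"
    _repo, ref = uses_value.rsplit("@", 1)
    if FULL_SHA_RE.match(ref):
        return "ok", "pinned to a full commit SHA"
    if ref in MUTABLE_REFS:
        return "mutable", f"branch '{ref}' moves with every push"
    # Anything else is a tag or short ref: better than a branch, but a tag can be re-pointed.
    return "tag", f"tag '{ref}' can be moved by the action owner"


def find_unpinned(workflow_text):
    """Return (line_no, uses_value, status, reason) for every step not pinned to a SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        status, reason = classify_ref(m.group(1))
        if status in ("mutable", "tag"):
            findings.append((line_no, m.group(1), status, reason))
    return findings


if __name__ == "__main__":
    # On the constructed sample this reports lines 8 (tag) and 9-10 (mutable branch).
    for line_no, uses, status, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {status:<7} {uses}  ({reason})")
```

Run it over each file under `.github/workflows/` in CI and fail the job on any `mutable` finding; whether `tag` findings also fail is a policy choice, but the fix is the same either way: replace the ref with the commit SHA the tag currently points to and keep the tag name in a trailing comment so the pin stays readable.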


sonarqubecloud bot commented Sep 3, 2025

@jakubuid jakubuid merged commit c5225a8 into master Sep 4, 2025
25 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Sep 4, 2025