SDKS-5050: Release activities

[tsdamas]

Summary

• Split Android BrowserStack E2E into two parallel workflows
• Extracted Android artifact build into a dedicated reusable workflow (browserstack-prep-android-artifacts.yml) so both E2E workflows share a single APK upload step.
• Fixed device-profile Android bridge pre-populating default collectors: collectors { addAll(...) } was appending to the SDK's default set (which includes LocationCollector), causing a location-permission prompt even when the caller omitted "location". Added clear() before addAll() so the bridge-supplied list is the authoritative set.
• Removed flaky iOS test testCollectDeviceProfileWithAllStableKnownCollectors — five sequential real collectors regularly exceeded the 10 s timeout under parallel simulator load in CI.
• Fixed Android BrowserStack SSL failure by switching network_security_config.xml from to . Ktor CIO calls the 2-arg checkServerTrusted variant; triggers Android's 3-arg hostname-aware enforcement, causing every HTTPS call to fail.
• Detox hardening: commandTimeout raised to 120 s for cold BrowserStack session starts; maxWorkers: 1 on CI; retries set to 4 on CI.
• Dependency and tooling updates: Ruby 2.6.10 → 3.3.6 (Bundler 4), refreshed iOS pod lockfiles, resolved critical npm vulnerabilities in the sample app.
• Excluded PingTestRunner/ from Mend SCA scans (test harness, not shipped code).
• Added build-status and npm badges to README.md.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Re-enables the BrowserStack Android CI job; cleans and documents the BrowserStack E2E workflow; adds a post-test step to extract Detox session_id and query BrowserStack; updates Detox runner args; and applies Android packaging, settings, and npm script changes.

Changes

BrowserStack ID-based app resolution

Layer / File(s)	Summary
Enable BrowserStack CI job .github/workflows/ci.yml	The browserstack-android job's if: false guard was removed so the job can run in CI.
Workflow cleanup, codegen formatting, and upload comments .github/workflows/browserstack-e2e-android.yml	Removed top TODO; reformatted the multi-module ./gradlew generateCodegenArtifactsFromSchema invocation; clarified upload/upload-client comments about using app_url/app_client_url (not bare IDs); added a post-test step that parses session_id from /tmp/detox-bs.log and (if present) queries the BrowserStack Detox sessions API.
Detox runner args and comment PingTestRunner/.detoxrc.js	testRunner.args no longer sets $0: 'jest' and adds maxWorkers: process.env.CI ? 2 : undefined; an inline BrowserStack app comment was edited without changing the visible android.cloud wiring.
Android wiring, packaging, and npm scripts PingTestRunner/android/app/build.gradle, PingTestRunner/android/settings.gradle, PingTestRunner/android/app/src/main/res/xml/network_security_config.xml, PingTestRunner/package.json	Added android.packaging.resources exclusions, included new Android subprojects, replaced domain-based cleartext allowlist with base-config cleartextTrafficPermitted="true", changed build:bs:android to use :app:-prefixed Gradle task paths, and bumped devDependencies.detox to 20.38.0-cloud.3.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hop through CI, logs in paw,
IDs and tests line up in awe,
Detox whispers, workers two,
Sessions fetched to see what's new,
Nibbles of build, a tiny law.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'SDKS-5050: Release activities' is vague and does not convey meaningful information about the specific changes in the pull request, which include enabling BrowserStack E2E tests, updating Detox configuration, fixing resource packaging, and network security config.	Use a more descriptive title that summarizes the main technical changes, such as 'Enable BrowserStack E2E Android testing and update Detox configuration' or similar.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch SDKS-5050

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

PR Preview Action v1.8.1
🚀 View preview at https://ForgeRock.github.io/ping-react-native-sdk/docs-preview/pr-48/
Built to branch gh-pages at 2026-06-15 18:38 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[coderabbitai]

🧹 Nitpick comments (1)

PingTestRunner/package.json (1)

24-24: 💤 Low value

Consider aligning Gradle task qualification across build scripts.

The build:bs:android script now uses fully-qualified task names (:app:assembleRelease :app:assembleAndroidTest), which is more explicit and safer in multi-project builds. However, the .detoxrc.js file's android.release build command (line 40) still uses unqualified task names (assembleRelease assembleAndroidTest).

While these serve different code paths (BrowserStack vs. local), the inconsistency could create maintenance confusion.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@PingTestRunner/package.json` at line 24, The android release build command is
inconsistent: package.json's "build:bs:android" uses fully-qualified Gradle
tasks while .detoxrc.js's android.release uses unqualified task names; update
the android.release build command in .detoxrc.js to use the fully-qualified
tasks (e.g., replace "assembleRelease assembleAndroidTest" with
":app:assembleRelease :app:assembleAndroidTest") so both build scripts use the
same explicit task qualification.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@PingTestRunner/package.json`:
- Line 24: The android release build command is inconsistent: package.json's
"build:bs:android" uses fully-qualified Gradle tasks while .detoxrc.js's
android.release uses unqualified task names; update the android.release build
command in .detoxrc.js to use the fully-qualified tasks (e.g., replace
"assembleRelease assembleAndroidTest" with ":app:assembleRelease
:app:assembleAndroidTest") so both build scripts use the same explicit task
qualification.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0a4487e1-002e-415b-9af7-d883813c10d9

📥 Commits

Reviewing files that changed from the base of the PR and between bcc0c08 and d3395ee.

⛔ Files ignored due to path filters (2)

• .yarn/install-state.gz is excluded by !**/.yarn/**, !**/*.gz
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (4)

• .github/workflows/browserstack-e2e-android.yml
• PingTestRunner/android/app/build.gradle
• PingTestRunner/android/settings.gradle
• PingTestRunner/package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/browserstack-e2e-android.yml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/browserstack-e2e-android.yml:
- Around line 207-223: Change the BrowserStack session fetch in the View
BrowserStack test results step to call the correct GET endpoint and surface curl
failures: replace the POST to
"https://api-cloud.browserstack.com/app-automate/detox/v2/android/sessions/${session_id}"
with a GET to
"https://api-cloud.browserstack.com/app-automate/detox/v2/android/sessions/${session_id}.json",
run curl so it fails on non-2xx responses (check exit code / use --fail) and
print a clear warning including the session_id on error; optionally pipe the
response through jq to pretty-print successful JSON. Ensure you update the curl
invocation that references session_id and the step that echoes "Fetching
BrowserStack session details for session: $session_id".

In `@PingTestRunner/android/app/src/main/res/xml/network_security_config.xml`:
- Around line 15-27: The network_security_config.xml in src/main currently
enables cleartext globally via the <base-config cleartextTrafficPermitted="true"
/> referenced by android:networkSecurityConfig and combined with
android:usesCleartextTraffic="true", which makes cleartext available to all
builds; move that permissive base-config into a variant-scoped overlay (e.g.,
src/debug/res/xml/network_security_config.xml or
src/androidTest/res/xml/network_security_config.xml) and remove or replace the
permissive <base-config> in src/main/res/xml/network_security_config.xml with a
restrictive policy, then update the debug/androidTest manifest overlay (or
manifestPlaceholders) to reference the permissive resource (and/or set
android:usesCleartextTraffic="true" only in debug/androidTest) so only
Detox/Test runs (DetoxTest.kt targeting ws://10.0.2.2) allow cleartext.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bd8907c4-5f00-42e9-a015-f809e975a496

📥 Commits

Reviewing files that changed from the base of the PR and between d3395ee and 8a85dc9.

📒 Files selected for processing (3)

• .github/workflows/browserstack-e2e-android.yml
• PingTestRunner/.detoxrc.js
• PingTestRunner/android/app/src/main/res/xml/network_security_config.xml

🚧 Files skipped from review as they are similar to previous changes (1)

• PingTestRunner/.detoxrc.js

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@PingTestRunner/.detoxrc.js`:
- Line 20: Remove the forced CI override of maxWorkers in the Detox config by
eliminating or conditionalizing the line setting maxWorkers: process.env.CI ? 2
: undefined; instead let Detox/Jest pick the appropriate worker count (or
explicitly set it to 1) so it does not conflict with testRunner.args.maxWorkers
and the e2e/jest.config.js maxWorkers: 1; update .detoxrc.js to either omit
maxWorkers entirely on CI or set it to 1 to ensure only one worker/device
session is used.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9827f892-46e9-444d-9f4a-3137e5fb0899

📥 Commits

Reviewing files that changed from the base of the PR and between 8a85dc9 and 09379fb.

📒 Files selected for processing (1)

• PingTestRunner/.detoxrc.js

[pingidentity-gaurav]

Code review findings

[pingidentity-gaurav]

This causes the journey job to run even when core fails, burning BrowserStack credits on a broken build. Unless the two suites are genuinely independent (journey tests don't rely on anything core validates), consider dropping always() so journey is skipped when core fails.

[tsdamas]

Thanks for calling out. This was added for testing purposes only as we are experiencing the issue on their detox fork and will be removed before merging.

[pingidentity-gaurav]

LGTM